Analysis

max time kernel: 46s
max time network: 19s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 25-12-2024 00:37

Static task: static1

Behavioral task: behavioral1
Sample: 921aebcd128e03f1f8328ac068e19a5d40be049ac89e3796c96348bd00bb6d37.exe
Resource: win7-20241010-en

Behavioral task: behavioral2
Sample: 921aebcd128e03f1f8328ac068e19a5d40be049ac89e3796c96348bd00bb6d37.exe
Resource: win10v2004-20241007-en

General

Target: 921aebcd128e03f1f8328ac068e19a5d40be049ac89e3796c96348bd00bb6d37.exe
Size: 64KB
MD5: 8f8fef79eeaca763170d40b90b25407e
SHA1: 14fb3dff1b8abbe8086170d5e6b6636fb4fef3c1
SHA256: 921aebcd128e03f1f8328ac068e19a5d40be049ac89e3796c96348bd00bb6d37
SHA512: 2ef492f81cb8ccf331c7f45f1672734709610e79de8c1d3631edf2b9a2dffb5d8fe70306124dcd0957c1af546efd01e8264bb502768c13082de96898d59740e9
SSDEEP: 768:wNyqX0XtrwCtWpZ37oIaQ6+ExNQZsVEhe+k0VbxKmDOFiuA9zW/1H5JuXdnhgl7j:wWrwZUITtnZsVEj0FiRM4gNtn
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bgbemjqh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jodfilko.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aabhiikm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gjgpqjqa.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oohmmojn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jknlfg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iapjad32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Onacgf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ioeaeolo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Apjdin32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mcghcgfb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nfjnja32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lbgmah32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ckbakiee.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cjiiim32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mlfgkleh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gmjehe32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Icnealbb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pgjgapaa.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lcllii32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fiepga32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jllggbde.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kofnbk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ndaaclac.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Anpekggc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pkebig32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bgjknijp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kbjpqmhf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aogqihcm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hfkidh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aikine32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Edieng32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Koacjg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bpmqom32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Caligc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bakjfp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hiieqd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mpcjfa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ccmcfc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nkpjfkhf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ndhooaog.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ohofimje.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Glgcec32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kjdkap32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hjlekm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Adcakdhn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ljlhme32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fflgahfm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jedlph32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hcghffen.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pcajpjoi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Neagan32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fmnmih32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dpnogmbl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eqpfchka.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ifecen32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lcihicad.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hmefcp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Djfagjai.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lbibla32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dejnme32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Halkahoo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mdlfpcnd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qlaffbqk.exe
Berbew family
Executes dropped EXE (64 IoCs)

pid | Process
2136 | Hfanjcke.exe
2068 | Iolohhpc.exe
2944 | Icnealbb.exe
2932 | Iqbekpal.exe
2284 | Ifoncgpc.exe
2804 | Igojmjgf.exe
2064 | Jbhkngcd.exe
2028 | Jchhhjjg.exe
2668 | Jnaihhgf.exe
1852 | Jncenh32.exe
1708 | Jjjfbikh.exe
2952 | Jjmchhhe.exe
1232 | Kfccmini.exe
2512 | Kidlodkj.exe
2244 | Kclmbm32.exe
2492 | Kofnbk32.exe
2460 | Lafgdfbm.exe
2268 | Lhqpqp32.exe
1216 | Ledpjdid.exe
1720 | Lmpdoffo.exe
776 | Lheilofe.exe
1408 | Looahi32.exe
1964 | Mpcjfa32.exe
2764 | Mkhocj32.exe
2008 | Mgoohk32.exe
1648 | Mlndfa32.exe
2320 | Mefiog32.exe
2964 | Mdlfpcnd.exe
2828 | Ndqokc32.exe
3032 | Nnidchqp.exe
2768 | Njpdiifd.exe
536 | Ocjfgo32.exe
2724 | Ofmknifp.exe
2664 | Ofphdi32.exe
2348 | Oohmmojn.exe
1692 | Pbienj32.exe
2000 | Pnpfckmc.exe
1292 | Pclolakk.exe
2992 | Pgjgapaa.exe
3000 | Pmimpf32.exe
928 | Qfdnnlbc.exe
3028 | Qlaffbqk.exe
2364 | Ajfcgoec.exe
2316 | Alfpab32.exe
1532 | Aabhiikm.exe
288 | Afoqbpid.exe
688 | Adcakdhn.exe
1328 | Akpfmnmh.exe
3024 | Biecoj32.exe
1752 | Belcck32.exe
1448 | Bpahad32.exe
1928 | Benpik32.exe
1496 | Bofebqlb.exe
2496 | Bhoikfbb.exe
2832 | Boiagp32.exe
2796 | Ckoblapc.exe
2100 | Cdhgegfd.exe
2164 | Cnpknl32.exe
2248 | Ccmcfc32.exe
1680 | Cdlppf32.exe
316 | Cjiiim32.exe
2372 | Ccamabgg.exe
764 | Cljajh32.exe
2860 | Dfbfcn32.exe
Loads dropped DLL (64 IoCs)

pid | Process
2600 | 921aebcd128e03f1f8328ac068e19a5d40be049ac89e3796c96348bd00bb6d37.exe
2600 | 921aebcd128e03f1f8328ac068e19a5d40be049ac89e3796c96348bd00bb6d37.exe
2136 | Hfanjcke.exe
2136 | Hfanjcke.exe
2068 | Iolohhpc.exe
2068 | Iolohhpc.exe
2944 | Icnealbb.exe
2944 | Icnealbb.exe
2932 | Iqbekpal.exe
2932 | Iqbekpal.exe
2284 | Ifoncgpc.exe
2284 | Ifoncgpc.exe
2804 | Igojmjgf.exe
2804 | Igojmjgf.exe
2064 | Jbhkngcd.exe
2064 | Jbhkngcd.exe
2028 | Jchhhjjg.exe
2028 | Jchhhjjg.exe
2668 | Jnaihhgf.exe
2668 | Jnaihhgf.exe
1852 | Jncenh32.exe
1852 | Jncenh32.exe
1708 | Jjjfbikh.exe
1708 | Jjjfbikh.exe
2952 | Jjmchhhe.exe
2952 | Jjmchhhe.exe
1232 | Kfccmini.exe
1232 | Kfccmini.exe
2512 | Kidlodkj.exe
2512 | Kidlodkj.exe
2244 | Kclmbm32.exe
2244 | Kclmbm32.exe
2492 | Kofnbk32.exe
2492 | Kofnbk32.exe
2460 | Lafgdfbm.exe
2460 | Lafgdfbm.exe
2268 | Lhqpqp32.exe
2268 | Lhqpqp32.exe
1216 | Ledpjdid.exe
1216 | Ledpjdid.exe
1720 | Lmpdoffo.exe
1720 | Lmpdoffo.exe
776 | Lheilofe.exe
776 | Lheilofe.exe
1408 | Looahi32.exe
1408 | Looahi32.exe
1964 | Mpcjfa32.exe
1964 | Mpcjfa32.exe
2764 | Mkhocj32.exe
2764 | Mkhocj32.exe
2008 | Mgoohk32.exe
2008 | Mgoohk32.exe
1648 | Mlndfa32.exe
1648 | Mlndfa32.exe
2320 | Mefiog32.exe
2320 | Mefiog32.exe
2964 | Mdlfpcnd.exe
2964 | Mdlfpcnd.exe
2828 | Ndqokc32.exe
2828 | Ndqokc32.exe
3032 | Nnidchqp.exe
3032 | Nnidchqp.exe
2768 | Njpdiifd.exe
2768 | Njpdiifd.exe
Drops file in System32 directory (64 IoCs)

description | ioc | Process
File created | C:\Windows\SysWOW64\Afhcgjkq.exe | Pmbpda32.exe
File created | C:\Windows\SysWOW64\Lgodiaaa.dll | Medobp32.exe
File created | C:\Windows\SysWOW64\Afmokbop.exe | Ajfoea32.exe
File opened for modification | C:\Windows\SysWOW64\Pmimpf32.exe | Pgjgapaa.exe
File created | C:\Windows\SysWOW64\Ejbhno32.exe | Emogdk32.exe
File opened for modification | C:\Windows\SysWOW64\Npdlpnnj.exe | Neohbe32.exe
File opened for modification | C:\Windows\SysWOW64\Ekacnjfp.exe | Ekofijic.exe
File created | C:\Windows\SysWOW64\Nmgbmq32.dll | Cdlppf32.exe
File created | C:\Windows\SysWOW64\Gjfbaj32.dll | Odmhjp32.exe
File created | C:\Windows\SysWOW64\Lemlao32.dll | Acafnm32.exe
File opened for modification | C:\Windows\SysWOW64\Ildhcd32.exe | Ipmgncii.exe
File created | C:\Windows\SysWOW64\Gfhihbpb.dll | Ihmene32.exe
File created | C:\Windows\SysWOW64\Nmnjfc32.dll | Lmkgajnm.exe
File opened for modification | C:\Windows\SysWOW64\Mboekp32.exe | Lifqbjpk.exe
File opened for modification | C:\Windows\SysWOW64\Odiagj32.exe | Niopgljl.exe
File created | C:\Windows\SysWOW64\Ljfaffjj.dll | Emadjj32.exe
File opened for modification | C:\Windows\SysWOW64\Gfkagc32.exe | Gigano32.exe
File created | C:\Windows\SysWOW64\Gbolncpj.dll | Minnmomo.exe
File created | C:\Windows\SysWOW64\Angohn32.dll | Jqmadn32.exe
File created | C:\Windows\SysWOW64\Iapjad32.exe | Ifkecl32.exe
File created | C:\Windows\SysWOW64\Ionahd32.dll | Kjgjpiob.exe
File opened for modification | C:\Windows\SysWOW64\Kofnbk32.exe | Kclmbm32.exe
File created | C:\Windows\SysWOW64\Bbeaaiga.dll | Dclikp32.exe
File created | C:\Windows\SysWOW64\Ppidbidd.exe | Ocedieek.exe
File created | C:\Windows\SysWOW64\Jknlfg32.exe | Ihopjl32.exe
File created | C:\Windows\SysWOW64\Poifhgla.dll | Hhmioa32.exe
File opened for modification | C:\Windows\SysWOW64\Oooeeb32.exe | Odiagj32.exe
File created | C:\Windows\SysWOW64\Abklpl32.dll | Nkpckeek.exe
File opened for modification | C:\Windows\SysWOW64\Ckbakiee.exe | Cajmbd32.exe
File created | C:\Windows\SysWOW64\Fdmpmneg.dll | Kncmknkg.exe
File created | C:\Windows\SysWOW64\Ffogha32.dll | Fmnccn32.exe
File created | C:\Windows\SysWOW64\Necandjo.exe | Nknmplji.exe
File opened for modification | C:\Windows\SysWOW64\Jgaikb32.exe | Impblnna.exe
File created | C:\Windows\SysWOW64\Mhpgnfpn.exe | Mjlgdaad.exe
File created | C:\Windows\SysWOW64\Cbmoeeod.exe | Cffnpdip.exe
File created | C:\Windows\SysWOW64\Geenlkeo.dll | Icidlf32.exe
File created | C:\Windows\SysWOW64\Jfijmdbh.exe | Jqmadn32.exe
File created | C:\Windows\SysWOW64\Jpojog32.dll | Jfijmdbh.exe
File created | C:\Windows\SysWOW64\Bbcjfn32.exe | Bikemiik.exe
File created | C:\Windows\SysWOW64\Ceclmc32.exe | Bbbckh32.exe
File opened for modification | C:\Windows\SysWOW64\Icnealbb.exe | Iolohhpc.exe
File opened for modification | C:\Windows\SysWOW64\Benpik32.exe | Bpahad32.exe
File opened for modification | C:\Windows\SysWOW64\Ilolol32.exe | Hcghffen.exe
File opened for modification | C:\Windows\SysWOW64\Iihhmhng.exe | Ildhcd32.exe
File created | C:\Windows\SysWOW64\Cibddm32.dll | Bgjknijp.exe
File opened for modification | C:\Windows\SysWOW64\Mmolll32.exe | Mcghcgfb.exe
File created | C:\Windows\SysWOW64\Bbiangbo.dll | Doclijgd.exe
File opened for modification | C:\Windows\SysWOW64\Hacabgig.exe | Hjiiemaj.exe
File opened for modification | C:\Windows\SysWOW64\Icidlf32.exe | Ilolol32.exe
File opened for modification | C:\Windows\SysWOW64\Iaqnbb32.exe | Ikfffh32.exe
File created | C:\Windows\SysWOW64\Chkbjc32.exe | Cocnanmd.exe
File created | C:\Windows\SysWOW64\Hiieqd32.exe | Hfkidh32.exe
File opened for modification | C:\Windows\SysWOW64\Kaagnp32.exe | Knckbe32.exe
File opened for modification | C:\Windows\SysWOW64\Medobp32.exe | Mphfji32.exe
File created | C:\Windows\SysWOW64\Lloalk32.dll | Odhhdk32.exe
File opened for modification | C:\Windows\SysWOW64\Gmnkqcem.exe | Gceghn32.exe
File created | C:\Windows\SysWOW64\Hkkcbdhc.exe | Hdakej32.exe
File opened for modification | C:\Windows\SysWOW64\Nkpckeek.exe | Nipgab32.exe
File created | C:\Windows\SysWOW64\Ffglae32.dll | Gpknjp32.exe
File opened for modification | C:\Windows\SysWOW64\Alfpab32.exe | Ajfcgoec.exe
File opened for modification | C:\Windows\SysWOW64\Odpeop32.exe | Onelbfab.exe
File created | C:\Windows\SysWOW64\Bpcmal32.dll | Odpeop32.exe
File created | C:\Windows\SysWOW64\Algida32.exe | Abodlk32.exe
File opened for modification | C:\Windows\SysWOW64\Hinlck32.exe | Hpehje32.exe
Program crash (1 IoC)

pid | pid_target | Process | procid_target
2292 | 1892 | WerFault.exe | 511
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)

Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jpjpmqjl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jnaihhgf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dmbpaa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hlmpjl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Maplcm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nodikecl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pjiffd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pcajpjoi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jlddbgai.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kfccmini.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lafgdfbm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pqlhbo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pjdlkeln.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kncmknkg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nikflm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bakjfp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bhoikfbb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kiaiooja.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Icidlf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ffmnloih.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fmcchb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cbmoeeod.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ccmcfc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cljajh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cdnicemo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Apjdin32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jedlph32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cjiiim32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eelinm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Efeaqi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hjglpncm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lbgmah32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ndhooaog.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bgbemjqh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ekofijic.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Okecak32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Odmhjp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mkqnghfk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Japfphle.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ommfibdg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gdedoegh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dcaiqfib.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ghjjoeei.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gfqmkk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ledpjdid.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Akpfmnmh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Padcqp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Knicjipf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mpcjfa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kdefdjnl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nppemgjd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Emogdk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hkifld32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kfklgape.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kbjpqmhf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dfecim32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Neohbe32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lifqbjpk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hkkcbdhc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mfmekd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gmjehe32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hjlekm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lmkgajnm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oooeeb32.exe
Modifies registry class (64 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Llmnjg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnndce32.dll" | Maplcm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjgjebcf.dll" | Fbeeliin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gmcogf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | 921aebcd128e03f1f8328ac068e19a5d40be049ac89e3796c96348bd00bb6d37.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Iackhb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjingc32.dll" | Lmmaoq32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Glgcec32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpjjgpdc.dll" | Kdehmb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lcpecdio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Qnkdeagl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcknnonh.dll" | Hpcnmnnh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Iapjad32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fgmmnj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ofcnmh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leiabnbn.dll" | Llojpghe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbdegkgi.dll" | Lbjlppja.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nlkonhkb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Belcck32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qaqpffok.dll" | Fiepga32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehlolh32.dll" | Jknlfg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhgfh32.dll" | Hinlck32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pqlhbo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fiepga32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gigano32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjabhq32.dll" | Jgllof32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lifqbjpk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnglkj32.dll" | Bakjfp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeelld32.dll" | Ocjfgo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bhoikfbb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fpgpjdnf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jdklcebk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hpehje32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ceclmc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fmcchb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bngmma32.dll" | Pockoeeg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jjjfbikh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqfjdnpo.dll" | Hlamfh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ilolol32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Icidlf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ajfoea32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Qjaejbmq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbpolb32.dll" | Dfecim32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hijeld32.dll" | Ihfmdm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jbbgge32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Noepfkgh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Qfdnnlbc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gdedoegh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Iopqoi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ccmcfc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ageedflj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dgfkoh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | 921aebcd128e03f1f8328ac068e19a5d40be049ac89e3796c96348bd00bb6d37.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lhqpqp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hmefcp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cpldjajo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqnpke32.dll" | Ilolol32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cidhcg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkmpgpcl.dll" | Djfagjai.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oekdni32.dll" | Fnleqj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mmolll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Njcmeqkl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cjmaed32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhchnllb.dll" | Pclolakk.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\921aebcd128e03f1f8328ac068e19a5d40be049ac89e3796c96348bd00bb6d37.exe"C:\Users\Admin\AppData\Local\Temp\921aebcd128e03f1f8328ac068e19a5d40be049ac89e3796c96348bd00bb6d37.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Hfanjcke.exeC:\Windows\system32\Hfanjcke.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\SysWOW64\Iolohhpc.exeC:\Windows\system32\Iolohhpc.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Windows\SysWOW64\Icnealbb.exeC:\Windows\system32\Icnealbb.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\Iqbekpal.exeC:\Windows\system32\Iqbekpal.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\Ifoncgpc.exeC:\Windows\system32\Ifoncgpc.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Windows\SysWOW64\Igojmjgf.exeC:\Windows\system32\Igojmjgf.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Jbhkngcd.exeC:\Windows\system32\Jbhkngcd.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Windows\SysWOW64\Jchhhjjg.exeC:\Windows\system32\Jchhhjjg.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\SysWOW64\Jnaihhgf.exeC:\Windows\system32\Jnaihhgf.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Jncenh32.exeC:\Windows\system32\Jncenh32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1852 -
C:\Windows\SysWOW64\Jjjfbikh.exeC:\Windows\system32\Jjjfbikh.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Windows\SysWOW64\Jjmchhhe.exeC:\Windows\system32\Jjmchhhe.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\SysWOW64\Kfccmini.exeC:\Windows\system32\Kfccmini.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1232 -
C:\Windows\SysWOW64\Kidlodkj.exeC:\Windows\system32\Kidlodkj.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\SysWOW64\Kclmbm32.exeC:\Windows\system32\Kclmbm32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\SysWOW64\Kofnbk32.exeC:\Windows\system32\Kofnbk32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2492 -
C:\Windows\SysWOW64\Lafgdfbm.exeC:\Windows\system32\Lafgdfbm.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2460 -
C:\Windows\SysWOW64\Lhqpqp32.exeC:\Windows\system32\Lhqpqp32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2268 -
C:\Windows\SysWOW64\Ledpjdid.exeC:\Windows\system32\Ledpjdid.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1216 -
C:\Windows\SysWOW64\Lmpdoffo.exeC:\Windows\system32\Lmpdoffo.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1720 -
C:\Windows\SysWOW64\Lheilofe.exeC:\Windows\system32\Lheilofe.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:776 -
C:\Windows\SysWOW64\Looahi32.exeC:\Windows\system32\Looahi32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1408 -
C:\Windows\SysWOW64\Mpcjfa32.exeC:\Windows\system32\Mpcjfa32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1964 -
C:\Windows\SysWOW64\Mkhocj32.exeC:\Windows\system32\Mkhocj32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2764 -
C:\Windows\SysWOW64\Mgoohk32.exeC:\Windows\system32\Mgoohk32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2008 -
C:\Windows\SysWOW64\Mlndfa32.exeC:\Windows\system32\Mlndfa32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1648 -
C:\Windows\SysWOW64\Mefiog32.exeC:\Windows\system32\Mefiog32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2320 -
C:\Windows\SysWOW64\Mdlfpcnd.exeC:\Windows\system32\Mdlfpcnd.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2964 -
C:\Windows\SysWOW64\Ndqokc32.exeC:\Windows\system32\Ndqokc32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2828 -
C:\Windows\SysWOW64\Nnidchqp.exeC:\Windows\system32\Nnidchqp.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3032 -
C:\Windows\SysWOW64\Njpdiifd.exeC:\Windows\system32\Njpdiifd.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2768 -
C:\Windows\SysWOW64\Ocjfgo32.exeC:\Windows\system32\Ocjfgo32.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:536 -
C:\Windows\SysWOW64\Ofmknifp.exeC:\Windows\system32\Ofmknifp.exe34⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Ofphdi32.exeC:\Windows\system32\Ofphdi32.exe35⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Oohmmojn.exeC:\Windows\system32\Oohmmojn.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Pbienj32.exeC:\Windows\system32\Pbienj32.exe37⤵
- Executes dropped EXE
PID:1692 -
C:\Windows\SysWOW64\Pnpfckmc.exeC:\Windows\system32\Pnpfckmc.exe38⤵
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Pclolakk.exeC:\Windows\system32\Pclolakk.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:1292 -
C:\Windows\SysWOW64\Pgjgapaa.exeC:\Windows\system32\Pgjgapaa.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2992 -
C:\Windows\SysWOW64\Pmimpf32.exeC:\Windows\system32\Pmimpf32.exe41⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Qfdnnlbc.exeC:\Windows\system32\Qfdnnlbc.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:928 -
C:\Windows\SysWOW64\Qlaffbqk.exeC:\Windows\system32\Qlaffbqk.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Ajfcgoec.exeC:\Windows\system32\Ajfcgoec.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2364 -
C:\Windows\SysWOW64\Alfpab32.exeC:\Windows\system32\Alfpab32.exe45⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Aabhiikm.exeC:\Windows\system32\Aabhiikm.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1532 -
C:\Windows\SysWOW64\Afoqbpid.exeC:\Windows\system32\Afoqbpid.exe47⤵
- Executes dropped EXE
PID:288 -
C:\Windows\SysWOW64\Adcakdhn.exeC:\Windows\system32\Adcakdhn.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:688 -
C:\Windows\SysWOW64\Akpfmnmh.exeC:\Windows\system32\Akpfmnmh.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1328 -
C:\Windows\SysWOW64\Biecoj32.exeC:\Windows\system32\Biecoj32.exe50⤵
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\Belcck32.exeC:\Windows\system32\Belcck32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:1752 -
C:\Windows\SysWOW64\Bpahad32.exeC:\Windows\system32\Bpahad32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1448 -
C:\Windows\SysWOW64\Benpik32.exeC:\Windows\system32\Benpik32.exe53⤵
- Executes dropped EXE
PID:1928 -
C:\Windows\SysWOW64\Bofebqlb.exeC:\Windows\system32\Bofebqlb.exe54⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Bhoikfbb.exeC:\Windows\system32\Bhoikfbb.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2496 -
C:\Windows\SysWOW64\Boiagp32.exeC:\Windows\system32\Boiagp32.exe56⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Ckoblapc.exeC:\Windows\system32\Ckoblapc.exe57⤵
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Cdhgegfd.exeC:\Windows\system32\Cdhgegfd.exe58⤵
- Executes dropped EXE
PID:2100 -
C:\Windows\SysWOW64\Cnpknl32.exeC:\Windows\system32\Cnpknl32.exe59⤵
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Ccmcfc32.exeC:\Windows\system32\Ccmcfc32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2248 -
C:\Windows\SysWOW64\Cdlppf32.exeC:\Windows\system32\Cdlppf32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1680 -
C:\Windows\SysWOW64\Cjiiim32.exeC:\Windows\system32\Cjiiim32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:316 -
C:\Windows\SysWOW64\Ccamabgg.exeC:\Windows\system32\Ccamabgg.exe63⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Cljajh32.exeC:\Windows\system32\Cljajh32.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:764 -
C:\Windows\SysWOW64\Dfbfcn32.exeC:\Windows\system32\Dfbfcn32.exe65⤵
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Dkookd32.exeC:\Windows\system32\Dkookd32.exe66⤵PID:2088
-
C:\Windows\SysWOW64\Dfecim32.exeC:\Windows\system32\Dfecim32.exe67⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:704 -
C:\Windows\SysWOW64\Dkakad32.exeC:\Windows\system32\Dkakad32.exe68⤵PID:1424
-
C:\Windows\SysWOW64\Dheljhof.exeC:\Windows\system32\Dheljhof.exe69⤵PID:1464
-
C:\Windows\SysWOW64\Dbnpcn32.exeC:\Windows\system32\Dbnpcn32.exe70⤵PID:2120
-
C:\Windows\SysWOW64\Dndahokk.exeC:\Windows\system32\Dndahokk.exe71⤵PID:2960
-
C:\Windows\SysWOW64\Dcaiqfib.exeC:\Windows\system32\Dcaiqfib.exe72⤵
- System Location Discovery: System Language Discovery
PID:2236 -
C:\Windows\SysWOW64\Ecdffe32.exeC:\Windows\system32\Ecdffe32.exe73⤵PID:324
-
C:\Windows\SysWOW64\Emlkoknp.exeC:\Windows\system32\Emlkoknp.exe74⤵PID:2156
-
C:\Windows\SysWOW64\Egaoldnf.exeC:\Windows\system32\Egaoldnf.exe75⤵PID:2892
-
C:\Windows\SysWOW64\Emogdk32.exeC:\Windows\system32\Emogdk32.exe76⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2428 -
C:\Windows\SysWOW64\Ejbhno32.exeC:\Windows\system32\Ejbhno32.exe77⤵PID:2700
-
C:\Windows\SysWOW64\Emadjj32.exeC:\Windows\system32\Emadjj32.exe78⤵
- Drops file in System32 directory
PID:2004 -
C:\Windows\SysWOW64\Eelinm32.exeC:\Windows\system32\Eelinm32.exe79⤵
- System Location Discovery: System Language Discovery
PID:2432 -
C:\Windows\SysWOW64\Elfakg32.exeC:\Windows\system32\Elfakg32.exe80⤵PID:1764
-
C:\Windows\SysWOW64\Fflehp32.exeC:\Windows\system32\Fflehp32.exe81⤵PID:2568
-
C:\Windows\SysWOW64\Fngjmb32.exeC:\Windows\system32\Fngjmb32.exe82⤵PID:1380
-
C:\Windows\SysWOW64\Filnjk32.exeC:\Windows\system32\Filnjk32.exe83⤵PID:3040
-
C:\Windows\SysWOW64\Fcfojhhh.exeC:\Windows\system32\Fcfojhhh.exe84⤵PID:436
-
C:\Windows\SysWOW64\Fmnccn32.exeC:\Windows\system32\Fmnccn32.exe85⤵
- Drops file in System32 directory
PID:2424 -
C:\Windows\SysWOW64\Fmqpinlf.exeC:\Windows\system32\Fmqpinlf.exe86⤵PID:1568
-
C:\Windows\SysWOW64\Gigano32.exeC:\Windows\system32\Gigano32.exe87⤵
- Drops file in System32 directory
- Modifies registry class
PID:920 -
C:\Windows\SysWOW64\Gfkagc32.exeC:\Windows\system32\Gfkagc32.exe88⤵PID:844
-
C:\Windows\SysWOW64\Glhjpjok.exeC:\Windows\system32\Glhjpjok.exe89⤵PID:1788
-
C:\Windows\SysWOW64\Gdobqgpn.exeC:\Windows\system32\Gdobqgpn.exe90⤵PID:2056
-
C:\Windows\SysWOW64\Geehcoaf.exeC:\Windows\system32\Geehcoaf.exe91⤵PID:2844
-
C:\Windows\SysWOW64\Hlamfh32.exeC:\Windows\system32\Hlamfh32.exe92⤵
- Modifies registry class
PID:2908 -
C:\Windows\SysWOW64\Hmefcp32.exeC:\Windows\system32\Hmefcp32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2184 -
C:\Windows\SysWOW64\Hkifld32.exeC:\Windows\system32\Hkifld32.exe94⤵
- System Location Discovery: System Language Discovery
PID:1064 -
C:\Windows\SysWOW64\Hdakej32.exeC:\Windows\system32\Hdakej32.exe95⤵
- Drops file in System32 directory
PID:900 -
C:\Windows\SysWOW64\Hkkcbdhc.exeC:\Windows\system32\Hkkcbdhc.exe96⤵
- System Location Discovery: System Language Discovery
PID:2968 -
C:\Windows\SysWOW64\Hlmpjl32.exeC:\Windows\system32\Hlmpjl32.exe97⤵
- System Location Discovery: System Language Discovery
PID:1612 -
C:\Windows\SysWOW64\Hcghffen.exeC:\Windows\system32\Hcghffen.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1576 -
C:\Windows\SysWOW64\Ilolol32.exeC:\Windows\system32\Ilolol32.exe99⤵
- Drops file in System32 directory
- Modifies registry class
PID:2412 -
C:\Windows\SysWOW64\Icidlf32.exeC:\Windows\system32\Icidlf32.exe100⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2636 -
C:\Windows\SysWOW64\Ihfmdm32.exeC:\Windows\system32\Ihfmdm32.exe101⤵
- Modifies registry class
PID:1700 -
C:\Windows\SysWOW64\Iejnna32.exeC:\Windows\system32\Iejnna32.exe102⤵PID:932
-
C:\Windows\SysWOW64\Ikfffh32.exeC:\Windows\system32\Ikfffh32.exe103⤵
- Drops file in System32 directory
PID:1644 -
C:\Windows\SysWOW64\Iaqnbb32.exeC:\Windows\system32\Iaqnbb32.exe104⤵PID:3008
-
C:\Windows\SysWOW64\Iackhb32.exeC:\Windows\system32\Iackhb32.exe105⤵
- Modifies registry class
PID:1228 -
C:\Windows\SysWOW64\Iogkaf32.exeC:\Windows\system32\Iogkaf32.exe106⤵PID:2716
-
C:\Windows\SysWOW64\Ihopjl32.exeC:\Windows\system32\Ihopjl32.exe107⤵
- Drops file in System32 directory
PID:2696 -
C:\Windows\SysWOW64\Jknlfg32.exeC:\Windows\system32\Jknlfg32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1780 -
C:\Windows\SysWOW64\Jciaki32.exeC:\Windows\system32\Jciaki32.exe109⤵PID:2748
-
C:\Windows\SysWOW64\Jjcigcmd.exeC:\Windows\system32\Jjcigcmd.exe110⤵PID:1684
-
C:\Windows\SysWOW64\Jqmadn32.exeC:\Windows\system32\Jqmadn32.exe111⤵
- Drops file in System32 directory
PID:1188 -
C:\Windows\SysWOW64\Jfijmdbh.exeC:\Windows\system32\Jfijmdbh.exe112⤵
- Drops file in System32 directory
PID:3044 -
C:\Windows\SysWOW64\Jqonjmbn.exeC:\Windows\system32\Jqonjmbn.exe113⤵PID:2304
-
C:\Windows\SysWOW64\Jmfoon32.exeC:\Windows\system32\Jmfoon32.exe114⤵PID:1536
-
C:\Windows\SysWOW64\Jbbgge32.exeC:\Windows\system32\Jbbgge32.exe115⤵
- Modifies registry class
PID:1668 -
C:\Windows\SysWOW64\Jimodo32.exeC:\Windows\system32\Jimodo32.exe116⤵PID:2340
-
C:\Windows\SysWOW64\Kcbcah32.exeC:\Windows\system32\Kcbcah32.exe117⤵PID:2288
-
C:\Windows\SysWOW64\Kfqpmc32.exeC:\Windows\system32\Kfqpmc32.exe118⤵PID:2896
-
C:\Windows\SysWOW64\Koidficq.exeC:\Windows\system32\Koidficq.exe119⤵PID:1044
-
C:\Windows\SysWOW64\Kiaiooja.exeC:\Windows\system32\Kiaiooja.exe120⤵
- System Location Discovery: System Language Discovery
PID:980 -
C:\Windows\SysWOW64\Kbjmhd32.exeC:\Windows\system32\Kbjmhd32.exe121⤵PID:2988
-
C:\Windows\SysWOW64\Kgffpk32.exeC:\Windows\system32\Kgffpk32.exe122⤵PID:2312