Analysis
-
max time kernel
33s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
07-01-2025 11:21
Behavioral task
behavioral1
Sample
95d2a4bc68985e22059d295294c658c51eea1fcdaf493d6d1f04c418933f6423N.exe
Resource
win7-20241010-en
windows7-x64
12 signatures
120 seconds
General
-
Target
95d2a4bc68985e22059d295294c658c51eea1fcdaf493d6d1f04c418933f6423N.exe
-
Size
93KB
-
MD5
660f86e9680a541245dc6036d39d6e10
-
SHA1
aba9549ad7ca8a2fcde29aadc9c43fd58ede07f8
-
SHA256
95d2a4bc68985e22059d295294c658c51eea1fcdaf493d6d1f04c418933f6423
-
SHA512
ecac33cfb704df97ff8d3f48bdc941422ded003d592cdf089b5cb21bfa6467eb90e55c68c363d71ea041a5ecdcecb99b01d02694e41190273a4a7a4048988efc
-
SSDEEP
1536:xe27cJx0xVT2pN/HmDZOXUPHm6fXfdz1DaYfMZRWuLsV+1b:IEcJGTy//HmzG6v9gYfc0DV+1b
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgnmjokn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Caajmilh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idncdgai.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlcekgbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcfojhhh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncbilimn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqfeda32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blabef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gloppi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nihgndip.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maejpj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oindpd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlpdifda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkajgonp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adenqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihhjjm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjhfkqdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" 95d2a4bc68985e22059d295294c658c51eea1fcdaf493d6d1f04c418933f6423N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nqdjge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gaibpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Napfihmn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahmpfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbjeao32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Indiodbh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhclfphg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldljqpli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhgbpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpgmak32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gohjnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Noajmlnj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmeknakn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bodhlane.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdpkdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkhocj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogfagmck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfpllg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikcpmieg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbdghi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Filnjk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kaojiqej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcdkagga.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcknqicd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kiaiooja.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlbanfbo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Napfihmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbienj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhejed32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gloppi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbagdq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djfooa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enjand32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mggoli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnkqih32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjgmhaim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clpeajjb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chkpakla.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgichoqj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Biiljjnk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hanenoeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlpdifda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekcmkamj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qipmdhcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gajlcp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qakkncmi.exe -
Berbew family
-
Njrat family
-
Executes dropped EXE 64 IoCs
pid Process 3036 Jfkdik32.exe 2792 Jpfehq32.exe 2788 Kfbjjjci.exe 2960 Khfcgbge.exe 2828 Khhpmbeb.exe 2708 Kdoaackf.exe 2292 Lpfagd32.exe 2440 Laenqg32.exe 2760 Lcignoki.exe 2032 Lejppj32.exe 1060 Lelmei32.exe 2084 Maejpj32.exe 1768 Mdhpgeeg.exe 2152 Mlcekgbb.exe 2520 Nqamaeii.exe 1084 Nqdjge32.exe 928 Nfcoel32.exe 340 Nnndin32.exe 2432 Nkbdbbop.exe 440 Ogiegc32.exe 1064 Oqcffi32.exe 1300 Ofqonp32.exe 1980 Ofcldoef.exe 2180 Ocglmcdp.exe 2640 Pblinp32.exe 796 Pifakj32.exe 2256 Pnefiq32.exe 2908 Pngcnpkg.exe 2896 Pjndca32.exe 2848 Qmomelml.exe 2132 Aamekk32.exe 2684 Amcfpl32.exe 2272 Aflkiapg.exe 1188 Apdobg32.exe 1928 Aecdpmbm.exe 3028 Bdknfiea.exe 2472 Bncboo32.exe 2192 Bdpgai32.exe 1988 Bnjipn32.exe 2176 Clpeajjb.exe 1684 Cblniaii.exe 1280 Cbagdq32.exe 2460 Chkpakla.exe 1752 Dklibf32.exe 1780 Djaedbnj.exe 960 Djcbib32.exe 2616 Dclgbgbh.exe 2532 Djfooa32.exe 2436 Dcnchg32.exe 1856 Diklpn32.exe 1720 Ebcqicem.exe 2808 Emieflec.exe 2880 Enjand32.exe 3048 Elnagijk.exe 2676 Ebhjdc32.exe 2660 Elpnmhgh.exe 2944 Eeicenni.exe 2620 Eekpknlf.exe 2724 Ejhhcdjm.exe 1076 Fpdqlkhe.exe 2168 Fjjeid32.exe 2100 Fpgmak32.exe 2160 Ffaeneno.exe 2164 Fdefgimi.exe -
Loads dropped DLL 64 IoCs
pid Process 1656 95d2a4bc68985e22059d295294c658c51eea1fcdaf493d6d1f04c418933f6423N.exe 1656 95d2a4bc68985e22059d295294c658c51eea1fcdaf493d6d1f04c418933f6423N.exe 3036 Jfkdik32.exe 3036 Jfkdik32.exe 2792 Jpfehq32.exe 2792 Jpfehq32.exe 2788 Kfbjjjci.exe 2788 Kfbjjjci.exe 2960 Khfcgbge.exe 2960 Khfcgbge.exe 2828 Khhpmbeb.exe 2828 Khhpmbeb.exe 2708 Kdoaackf.exe 2708 Kdoaackf.exe 2292 Lpfagd32.exe 2292 Lpfagd32.exe 2440 Laenqg32.exe 2440 Laenqg32.exe 2760 Lcignoki.exe 2760 Lcignoki.exe 2032 Lejppj32.exe 2032 Lejppj32.exe 1060 Lelmei32.exe 1060 Lelmei32.exe 2084 Maejpj32.exe 2084 Maejpj32.exe 1768 Mdhpgeeg.exe 1768 Mdhpgeeg.exe 2152 Mlcekgbb.exe 2152 Mlcekgbb.exe 2520 Nqamaeii.exe 2520 Nqamaeii.exe 1084 Nqdjge32.exe 1084 Nqdjge32.exe 928 Nfcoel32.exe 928 Nfcoel32.exe 340 Nnndin32.exe 340 Nnndin32.exe 2432 Nkbdbbop.exe 2432 Nkbdbbop.exe 440 Ogiegc32.exe 440 Ogiegc32.exe 1064 Oqcffi32.exe 1064 Oqcffi32.exe 1300 Ofqonp32.exe 1300 Ofqonp32.exe 1980 Ofcldoef.exe 1980 Ofcldoef.exe 2180 Ocglmcdp.exe 2180 Ocglmcdp.exe 2640 Pblinp32.exe 2640 Pblinp32.exe 796 Pifakj32.exe 796 Pifakj32.exe 2256 Pnefiq32.exe 2256 Pnefiq32.exe 2908 Pngcnpkg.exe 2908 Pngcnpkg.exe 2896 Pjndca32.exe 2896 Pjndca32.exe 2848 Qmomelml.exe 2848 Qmomelml.exe 2132 Aamekk32.exe 2132 Aamekk32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Pomcgf32.dll Fgmaphdg.exe File opened for modification C:\Windows\SysWOW64\Ajcpgi32.exe Qakkncmi.exe File created C:\Windows\SysWOW64\Pdijjmef.dll Cehlbihg.exe File created C:\Windows\SysWOW64\Poplqm32.exe Pbjoaibo.exe File created C:\Windows\SysWOW64\Eniokogi.dll Ajcpgi32.exe File created C:\Windows\SysWOW64\Maedlmdn.dll Hjaiaolb.exe File created C:\Windows\SysWOW64\Cjmfag32.dll Elpnmhgh.exe File created C:\Windows\SysWOW64\Glbcpokl.exe Gdgoll32.exe File created C:\Windows\SysWOW64\Kgqcam32.exe Kmkodd32.exe File opened for modification C:\Windows\SysWOW64\Qipmdhcj.exe Pccelqeb.exe File created C:\Windows\SysWOW64\Fjmdgmnl.exe Fcckjb32.exe File opened for modification C:\Windows\SysWOW64\Hcohbh32.exe Glbcpokl.exe File created C:\Windows\SysWOW64\Dgmfbf32.dll Ahjcqcdm.exe File created C:\Windows\SysWOW64\Gafemcch.dll Qgbfen32.exe File created C:\Windows\SysWOW64\Hhfcnkcn.dll Cmkkhfmn.exe File opened for modification C:\Windows\SysWOW64\Jcknqicd.exe Injlmcib.exe File created C:\Windows\SysWOW64\Qofnnj32.dll Eddlcgjb.exe File opened for modification C:\Windows\SysWOW64\Gjjcqpbj.exe Gdpkdf32.exe File created C:\Windows\SysWOW64\Begpdg32.dll Laenqg32.exe File opened for modification C:\Windows\SysWOW64\Gdpikmci.exe Ghihfl32.exe File created C:\Windows\SysWOW64\Njmhcj32.exe Npecjdaf.exe File opened for modification C:\Windows\SysWOW64\Nadpdg32.exe Njmhcj32.exe File opened for modification C:\Windows\SysWOW64\Ebkpma32.exe Ejpkho32.exe File created C:\Windows\SysWOW64\Imifpagp.exe Ifoncgpc.exe File created C:\Windows\SysWOW64\Kaojiqej.exe Kamncagl.exe File created C:\Windows\SysWOW64\Jjgihphj.dll Kamncagl.exe File created C:\Windows\SysWOW64\Mlidpopk.dll Mggoli32.exe File created C:\Windows\SysWOW64\Ekcmkamj.exe Edieng32.exe File created C:\Windows\SysWOW64\Gijlagpq.dll Qjofljho.exe File created C:\Windows\SysWOW64\Gniidaih.dll Befcne32.exe File opened for modification C:\Windows\SysWOW64\Jfkdik32.exe 95d2a4bc68985e22059d295294c658c51eea1fcdaf493d6d1f04c418933f6423N.exe File created C:\Windows\SysWOW64\Kfbjjjci.exe Jpfehq32.exe File opened for modification C:\Windows\SysWOW64\Laenqg32.exe Lpfagd32.exe File created C:\Windows\SysWOW64\Ikcpmieg.exe Idihponj.exe File created C:\Windows\SysWOW64\Mfkkek32.dll Pfjdmggb.exe File opened for modification C:\Windows\SysWOW64\Lpfagd32.exe Kdoaackf.exe File created C:\Windows\SysWOW64\Lkfibnjf.dll Ocglmcdp.exe File created C:\Windows\SysWOW64\Dclgbgbh.exe Djcbib32.exe File opened for modification C:\Windows\SysWOW64\Eqklhh32.exe Eddlcgjb.exe File created C:\Windows\SysWOW64\Hemggm32.exe Hlebog32.exe File created C:\Windows\SysWOW64\Kmdbkbpn.exe Kfkjnh32.exe File created C:\Windows\SysWOW64\Lkpekajj.dll Obdlcjkd.exe File created C:\Windows\SysWOW64\Nkpjfkhf.exe Nceeaikk.exe File created C:\Windows\SysWOW64\Npqbka32.dll 95d2a4bc68985e22059d295294c658c51eea1fcdaf493d6d1f04c418933f6423N.exe File opened for modification C:\Windows\SysWOW64\Mkhocj32.exe Mdnffpif.exe File opened for modification C:\Windows\SysWOW64\Edafjiqe.exe Egmeadbk.exe File created C:\Windows\SysWOW64\Injlmcib.exe Idojon32.exe File created C:\Windows\SysWOW64\Ihgpibnp.dll Aflmbj32.exe File created C:\Windows\SysWOW64\Cefpmiji.exe Cmkkhfmn.exe File created C:\Windows\SysWOW64\Gjjcqpbj.exe Gdpkdf32.exe File created C:\Windows\SysWOW64\Impblnna.exe Idgmch32.exe File created C:\Windows\SysWOW64\Dlpdifda.exe Dpicceon.exe File created C:\Windows\SysWOW64\Gdpkdf32.exe Gjhfkqdm.exe File created C:\Windows\SysWOW64\Melmba32.dll Apdobg32.exe File opened for modification C:\Windows\SysWOW64\Idihponj.exe Igeggkoq.exe File created C:\Windows\SysWOW64\Hgfqkokb.dll Pccelqeb.exe File opened for modification C:\Windows\SysWOW64\Gljfeimi.exe Gjgmhaim.exe File created C:\Windows\SysWOW64\Noepfkgh.exe Nihgndip.exe File created C:\Windows\SysWOW64\Ebkpma32.exe Ejpkho32.exe File opened for modification C:\Windows\SysWOW64\Dlpdifda.exe Dpicceon.exe File created C:\Windows\SysWOW64\Mkcdgd32.dll Idgmch32.exe File created C:\Windows\SysWOW64\Jfkdik32.exe 95d2a4bc68985e22059d295294c658c51eea1fcdaf493d6d1f04c418933f6423N.exe File created C:\Windows\SysWOW64\Gaibpa32.exe Gddbfm32.exe File opened for modification C:\Windows\SysWOW64\Kmkodd32.exe Jgnflmia.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4544 4520 WerFault.exe 350 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Andlmnki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgmaphdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gljfeimi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gapbbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebhjdc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdpikmci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jollgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biiljjnk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hddgkj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kamncagl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcdnpp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clphjc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpdqlkhe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlliof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caajmilh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgqcam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lppgfkpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdfejn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpicceon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdhpgeeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcokaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofmknifp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obfiijia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmkkhfmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idncdgai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhgkqmph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dklibf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lomdcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mamjchoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfpdcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhcoei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gajlcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nceeaikk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aamekk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpihog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gadidabc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhclfphg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlebog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpfagd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjndca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flpkll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbdghi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkihfi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lelmei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okjdfq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbjoaibo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Noajmlnj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdefgimi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mefiog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbienj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhejed32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bebjdjal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecfcle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcdkagga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofqonp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ommfibdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbagdq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Faopib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gddbfm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpfehq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhgbpb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Napfihmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddjpjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcohbh32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbiimp32.dll" Bncboo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mknaahhn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eddlcgjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkpekajj.dll" Obdlcjkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nohcedje.dll" Nldgdpjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idhcfhci.dll" Poplqm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbcjfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqkgeb32.dll" Cefpmiji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcnchg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnipcbbg.dll" Gadidabc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Indiodbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igjckcbo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apgnpo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pejnpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aipickfe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gjgmhaim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leghlp32.dll" Nnnmoh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Obfiijia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gjgmhaim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdbfpafn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" 95d2a4bc68985e22059d295294c658c51eea1fcdaf493d6d1f04c418933f6423N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdoaackf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdknfiea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hlliof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gajlcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qinack32.dll" Kmeknakn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dlbanfbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bffamejl.dll" Imifpagp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apgkaakf.dll" Lhnckp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdjgbloo.dll" Fcckjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdpgai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Epopff32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nkpjfkhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qipmdhcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pbjoaibo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nfcoel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aepipcbp.dll" Lkcehkeh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Momqbm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Khhpmbeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emcqpjhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bamdcf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Baeanl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdbdlp32.dll" Idojon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khdlhbmm.dll" Oindpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckeekp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qofnnj32.dll" Eddlcgjb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emieflec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nffpjfep.dll" Idihponj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ioebelhe.dll" Dlbanfbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Koggin32.dll" Gloppi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cehlbihg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpicceon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amcfpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpccqd32.dll" Nnkqih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfjjigo.dll" Ohikeegf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghfhkhhb.dll" Ecfcle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aflmbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eidcqahi.dll" Cnhjbjam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mofjof32.dll" Pifakj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmdbkbpn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Obdlcjkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncbilimn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djcbib32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kiaiooja.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1656 wrote to memory of 3036 1656 95d2a4bc68985e22059d295294c658c51eea1fcdaf493d6d1f04c418933f6423N.exe 29 PID 1656 wrote to memory of 3036 1656 95d2a4bc68985e22059d295294c658c51eea1fcdaf493d6d1f04c418933f6423N.exe 29 PID 1656 wrote to memory of 3036 1656 95d2a4bc68985e22059d295294c658c51eea1fcdaf493d6d1f04c418933f6423N.exe 29 PID 1656 wrote to memory of 3036 1656 95d2a4bc68985e22059d295294c658c51eea1fcdaf493d6d1f04c418933f6423N.exe 29 PID 3036 wrote to memory of 2792 3036 Jfkdik32.exe 30 PID 3036 wrote to memory of 2792 3036 Jfkdik32.exe 30 PID 3036 wrote to memory of 2792 3036 Jfkdik32.exe 30 PID 3036 wrote to memory of 2792 3036 Jfkdik32.exe 30 PID 2792 wrote to memory of 2788 2792 Jpfehq32.exe 31 PID 2792 wrote to memory of 2788 2792 Jpfehq32.exe 31 PID 2792 wrote to memory of 2788 2792 Jpfehq32.exe 31 PID 2792 wrote to memory of 2788 2792 Jpfehq32.exe 31 PID 2788 wrote to memory of 2960 2788 Kfbjjjci.exe 32 PID 2788 wrote to memory of 2960 2788 Kfbjjjci.exe 32 PID 2788 wrote to memory of 2960 2788 Kfbjjjci.exe 32 PID 2788 wrote to memory of 2960 2788 Kfbjjjci.exe 32 PID 2960 wrote to memory of 2828 2960 Khfcgbge.exe 33 PID 2960 wrote to memory of 2828 2960 Khfcgbge.exe 33 PID 2960 wrote to memory of 2828 2960 Khfcgbge.exe 33 PID 2960 wrote to memory of 2828 2960 Khfcgbge.exe 33 PID 2828 wrote to memory of 2708 2828 Khhpmbeb.exe 34 PID 2828 wrote to memory of 2708 2828 Khhpmbeb.exe 34 PID 2828 wrote to memory of 2708 2828 Khhpmbeb.exe 34 PID 2828 wrote to memory of 2708 2828 Khhpmbeb.exe 34 PID 2708 wrote to memory of 2292 2708 Kdoaackf.exe 35 PID 2708 wrote to memory of 2292 2708 Kdoaackf.exe 35 PID 2708 wrote to memory of 2292 2708 Kdoaackf.exe 35 PID 2708 wrote to memory of 2292 2708 Kdoaackf.exe 35 PID 2292 wrote to memory of 2440 2292 Lpfagd32.exe 36 PID 2292 wrote to memory of 2440 2292 Lpfagd32.exe 36 PID 2292 wrote to memory of 2440 2292 Lpfagd32.exe 36 PID 2292 wrote to memory of 2440 2292 Lpfagd32.exe 36 PID 2440 wrote to memory of 2760 2440 Laenqg32.exe 37 PID 2440 wrote to memory of 2760 2440 Laenqg32.exe 37 PID 2440 wrote to memory of 2760 2440 Laenqg32.exe 37 PID 2440 wrote to memory of 2760 2440 Laenqg32.exe 37 PID 2760 wrote to memory of 2032 2760 Lcignoki.exe 38 PID 2760 wrote to memory of 2032 2760 Lcignoki.exe 38 PID 2760 wrote to memory of 2032 2760 Lcignoki.exe 38 PID 2760 wrote to memory of 2032 2760 Lcignoki.exe 38 PID 2032 wrote to memory of 1060 2032 Lejppj32.exe 39 PID 2032 wrote to memory of 1060 2032 Lejppj32.exe 39 PID 2032 wrote to memory of 1060 2032 Lejppj32.exe 39 PID 2032 wrote to memory of 1060 2032 Lejppj32.exe 39 PID 1060 wrote to memory of 2084 1060 Lelmei32.exe 40 PID 1060 wrote to memory of 2084 1060 Lelmei32.exe 40 PID 1060 wrote to memory of 2084 1060 Lelmei32.exe 40 PID 1060 wrote to memory of 2084 1060 Lelmei32.exe 40 PID 2084 wrote to memory of 1768 2084 Maejpj32.exe 41 PID 2084 wrote to memory of 1768 2084 Maejpj32.exe 41 PID 2084 wrote to memory of 1768 2084 Maejpj32.exe 41 PID 2084 wrote to memory of 1768 2084 Maejpj32.exe 41 PID 1768 wrote to memory of 2152 1768 Mdhpgeeg.exe 42 PID 1768 wrote to memory of 2152 1768 Mdhpgeeg.exe 42 PID 1768 wrote to memory of 2152 1768 Mdhpgeeg.exe 42 PID 1768 wrote to memory of 2152 1768 Mdhpgeeg.exe 42 PID 2152 wrote to memory of 2520 2152 Mlcekgbb.exe 43 PID 2152 wrote to memory of 2520 2152 Mlcekgbb.exe 43 PID 2152 wrote to memory of 2520 2152 Mlcekgbb.exe 43 PID 2152 wrote to memory of 2520 2152 Mlcekgbb.exe 43 PID 2520 wrote to memory of 1084 2520 Nqamaeii.exe 44 PID 2520 wrote to memory of 1084 2520 Nqamaeii.exe 44 PID 2520 wrote to memory of 1084 2520 Nqamaeii.exe 44 PID 2520 wrote to memory of 1084 2520 Nqamaeii.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\95d2a4bc68985e22059d295294c658c51eea1fcdaf493d6d1f04c418933f6423N.exe"C:\Users\Admin\AppData\Local\Temp\95d2a4bc68985e22059d295294c658c51eea1fcdaf493d6d1f04c418933f6423N.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\SysWOW64\Jfkdik32.exeC:\Windows\system32\Jfkdik32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Windows\SysWOW64\Jpfehq32.exeC:\Windows\system32\Jpfehq32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Kfbjjjci.exeC:\Windows\system32\Kfbjjjci.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\Khfcgbge.exeC:\Windows\system32\Khfcgbge.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\Khhpmbeb.exeC:\Windows\system32\Khhpmbeb.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\Kdoaackf.exeC:\Windows\system32\Kdoaackf.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Lpfagd32.exeC:\Windows\system32\Lpfagd32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\SysWOW64\Laenqg32.exeC:\Windows\system32\Laenqg32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Windows\SysWOW64\Lcignoki.exeC:\Windows\system32\Lcignoki.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Lejppj32.exeC:\Windows\system32\Lejppj32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Windows\SysWOW64\Lelmei32.exeC:\Windows\system32\Lelmei32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1060 -
C:\Windows\SysWOW64\Maejpj32.exeC:\Windows\system32\Maejpj32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\SysWOW64\Mdhpgeeg.exeC:\Windows\system32\Mdhpgeeg.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1768 -
C:\Windows\SysWOW64\Mlcekgbb.exeC:\Windows\system32\Mlcekgbb.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Windows\SysWOW64\Nqamaeii.exeC:\Windows\system32\Nqamaeii.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\Nqdjge32.exeC:\Windows\system32\Nqdjge32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1084 -
C:\Windows\SysWOW64\Nfcoel32.exeC:\Windows\system32\Nfcoel32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:928 -
C:\Windows\SysWOW64\Nnndin32.exeC:\Windows\system32\Nnndin32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:340 -
C:\Windows\SysWOW64\Nkbdbbop.exeC:\Windows\system32\Nkbdbbop.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2432 -
C:\Windows\SysWOW64\Ogiegc32.exeC:\Windows\system32\Ogiegc32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:440 -
C:\Windows\SysWOW64\Oqcffi32.exeC:\Windows\system32\Oqcffi32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1064 -
C:\Windows\SysWOW64\Ofqonp32.exeC:\Windows\system32\Ofqonp32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1300 -
C:\Windows\SysWOW64\Ofcldoef.exeC:\Windows\system32\Ofcldoef.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1980 -
C:\Windows\SysWOW64\Ocglmcdp.exeC:\Windows\system32\Ocglmcdp.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2180 -
C:\Windows\SysWOW64\Pblinp32.exeC:\Windows\system32\Pblinp32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2640 -
C:\Windows\SysWOW64\Pifakj32.exeC:\Windows\system32\Pifakj32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:796 -
C:\Windows\SysWOW64\Pnefiq32.exeC:\Windows\system32\Pnefiq32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2256 -
C:\Windows\SysWOW64\Pngcnpkg.exeC:\Windows\system32\Pngcnpkg.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2908 -
C:\Windows\SysWOW64\Pjndca32.exeC:\Windows\system32\Pjndca32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2896 -
C:\Windows\SysWOW64\Qmomelml.exeC:\Windows\system32\Qmomelml.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2848 -
C:\Windows\SysWOW64\Aamekk32.exeC:\Windows\system32\Aamekk32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2132 -
C:\Windows\SysWOW64\Amcfpl32.exeC:\Windows\system32\Amcfpl32.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:2684 -
C:\Windows\SysWOW64\Aflkiapg.exeC:\Windows\system32\Aflkiapg.exe34⤵
- Executes dropped EXE
PID:2272 -
C:\Windows\SysWOW64\Apdobg32.exeC:\Windows\system32\Apdobg32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1188 -
C:\Windows\SysWOW64\Aecdpmbm.exeC:\Windows\system32\Aecdpmbm.exe36⤵
- Executes dropped EXE
PID:1928 -
C:\Windows\SysWOW64\Bdknfiea.exeC:\Windows\system32\Bdknfiea.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:3028 -
C:\Windows\SysWOW64\Bncboo32.exeC:\Windows\system32\Bncboo32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:2472 -
C:\Windows\SysWOW64\Bdpgai32.exeC:\Windows\system32\Bdpgai32.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:2192 -
C:\Windows\SysWOW64\Bnjipn32.exeC:\Windows\system32\Bnjipn32.exe40⤵
- Executes dropped EXE
PID:1988 -
C:\Windows\SysWOW64\Clpeajjb.exeC:\Windows\system32\Clpeajjb.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\Cblniaii.exeC:\Windows\system32\Cblniaii.exe42⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Cbagdq32.exeC:\Windows\system32\Cbagdq32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1280 -
C:\Windows\SysWOW64\Chkpakla.exeC:\Windows\system32\Chkpakla.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Dklibf32.exeC:\Windows\system32\Dklibf32.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1752 -
C:\Windows\SysWOW64\Djaedbnj.exeC:\Windows\system32\Djaedbnj.exe46⤵
- Executes dropped EXE
PID:1780 -
C:\Windows\SysWOW64\Djcbib32.exeC:\Windows\system32\Djcbib32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:960 -
C:\Windows\SysWOW64\Dclgbgbh.exeC:\Windows\system32\Dclgbgbh.exe48⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Djfooa32.exeC:\Windows\system32\Djfooa32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2532 -
C:\Windows\SysWOW64\Dcnchg32.exeC:\Windows\system32\Dcnchg32.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:2436 -
C:\Windows\SysWOW64\Diklpn32.exeC:\Windows\system32\Diklpn32.exe51⤵
- Executes dropped EXE
PID:1856 -
C:\Windows\SysWOW64\Ebcqicem.exeC:\Windows\system32\Ebcqicem.exe52⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Emieflec.exeC:\Windows\system32\Emieflec.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:2808 -
C:\Windows\SysWOW64\Enjand32.exeC:\Windows\system32\Enjand32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Elnagijk.exeC:\Windows\system32\Elnagijk.exe55⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Ebhjdc32.exeC:\Windows\system32\Ebhjdc32.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2676 -
C:\Windows\SysWOW64\Elpnmhgh.exeC:\Windows\system32\Elpnmhgh.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2660 -
C:\Windows\SysWOW64\Eeicenni.exeC:\Windows\system32\Eeicenni.exe58⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Eekpknlf.exeC:\Windows\system32\Eekpknlf.exe59⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Ejhhcdjm.exeC:\Windows\system32\Ejhhcdjm.exe60⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Fpdqlkhe.exeC:\Windows\system32\Fpdqlkhe.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1076 -
C:\Windows\SysWOW64\Fjjeid32.exeC:\Windows\system32\Fjjeid32.exe62⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Fpgmak32.exeC:\Windows\system32\Fpgmak32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2100 -
C:\Windows\SysWOW64\Ffaeneno.exeC:\Windows\system32\Ffaeneno.exe64⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Fdefgimi.exeC:\Windows\system32\Fdefgimi.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2164 -
C:\Windows\SysWOW64\Flpkll32.exeC:\Windows\system32\Flpkll32.exe66⤵
- System Location Discovery: System Language Discovery
PID:1020 -
C:\Windows\SysWOW64\Ffeoid32.exeC:\Windows\system32\Ffeoid32.exe67⤵PID:2916
-
C:\Windows\SysWOW64\Fhgkqmph.exeC:\Windows\system32\Fhgkqmph.exe68⤵
- System Location Discovery: System Language Discovery
PID:2028 -
C:\Windows\SysWOW64\Faopib32.exeC:\Windows\system32\Faopib32.exe69⤵
- System Location Discovery: System Language Discovery
PID:548 -
C:\Windows\SysWOW64\Ghihfl32.exeC:\Windows\system32\Ghihfl32.exe70⤵
- Drops file in System32 directory
PID:108 -
C:\Windows\SysWOW64\Gdpikmci.exeC:\Windows\system32\Gdpikmci.exe71⤵
- System Location Discovery: System Language Discovery
PID:2536 -
C:\Windows\SysWOW64\Gadidabc.exeC:\Windows\system32\Gadidabc.exe72⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2904 -
C:\Windows\SysWOW64\Gohjnf32.exeC:\Windows\system32\Gohjnf32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2824 -
C:\Windows\SysWOW64\Gddbfm32.exeC:\Windows\system32\Gddbfm32.exe74⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2836 -
C:\Windows\SysWOW64\Gaibpa32.exeC:\Windows\system32\Gaibpa32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2784 -
C:\Windows\SysWOW64\Gdgoll32.exeC:\Windows\system32\Gdgoll32.exe76⤵
- Drops file in System32 directory
PID:1640 -
C:\Windows\SysWOW64\Glbcpokl.exeC:\Windows\system32\Glbcpokl.exe77⤵
- Drops file in System32 directory
PID:3056 -
C:\Windows\SysWOW64\Hcohbh32.exeC:\Windows\system32\Hcohbh32.exe78⤵
- System Location Discovery: System Language Discovery
PID:2444 -
C:\Windows\SysWOW64\Hlgmkn32.exeC:\Windows\system32\Hlgmkn32.exe79⤵PID:2056
-
C:\Windows\SysWOW64\Heoadcmh.exeC:\Windows\system32\Heoadcmh.exe80⤵PID:2200
-
C:\Windows\SysWOW64\Hohfmi32.exeC:\Windows\system32\Hohfmi32.exe81⤵PID:2508
-
C:\Windows\SysWOW64\Hfanjcke.exeC:\Windows\system32\Hfanjcke.exe82⤵PID:2068
-
C:\Windows\SysWOW64\Hfdkoc32.exeC:\Windows\system32\Hfdkoc32.exe83⤵PID:968
-
C:\Windows\SysWOW64\Igeggkoq.exeC:\Windows\system32\Igeggkoq.exe84⤵
- Drops file in System32 directory
PID:2524 -
C:\Windows\SysWOW64\Idihponj.exeC:\Windows\system32\Idihponj.exe85⤵
- Drops file in System32 directory
- Modifies registry class
PID:2000 -
C:\Windows\SysWOW64\Ikcpmieg.exeC:\Windows\system32\Ikcpmieg.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1468 -
C:\Windows\SysWOW64\Iqpiepcn.exeC:\Windows\system32\Iqpiepcn.exe87⤵PID:696
-
C:\Windows\SysWOW64\Indiodbh.exeC:\Windows\system32\Indiodbh.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1604 -
C:\Windows\SysWOW64\Ifoncgpc.exeC:\Windows\system32\Ifoncgpc.exe89⤵
- Drops file in System32 directory
PID:2476 -
C:\Windows\SysWOW64\Imifpagp.exeC:\Windows\system32\Imifpagp.exe90⤵
- Modifies registry class
PID:1576 -
C:\Windows\SysWOW64\Igojmjgf.exeC:\Windows\system32\Igojmjgf.exe91⤵PID:2712
-
C:\Windows\SysWOW64\Imkbeqem.exeC:\Windows\system32\Imkbeqem.exe92⤵PID:952
-
C:\Windows\SysWOW64\Jcekbk32.exeC:\Windows\system32\Jcekbk32.exe93⤵PID:1236
-
C:\Windows\SysWOW64\Jjocoedg.exeC:\Windows\system32\Jjocoedg.exe94⤵PID:1312
-
C:\Windows\SysWOW64\Jollgl32.exeC:\Windows\system32\Jollgl32.exe95⤵
- System Location Discovery: System Language Discovery
PID:2020 -
C:\Windows\SysWOW64\Jidppaio.exeC:\Windows\system32\Jidppaio.exe96⤵PID:2236
-
C:\Windows\SysWOW64\Jnaihhgf.exeC:\Windows\system32\Jnaihhgf.exe97⤵PID:2096
-
C:\Windows\SysWOW64\Jgnflmia.exeC:\Windows\system32\Jgnflmia.exe98⤵
- Drops file in System32 directory
PID:1400 -
C:\Windows\SysWOW64\Kmkodd32.exeC:\Windows\system32\Kmkodd32.exe99⤵
- Drops file in System32 directory
PID:1724 -
C:\Windows\SysWOW64\Kgqcam32.exeC:\Windows\system32\Kgqcam32.exe100⤵
- System Location Discovery: System Language Discovery
PID:1540 -
C:\Windows\SysWOW64\Kmphpc32.exeC:\Windows\system32\Kmphpc32.exe101⤵PID:2284
-
C:\Windows\SysWOW64\Kfkjnh32.exeC:\Windows\system32\Kfkjnh32.exe102⤵
- Drops file in System32 directory
PID:2924 -
C:\Windows\SysWOW64\Kmdbkbpn.exeC:\Windows\system32\Kmdbkbpn.exe103⤵
- Modifies registry class
PID:2868 -
C:\Windows\SysWOW64\Kbajci32.exeC:\Windows\system32\Kbajci32.exe104⤵PID:2296
-
C:\Windows\SysWOW64\Lhnckp32.exeC:\Windows\system32\Lhnckp32.exe105⤵
- Modifies registry class
PID:1048 -
C:\Windows\SysWOW64\Lbdghi32.exeC:\Windows\system32\Lbdghi32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1356 -
C:\Windows\SysWOW64\Lojhmjag.exeC:\Windows\system32\Lojhmjag.exe107⤵PID:1488
-
C:\Windows\SysWOW64\Ledpjdid.exeC:\Windows\system32\Ledpjdid.exe108⤵PID:1016
-
C:\Windows\SysWOW64\Lhclfphg.exeC:\Windows\system32\Lhclfphg.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1876 -
C:\Windows\SysWOW64\Lomdcj32.exeC:\Windows\system32\Lomdcj32.exe110⤵
- System Location Discovery: System Language Discovery
PID:1288 -
C:\Windows\SysWOW64\Ldjmkq32.exeC:\Windows\system32\Ldjmkq32.exe111⤵PID:860
-
C:\Windows\SysWOW64\Lkcehkeh.exeC:\Windows\system32\Lkcehkeh.exe112⤵
- Modifies registry class
PID:940 -
C:\Windows\SysWOW64\Ldljqpli.exeC:\Windows\system32\Ldljqpli.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2356 -
C:\Windows\SysWOW64\Mdnffpif.exeC:\Windows\system32\Mdnffpif.exe114⤵
- Drops file in System32 directory
PID:2936 -
C:\Windows\SysWOW64\Mkhocj32.exeC:\Windows\system32\Mkhocj32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2776 -
C:\Windows\SysWOW64\Mpegka32.exeC:\Windows\system32\Mpegka32.exe116⤵PID:1808
-
C:\Windows\SysWOW64\Mgoohk32.exeC:\Windows\system32\Mgoohk32.exe117⤵PID:1340
-
C:\Windows\SysWOW64\Mmigdend.exeC:\Windows\system32\Mmigdend.exe118⤵PID:2232
-
C:\Windows\SysWOW64\Mojdlm32.exeC:\Windows\system32\Mojdlm32.exe119⤵PID:2348
-
C:\Windows\SysWOW64\Mgalnk32.exeC:\Windows\system32\Mgalnk32.exe120⤵PID:1804
-
C:\Windows\SysWOW64\Mlndfa32.exeC:\Windows\system32\Mlndfa32.exe121⤵PID:1672
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-