Analysis
-
max time kernel
90s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system -
submitted
06/03/2025, 23:34
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
28cf9ca537f5bf7e52822e16c09415beb5dbdd93d9eb015bceed0f5677d0c389.exe
Resource
win7-20241010-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
28cf9ca537f5bf7e52822e16c09415beb5dbdd93d9eb015bceed0f5677d0c389.exe
Resource
win10v2004-20250217-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
28cf9ca537f5bf7e52822e16c09415beb5dbdd93d9eb015bceed0f5677d0c389.exe
-
Size
64KB
-
MD5
832c2f17e53d462bb1d276f1582d6eac
-
SHA1
835cb369ded17276b1a5b21c4aea22f8c96ea703
-
SHA256
28cf9ca537f5bf7e52822e16c09415beb5dbdd93d9eb015bceed0f5677d0c389
-
SHA512
37bc61bf222e310d009d51be406fa5de54adee2ebfd78f0e28446af327c3001b950f80a66a9e47e3518d1a1b3d665248bbbfbda10d7c7ca445e91faf72d532fb
-
SSDEEP
768:Hl+b0l9lP/gBVKOBERH4AfHuE1k62p/1H5eXdnh3F+FoQAyLQ2:Hl+Yl9ZYCOB0sEW62LGRF+FoQs2
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jaajhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kefiopki.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhenai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlofcf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfihbk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dqbcbkab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egohdegl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbgkei32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcaipa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eqgmmk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fganqbgg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Geldkfpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcegclgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eqlfhjig.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gejhef32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqhoeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkhpfbce.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqaiecjd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmmlla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhqefjpo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnajppda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbkkik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nqfbpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Geanfelc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbmohmoh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgjoif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dglkoeio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcoccc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kemooo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Noppeaed.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obgohklm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gghdaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Haaaaeim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iefphb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gngeik32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lepleocn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbgeqmjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocihgnam.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fqeioiam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpqggh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhcali32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpapnfhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fqeioiam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glfmgp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhdcmp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhifomdj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jihbip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjggal32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbiockdj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pciqnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dqbcbkab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fniihmpf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqgmmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hahokfag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hecjke32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcoljagj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojqcnhkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eohmkb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmcpoedn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iimcma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilkoim32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lafmjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofegni32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkfcqb32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2236 Dnajppda.exe 4996 Dqpfmlce.exe 4740 Dgjoif32.exe 2240 Dndgfpbo.exe 2456 Dqbcbkab.exe 1492 Dglkoeio.exe 4956 Doccpcja.exe 396 Ebaplnie.exe 1472 Edplhjhi.exe 4652 Egohdegl.exe 1216 Eoepebho.exe 2720 Enhpao32.exe 4552 Eqgmmk32.exe 116 Egaejeej.exe 2584 Eohmkb32.exe 3856 Ebfign32.exe 2568 Edeeci32.exe 1192 Ekonpckp.exe 2160 Eqlfhjig.exe 4076 Egened32.exe 1084 Enpfan32.exe 1964 Ebkbbmqj.exe 4892 Edionhpn.exe 2528 Eghkjdoa.exe 4376 Fooclapd.exe 1664 Fbmohmoh.exe 3404 Fqppci32.exe 4308 Fgjhpcmo.exe 840 Fkfcqb32.exe 628 Fbplml32.exe 1808 Fqbliicp.exe 4460 Fijdjfdb.exe 5052 Fkhpfbce.exe 1580 Fnfmbmbi.exe 976 Fqeioiam.exe 2000 Feqeog32.exe 2588 Fkjmlaac.exe 3616 Fniihmpf.exe 932 Fecadghc.exe 3972 Finnef32.exe 1184 Fganqbgg.exe 4544 Fohfbpgi.exe 4232 Fbgbnkfm.exe 2220 Feenjgfq.exe 2784 Fgcjfbed.exe 4732 Gokbgpeg.exe 2724 Gbiockdj.exe 1548 Gegkpf32.exe 3052 Ggfglb32.exe 3676 Gpmomo32.exe 2072 Gbkkik32.exe 3008 Gejhef32.exe 436 Gghdaa32.exe 2880 Gpolbo32.exe 544 Gbnhoj32.exe 2812 Geldkfpi.exe 212 Glfmgp32.exe 1680 Gndick32.exe 3904 Gacepg32.exe 2400 Gijmad32.exe 4528 Ggmmlamj.exe 2432 Gpdennml.exe 3612 Gngeik32.exe 4404 Gbbajjlp.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Nblolm32.exe Mqjbddpl.exe File created C:\Windows\SysWOW64\Nfihbk32.exe Noppeaed.exe File created C:\Windows\SysWOW64\Dkjfaikb.dll Ofegni32.exe File created C:\Windows\SysWOW64\Mjaonjaj.dll Ebkbbmqj.exe File created C:\Windows\SysWOW64\Lhcali32.exe Laiipofp.exe File created C:\Windows\SysWOW64\Laiimcij.dll Lpochfji.exe File created C:\Windows\SysWOW64\Mqjbddpl.exe Mlofcf32.exe File opened for modification C:\Windows\SysWOW64\Nhegig32.exe Nblolm32.exe File opened for modification C:\Windows\SysWOW64\Enpfan32.exe Egened32.exe File opened for modification C:\Windows\SysWOW64\Hejqldci.exe Haodle32.exe File created C:\Windows\SysWOW64\Ieagmcmq.exe Ibcjqgnm.exe File created C:\Windows\SysWOW64\Ebdoljdi.dll Mcaipa32.exe File created C:\Windows\SysWOW64\Iheocj32.dll Pbekii32.exe File created C:\Windows\SysWOW64\Pmmlla32.exe Pcegclgp.exe File created C:\Windows\SysWOW64\Gcilohid.dll Ppnenlka.exe File created C:\Windows\SysWOW64\Edionhpn.exe Ebkbbmqj.exe File created C:\Windows\SysWOW64\Chbfoaba.dll Hahokfag.exe File opened for modification C:\Windows\SysWOW64\Ieagmcmq.exe Ibcjqgnm.exe File opened for modification C:\Windows\SysWOW64\Jhifomdj.exe Jifecp32.exe File opened for modification C:\Windows\SysWOW64\Kcoccc32.exe Kpqggh32.exe File created C:\Windows\SysWOW64\Khlaie32.dll Mlhqcgnk.exe File created C:\Windows\SysWOW64\Maenpfhk.dll Oqhoeb32.exe File opened for modification C:\Windows\SysWOW64\Dgjoif32.exe Dqpfmlce.exe File created C:\Windows\SysWOW64\Ohlemeao.dll Jihbip32.exe File opened for modification C:\Windows\SysWOW64\Joekag32.exe Jlgoek32.exe File opened for modification C:\Windows\SysWOW64\Likhem32.exe Lepleocn.exe File created C:\Windows\SysWOW64\Ebdpoomj.dll Ockdmmoj.exe File created C:\Windows\SysWOW64\Eghkjdoa.exe Edionhpn.exe File opened for modification C:\Windows\SysWOW64\Gejhef32.exe Gbkkik32.exe File opened for modification C:\Windows\SysWOW64\Ieccbbkn.exe Ibegfglj.exe File created C:\Windows\SysWOW64\Pnjiffif.dll Iamamcop.exe File created C:\Windows\SysWOW64\Jhnojl32.exe Jadgnb32.exe File opened for modification C:\Windows\SysWOW64\Kplmliko.exe Klpakj32.exe File opened for modification C:\Windows\SysWOW64\Mcoljagj.exe Mpapnfhg.exe File opened for modification C:\Windows\SysWOW64\Egaejeej.exe Eqgmmk32.exe File created C:\Windows\SysWOW64\Fkjmlaac.exe Feqeog32.exe File created C:\Windows\SysWOW64\Ecipcemb.dll Fgcjfbed.exe File created C:\Windows\SysWOW64\Fjohgj32.dll Kekbjo32.exe File created C:\Windows\SysWOW64\Nfldgk32.exe Ncmhko32.exe File created C:\Windows\SysWOW64\Oiikeffm.dll Dnajppda.exe File created C:\Windows\SysWOW64\Blnfhilh.dll Hpioin32.exe File created C:\Windows\SysWOW64\Kolabf32.exe Klndfj32.exe File opened for modification C:\Windows\SysWOW64\Edeeci32.exe Ebfign32.exe File created C:\Windows\SysWOW64\Dnajppda.exe 28cf9ca537f5bf7e52822e16c09415beb5dbdd93d9eb015bceed0f5677d0c389.exe File opened for modification C:\Windows\SysWOW64\Gpmomo32.exe Ggfglb32.exe File created C:\Windows\SysWOW64\Jocnlg32.exe Jldbpl32.exe File created C:\Windows\SysWOW64\Mcaipa32.exe Mlhqcgnk.exe File created C:\Windows\SysWOW64\Fldeljei.dll Mjlalkmd.exe File opened for modification C:\Windows\SysWOW64\Niojoeel.exe Nfqnbjfi.exe File created C:\Windows\SysWOW64\Eapjpi32.dll Pcgdhkem.exe File created C:\Windows\SysWOW64\Ilphdlqh.exe Iefphb32.exe File created C:\Windows\SysWOW64\Nijqcf32.exe Nfldgk32.exe File opened for modification C:\Windows\SysWOW64\Enhpao32.exe Eoepebho.exe File created C:\Windows\SysWOW64\Focanl32.dll Fooclapd.exe File opened for modification C:\Windows\SysWOW64\Fijdjfdb.exe Fqbliicp.exe File opened for modification C:\Windows\SysWOW64\Haodle32.exe Hpmhdmea.exe File opened for modification C:\Windows\SysWOW64\Iamamcop.exe Ipkdek32.exe File created C:\Windows\SysWOW64\Khnhommq.dll Jbepme32.exe File opened for modification C:\Windows\SysWOW64\Kofdhd32.exe Kpccmhdg.exe File created C:\Windows\SysWOW64\Nhegig32.exe Nblolm32.exe File created C:\Windows\SysWOW64\Fohfbpgi.exe Fganqbgg.exe File created C:\Windows\SysWOW64\Hhaggp32.exe Hecjke32.exe File created C:\Windows\SysWOW64\Jlgoek32.exe Jhkbdmbg.exe File created C:\Windows\SysWOW64\Jojdlfeo.exe Jllhpkfk.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7264 8164 WerFault.exe 319 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gndick32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Niojoeel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieccbbkn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jaajhb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kefiopki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doccpcja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnfmbmbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhenai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obqanjdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fooclapd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mledmg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gejhef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpolbo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kemooo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gngeik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhqefjpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edeeci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geldkfpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hahokfag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhaggp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Haodle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kifojnol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmhijd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Likhem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqaiecjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbbeml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fohfbpgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpccmhdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edplhjhi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Feenjgfq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egohdegl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhcali32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlhqcgnk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmcpoedn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqklkbbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojcpdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kplmliko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcgdhkem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpqggh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocdnln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obnehj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pififb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqgmmk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gacepg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jafdcbge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfldgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjggal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egaejeej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jllhpkfk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcclncbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqfbpb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqhoeb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jifecp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbgeqmjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhegig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppgomnai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilkoim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klbnajqc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojemig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebkbbmqj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iimcma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lchfib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpapnfhg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcfbkpab.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dndgfpbo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jidinqpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhenai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpbgeaba.dll" Mohidbkl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmhijd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmhijd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Niojoeel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oqklkbbi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Haodle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmdaih32.dll" Kemooo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khlaie32.dll" Mlhqcgnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjpjgj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ockdmmoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Obnehj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjmnkgfc.dll" Ibcjqgnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcclncbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oqoefand.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paoinm32.dll" Fqeioiam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpmhdmea.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jihbip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pciqnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpkcqhdh.dll" Doccpcja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kihgqfld.dll" Geldkfpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pncepolj.dll" Gijmad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iacngdgj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lebijnak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghcfpl32.dll" Nblolm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gokbgpeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Laiipofp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mapppn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mlofcf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhegig32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojemig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kofdhd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lohqnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgnpek32.dll" Lllagh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pcgdhkem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpepbgbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ieagmcmq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ilkoim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npmknd32.dll" Jhifomdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pekihfdc.dll" Jimldogg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbgbnkfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hlppno32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hahokfag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amhmnagf.dll" Jhnojl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nndbpeal.dll" Glfmgp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibegfglj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jlgoek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdhlclpe.dll" Kiphjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Noppeaed.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmcpoedn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnndji32.dll" Omopjcjp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pciqnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Doccpcja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klambq32.dll" Fgjhpcmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eecgicmp.dll" Fbgbnkfm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Feenjgfq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipkdek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jihbip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lepleocn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Egaejeej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gpmomo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajhapb32.dll" Nhegig32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3156 wrote to memory of 2236 3156 28cf9ca537f5bf7e52822e16c09415beb5dbdd93d9eb015bceed0f5677d0c389.exe 86 PID 3156 wrote to memory of 2236 3156 28cf9ca537f5bf7e52822e16c09415beb5dbdd93d9eb015bceed0f5677d0c389.exe 86 PID 3156 wrote to memory of 2236 3156 28cf9ca537f5bf7e52822e16c09415beb5dbdd93d9eb015bceed0f5677d0c389.exe 86 PID 2236 wrote to memory of 4996 2236 Dnajppda.exe 87 PID 2236 wrote to memory of 4996 2236 Dnajppda.exe 87 PID 2236 wrote to memory of 4996 2236 Dnajppda.exe 87 PID 4996 wrote to memory of 4740 4996 Dqpfmlce.exe 88 PID 4996 wrote to memory of 4740 4996 Dqpfmlce.exe 88 PID 4996 wrote to memory of 4740 4996 Dqpfmlce.exe 88 PID 4740 wrote to memory of 2240 4740 Dgjoif32.exe 89 PID 4740 wrote to memory of 2240 4740 Dgjoif32.exe 89 PID 4740 wrote to memory of 2240 4740 Dgjoif32.exe 89 PID 2240 wrote to memory of 2456 2240 Dndgfpbo.exe 90 PID 2240 wrote to memory of 2456 2240 Dndgfpbo.exe 90 PID 2240 wrote to memory of 2456 2240 Dndgfpbo.exe 90 PID 2456 wrote to memory of 1492 2456 Dqbcbkab.exe 91 PID 2456 wrote to memory of 1492 2456 Dqbcbkab.exe 91 PID 2456 wrote to memory of 1492 2456 Dqbcbkab.exe 91 PID 1492 wrote to memory of 4956 1492 Dglkoeio.exe 92 PID 1492 wrote to memory of 4956 1492 Dglkoeio.exe 92 PID 1492 wrote to memory of 4956 1492 Dglkoeio.exe 92 PID 4956 wrote to memory of 396 4956 Doccpcja.exe 93 PID 4956 wrote to memory of 396 4956 Doccpcja.exe 93 PID 4956 wrote to memory of 396 4956 Doccpcja.exe 93 PID 396 wrote to memory of 1472 396 Ebaplnie.exe 94 PID 396 wrote to memory of 1472 396 Ebaplnie.exe 94 PID 396 wrote to memory of 1472 396 Ebaplnie.exe 94 PID 1472 wrote to memory of 4652 1472 Edplhjhi.exe 96 PID 1472 wrote to memory of 4652 1472 Edplhjhi.exe 96 PID 1472 wrote to memory of 4652 1472 Edplhjhi.exe 96 PID 4652 wrote to memory of 1216 4652 Egohdegl.exe 97 PID 4652 wrote to memory of 1216 4652 Egohdegl.exe 97 PID 4652 wrote to memory of 1216 4652 Egohdegl.exe 97 PID 1216 wrote to memory of 2720 1216 Eoepebho.exe 98 PID 1216 wrote to memory of 2720 1216 Eoepebho.exe 98 PID 1216 wrote to memory of 2720 1216 Eoepebho.exe 98 PID 2720 wrote to memory of 4552 2720 Enhpao32.exe 99 PID 2720 wrote to memory of 4552 2720 Enhpao32.exe 99 PID 2720 wrote to memory of 4552 2720 Enhpao32.exe 99 PID 4552 wrote to memory of 116 4552 Eqgmmk32.exe 100 PID 4552 wrote to memory of 116 4552 Eqgmmk32.exe 100 PID 4552 wrote to memory of 116 4552 Eqgmmk32.exe 100 PID 116 wrote to memory of 2584 116 Egaejeej.exe 102 PID 116 wrote to memory of 2584 116 Egaejeej.exe 102 PID 116 wrote to memory of 2584 116 Egaejeej.exe 102 PID 2584 wrote to memory of 3856 2584 Eohmkb32.exe 103 PID 2584 wrote to memory of 3856 2584 Eohmkb32.exe 103 PID 2584 wrote to memory of 3856 2584 Eohmkb32.exe 103 PID 3856 wrote to memory of 2568 3856 Ebfign32.exe 104 PID 3856 wrote to memory of 2568 3856 Ebfign32.exe 104 PID 3856 wrote to memory of 2568 3856 Ebfign32.exe 104 PID 2568 wrote to memory of 1192 2568 Edeeci32.exe 105 PID 2568 wrote to memory of 1192 2568 Edeeci32.exe 105 PID 2568 wrote to memory of 1192 2568 Edeeci32.exe 105 PID 1192 wrote to memory of 2160 1192 Ekonpckp.exe 106 PID 1192 wrote to memory of 2160 1192 Ekonpckp.exe 106 PID 1192 wrote to memory of 2160 1192 Ekonpckp.exe 106 PID 2160 wrote to memory of 4076 2160 Eqlfhjig.exe 108 PID 2160 wrote to memory of 4076 2160 Eqlfhjig.exe 108 PID 2160 wrote to memory of 4076 2160 Eqlfhjig.exe 108 PID 4076 wrote to memory of 1084 4076 Egened32.exe 109 PID 4076 wrote to memory of 1084 4076 Egened32.exe 109 PID 4076 wrote to memory of 1084 4076 Egened32.exe 109 PID 1084 wrote to memory of 1964 1084 Enpfan32.exe 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\28cf9ca537f5bf7e52822e16c09415beb5dbdd93d9eb015bceed0f5677d0c389.exe"C:\Users\Admin\AppData\Local\Temp\28cf9ca537f5bf7e52822e16c09415beb5dbdd93d9eb015bceed0f5677d0c389.exe"1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3156 -
C:\Windows\SysWOW64\Dnajppda.exeC:\Windows\system32\Dnajppda.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\Dqpfmlce.exeC:\Windows\system32\Dqpfmlce.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4996 -
C:\Windows\SysWOW64\Dgjoif32.exeC:\Windows\system32\Dgjoif32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4740 -
C:\Windows\SysWOW64\Dndgfpbo.exeC:\Windows\system32\Dndgfpbo.exe5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\Dqbcbkab.exeC:\Windows\system32\Dqbcbkab.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Windows\SysWOW64\Dglkoeio.exeC:\Windows\system32\Dglkoeio.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1492 -
C:\Windows\SysWOW64\Doccpcja.exeC:\Windows\system32\Doccpcja.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4956 -
C:\Windows\SysWOW64\Ebaplnie.exeC:\Windows\system32\Ebaplnie.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:396 -
C:\Windows\SysWOW64\Edplhjhi.exeC:\Windows\system32\Edplhjhi.exe10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1472 -
C:\Windows\SysWOW64\Egohdegl.exeC:\Windows\system32\Egohdegl.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4652 -
C:\Windows\SysWOW64\Eoepebho.exeC:\Windows\system32\Eoepebho.exe12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1216 -
C:\Windows\SysWOW64\Enhpao32.exeC:\Windows\system32\Enhpao32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Eqgmmk32.exeC:\Windows\system32\Eqgmmk32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4552 -
C:\Windows\SysWOW64\Egaejeej.exeC:\Windows\system32\Egaejeej.exe15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:116 -
C:\Windows\SysWOW64\Eohmkb32.exeC:\Windows\system32\Eohmkb32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Ebfign32.exeC:\Windows\system32\Ebfign32.exe17⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3856 -
C:\Windows\SysWOW64\Edeeci32.exeC:\Windows\system32\Edeeci32.exe18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\Ekonpckp.exeC:\Windows\system32\Ekonpckp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1192 -
C:\Windows\SysWOW64\Eqlfhjig.exeC:\Windows\system32\Eqlfhjig.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Windows\SysWOW64\Egened32.exeC:\Windows\system32\Egened32.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4076 -
C:\Windows\SysWOW64\Enpfan32.exeC:\Windows\system32\Enpfan32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1084 -
C:\Windows\SysWOW64\Ebkbbmqj.exeC:\Windows\system32\Ebkbbmqj.exe23⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1964 -
C:\Windows\SysWOW64\Edionhpn.exeC:\Windows\system32\Edionhpn.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4892 -
C:\Windows\SysWOW64\Eghkjdoa.exeC:\Windows\system32\Eghkjdoa.exe25⤵
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Fooclapd.exeC:\Windows\system32\Fooclapd.exe26⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4376 -
C:\Windows\SysWOW64\Fbmohmoh.exeC:\Windows\system32\Fbmohmoh.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Fqppci32.exeC:\Windows\system32\Fqppci32.exe28⤵
- Executes dropped EXE
PID:3404 -
C:\Windows\SysWOW64\Fgjhpcmo.exeC:\Windows\system32\Fgjhpcmo.exe29⤵
- Executes dropped EXE
- Modifies registry class
PID:4308 -
C:\Windows\SysWOW64\Fkfcqb32.exeC:\Windows\system32\Fkfcqb32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:840 -
C:\Windows\SysWOW64\Fbplml32.exeC:\Windows\system32\Fbplml32.exe31⤵
- Executes dropped EXE
PID:628 -
C:\Windows\SysWOW64\Fqbliicp.exeC:\Windows\system32\Fqbliicp.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1808 -
C:\Windows\SysWOW64\Fijdjfdb.exeC:\Windows\system32\Fijdjfdb.exe33⤵
- Executes dropped EXE
PID:4460 -
C:\Windows\SysWOW64\Fkhpfbce.exeC:\Windows\system32\Fkhpfbce.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5052 -
C:\Windows\SysWOW64\Fnfmbmbi.exeC:\Windows\system32\Fnfmbmbi.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1580 -
C:\Windows\SysWOW64\Fqeioiam.exeC:\Windows\system32\Fqeioiam.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:976 -
C:\Windows\SysWOW64\Feqeog32.exeC:\Windows\system32\Feqeog32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2000 -
C:\Windows\SysWOW64\Fkjmlaac.exeC:\Windows\system32\Fkjmlaac.exe38⤵
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Fniihmpf.exeC:\Windows\system32\Fniihmpf.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3616 -
C:\Windows\SysWOW64\Fecadghc.exeC:\Windows\system32\Fecadghc.exe40⤵
- Executes dropped EXE
PID:932 -
C:\Windows\SysWOW64\Finnef32.exeC:\Windows\system32\Finnef32.exe41⤵
- Executes dropped EXE
PID:3972 -
C:\Windows\SysWOW64\Fganqbgg.exeC:\Windows\system32\Fganqbgg.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1184 -
C:\Windows\SysWOW64\Fohfbpgi.exeC:\Windows\system32\Fohfbpgi.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4544 -
C:\Windows\SysWOW64\Fbgbnkfm.exeC:\Windows\system32\Fbgbnkfm.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:4232 -
C:\Windows\SysWOW64\Feenjgfq.exeC:\Windows\system32\Feenjgfq.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2220 -
C:\Windows\SysWOW64\Fgcjfbed.exeC:\Windows\system32\Fgcjfbed.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2784 -
C:\Windows\SysWOW64\Gokbgpeg.exeC:\Windows\system32\Gokbgpeg.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:4732 -
C:\Windows\SysWOW64\Gbiockdj.exeC:\Windows\system32\Gbiockdj.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Gegkpf32.exeC:\Windows\system32\Gegkpf32.exe49⤵
- Executes dropped EXE
PID:1548 -
C:\Windows\SysWOW64\Ggfglb32.exeC:\Windows\system32\Ggfglb32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3052 -
C:\Windows\SysWOW64\Gpmomo32.exeC:\Windows\system32\Gpmomo32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:3676 -
C:\Windows\SysWOW64\Gbkkik32.exeC:\Windows\system32\Gbkkik32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2072 -
C:\Windows\SysWOW64\Gejhef32.exeC:\Windows\system32\Gejhef32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3008 -
C:\Windows\SysWOW64\Gghdaa32.exeC:\Windows\system32\Gghdaa32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:436 -
C:\Windows\SysWOW64\Gpolbo32.exeC:\Windows\system32\Gpolbo32.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2880 -
C:\Windows\SysWOW64\Gbnhoj32.exeC:\Windows\system32\Gbnhoj32.exe56⤵
- Executes dropped EXE
PID:544 -
C:\Windows\SysWOW64\Geldkfpi.exeC:\Windows\system32\Geldkfpi.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2812 -
C:\Windows\SysWOW64\Glfmgp32.exeC:\Windows\system32\Glfmgp32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:212 -
C:\Windows\SysWOW64\Gndick32.exeC:\Windows\system32\Gndick32.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1680 -
C:\Windows\SysWOW64\Gacepg32.exeC:\Windows\system32\Gacepg32.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3904 -
C:\Windows\SysWOW64\Gijmad32.exeC:\Windows\system32\Gijmad32.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:2400 -
C:\Windows\SysWOW64\Ggmmlamj.exeC:\Windows\system32\Ggmmlamj.exe62⤵
- Executes dropped EXE
PID:4528 -
C:\Windows\SysWOW64\Gpdennml.exeC:\Windows\system32\Gpdennml.exe63⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Gngeik32.exeC:\Windows\system32\Gngeik32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3612 -
C:\Windows\SysWOW64\Gbbajjlp.exeC:\Windows\system32\Gbbajjlp.exe65⤵
- Executes dropped EXE
PID:4404 -
C:\Windows\SysWOW64\Geanfelc.exeC:\Windows\system32\Geanfelc.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4072 -
C:\Windows\SysWOW64\Giljfddl.exeC:\Windows\system32\Giljfddl.exe67⤵PID:4268
-
C:\Windows\SysWOW64\Hlkfbocp.exeC:\Windows\system32\Hlkfbocp.exe68⤵PID:3732
-
C:\Windows\SysWOW64\Hnibokbd.exeC:\Windows\system32\Hnibokbd.exe69⤵PID:2524
-
C:\Windows\SysWOW64\Hahokfag.exeC:\Windows\system32\Hahokfag.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4836 -
C:\Windows\SysWOW64\Hecjke32.exeC:\Windows\system32\Hecjke32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4660 -
C:\Windows\SysWOW64\Hhaggp32.exeC:\Windows\system32\Hhaggp32.exe72⤵
- System Location Discovery: System Language Discovery
PID:3208 -
C:\Windows\SysWOW64\Hpioin32.exeC:\Windows\system32\Hpioin32.exe73⤵
- Drops file in System32 directory
PID:4324 -
C:\Windows\SysWOW64\Hbgkei32.exeC:\Windows\system32\Hbgkei32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1176 -
C:\Windows\SysWOW64\Hajkqfoe.exeC:\Windows\system32\Hajkqfoe.exe75⤵PID:4260
-
C:\Windows\SysWOW64\Hhdcmp32.exeC:\Windows\system32\Hhdcmp32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3680 -
C:\Windows\SysWOW64\Hlppno32.exeC:\Windows\system32\Hlppno32.exe77⤵
- Modifies registry class
PID:4896 -
C:\Windows\SysWOW64\Hicpgc32.exeC:\Windows\system32\Hicpgc32.exe78⤵PID:2580
-
C:\Windows\SysWOW64\Hhfpbpdo.exeC:\Windows\system32\Hhfpbpdo.exe79⤵PID:3824
-
C:\Windows\SysWOW64\Hpmhdmea.exeC:\Windows\system32\Hpmhdmea.exe80⤵
- Drops file in System32 directory
- Modifies registry class
PID:636 -
C:\Windows\SysWOW64\Haodle32.exeC:\Windows\system32\Haodle32.exe81⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:828 -
C:\Windows\SysWOW64\Hejqldci.exeC:\Windows\system32\Hejqldci.exe82⤵PID:1856
-
C:\Windows\SysWOW64\Hppeim32.exeC:\Windows\system32\Hppeim32.exe83⤵PID:3540
-
C:\Windows\SysWOW64\Haaaaeim.exeC:\Windows\system32\Haaaaeim.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5132 -
C:\Windows\SysWOW64\Hihibbjo.exeC:\Windows\system32\Hihibbjo.exe85⤵PID:5176
-
C:\Windows\SysWOW64\Ilfennic.exeC:\Windows\system32\Ilfennic.exe86⤵PID:5220
-
C:\Windows\SysWOW64\Iacngdgj.exeC:\Windows\system32\Iacngdgj.exe87⤵
- Modifies registry class
PID:5264 -
C:\Windows\SysWOW64\Ilibdmgp.exeC:\Windows\system32\Ilibdmgp.exe88⤵PID:5308
-
C:\Windows\SysWOW64\Ibcjqgnm.exeC:\Windows\system32\Ibcjqgnm.exe89⤵
- Drops file in System32 directory
- Modifies registry class
PID:5352 -
C:\Windows\SysWOW64\Ieagmcmq.exeC:\Windows\system32\Ieagmcmq.exe90⤵
- Modifies registry class
PID:5396 -
C:\Windows\SysWOW64\Iimcma32.exeC:\Windows\system32\Iimcma32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5440 -
C:\Windows\SysWOW64\Ilkoim32.exeC:\Windows\system32\Ilkoim32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5480 -
C:\Windows\SysWOW64\Ipgkjlmg.exeC:\Windows\system32\Ipgkjlmg.exe93⤵PID:5528
-
C:\Windows\SysWOW64\Ibegfglj.exeC:\Windows\system32\Ibegfglj.exe94⤵
- Drops file in System32 directory
- Modifies registry class
PID:5568 -
C:\Windows\SysWOW64\Ieccbbkn.exeC:\Windows\system32\Ieccbbkn.exe95⤵
- System Location Discovery: System Language Discovery
PID:5616 -
C:\Windows\SysWOW64\Iiopca32.exeC:\Windows\system32\Iiopca32.exe96⤵PID:5660
-
C:\Windows\SysWOW64\Iolhkh32.exeC:\Windows\system32\Iolhkh32.exe97⤵PID:5704
-
C:\Windows\SysWOW64\Ibgdlg32.exeC:\Windows\system32\Ibgdlg32.exe98⤵PID:5752
-
C:\Windows\SysWOW64\Iefphb32.exeC:\Windows\system32\Iefphb32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5796 -
C:\Windows\SysWOW64\Ilphdlqh.exeC:\Windows\system32\Ilphdlqh.exe100⤵PID:5840
-
C:\Windows\SysWOW64\Ipkdek32.exeC:\Windows\system32\Ipkdek32.exe101⤵
- Drops file in System32 directory
- Modifies registry class
PID:5884 -
C:\Windows\SysWOW64\Iamamcop.exeC:\Windows\system32\Iamamcop.exe102⤵
- Drops file in System32 directory
PID:5948 -
C:\Windows\SysWOW64\Jidinqpb.exeC:\Windows\system32\Jidinqpb.exe103⤵
- Modifies registry class
PID:6016 -
C:\Windows\SysWOW64\Jlbejloe.exeC:\Windows\system32\Jlbejloe.exe104⤵PID:6064
-
C:\Windows\SysWOW64\Jpnakk32.exeC:\Windows\system32\Jpnakk32.exe105⤵PID:6108
-
C:\Windows\SysWOW64\Jaonbc32.exeC:\Windows\system32\Jaonbc32.exe106⤵PID:4472
-
C:\Windows\SysWOW64\Jifecp32.exeC:\Windows\system32\Jifecp32.exe107⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5152 -
C:\Windows\SysWOW64\Jhifomdj.exeC:\Windows\system32\Jhifomdj.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5248 -
C:\Windows\SysWOW64\Jldbpl32.exeC:\Windows\system32\Jldbpl32.exe109⤵
- Drops file in System32 directory
PID:5324 -
C:\Windows\SysWOW64\Jocnlg32.exeC:\Windows\system32\Jocnlg32.exe110⤵PID:5380
-
C:\Windows\SysWOW64\Jaajhb32.exeC:\Windows\system32\Jaajhb32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5460 -
C:\Windows\SysWOW64\Jihbip32.exeC:\Windows\system32\Jihbip32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5512 -
C:\Windows\SysWOW64\Jhkbdmbg.exeC:\Windows\system32\Jhkbdmbg.exe113⤵
- Drops file in System32 directory
PID:5600 -
C:\Windows\SysWOW64\Jlgoek32.exeC:\Windows\system32\Jlgoek32.exe114⤵
- Drops file in System32 directory
- Modifies registry class
PID:5668 -
C:\Windows\SysWOW64\Joekag32.exeC:\Windows\system32\Joekag32.exe115⤵PID:5736
-
C:\Windows\SysWOW64\Jadgnb32.exeC:\Windows\system32\Jadgnb32.exe116⤵
- Drops file in System32 directory
PID:5808 -
C:\Windows\SysWOW64\Jhnojl32.exeC:\Windows\system32\Jhnojl32.exe117⤵
- Modifies registry class
PID:5876 -
C:\Windows\SysWOW64\Jafdcbge.exeC:\Windows\system32\Jafdcbge.exe118⤵
- System Location Discovery: System Language Discovery
PID:5956 -
C:\Windows\SysWOW64\Jimldogg.exeC:\Windows\system32\Jimldogg.exe119⤵
- Modifies registry class
PID:6048 -
C:\Windows\SysWOW64\Jllhpkfk.exeC:\Windows\system32\Jllhpkfk.exe120⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:6120 -
C:\Windows\SysWOW64\Jojdlfeo.exeC:\Windows\system32\Jojdlfeo.exe121⤵PID:5168
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-