Analysis
-
max time kernel
112s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
19-09-2024 05:14
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
42371fdcf4368c20624e326b76ed8e5c3a38c24f7313e03a5cd4a75970f13379N.exe
Resource
win7-20240708-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
42371fdcf4368c20624e326b76ed8e5c3a38c24f7313e03a5cd4a75970f13379N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
42371fdcf4368c20624e326b76ed8e5c3a38c24f7313e03a5cd4a75970f13379N.exe
-
Size
96KB
-
MD5
dfc9f9cbe57ac23c770b2da085fde310
-
SHA1
7e3a432aee82a842563220f605ba9916f99bfc37
-
SHA256
42371fdcf4368c20624e326b76ed8e5c3a38c24f7313e03a5cd4a75970f13379
-
SHA512
a6e11183a478aa4d821aea2318c9721f31a92521dfa6206db2a9ffcf3b08fcb10f5dcbd2e6352b13465df32d4f8b0a05cd63b580d6141e1e396dc1105e9fc144
-
SSDEEP
1536:D3BQwKXcu97a0otU4BgwwiVk/ij2L0esBMu/HCmiDcg3MZRP3cEW3AE:rCwKXcEvot6wwicBFa6miEo
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgibeklf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hoflpbmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjbbmmih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcikllja.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aeommfnf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghlgdecf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfadeaho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnofbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kemcookp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldgikklb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgclpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enjcfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgnjlfam.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmmihk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hphljkfk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjclfmfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhknigfq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjmdgmnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcehpbdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gaiehjfb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihefjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ommfibdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekcmkamj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qnjbmh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lejbhbpn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjehlldb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebccal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcqoec32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpliec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kaojiqej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhqmogam.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acnqen32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okbgkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amalcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgqokp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dddodd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehbdif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhebij32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkdmaenk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjqlbdog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjeblf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mahinb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Piipibff.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amfeodoh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djfagjai.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fqbbig32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnjonpgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lblflgqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngikaijm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbcjfn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhbfcj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmcimq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onhihepp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Poplqm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Boohgk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iegaha32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpbadcbj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghqqpd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odmhjp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjofljho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dddodd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nihgndip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkpekjie.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdnmda32.exe -
Executes dropped EXE 64 IoCs
pid Process 1812 Hdjedk32.exe 1728 Hlamfh32.exe 2624 Hlamfh32.exe 2492 Hkdmaenk.exe 2516 Hmcimq32.exe 3004 Hhhmki32.exe 2616 Hdonpjbi.exe 2500 Hgnjlfam.exe 2404 Hngbhp32.exe 2532 Hpfoekhm.exe 2716 Hgpgae32.exe 1372 Hnjonpgg.exe 1912 Hphljkfk.exe 276 Hgbdge32.exe 2784 Hjqpcq32.exe 2728 Ipkhpk32.exe 2852 Icidlf32.exe 2456 Iegaha32.exe 576 Ilaieljl.exe 2072 Ipmeej32.exe 1012 Ianambhc.exe 944 Iejnna32.exe 2036 Ilcfjkgj.exe 3036 Iobbfggm.exe 1668 Icnngeof.exe 1572 Ifljcanj.exe 1760 Ikibkhla.exe 852 Ingogcke.exe 2832 Idagdm32.exe 2856 Igpcpi32.exe 2368 Ikkoagjo.exe 2052 Iqhhin32.exe 2760 Ihopjl32.exe 2528 Jjqlbdog.exe 2900 Jnlhbb32.exe 2932 Jciaki32.exe 1496 Jgdmkhnp.exe 2344 Jkpilg32.exe 2680 Jqmadn32.exe 600 Jdhmel32.exe 2820 Jcknqicd.exe 2780 Jnqanbcj.exe 1944 Jobnej32.exe 3044 Jgiffg32.exe 1588 Jmfoon32.exe 912 Jodkkj32.exe 3040 Jjjohbgl.exe 924 Jmhkdnfp.exe 892 Jofhqiec.exe 1576 Kbedmedg.exe 1716 Kfqpmc32.exe 2520 Kiolio32.exe 620 Kmjhjndm.exe 2540 Koidficq.exe 2976 Kbgqbdbd.exe 2356 Kfcmcckn.exe 2180 Kefmnp32.exe 952 Kkpekjie.exe 2732 Kpkali32.exe 2704 Kbjmhd32.exe 2400 Kamncagl.exe 2720 Kicednho.exe 2136 Kkbbqjgb.exe 2860 Kjeblf32.exe -
Loads dropped DLL 64 IoCs
pid Process 1048 42371fdcf4368c20624e326b76ed8e5c3a38c24f7313e03a5cd4a75970f13379N.exe 1048 42371fdcf4368c20624e326b76ed8e5c3a38c24f7313e03a5cd4a75970f13379N.exe 1812 Hdjedk32.exe 1812 Hdjedk32.exe 1728 Hlamfh32.exe 1728 Hlamfh32.exe 2624 Hlamfh32.exe 2624 Hlamfh32.exe 2492 Hkdmaenk.exe 2492 Hkdmaenk.exe 2516 Hmcimq32.exe 2516 Hmcimq32.exe 3004 Hhhmki32.exe 3004 Hhhmki32.exe 2616 Hdonpjbi.exe 2616 Hdonpjbi.exe 2500 Hgnjlfam.exe 2500 Hgnjlfam.exe 2404 Hngbhp32.exe 2404 Hngbhp32.exe 2532 Hpfoekhm.exe 2532 Hpfoekhm.exe 2716 Hgpgae32.exe 2716 Hgpgae32.exe 1372 Hnjonpgg.exe 1372 Hnjonpgg.exe 1912 Hphljkfk.exe 1912 Hphljkfk.exe 276 Hgbdge32.exe 276 Hgbdge32.exe 2784 Hjqpcq32.exe 2784 Hjqpcq32.exe 2728 Ipkhpk32.exe 2728 Ipkhpk32.exe 2852 Icidlf32.exe 2852 Icidlf32.exe 2456 Iegaha32.exe 2456 Iegaha32.exe 576 Ilaieljl.exe 576 Ilaieljl.exe 2072 Ipmeej32.exe 2072 Ipmeej32.exe 1012 Ianambhc.exe 1012 Ianambhc.exe 944 Iejnna32.exe 944 Iejnna32.exe 2036 Ilcfjkgj.exe 2036 Ilcfjkgj.exe 3036 Iobbfggm.exe 3036 Iobbfggm.exe 1668 Icnngeof.exe 1668 Icnngeof.exe 1572 Ifljcanj.exe 1572 Ifljcanj.exe 1760 Ikibkhla.exe 1760 Ikibkhla.exe 852 Ingogcke.exe 852 Ingogcke.exe 2832 Idagdm32.exe 2832 Idagdm32.exe 2856 Igpcpi32.exe 2856 Igpcpi32.exe 2368 Ikkoagjo.exe 2368 Ikkoagjo.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bgjoaane.dll Ingogcke.exe File opened for modification C:\Windows\SysWOW64\Fmicnhob.exe Fjkgampo.exe File created C:\Windows\SysWOW64\Hiffbl32.exe Hjdfgojp.exe File opened for modification C:\Windows\SysWOW64\Kbgqbdbd.exe Koidficq.exe File created C:\Windows\SysWOW64\Mhbakmgg.exe Mpkjjofe.exe File created C:\Windows\SysWOW64\Gdjopf32.dll Mdibpn32.exe File opened for modification C:\Windows\SysWOW64\Nppceo32.exe Nldgdpjf.exe File opened for modification C:\Windows\SysWOW64\Okbgkk32.exe Oggkklnk.exe File created C:\Windows\SysWOW64\Ekmghppe.dll Boadlk32.exe File created C:\Windows\SysWOW64\Enecegpg.dll Dgqokp32.exe File opened for modification C:\Windows\SysWOW64\Jhebij32.exe Jjbbmmih.exe File created C:\Windows\SysWOW64\Qabhbm32.dll Hjaiaolb.exe File opened for modification C:\Windows\SysWOW64\Hgpgae32.exe Hpfoekhm.exe File opened for modification C:\Windows\SysWOW64\Icnngeof.exe Iobbfggm.exe File created C:\Windows\SysWOW64\Lmmaoq32.exe Liaenblm.exe File created C:\Windows\SysWOW64\Fjmphgbf.dll Nldgdpjf.exe File opened for modification C:\Windows\SysWOW64\Nnofbg32.exe Nkpjfkhf.exe File opened for modification C:\Windows\SysWOW64\Edbonh32.exe Ebccal32.exe File created C:\Windows\SysWOW64\Madiaabn.dll Ffokan32.exe File opened for modification C:\Windows\SysWOW64\Hepdml32.exe Hbagaa32.exe File created C:\Windows\SysWOW64\Ipmeej32.exe Ilaieljl.exe File opened for modification C:\Windows\SysWOW64\Ogigpllh.exe Odkkdqmd.exe File opened for modification C:\Windows\SysWOW64\Qmmbhegc.exe Qnjbmh32.exe File opened for modification C:\Windows\SysWOW64\Gncblo32.exe Glefpd32.exe File created C:\Windows\SysWOW64\Hhnpih32.exe Hepdml32.exe File created C:\Windows\SysWOW64\Mgmccnme.dll Ifljcanj.exe File opened for modification C:\Windows\SysWOW64\Jjqlbdog.exe Ihopjl32.exe File opened for modification C:\Windows\SysWOW64\Kbedmedg.exe Jofhqiec.exe File created C:\Windows\SysWOW64\Nefncd32.exe Nnofbg32.exe File opened for modification C:\Windows\SysWOW64\Kefmnp32.exe Kfcmcckn.exe File opened for modification C:\Windows\SysWOW64\Ebccal32.exe Eoefea32.exe File created C:\Windows\SysWOW64\Jcjffc32.exe Jookedhp.exe File opened for modification C:\Windows\SysWOW64\Hdjedk32.exe 42371fdcf4368c20624e326b76ed8e5c3a38c24f7313e03a5cd4a75970f13379N.exe File created C:\Windows\SysWOW64\Ildmebbg.dll Lfbibfmi.exe File created C:\Windows\SysWOW64\Apiljn32.dll Npbpjn32.exe File created C:\Windows\SysWOW64\Nnhcin32.dll Edkbdf32.exe File created C:\Windows\SysWOW64\Gdpkdf32.exe Gabohk32.exe File created C:\Windows\SysWOW64\Ppepdplg.dll Gadkmj32.exe File created C:\Windows\SysWOW64\Gfcqkafl.exe Ghqqpd32.exe File opened for modification C:\Windows\SysWOW64\Acnqen32.exe Amdhidqk.exe File opened for modification C:\Windows\SysWOW64\Dpggnfap.exe Cadfbi32.exe File created C:\Windows\SysWOW64\Hbokkagk.exe Hpqoofhg.exe File created C:\Windows\SysWOW64\Jcknqicd.exe Jdhmel32.exe File opened for modification C:\Windows\SysWOW64\Nlkmeo32.exe Nimaic32.exe File opened for modification C:\Windows\SysWOW64\Bjclfmfe.exe Blplkp32.exe File created C:\Windows\SysWOW64\Fbelmlah.dll Ejcaanfg.exe File created C:\Windows\SysWOW64\Fnoiqpqk.exe Fpliec32.exe File opened for modification C:\Windows\SysWOW64\Lhiodnob.exe Lejbhbpn.exe File created C:\Windows\SysWOW64\Ddjjlj32.dll Mahinb32.exe File created C:\Windows\SysWOW64\Aepcmk32.dll Mhbakmgg.exe File created C:\Windows\SysWOW64\Cdfjhc32.dll Ikcbfb32.exe File created C:\Windows\SysWOW64\Chkgnh32.dll Necandjo.exe File created C:\Windows\SysWOW64\Bjkkkd32.dll Peoanckj.exe File created C:\Windows\SysWOW64\Njfoghho.dll Amdhidqk.exe File opened for modification C:\Windows\SysWOW64\Bjehlldb.exe Bfjmkn32.exe File created C:\Windows\SysWOW64\Fdkfbo32.dll Clphjc32.exe File opened for modification C:\Windows\SysWOW64\Ghqqpd32.exe Gdedoegh.exe File opened for modification C:\Windows\SysWOW64\Cehlbihg.exe Ccjpfmic.exe File created C:\Windows\SysWOW64\Ceajdhdn.dll Doqmjaac.exe File opened for modification C:\Windows\SysWOW64\Hhqmogam.exe Hinlck32.exe File created C:\Windows\SysWOW64\Iobbfggm.exe Ilcfjkgj.exe File opened for modification C:\Windows\SysWOW64\Blplkp32.exe Bdiciboh.exe File opened for modification C:\Windows\SysWOW64\Cmkkhfmn.exe Beccgi32.exe File created C:\Windows\SysWOW64\Eogckqkk.exe Eligoe32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4436 4292 WerFault.exe 476 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icidlf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idagdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndkoemji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdpfiekl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilneef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnhegi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chiedc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpkpie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eggajb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikcbfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idlgohcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koidficq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpmjplag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoflpbmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlamfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kamncagl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lobgah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbcjfn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmkpchmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llbnpm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qedjib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjmpfp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpkjjofe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdhmel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmeknakn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahpfoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cidhcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iedmhlqf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Indkgm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbcdfq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jchjqc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpfoekhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Licbca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gncblo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gadkmj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikibkhla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmjhjndm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgkokjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Macpcccp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mogqlgbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngikaijm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enmplm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkldli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpjndh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpiqel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgehfodh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihopjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikhlaaif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jobnej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnjonpgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmhkdnfp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgibeklf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkglenej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doqmjaac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjaiaolb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hohhfbkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgiffg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmmbhegc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfadeaho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Liohhbno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npbpjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oamohenq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igpcpi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aliejq32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fcqoec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jnqanbcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akekgimh.dll" Lneghd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbhhkhlk.dll" Lhiodnob.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpbadcbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Icidlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igmppcpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlhgpq32.dll" Gfcqkafl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hoflpbmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ilaieljl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Icnngeof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Macpcccp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkfpmm32.dll" Fcqoec32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Edkbdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hijeld32.dll" Ianambhc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkpekjie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Beccgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmelnghf.dll" Dhiacg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gadkmj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gnhlgoia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Haiagm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ilcfjkgj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kfnpgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgidhgbh.dll" Bgablmfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eligoe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pidgnc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eojpqpih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohjfni32.dll" Fjmdgmnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omccmkee.dll" Glefpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hngbhp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Condfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Flqmddah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mojmbg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckgapo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmpepjid.dll" Hinlck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgiffg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdnkjn32.dll" Jmhkdnfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjfkao32.dll" Mhmhpm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mojmbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmicnhob.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcfmkcdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mdbloobc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkldli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmjibdoi.dll" Poplqm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pqdend32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ifljcanj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pcdnpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Apphpp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpjndh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idhcfhci.dll" Pbohmh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbcjfn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckeekp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eggajb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 42371fdcf4368c20624e326b76ed8e5c3a38c24f7313e03a5cd4a75970f13379N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnlhbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdnpkd32.dll" Kejfio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkneko32.dll" Oqibjq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpliec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iclkhpln.dll" Ipmeej32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajelmiag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmbkgfki.dll" Dfmbmkgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jookedhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkpilg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lbijgg32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1048 wrote to memory of 1812 1048 42371fdcf4368c20624e326b76ed8e5c3a38c24f7313e03a5cd4a75970f13379N.exe 29 PID 1048 wrote to memory of 1812 1048 42371fdcf4368c20624e326b76ed8e5c3a38c24f7313e03a5cd4a75970f13379N.exe 29 PID 1048 wrote to memory of 1812 1048 42371fdcf4368c20624e326b76ed8e5c3a38c24f7313e03a5cd4a75970f13379N.exe 29 PID 1048 wrote to memory of 1812 1048 42371fdcf4368c20624e326b76ed8e5c3a38c24f7313e03a5cd4a75970f13379N.exe 29 PID 1812 wrote to memory of 1728 1812 Hdjedk32.exe 30 PID 1812 wrote to memory of 1728 1812 Hdjedk32.exe 30 PID 1812 wrote to memory of 1728 1812 Hdjedk32.exe 30 PID 1812 wrote to memory of 1728 1812 Hdjedk32.exe 30 PID 1728 wrote to memory of 2624 1728 Hlamfh32.exe 31 PID 1728 wrote to memory of 2624 1728 Hlamfh32.exe 31 PID 1728 wrote to memory of 2624 1728 Hlamfh32.exe 31 PID 1728 wrote to memory of 2624 1728 Hlamfh32.exe 31 PID 2624 wrote to memory of 2492 2624 Hlamfh32.exe 32 PID 2624 wrote to memory of 2492 2624 Hlamfh32.exe 32 PID 2624 wrote to memory of 2492 2624 Hlamfh32.exe 32 PID 2624 wrote to memory of 2492 2624 Hlamfh32.exe 32 PID 2492 wrote to memory of 2516 2492 Hkdmaenk.exe 33 PID 2492 wrote to memory of 2516 2492 Hkdmaenk.exe 33 PID 2492 wrote to memory of 2516 2492 Hkdmaenk.exe 33 PID 2492 wrote to memory of 2516 2492 Hkdmaenk.exe 33 PID 2516 wrote to memory of 3004 2516 Hmcimq32.exe 34 PID 2516 wrote to memory of 3004 2516 Hmcimq32.exe 34 PID 2516 wrote to memory of 3004 2516 Hmcimq32.exe 34 PID 2516 wrote to memory of 3004 2516 Hmcimq32.exe 34 PID 3004 wrote to memory of 2616 3004 Hhhmki32.exe 35 PID 3004 wrote to memory of 2616 3004 Hhhmki32.exe 35 PID 3004 wrote to memory of 2616 3004 Hhhmki32.exe 35 PID 3004 wrote to memory of 2616 3004 Hhhmki32.exe 35 PID 2616 wrote to memory of 2500 2616 Hdonpjbi.exe 36 PID 2616 wrote to memory of 2500 2616 Hdonpjbi.exe 36 PID 2616 wrote to memory of 2500 2616 Hdonpjbi.exe 36 PID 2616 wrote to memory of 2500 2616 Hdonpjbi.exe 36 PID 2500 wrote to memory of 2404 2500 Hgnjlfam.exe 37 PID 2500 wrote to memory of 2404 2500 Hgnjlfam.exe 37 PID 2500 wrote to memory of 2404 2500 Hgnjlfam.exe 37 PID 2500 wrote to memory of 2404 2500 Hgnjlfam.exe 37 PID 2404 wrote to memory of 2532 2404 Hngbhp32.exe 38 PID 2404 wrote to memory of 2532 2404 Hngbhp32.exe 38 PID 2404 wrote to memory of 2532 2404 Hngbhp32.exe 38 PID 2404 wrote to memory of 2532 2404 Hngbhp32.exe 38 PID 2532 wrote to memory of 2716 2532 Hpfoekhm.exe 39 PID 2532 wrote to memory of 2716 2532 Hpfoekhm.exe 39 PID 2532 wrote to memory of 2716 2532 Hpfoekhm.exe 39 PID 2532 wrote to memory of 2716 2532 Hpfoekhm.exe 39 PID 2716 wrote to memory of 1372 2716 Hgpgae32.exe 40 PID 2716 wrote to memory of 1372 2716 Hgpgae32.exe 40 PID 2716 wrote to memory of 1372 2716 Hgpgae32.exe 40 PID 2716 wrote to memory of 1372 2716 Hgpgae32.exe 40 PID 1372 wrote to memory of 1912 1372 Hnjonpgg.exe 41 PID 1372 wrote to memory of 1912 1372 Hnjonpgg.exe 41 PID 1372 wrote to memory of 1912 1372 Hnjonpgg.exe 41 PID 1372 wrote to memory of 1912 1372 Hnjonpgg.exe 41 PID 1912 wrote to memory of 276 1912 Hphljkfk.exe 42 PID 1912 wrote to memory of 276 1912 Hphljkfk.exe 42 PID 1912 wrote to memory of 276 1912 Hphljkfk.exe 42 PID 1912 wrote to memory of 276 1912 Hphljkfk.exe 42 PID 276 wrote to memory of 2784 276 Hgbdge32.exe 43 PID 276 wrote to memory of 2784 276 Hgbdge32.exe 43 PID 276 wrote to memory of 2784 276 Hgbdge32.exe 43 PID 276 wrote to memory of 2784 276 Hgbdge32.exe 43 PID 2784 wrote to memory of 2728 2784 Hjqpcq32.exe 44 PID 2784 wrote to memory of 2728 2784 Hjqpcq32.exe 44 PID 2784 wrote to memory of 2728 2784 Hjqpcq32.exe 44 PID 2784 wrote to memory of 2728 2784 Hjqpcq32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\42371fdcf4368c20624e326b76ed8e5c3a38c24f7313e03a5cd4a75970f13379N.exe"C:\Users\Admin\AppData\Local\Temp\42371fdcf4368c20624e326b76ed8e5c3a38c24f7313e03a5cd4a75970f13379N.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1048 -
C:\Windows\SysWOW64\Hdjedk32.exeC:\Windows\system32\Hdjedk32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1812 -
C:\Windows\SysWOW64\Hlamfh32.exeC:\Windows\system32\Hlamfh32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Windows\SysWOW64\Hlamfh32.exeC:\Windows\system32\Hlamfh32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Hkdmaenk.exeC:\Windows\system32\Hkdmaenk.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\Windows\SysWOW64\Hmcimq32.exeC:\Windows\system32\Hmcimq32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\SysWOW64\Hhhmki32.exeC:\Windows\system32\Hhhmki32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\SysWOW64\Hdonpjbi.exeC:\Windows\system32\Hdonpjbi.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Hgnjlfam.exeC:\Windows\system32\Hgnjlfam.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Windows\SysWOW64\Hngbhp32.exeC:\Windows\system32\Hngbhp32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Windows\SysWOW64\Hpfoekhm.exeC:\Windows\system32\Hpfoekhm.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\SysWOW64\Hgpgae32.exeC:\Windows\system32\Hgpgae32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Hnjonpgg.exeC:\Windows\system32\Hnjonpgg.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1372 -
C:\Windows\SysWOW64\Hphljkfk.exeC:\Windows\system32\Hphljkfk.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Windows\SysWOW64\Hgbdge32.exeC:\Windows\system32\Hgbdge32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:276 -
C:\Windows\SysWOW64\Hjqpcq32.exeC:\Windows\system32\Hjqpcq32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Ipkhpk32.exeC:\Windows\system32\Ipkhpk32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2728 -
C:\Windows\SysWOW64\Icidlf32.exeC:\Windows\system32\Icidlf32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2852 -
C:\Windows\SysWOW64\Iegaha32.exeC:\Windows\system32\Iegaha32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2456 -
C:\Windows\SysWOW64\Ilaieljl.exeC:\Windows\system32\Ilaieljl.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:576 -
C:\Windows\SysWOW64\Ipmeej32.exeC:\Windows\system32\Ipmeej32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2072 -
C:\Windows\SysWOW64\Ianambhc.exeC:\Windows\system32\Ianambhc.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1012 -
C:\Windows\SysWOW64\Iejnna32.exeC:\Windows\system32\Iejnna32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:944 -
C:\Windows\SysWOW64\Ilcfjkgj.exeC:\Windows\system32\Ilcfjkgj.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2036 -
C:\Windows\SysWOW64\Iobbfggm.exeC:\Windows\system32\Iobbfggm.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3036 -
C:\Windows\SysWOW64\Icnngeof.exeC:\Windows\system32\Icnngeof.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1668 -
C:\Windows\SysWOW64\Ifljcanj.exeC:\Windows\system32\Ifljcanj.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1572 -
C:\Windows\SysWOW64\Ikibkhla.exeC:\Windows\system32\Ikibkhla.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1760 -
C:\Windows\SysWOW64\Ingogcke.exeC:\Windows\system32\Ingogcke.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:852 -
C:\Windows\SysWOW64\Idagdm32.exeC:\Windows\system32\Idagdm32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2832 -
C:\Windows\SysWOW64\Igpcpi32.exeC:\Windows\system32\Igpcpi32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2856 -
C:\Windows\SysWOW64\Ikkoagjo.exeC:\Windows\system32\Ikkoagjo.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2368 -
C:\Windows\SysWOW64\Iqhhin32.exeC:\Windows\system32\Iqhhin32.exe33⤵
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\Ihopjl32.exeC:\Windows\system32\Ihopjl32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2760 -
C:\Windows\SysWOW64\Jjqlbdog.exeC:\Windows\system32\Jjqlbdog.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Jnlhbb32.exeC:\Windows\system32\Jnlhbb32.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:2900 -
C:\Windows\SysWOW64\Jciaki32.exeC:\Windows\system32\Jciaki32.exe37⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Jgdmkhnp.exeC:\Windows\system32\Jgdmkhnp.exe38⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Jkpilg32.exeC:\Windows\system32\Jkpilg32.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:2344 -
C:\Windows\SysWOW64\Jqmadn32.exeC:\Windows\system32\Jqmadn32.exe40⤵
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\Jdhmel32.exeC:\Windows\system32\Jdhmel32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:600 -
C:\Windows\SysWOW64\Jcknqicd.exeC:\Windows\system32\Jcknqicd.exe42⤵
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Jnqanbcj.exeC:\Windows\system32\Jnqanbcj.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:2780 -
C:\Windows\SysWOW64\Jobnej32.exeC:\Windows\system32\Jobnej32.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1944 -
C:\Windows\SysWOW64\Jgiffg32.exeC:\Windows\system32\Jgiffg32.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3044 -
C:\Windows\SysWOW64\Jmfoon32.exeC:\Windows\system32\Jmfoon32.exe46⤵
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\Jodkkj32.exeC:\Windows\system32\Jodkkj32.exe47⤵
- Executes dropped EXE
PID:912 -
C:\Windows\SysWOW64\Jjjohbgl.exeC:\Windows\system32\Jjjohbgl.exe48⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Jmhkdnfp.exeC:\Windows\system32\Jmhkdnfp.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:924 -
C:\Windows\SysWOW64\Jofhqiec.exeC:\Windows\system32\Jofhqiec.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:892 -
C:\Windows\SysWOW64\Kbedmedg.exeC:\Windows\system32\Kbedmedg.exe51⤵
- Executes dropped EXE
PID:1576 -
C:\Windows\SysWOW64\Kfqpmc32.exeC:\Windows\system32\Kfqpmc32.exe52⤵
- Executes dropped EXE
PID:1716 -
C:\Windows\SysWOW64\Kiolio32.exeC:\Windows\system32\Kiolio32.exe53⤵
- Executes dropped EXE
PID:2520 -
C:\Windows\SysWOW64\Kmjhjndm.exeC:\Windows\system32\Kmjhjndm.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:620 -
C:\Windows\SysWOW64\Koidficq.exeC:\Windows\system32\Koidficq.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2540 -
C:\Windows\SysWOW64\Kbgqbdbd.exeC:\Windows\system32\Kbgqbdbd.exe56⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Kfcmcckn.exeC:\Windows\system32\Kfcmcckn.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2356 -
C:\Windows\SysWOW64\Kefmnp32.exeC:\Windows\system32\Kefmnp32.exe58⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Kkpekjie.exeC:\Windows\system32\Kkpekjie.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:952 -
C:\Windows\SysWOW64\Kpkali32.exeC:\Windows\system32\Kpkali32.exe60⤵
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Kbjmhd32.exeC:\Windows\system32\Kbjmhd32.exe61⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Kamncagl.exeC:\Windows\system32\Kamncagl.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2400 -
C:\Windows\SysWOW64\Kicednho.exeC:\Windows\system32\Kicednho.exe63⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Kkbbqjgb.exeC:\Windows\system32\Kkbbqjgb.exe64⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Kjeblf32.exeC:\Windows\system32\Kjeblf32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Knqnmeff.exeC:\Windows\system32\Knqnmeff.exe66⤵PID:1460
-
C:\Windows\SysWOW64\Kaojiqej.exeC:\Windows\system32\Kaojiqej.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1388 -
C:\Windows\SysWOW64\Kejfio32.exeC:\Windows\system32\Kejfio32.exe68⤵
- Modifies registry class
PID:1348 -
C:\Windows\SysWOW64\Kgibeklf.exeC:\Windows\system32\Kgibeklf.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1484 -
C:\Windows\SysWOW64\Kjgoaflj.exeC:\Windows\system32\Kjgoaflj.exe70⤵PID:1324
-
C:\Windows\SysWOW64\Knckbe32.exeC:\Windows\system32\Knckbe32.exe71⤵PID:1764
-
C:\Windows\SysWOW64\Kmeknakn.exeC:\Windows\system32\Kmeknakn.exe72⤵
- System Location Discovery: System Language Discovery
PID:2504 -
C:\Windows\SysWOW64\Kemcookp.exeC:\Windows\system32\Kemcookp.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2576 -
C:\Windows\SysWOW64\Kgkokjjd.exeC:\Windows\system32\Kgkokjjd.exe74⤵
- System Location Discovery: System Language Discovery
PID:2996 -
C:\Windows\SysWOW64\Kfnpgg32.exeC:\Windows\system32\Kfnpgg32.exe75⤵
- Modifies registry class
PID:2776 -
C:\Windows\SysWOW64\Lneghd32.exeC:\Windows\system32\Lneghd32.exe76⤵
- Modifies registry class
PID:2960 -
C:\Windows\SysWOW64\Lmhhcaik.exeC:\Windows\system32\Lmhhcaik.exe77⤵PID:2664
-
C:\Windows\SysWOW64\Lpfdpmho.exeC:\Windows\system32\Lpfdpmho.exe78⤵PID:1008
-
C:\Windows\SysWOW64\Lhnlqjha.exeC:\Windows\system32\Lhnlqjha.exe79⤵PID:1700
-
C:\Windows\SysWOW64\Liohhbno.exeC:\Windows\system32\Liohhbno.exe80⤵
- System Location Discovery: System Language Discovery
PID:1780 -
C:\Windows\SysWOW64\Lafpipoa.exeC:\Windows\system32\Lafpipoa.exe81⤵PID:2792
-
C:\Windows\SysWOW64\Lpiqel32.exeC:\Windows\system32\Lpiqel32.exe82⤵
- System Location Discovery: System Language Discovery
PID:1040 -
C:\Windows\SysWOW64\Lbgmah32.exeC:\Windows\system32\Lbgmah32.exe83⤵PID:3056
-
C:\Windows\SysWOW64\Lfbibfmi.exeC:\Windows\system32\Lfbibfmi.exe84⤵
- Drops file in System32 directory
PID:696 -
C:\Windows\SysWOW64\Liaenblm.exeC:\Windows\system32\Liaenblm.exe85⤵
- Drops file in System32 directory
PID:1028 -
C:\Windows\SysWOW64\Lmmaoq32.exeC:\Windows\system32\Lmmaoq32.exe86⤵PID:2972
-
C:\Windows\SysWOW64\Ldgikklb.exeC:\Windows\system32\Ldgikklb.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2824 -
C:\Windows\SysWOW64\Lbijgg32.exeC:\Windows\system32\Lbijgg32.exe88⤵
- Modifies registry class
PID:2564 -
C:\Windows\SysWOW64\Licbca32.exeC:\Windows\system32\Licbca32.exe89⤵
- System Location Discovery: System Language Discovery
PID:3068 -
C:\Windows\SysWOW64\Llbnpm32.exeC:\Windows\system32\Llbnpm32.exe90⤵
- System Location Discovery: System Language Discovery
PID:2956 -
C:\Windows\SysWOW64\Lpmjplag.exeC:\Windows\system32\Lpmjplag.exe91⤵
- System Location Discovery: System Language Discovery
PID:2432 -
C:\Windows\SysWOW64\Lblflgqk.exeC:\Windows\system32\Lblflgqk.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2248 -
C:\Windows\SysWOW64\Lfgbmf32.exeC:\Windows\system32\Lfgbmf32.exe93⤵PID:2428
-
C:\Windows\SysWOW64\Lejbhbpn.exeC:\Windows\system32\Lejbhbpn.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2812 -
C:\Windows\SysWOW64\Lhiodnob.exeC:\Windows\system32\Lhiodnob.exe95⤵
- Modifies registry class
PID:2152 -
C:\Windows\SysWOW64\Lppgfkpd.exeC:\Windows\system32\Lppgfkpd.exe96⤵PID:1640
-
C:\Windows\SysWOW64\Lobgah32.exeC:\Windows\system32\Lobgah32.exe97⤵
- System Location Discovery: System Language Discovery
PID:2196 -
C:\Windows\SysWOW64\Lbncbgoh.exeC:\Windows\system32\Lbncbgoh.exe98⤵PID:2192
-
C:\Windows\SysWOW64\Memonbnl.exeC:\Windows\system32\Memonbnl.exe99⤵PID:928
-
C:\Windows\SysWOW64\Mhkkjnmo.exeC:\Windows\system32\Mhkkjnmo.exe100⤵PID:756
-
C:\Windows\SysWOW64\Mlfgkleh.exeC:\Windows\system32\Mlfgkleh.exe101⤵PID:3048
-
C:\Windows\SysWOW64\Moecghdl.exeC:\Windows\system32\Moecghdl.exe102⤵PID:3000
-
C:\Windows\SysWOW64\Macpcccp.exeC:\Windows\system32\Macpcccp.exe103⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2068 -
C:\Windows\SysWOW64\Mdbloobc.exeC:\Windows\system32\Mdbloobc.exe104⤵
- Modifies registry class
PID:2380 -
C:\Windows\SysWOW64\Mhmhpm32.exeC:\Windows\system32\Mhmhpm32.exe105⤵
- Modifies registry class
PID:2464 -
C:\Windows\SysWOW64\Mkldli32.exeC:\Windows\system32\Mkldli32.exe106⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2660 -
C:\Windows\SysWOW64\Mogqlgbi.exeC:\Windows\system32\Mogqlgbi.exe107⤵
- System Location Discovery: System Language Discovery
PID:1100 -
C:\Windows\SysWOW64\Meaiia32.exeC:\Windows\system32\Meaiia32.exe108⤵PID:2188
-
C:\Windows\SysWOW64\Mddidnqa.exeC:\Windows\system32\Mddidnqa.exe109⤵PID:3064
-
C:\Windows\SysWOW64\Mgbeqjpd.exeC:\Windows\system32\Mgbeqjpd.exe110⤵PID:1956
-
C:\Windows\SysWOW64\Mknaahhn.exeC:\Windows\system32\Mknaahhn.exe111⤵PID:768
-
C:\Windows\SysWOW64\Mojmbg32.exeC:\Windows\system32\Mojmbg32.exe112⤵
- Modifies registry class
PID:1856 -
C:\Windows\SysWOW64\Mahinb32.exeC:\Windows\system32\Mahinb32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2748 -
C:\Windows\SysWOW64\Mpkjjofe.exeC:\Windows\system32\Mpkjjofe.exe114⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2324 -
C:\Windows\SysWOW64\Mhbakmgg.exeC:\Windows\system32\Mhbakmgg.exe115⤵
- Drops file in System32 directory
PID:2412 -
C:\Windows\SysWOW64\Mgebfi32.exeC:\Windows\system32\Mgebfi32.exe116⤵PID:2420
-
C:\Windows\SysWOW64\Mmojcceo.exeC:\Windows\system32\Mmojcceo.exe117⤵PID:2804
-
C:\Windows\SysWOW64\Majfcb32.exeC:\Windows\system32\Majfcb32.exe118⤵PID:1052
-
C:\Windows\SysWOW64\Mdibpn32.exeC:\Windows\system32\Mdibpn32.exe119⤵
- Drops file in System32 directory
PID:1900 -
C:\Windows\SysWOW64\Mclbkjcf.exeC:\Windows\system32\Mclbkjcf.exe120⤵PID:1328
-
C:\Windows\SysWOW64\Mkcjlhdh.exeC:\Windows\system32\Mkcjlhdh.exe121⤵PID:2580
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-