Analysis
-
max time kernel
41s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
30/09/2024, 21:42
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0dcbaaf42e6bec062e4ef394293c3add49f52fe520b9f0a7f8c7a218a06fb34eN.exe
Resource
win7-20240729-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
0dcbaaf42e6bec062e4ef394293c3add49f52fe520b9f0a7f8c7a218a06fb34eN.exe
Resource
win10v2004-20240910-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
0dcbaaf42e6bec062e4ef394293c3add49f52fe520b9f0a7f8c7a218a06fb34eN.exe
-
Size
352KB
-
MD5
e1e565d7631aba0ab7b543b4e8686560
-
SHA1
2116acee81a1cda634216c9aa3efb8d4d537032c
-
SHA256
0dcbaaf42e6bec062e4ef394293c3add49f52fe520b9f0a7f8c7a218a06fb34e
-
SHA512
a8d33df6816e66a8f51b04efb7935f21f1571ac9f35440733581edd4bab570a8198861ead586b4e2eac4b6470ce308c62c0e12c7ffe79d2ccb4bda1889b08dd1
-
SSDEEP
6144:p9kLpr1ItvLUErOU7amYBAYpd0ucyEWJrj1mKZHPSv/rpwMBhpNFdFf52SCaH:pYrCZYE6YYBHpd0uD319ZvSntnhp3520
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jdlclo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kheofahm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkcebg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iljifm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjmnmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hdeall32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kjkehhjf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mchokq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odanqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oipcnieb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjeihl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qgiibp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bcoffd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdgfpbaf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnpnga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mmpcdfem.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkhnmfle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hmiljb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fghngimj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iabhdefo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Afbpnlcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eqnillbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ikoehj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oiljcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qnnhcknd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmoaoikj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fjhgidjk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acpjga32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmqgec32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjbghkfi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdonjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ceoooj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dgnhhq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ckhbnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gegaeabe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Akbelbpi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfppgohb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmecokhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mjddnjdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ndmeecmb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cojghf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edelakoq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ileoknhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kmjaddii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nbilhkig.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qdhqpe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agdlfd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbnfmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Codgbqmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ekjgbi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbkchj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lpcmlnnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Phmfpddb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Afpchl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbljgpja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dmecokhm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlhmkbhb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjppmlhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pqjhjf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baecehhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dgalhgpg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gllpflng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bjiobnbn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcackdio.exe -
Executes dropped EXE 64 IoCs
pid Process 2904 Ckhbnb32.exe 2840 Cmfnjnin.exe 2816 Cojghf32.exe 2452 Cpidai32.exe 2280 Dkcebg32.exe 2768 Dlbaljhn.exe 1488 Doamhe32.exe 580 Dkhnmfle.exe 2012 Djmknb32.exe 848 Dgalhgpg.exe 2428 Enkdda32.exe 1740 Edelakoq.exe 2372 Eqnillbb.exe 2180 Ebofcd32.exe 2416 Ekjgbi32.exe 1192 Ffpkob32.exe 2040 Fqilppic.exe 2080 Fgcdlj32.exe 2656 Fjaqhe32.exe 2208 Fcjeakfd.exe 1000 Feiaknmg.exe 2660 Fghngimj.exe 2152 Fnafdc32.exe 1528 Fpcblkje.exe 2644 Fjhgidjk.exe 2252 Fmgcepio.exe 2820 Gindjqnc.exe 2844 Gllpflng.exe 3008 Gcchgini.exe 2864 Gmlmpo32.exe 2732 Gegaeabe.exe 2240 Gbkaneao.exe 2060 Ghgjflof.exe 1672 Gjffbhnj.exe 2956 Gdnkkmej.exe 1068 Hmgodc32.exe 3040 Hengep32.exe 2228 Hmiljb32.exe 2224 Hjmmcgha.exe 1388 Hagepa32.exe 952 Hdeall32.exe 2484 Hfdmhh32.exe 1356 Hibidc32.exe 1588 Hlqfqo32.exe 1332 Hbknmicj.exe 2200 Heijidbn.exe 2632 Hpoofm32.exe 1508 Ioaobjin.exe 2972 Iekgod32.exe 2796 Ihjcko32.exe 2916 Ileoknhh.exe 2236 Iabhdefo.exe 2764 Ihlpqonl.exe 2720 Ilhlan32.exe 2256 Iofhmi32.exe 3004 Ieppjclf.exe 2980 Ihnmfoli.exe 1472 Iljifm32.exe 2096 Ioheci32.exe 2668 Iagaod32.exe 2232 Ihqilnig.exe 1628 Ikoehj32.exe 936 Iainddpg.exe 892 Idgjqook.exe -
Loads dropped DLL 64 IoCs
pid Process 2308 0dcbaaf42e6bec062e4ef394293c3add49f52fe520b9f0a7f8c7a218a06fb34eN.exe 2308 0dcbaaf42e6bec062e4ef394293c3add49f52fe520b9f0a7f8c7a218a06fb34eN.exe 2904 Ckhbnb32.exe 2904 Ckhbnb32.exe 2840 Cmfnjnin.exe 2840 Cmfnjnin.exe 2816 Cojghf32.exe 2816 Cojghf32.exe 2452 Cpidai32.exe 2452 Cpidai32.exe 2280 Dkcebg32.exe 2280 Dkcebg32.exe 2768 Dlbaljhn.exe 2768 Dlbaljhn.exe 1488 Doamhe32.exe 1488 Doamhe32.exe 580 Dkhnmfle.exe 580 Dkhnmfle.exe 2012 Djmknb32.exe 2012 Djmknb32.exe 848 Dgalhgpg.exe 848 Dgalhgpg.exe 2428 Enkdda32.exe 2428 Enkdda32.exe 1740 Edelakoq.exe 1740 Edelakoq.exe 2372 Eqnillbb.exe 2372 Eqnillbb.exe 2180 Ebofcd32.exe 2180 Ebofcd32.exe 2416 Ekjgbi32.exe 2416 Ekjgbi32.exe 1192 Ffpkob32.exe 1192 Ffpkob32.exe 2040 Fqilppic.exe 2040 Fqilppic.exe 2080 Fgcdlj32.exe 2080 Fgcdlj32.exe 2656 Fjaqhe32.exe 2656 Fjaqhe32.exe 2208 Fcjeakfd.exe 2208 Fcjeakfd.exe 1000 Feiaknmg.exe 1000 Feiaknmg.exe 2660 Fghngimj.exe 2660 Fghngimj.exe 2152 Fnafdc32.exe 2152 Fnafdc32.exe 1528 Fpcblkje.exe 1528 Fpcblkje.exe 2644 Fjhgidjk.exe 2644 Fjhgidjk.exe 2252 Fmgcepio.exe 2252 Fmgcepio.exe 2820 Gindjqnc.exe 2820 Gindjqnc.exe 2844 Gllpflng.exe 2844 Gllpflng.exe 3008 Gcchgini.exe 3008 Gcchgini.exe 2864 Gmlmpo32.exe 2864 Gmlmpo32.exe 2732 Gegaeabe.exe 2732 Gegaeabe.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Coiqmp32.exe Chohqebq.exe File opened for modification C:\Windows\SysWOW64\Ihlpqonl.exe Iabhdefo.exe File created C:\Windows\SysWOW64\Iagaod32.exe Ioheci32.exe File opened for modification C:\Windows\SysWOW64\Olopjddf.exe Oipcnieb.exe File created C:\Windows\SysWOW64\Podbgo32.exe Pdonjf32.exe File created C:\Windows\SysWOW64\Phocfd32.exe Paekijkb.exe File opened for modification C:\Windows\SysWOW64\Pqjhjf32.exe Pjppmlhm.exe File created C:\Windows\SysWOW64\Hhedee32.dll Bcackdio.exe File created C:\Windows\SysWOW64\Ogihnoda.dll Fghngimj.exe File created C:\Windows\SysWOW64\Hjlnkheo.dll Iabhdefo.exe File created C:\Windows\SysWOW64\Npffaq32.exe Nljjqbfp.exe File opened for modification C:\Windows\SysWOW64\Qnnhcknd.exe Pgdpgqgg.exe File created C:\Windows\SysWOW64\Mepmffng.dll Codgbqmc.exe File opened for modification C:\Windows\SysWOW64\Fcjeakfd.exe Fjaqhe32.exe File created C:\Windows\SysWOW64\Fnafdc32.exe Fghngimj.exe File created C:\Windows\SysWOW64\Fmgcepio.exe Fjhgidjk.exe File opened for modification C:\Windows\SysWOW64\Ljbkig32.exe Lbkchj32.exe File opened for modification C:\Windows\SysWOW64\Ninjjf32.exe Nfpnnk32.exe File created C:\Windows\SysWOW64\Afhggc32.dll Nkdpmn32.exe File opened for modification C:\Windows\SysWOW64\Dpofpg32.exe Diencmcj.exe File created C:\Windows\SysWOW64\Dlkcdc32.dll Fcjeakfd.exe File created C:\Windows\SysWOW64\Gegaeabe.exe Gmlmpo32.exe File created C:\Windows\SysWOW64\Mhmkph32.dll Heijidbn.exe File created C:\Windows\SysWOW64\Baajji32.exe Bnbnnm32.exe File opened for modification C:\Windows\SysWOW64\Cbnfmo32.exe Cldnqe32.exe File created C:\Windows\SysWOW64\Dkekmp32.exe Dgiomabc.exe File created C:\Windows\SysWOW64\Enlhahnp.dll Cojghf32.exe File opened for modification C:\Windows\SysWOW64\Ljpnch32.exe Lcffgnnc.exe File created C:\Windows\SysWOW64\Okgfkeda.dll Lbbiii32.exe File created C:\Windows\SysWOW64\Foibjlda.dll Mhckloge.exe File opened for modification C:\Windows\SysWOW64\Ogmngn32.exe Oaqeogll.exe File created C:\Windows\SysWOW64\Bcmjpd32.exe Aaondi32.exe File opened for modification C:\Windows\SysWOW64\Bcackdio.exe Bmhkojab.exe File created C:\Windows\SysWOW64\Nkpbdj32.dll Dmecokhm.exe File created C:\Windows\SysWOW64\Fjaqhe32.exe Fgcdlj32.exe File created C:\Windows\SysWOW64\Gijllcml.dll Hlqfqo32.exe File created C:\Windows\SysWOW64\Qkgjae32.dll Hpoofm32.exe File created C:\Windows\SysWOW64\Ljbkig32.exe Lbkchj32.exe File created C:\Windows\SysWOW64\Mhckloge.exe Mchokq32.exe File opened for modification C:\Windows\SysWOW64\Cldnqe32.exe Cejfckie.exe File opened for modification C:\Windows\SysWOW64\Cmjdcm32.exe Cogdhpkp.exe File created C:\Windows\SysWOW64\Aaondi32.exe Anpahn32.exe File opened for modification C:\Windows\SysWOW64\Gmlmpo32.exe Gcchgini.exe File created C:\Windows\SysWOW64\Lmhnej32.dll Hbknmicj.exe File created C:\Windows\SysWOW64\Eejnjgnc.dll Ieppjclf.exe File created C:\Windows\SysWOW64\Ioheci32.exe Iljifm32.exe File opened for modification C:\Windows\SysWOW64\Nphbfplf.exe Nlmffa32.exe File opened for modification C:\Windows\SysWOW64\Qjeihl32.exe Qdhqpe32.exe File created C:\Windows\SysWOW64\Jcoimalh.dll Acpjga32.exe File created C:\Windows\SysWOW64\Bjiobnbn.exe Bcoffd32.exe File opened for modification C:\Windows\SysWOW64\Bjiobnbn.exe Bcoffd32.exe File opened for modification C:\Windows\SysWOW64\Fgcdlj32.exe Fqilppic.exe File opened for modification C:\Windows\SysWOW64\Hagepa32.exe Hjmmcgha.exe File opened for modification C:\Windows\SysWOW64\Ieppjclf.exe Iofhmi32.exe File created C:\Windows\SysWOW64\Pjmbgjea.dll Cbljgpja.exe File created C:\Windows\SysWOW64\Ebkilnbk.dll Dlbaljhn.exe File created C:\Windows\SysWOW64\Phkfglid.dll Gllpflng.exe File created C:\Windows\SysWOW64\Fkihmn32.dll Gcchgini.exe File created C:\Windows\SysWOW64\Hibidc32.exe Hfdmhh32.exe File opened for modification C:\Windows\SysWOW64\Lbmpnjai.exe Loocanbe.exe File opened for modification C:\Windows\SysWOW64\Lpapgnpb.exe Lighjd32.exe File opened for modification C:\Windows\SysWOW64\Ajgfnk32.exe Qgiibp32.exe File opened for modification C:\Windows\SysWOW64\Cdapjglj.exe Ceoooj32.exe File created C:\Windows\SysWOW64\Djbfepid.dll Denknngk.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3188 3152 WerFault.exe 274 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ioaobjin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdgfpbaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgoebmip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbdfni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogmngn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmomnlne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqjfpbmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nphbfplf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oibpdico.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqanke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cddlpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljbkig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nljjqbfp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebofcd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdlclo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Miiaogio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhaefepn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ileoknhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljpnch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmoaoikj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmfnjnin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmqgec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmngof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pabncj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dggbgadf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlbaljhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdnlpaln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aehmoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkckblgq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfkebkjk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlhmkbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbkchj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbilhkig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cldnqe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjgonf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jafmngde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfgcieii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olopjddf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkobgm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oophlpag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajgfnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmhkojab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Celbik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Feiaknmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ioheci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idgjqook.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Milaecdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oipcnieb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pobeao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akbelbpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekjgbi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihlpqonl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpnkep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phocfd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acpjga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfpnnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ollcee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ophoecoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmcedg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Codgbqmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddmofeam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckhbnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doamhe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plcied32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cpidai32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Edelakoq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dblangpk.dll" Jcmgal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hddpfjgq.dll" Npffaq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Anpahn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cbnfmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ceoooj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkpbdj32.dll" Dmecokhm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fpcblkje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imgmggec.dll" Jbijcgbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lloimaiq.dll" Kkaolm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fgcdlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mpalfabn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oobiclmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgelak32.dll" Anndbnao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbqgpc32.dll" Dhaefepn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bblehg32.dll" Dlfgehqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olmjje32.dll" Cmfnjnin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mlhmkbhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oacbdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hncklnkp.dll" Qdhqpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cdapjglj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ckhbnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Edelakoq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlcbociq.dll" Jkabmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oaqeogll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oiljcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bcoffd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcophb32.dll" Chohqebq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjgmammj.dll" Dgiomabc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Djmknb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaeghhnb.dll" Ekjgbi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ileoknhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nomphm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okhbco32.dll" Nhfdqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Khglkqfj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kcamln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nkdpmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bmoaoikj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cojghf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fmgcepio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iljifm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedqakci.dll" Anpahn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID 0dcbaaf42e6bec062e4ef394293c3add49f52fe520b9f0a7f8c7a218a06fb34eN.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cmfnjnin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gbkaneao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jkdoci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbgkic32.dll" Kjkehhjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moeodd32.dll" Ljpnch32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lighjd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oibpdico.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fniiae32.dll" Dggbgadf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jjilde32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mchokq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Djmknb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ekjgbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lddcfl32.dll" Fnafdc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ilhlan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jqfcla32.dll" Lijepc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nomphm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Phocfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bmldji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dhaefepn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dilddl32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2308 wrote to memory of 2904 2308 0dcbaaf42e6bec062e4ef394293c3add49f52fe520b9f0a7f8c7a218a06fb34eN.exe 30 PID 2308 wrote to memory of 2904 2308 0dcbaaf42e6bec062e4ef394293c3add49f52fe520b9f0a7f8c7a218a06fb34eN.exe 30 PID 2308 wrote to memory of 2904 2308 0dcbaaf42e6bec062e4ef394293c3add49f52fe520b9f0a7f8c7a218a06fb34eN.exe 30 PID 2308 wrote to memory of 2904 2308 0dcbaaf42e6bec062e4ef394293c3add49f52fe520b9f0a7f8c7a218a06fb34eN.exe 30 PID 2904 wrote to memory of 2840 2904 Ckhbnb32.exe 31 PID 2904 wrote to memory of 2840 2904 Ckhbnb32.exe 31 PID 2904 wrote to memory of 2840 2904 Ckhbnb32.exe 31 PID 2904 wrote to memory of 2840 2904 Ckhbnb32.exe 31 PID 2840 wrote to memory of 2816 2840 Cmfnjnin.exe 32 PID 2840 wrote to memory of 2816 2840 Cmfnjnin.exe 32 PID 2840 wrote to memory of 2816 2840 Cmfnjnin.exe 32 PID 2840 wrote to memory of 2816 2840 Cmfnjnin.exe 32 PID 2816 wrote to memory of 2452 2816 Cojghf32.exe 33 PID 2816 wrote to memory of 2452 2816 Cojghf32.exe 33 PID 2816 wrote to memory of 2452 2816 Cojghf32.exe 33 PID 2816 wrote to memory of 2452 2816 Cojghf32.exe 33 PID 2452 wrote to memory of 2280 2452 Cpidai32.exe 34 PID 2452 wrote to memory of 2280 2452 Cpidai32.exe 34 PID 2452 wrote to memory of 2280 2452 Cpidai32.exe 34 PID 2452 wrote to memory of 2280 2452 Cpidai32.exe 34 PID 2280 wrote to memory of 2768 2280 Dkcebg32.exe 35 PID 2280 wrote to memory of 2768 2280 Dkcebg32.exe 35 PID 2280 wrote to memory of 2768 2280 Dkcebg32.exe 35 PID 2280 wrote to memory of 2768 2280 Dkcebg32.exe 35 PID 2768 wrote to memory of 1488 2768 Dlbaljhn.exe 36 PID 2768 wrote to memory of 1488 2768 Dlbaljhn.exe 36 PID 2768 wrote to memory of 1488 2768 Dlbaljhn.exe 36 PID 2768 wrote to memory of 1488 2768 Dlbaljhn.exe 36 PID 1488 wrote to memory of 580 1488 Doamhe32.exe 37 PID 1488 wrote to memory of 580 1488 Doamhe32.exe 37 PID 1488 wrote to memory of 580 1488 Doamhe32.exe 37 PID 1488 wrote to memory of 580 1488 Doamhe32.exe 37 PID 580 wrote to memory of 2012 580 Dkhnmfle.exe 38 PID 580 wrote to memory of 2012 580 Dkhnmfle.exe 38 PID 580 wrote to memory of 2012 580 Dkhnmfle.exe 38 PID 580 wrote to memory of 2012 580 Dkhnmfle.exe 38 PID 2012 wrote to memory of 848 2012 Djmknb32.exe 39 PID 2012 wrote to memory of 848 2012 Djmknb32.exe 39 PID 2012 wrote to memory of 848 2012 Djmknb32.exe 39 PID 2012 wrote to memory of 848 2012 Djmknb32.exe 39 PID 848 wrote to memory of 2428 848 Dgalhgpg.exe 40 PID 848 wrote to memory of 2428 848 Dgalhgpg.exe 40 PID 848 wrote to memory of 2428 848 Dgalhgpg.exe 40 PID 848 wrote to memory of 2428 848 Dgalhgpg.exe 40 PID 2428 wrote to memory of 1740 2428 Enkdda32.exe 41 PID 2428 wrote to memory of 1740 2428 Enkdda32.exe 41 PID 2428 wrote to memory of 1740 2428 Enkdda32.exe 41 PID 2428 wrote to memory of 1740 2428 Enkdda32.exe 41 PID 1740 wrote to memory of 2372 1740 Edelakoq.exe 42 PID 1740 wrote to memory of 2372 1740 Edelakoq.exe 42 PID 1740 wrote to memory of 2372 1740 Edelakoq.exe 42 PID 1740 wrote to memory of 2372 1740 Edelakoq.exe 42 PID 2372 wrote to memory of 2180 2372 Eqnillbb.exe 43 PID 2372 wrote to memory of 2180 2372 Eqnillbb.exe 43 PID 2372 wrote to memory of 2180 2372 Eqnillbb.exe 43 PID 2372 wrote to memory of 2180 2372 Eqnillbb.exe 43 PID 2180 wrote to memory of 2416 2180 Ebofcd32.exe 44 PID 2180 wrote to memory of 2416 2180 Ebofcd32.exe 44 PID 2180 wrote to memory of 2416 2180 Ebofcd32.exe 44 PID 2180 wrote to memory of 2416 2180 Ebofcd32.exe 44 PID 2416 wrote to memory of 1192 2416 Ekjgbi32.exe 45 PID 2416 wrote to memory of 1192 2416 Ekjgbi32.exe 45 PID 2416 wrote to memory of 1192 2416 Ekjgbi32.exe 45 PID 2416 wrote to memory of 1192 2416 Ekjgbi32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\0dcbaaf42e6bec062e4ef394293c3add49f52fe520b9f0a7f8c7a218a06fb34eN.exe"C:\Users\Admin\AppData\Local\Temp\0dcbaaf42e6bec062e4ef394293c3add49f52fe520b9f0a7f8c7a218a06fb34eN.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Windows\SysWOW64\Ckhbnb32.exeC:\Windows\system32\Ckhbnb32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\Cmfnjnin.exeC:\Windows\system32\Cmfnjnin.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Cojghf32.exeC:\Windows\system32\Cojghf32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Cpidai32.exeC:\Windows\system32\Cpidai32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Windows\SysWOW64\Dkcebg32.exeC:\Windows\system32\Dkcebg32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\SysWOW64\Dlbaljhn.exeC:\Windows\system32\Dlbaljhn.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\Doamhe32.exeC:\Windows\system32\Doamhe32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1488 -
C:\Windows\SysWOW64\Dkhnmfle.exeC:\Windows\system32\Dkhnmfle.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:580 -
C:\Windows\SysWOW64\Djmknb32.exeC:\Windows\system32\Djmknb32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\SysWOW64\Dgalhgpg.exeC:\Windows\system32\Dgalhgpg.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:848 -
C:\Windows\SysWOW64\Enkdda32.exeC:\Windows\system32\Enkdda32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\Edelakoq.exeC:\Windows\system32\Edelakoq.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Windows\SysWOW64\Eqnillbb.exeC:\Windows\system32\Eqnillbb.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\SysWOW64\Ebofcd32.exeC:\Windows\system32\Ebofcd32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\Ekjgbi32.exeC:\Windows\system32\Ekjgbi32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\Ffpkob32.exeC:\Windows\system32\Ffpkob32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1192 -
C:\Windows\SysWOW64\Fqilppic.exeC:\Windows\system32\Fqilppic.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2040 -
C:\Windows\SysWOW64\Fgcdlj32.exeC:\Windows\system32\Fgcdlj32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2080 -
C:\Windows\SysWOW64\Fjaqhe32.exeC:\Windows\system32\Fjaqhe32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2656 -
C:\Windows\SysWOW64\Fcjeakfd.exeC:\Windows\system32\Fcjeakfd.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2208 -
C:\Windows\SysWOW64\Feiaknmg.exeC:\Windows\system32\Feiaknmg.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1000 -
C:\Windows\SysWOW64\Fghngimj.exeC:\Windows\system32\Fghngimj.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2660 -
C:\Windows\SysWOW64\Fnafdc32.exeC:\Windows\system32\Fnafdc32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2152 -
C:\Windows\SysWOW64\Fpcblkje.exeC:\Windows\system32\Fpcblkje.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1528 -
C:\Windows\SysWOW64\Fjhgidjk.exeC:\Windows\system32\Fjhgidjk.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2644 -
C:\Windows\SysWOW64\Fmgcepio.exeC:\Windows\system32\Fmgcepio.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2252 -
C:\Windows\SysWOW64\Gindjqnc.exeC:\Windows\system32\Gindjqnc.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2820 -
C:\Windows\SysWOW64\Gllpflng.exeC:\Windows\system32\Gllpflng.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2844 -
C:\Windows\SysWOW64\Gcchgini.exeC:\Windows\system32\Gcchgini.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3008 -
C:\Windows\SysWOW64\Gmlmpo32.exeC:\Windows\system32\Gmlmpo32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2864 -
C:\Windows\SysWOW64\Gegaeabe.exeC:\Windows\system32\Gegaeabe.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2732 -
C:\Windows\SysWOW64\Gbkaneao.exeC:\Windows\system32\Gbkaneao.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:2240 -
C:\Windows\SysWOW64\Ghgjflof.exeC:\Windows\system32\Ghgjflof.exe34⤵
- Executes dropped EXE
PID:2060 -
C:\Windows\SysWOW64\Gjffbhnj.exeC:\Windows\system32\Gjffbhnj.exe35⤵
- Executes dropped EXE
PID:1672 -
C:\Windows\SysWOW64\Gdnkkmej.exeC:\Windows\system32\Gdnkkmej.exe36⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Hmgodc32.exeC:\Windows\system32\Hmgodc32.exe37⤵
- Executes dropped EXE
PID:1068 -
C:\Windows\SysWOW64\Hengep32.exeC:\Windows\system32\Hengep32.exe38⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Hmiljb32.exeC:\Windows\system32\Hmiljb32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Hjmmcgha.exeC:\Windows\system32\Hjmmcgha.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2224 -
C:\Windows\SysWOW64\Hagepa32.exeC:\Windows\system32\Hagepa32.exe41⤵
- Executes dropped EXE
PID:1388 -
C:\Windows\SysWOW64\Hdeall32.exeC:\Windows\system32\Hdeall32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:952 -
C:\Windows\SysWOW64\Hfdmhh32.exeC:\Windows\system32\Hfdmhh32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2484 -
C:\Windows\SysWOW64\Hibidc32.exeC:\Windows\system32\Hibidc32.exe44⤵
- Executes dropped EXE
PID:1356 -
C:\Windows\SysWOW64\Hlqfqo32.exeC:\Windows\system32\Hlqfqo32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1588 -
C:\Windows\SysWOW64\Hbknmicj.exeC:\Windows\system32\Hbknmicj.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1332 -
C:\Windows\SysWOW64\Heijidbn.exeC:\Windows\system32\Heijidbn.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2200 -
C:\Windows\SysWOW64\Hpoofm32.exeC:\Windows\system32\Hpoofm32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2632 -
C:\Windows\SysWOW64\Ioaobjin.exeC:\Windows\system32\Ioaobjin.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1508 -
C:\Windows\SysWOW64\Iekgod32.exeC:\Windows\system32\Iekgod32.exe50⤵
- Executes dropped EXE
PID:2972 -
C:\Windows\SysWOW64\Ihjcko32.exeC:\Windows\system32\Ihjcko32.exe51⤵
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Ileoknhh.exeC:\Windows\system32\Ileoknhh.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2916 -
C:\Windows\SysWOW64\Iabhdefo.exeC:\Windows\system32\Iabhdefo.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2236 -
C:\Windows\SysWOW64\Ihlpqonl.exeC:\Windows\system32\Ihlpqonl.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2764 -
C:\Windows\SysWOW64\Ilhlan32.exeC:\Windows\system32\Ilhlan32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2720 -
C:\Windows\SysWOW64\Iofhmi32.exeC:\Windows\system32\Iofhmi32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2256 -
C:\Windows\SysWOW64\Ieppjclf.exeC:\Windows\system32\Ieppjclf.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3004 -
C:\Windows\SysWOW64\Ihnmfoli.exeC:\Windows\system32\Ihnmfoli.exe58⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Iljifm32.exeC:\Windows\system32\Iljifm32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1472 -
C:\Windows\SysWOW64\Ioheci32.exeC:\Windows\system32\Ioheci32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2096 -
C:\Windows\SysWOW64\Iagaod32.exeC:\Windows\system32\Iagaod32.exe61⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Ihqilnig.exeC:\Windows\system32\Ihqilnig.exe62⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Ikoehj32.exeC:\Windows\system32\Ikoehj32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Iainddpg.exeC:\Windows\system32\Iainddpg.exe64⤵
- Executes dropped EXE
PID:936 -
C:\Windows\SysWOW64\Idgjqook.exeC:\Windows\system32\Idgjqook.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:892 -
C:\Windows\SysWOW64\Ihcfan32.exeC:\Windows\system32\Ihcfan32.exe66⤵PID:1660
-
C:\Windows\SysWOW64\Jkabmi32.exeC:\Windows\system32\Jkabmi32.exe67⤵
- Modifies registry class
PID:2460 -
C:\Windows\SysWOW64\Jpnkep32.exeC:\Windows\system32\Jpnkep32.exe68⤵
- System Location Discovery: System Language Discovery
PID:692 -
C:\Windows\SysWOW64\Jcmgal32.exeC:\Windows\system32\Jcmgal32.exe69⤵
- Modifies registry class
PID:2524 -
C:\Windows\SysWOW64\Jkdoci32.exeC:\Windows\system32\Jkdoci32.exe70⤵
- Modifies registry class
PID:612 -
C:\Windows\SysWOW64\Jjgonf32.exeC:\Windows\system32\Jjgonf32.exe71⤵
- System Location Discovery: System Language Discovery
PID:2884 -
C:\Windows\SysWOW64\Jdlclo32.exeC:\Windows\system32\Jdlclo32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2696 -
C:\Windows\SysWOW64\Jjilde32.exeC:\Windows\system32\Jjilde32.exe73⤵
- Modifies registry class
PID:2808 -
C:\Windows\SysWOW64\Jndhddaf.exeC:\Windows\system32\Jndhddaf.exe74⤵PID:2740
-
C:\Windows\SysWOW64\Jpcdqpqj.exeC:\Windows\system32\Jpcdqpqj.exe75⤵PID:2788
-
C:\Windows\SysWOW64\Jgmlmj32.exeC:\Windows\system32\Jgmlmj32.exe76⤵PID:2056
-
C:\Windows\SysWOW64\Jjkiie32.exeC:\Windows\system32\Jjkiie32.exe77⤵PID:2908
-
C:\Windows\SysWOW64\Jpeafo32.exeC:\Windows\system32\Jpeafo32.exe78⤵PID:2264
-
C:\Windows\SysWOW64\Jafmngde.exeC:\Windows\system32\Jafmngde.exe79⤵
- System Location Discovery: System Language Discovery
PID:2004 -
C:\Windows\SysWOW64\Jkobgm32.exeC:\Windows\system32\Jkobgm32.exe80⤵
- System Location Discovery: System Language Discovery
PID:1720 -
C:\Windows\SysWOW64\Jbijcgbc.exeC:\Windows\system32\Jbijcgbc.exe81⤵
- Modifies registry class
PID:1696 -
C:\Windows\SysWOW64\Kdgfpbaf.exeC:\Windows\system32\Kdgfpbaf.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:680 -
C:\Windows\SysWOW64\Kkaolm32.exeC:\Windows\system32\Kkaolm32.exe83⤵
- Modifies registry class
PID:2556 -
C:\Windows\SysWOW64\Kbkgig32.exeC:\Windows\system32\Kbkgig32.exe84⤵PID:1920
-
C:\Windows\SysWOW64\Kfgcieii.exeC:\Windows\system32\Kfgcieii.exe85⤵
- System Location Discovery: System Language Discovery
PID:2392 -
C:\Windows\SysWOW64\Kheofahm.exeC:\Windows\system32\Kheofahm.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1604 -
C:\Windows\SysWOW64\Kkckblgq.exeC:\Windows\system32\Kkckblgq.exe87⤵
- System Location Discovery: System Language Discovery
PID:2852 -
C:\Windows\SysWOW64\Knbgnhfd.exeC:\Windows\system32\Knbgnhfd.exe88⤵PID:408
-
C:\Windows\SysWOW64\Kqqdjceh.exeC:\Windows\system32\Kqqdjceh.exe89⤵PID:2944
-
C:\Windows\SysWOW64\Khglkqfj.exeC:\Windows\system32\Khglkqfj.exe90⤵
- Modifies registry class
PID:1036 -
C:\Windows\SysWOW64\Kjihci32.exeC:\Windows\system32\Kjihci32.exe91⤵PID:2444
-
C:\Windows\SysWOW64\Kdnlpaln.exeC:\Windows\system32\Kdnlpaln.exe92⤵
- System Location Discovery: System Language Discovery
PID:1620 -
C:\Windows\SysWOW64\Kcamln32.exeC:\Windows\system32\Kcamln32.exe93⤵
- Modifies registry class
PID:2344 -
C:\Windows\SysWOW64\Kjkehhjf.exeC:\Windows\system32\Kjkehhjf.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1780 -
C:\Windows\SysWOW64\Kmjaddii.exeC:\Windows\system32\Kmjaddii.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2024 -
C:\Windows\SysWOW64\Kdqifajl.exeC:\Windows\system32\Kdqifajl.exe96⤵PID:2540
-
C:\Windows\SysWOW64\Kgoebmip.exeC:\Windows\system32\Kgoebmip.exe97⤵
- System Location Discovery: System Language Discovery
PID:1684 -
C:\Windows\SysWOW64\Lcffgnnc.exeC:\Windows\system32\Lcffgnnc.exe98⤵
- Drops file in System32 directory
PID:1728 -
C:\Windows\SysWOW64\Ljpnch32.exeC:\Windows\system32\Ljpnch32.exe99⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1800 -
C:\Windows\SysWOW64\Lqjfpbmm.exeC:\Windows\system32\Lqjfpbmm.exe100⤵
- System Location Discovery: System Language Discovery
PID:2592 -
C:\Windows\SysWOW64\Lbkchj32.exeC:\Windows\system32\Lbkchj32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1600 -
C:\Windows\SysWOW64\Ljbkig32.exeC:\Windows\system32\Ljbkig32.exe102⤵
- System Location Discovery: System Language Discovery
PID:2824 -
C:\Windows\SysWOW64\Lmqgec32.exeC:\Windows\system32\Lmqgec32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2712 -
C:\Windows\SysWOW64\Loocanbe.exeC:\Windows\system32\Loocanbe.exe104⤵
- Drops file in System32 directory
PID:3020 -
C:\Windows\SysWOW64\Lbmpnjai.exeC:\Windows\system32\Lbmpnjai.exe105⤵PID:2728
-
C:\Windows\SysWOW64\Lelljepm.exeC:\Windows\system32\Lelljepm.exe106⤵PID:3044
-
C:\Windows\SysWOW64\Lighjd32.exeC:\Windows\system32\Lighjd32.exe107⤵
- Drops file in System32 directory
- Modifies registry class
PID:2128 -
C:\Windows\SysWOW64\Lpapgnpb.exeC:\Windows\system32\Lpapgnpb.exe108⤵PID:1624
-
C:\Windows\SysWOW64\Lbplciof.exeC:\Windows\system32\Lbplciof.exe109⤵PID:2144
-
C:\Windows\SysWOW64\Lijepc32.exeC:\Windows\system32\Lijepc32.exe110⤵
- Modifies registry class
PID:1556 -
C:\Windows\SysWOW64\Lpcmlnnp.exeC:\Windows\system32\Lpcmlnnp.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:908 -
C:\Windows\SysWOW64\Lbbiii32.exeC:\Windows\system32\Lbbiii32.exe112⤵
- Drops file in System32 directory
PID:2572 -
C:\Windows\SysWOW64\Milaecdp.exeC:\Windows\system32\Milaecdp.exe113⤵
- System Location Discovery: System Language Discovery
PID:3048 -
C:\Windows\SysWOW64\Mjmnmk32.exeC:\Windows\system32\Mjmnmk32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2920 -
C:\Windows\SysWOW64\Mbdfni32.exeC:\Windows\system32\Mbdfni32.exe115⤵
- System Location Discovery: System Language Discovery
PID:1612 -
C:\Windows\SysWOW64\Mganfp32.exeC:\Windows\system32\Mganfp32.exe116⤵PID:3000
-
C:\Windows\SysWOW64\Mjpkbk32.exeC:\Windows\system32\Mjpkbk32.exe117⤵PID:1748
-
C:\Windows\SysWOW64\Mmngof32.exeC:\Windows\system32\Mmngof32.exe118⤵
- System Location Discovery: System Language Discovery
PID:1768 -
C:\Windows\SysWOW64\Mchokq32.exeC:\Windows\system32\Mchokq32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2148 -
C:\Windows\SysWOW64\Mhckloge.exeC:\Windows\system32\Mhckloge.exe120⤵
- Drops file in System32 directory
PID:1988 -
C:\Windows\SysWOW64\Mjbghkfi.exeC:\Windows\system32\Mjbghkfi.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2640
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-