Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
12/10/2024, 00:52
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9f3a057549ec90a66eb3a338e3aacad87abd061c4567b78789d749cd35546545.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral2
Sample
9f3a057549ec90a66eb3a338e3aacad87abd061c4567b78789d749cd35546545.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
9f3a057549ec90a66eb3a338e3aacad87abd061c4567b78789d749cd35546545.exe
-
Size
416KB
-
MD5
a029c0f19cfa68752058bb78bda1c523
-
SHA1
38a7686f076e1d8d8e1f04990f58348ff0fb4a96
-
SHA256
9f3a057549ec90a66eb3a338e3aacad87abd061c4567b78789d749cd35546545
-
SHA512
399b78b0ad3b6955d75bd48aa053fd0e82d3725b8969c0d2d0b627e1cb39cfa67fc6006fba162be2ba16414aefa64c090971e6f255b0a6e71a3c7bcf1b06c780
-
SSDEEP
3072:iC7T24/t0YzawHDREoqAVAURfE+HAokWmvEie0RFz3yE2ZwVh16Mz7GFD0AlWP:bv2GGgEoqARs+HLlD0rN2ZwVht740PP
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gljpncgc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcbecl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jampjian.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjmnjkjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okpcoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdmnam32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbgqjdce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkbaii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbiiog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egahen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkegah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdhcli32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Coacbfii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qdojgmfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jliaac32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kadfkhkf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aomnhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfkloq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lokgcf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcphnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlnpgd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqgmfkhg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjdofm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dafmqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnofjfhk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldbofgme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bniajoic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbafdlod.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqeqqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enkpahon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdcmbgkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dknajh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggicgopd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mclebc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oadkej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opglafab.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bceibfgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idcacc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omcifpnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Difnaqih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elajgpmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hboddk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfdddm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qiioon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oaqbln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajgbkbjp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lklgbadb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgcmbcih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahpifj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gegabegc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Difnaqih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfejjgli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppnnai32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aebmjo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhakcfab.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jojkco32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opfbngfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afdiondb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Boogmgkl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjakccop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iinmfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Poklngnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akkoig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bflbigdb.exe -
Executes dropped EXE 64 IoCs
pid Process 2060 Egmojnlf.exe 2264 Ejkkfjkj.exe 2820 Eabcggll.exe 2620 Epecbd32.exe 2800 Ekjgpm32.exe 2892 Elldgehk.exe 1484 Egahen32.exe 1960 Enkpahon.exe 1712 Fffefjmi.exe 1056 Fheabelm.exe 2908 Flqmbd32.exe 3036 Fhgnge32.exe 2868 Ffkoai32.exe 2316 Fhikme32.exe 2372 Ffmkfifa.exe 2328 Filgbdfd.exe 1100 Fofpoo32.exe 1016 Fbdlkj32.exe 788 Fgadda32.exe 1924 Gnkmqkbi.exe 1988 Gkomjo32.exe 624 Gmpjagfa.exe 2524 Gegabegc.exe 1720 Gnpflj32.exe 1740 Gcmoda32.exe 1632 Giiglhjb.exe 2756 Gmecmg32.exe 1864 Gpcoib32.exe 2424 Gfmgelil.exe 320 Gjicfk32.exe 2532 Gljpncgc.exe 1412 Gbdhjm32.exe 2808 Hebdfind.exe 984 Hinqgg32.exe 1036 Hllmcc32.exe 2388 Hnkion32.exe 2920 Hfbaql32.exe 444 Hipmmg32.exe 1576 Hnmeen32.exe 1908 Hegnahjo.exe 2584 Hlafnbal.exe 1668 Hjdfjo32.exe 3016 Heikgh32.exe 2092 Hhhgcc32.exe 1648 Hlccdboi.exe 1500 Hnbopmnm.exe 2192 Hapklimq.exe 2660 Hdoghdmd.exe 2896 Hfmddp32.exe 1752 Hjipenda.exe 2784 Idadnd32.exe 2852 Ihmpobck.exe 2108 Ifoqjo32.exe 2120 Iinmfk32.exe 2764 Imiigiab.exe 2924 Iphecepe.exe 2344 Idcacc32.exe 2368 Ifampo32.exe 2284 Iipiljgf.exe 3064 Imleli32.exe 2664 Ipjahd32.exe 1212 Idfnicfl.exe 868 Ifdjeoep.exe 2932 Iegjqk32.exe -
Loads dropped DLL 64 IoCs
pid Process 2588 9f3a057549ec90a66eb3a338e3aacad87abd061c4567b78789d749cd35546545.exe 2588 9f3a057549ec90a66eb3a338e3aacad87abd061c4567b78789d749cd35546545.exe 2060 Egmojnlf.exe 2060 Egmojnlf.exe 2264 Ejkkfjkj.exe 2264 Ejkkfjkj.exe 2820 Eabcggll.exe 2820 Eabcggll.exe 2620 Epecbd32.exe 2620 Epecbd32.exe 2800 Ekjgpm32.exe 2800 Ekjgpm32.exe 2892 Elldgehk.exe 2892 Elldgehk.exe 1484 Egahen32.exe 1484 Egahen32.exe 1960 Enkpahon.exe 1960 Enkpahon.exe 1712 Fffefjmi.exe 1712 Fffefjmi.exe 1056 Fheabelm.exe 1056 Fheabelm.exe 2908 Flqmbd32.exe 2908 Flqmbd32.exe 3036 Fhgnge32.exe 3036 Fhgnge32.exe 2868 Ffkoai32.exe 2868 Ffkoai32.exe 2316 Fhikme32.exe 2316 Fhikme32.exe 2372 Ffmkfifa.exe 2372 Ffmkfifa.exe 2328 Filgbdfd.exe 2328 Filgbdfd.exe 1100 Fofpoo32.exe 1100 Fofpoo32.exe 1016 Fbdlkj32.exe 1016 Fbdlkj32.exe 788 Fgadda32.exe 788 Fgadda32.exe 1924 Gnkmqkbi.exe 1924 Gnkmqkbi.exe 1988 Gkomjo32.exe 1988 Gkomjo32.exe 624 Gmpjagfa.exe 624 Gmpjagfa.exe 2524 Gegabegc.exe 2524 Gegabegc.exe 1720 Gnpflj32.exe 1720 Gnpflj32.exe 1740 Gcmoda32.exe 1740 Gcmoda32.exe 1632 Giiglhjb.exe 1632 Giiglhjb.exe 2756 Gmecmg32.exe 2756 Gmecmg32.exe 1864 Gpcoib32.exe 1864 Gpcoib32.exe 2424 Gfmgelil.exe 2424 Gfmgelil.exe 320 Gjicfk32.exe 320 Gjicfk32.exe 2532 Gljpncgc.exe 2532 Gljpncgc.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Okhdnm32.dll Opihgfop.exe File opened for modification C:\Windows\SysWOW64\Jjdofm32.exe Jckgicnp.exe File opened for modification C:\Windows\SysWOW64\Okgjodmi.exe Ogknoe32.exe File created C:\Windows\SysWOW64\Bljbql32.dll Plaimk32.exe File created C:\Windows\SysWOW64\Bkmhnjlh.exe Biolanld.exe File created C:\Windows\SysWOW64\Ebaijflc.dll Edfbaabj.exe File created C:\Windows\SysWOW64\Nogobaio.dll Kcmcoblm.exe File created C:\Windows\SysWOW64\Hopjqipp.dll Odjdmjgo.exe File created C:\Windows\SysWOW64\Qkibcg32.exe Qgmfchei.exe File created C:\Windows\SysWOW64\Kfnpea32.dll Ghajacmo.exe File created C:\Windows\SysWOW64\Njpeip32.dll Kgnbnpkp.exe File created C:\Windows\SysWOW64\Epnhci32.dll Ldjpbign.exe File created C:\Windows\SysWOW64\Olmcchlg.exe Ohagbj32.exe File opened for modification C:\Windows\SysWOW64\Oonldcih.exe Olophhjd.exe File created C:\Windows\SysWOW64\Lbijlpke.dll Giiglhjb.exe File opened for modification C:\Windows\SysWOW64\Ibmgpoia.exe Ipokcdjn.exe File created C:\Windows\SysWOW64\Idgglb32.exe Iahkpg32.exe File opened for modification C:\Windows\SysWOW64\Baojapfj.exe Bkbaii32.exe File created C:\Windows\SysWOW64\Fncpef32.exe Fjhcegll.exe File created C:\Windows\SysWOW64\Gonocmbi.exe Gdhkfd32.exe File created C:\Windows\SysWOW64\Iofjqboi.dll Jbqmhnbo.exe File created C:\Windows\SysWOW64\Nbngca32.dll Pjcmap32.exe File opened for modification C:\Windows\SysWOW64\Gfejjgli.exe Golbnm32.exe File created C:\Windows\SysWOW64\Akabgebj.exe Alnalh32.exe File created C:\Windows\SysWOW64\Fhgnge32.exe Flqmbd32.exe File opened for modification C:\Windows\SysWOW64\Ciohqa32.exe Ccbphk32.exe File opened for modification C:\Windows\SysWOW64\Fnacpffh.exe Fjegog32.exe File opened for modification C:\Windows\SysWOW64\Jimbkh32.exe Jeafjiop.exe File created C:\Windows\SysWOW64\Qjdaldla.dll Mbhlek32.exe File created C:\Windows\SysWOW64\Lcmfeo32.dll Befmfpbi.exe File created C:\Windows\SysWOW64\Lomgjb32.exe Kgfoie32.exe File created C:\Windows\SysWOW64\Omefkplm.exe Oijjka32.exe File created C:\Windows\SysWOW64\Gbdcic32.dll Hjacjifm.exe File created C:\Windows\SysWOW64\Ajcbch32.dll Hpnkbpdd.exe File created C:\Windows\SysWOW64\Ahmiofbn.dll Ddblgn32.exe File opened for modification C:\Windows\SysWOW64\Eelkeeah.exe Ecnoijbd.exe File created C:\Windows\SysWOW64\Khoqme32.dll Allefimb.exe File opened for modification C:\Windows\SysWOW64\Clojhf32.exe Ceebklai.exe File created C:\Windows\SysWOW64\Pmibbi32.dll Bjbeofpp.exe File opened for modification C:\Windows\SysWOW64\Qkibcg32.exe Qgmfchei.exe File created C:\Windows\SysWOW64\Lmhjag32.dll Gdkgkcpq.exe File opened for modification C:\Windows\SysWOW64\Hemqpf32.exe Hboddk32.exe File opened for modification C:\Windows\SysWOW64\Lqipkhbj.exe Lohccp32.exe File created C:\Windows\SysWOW64\Apedah32.exe Alihaioe.exe File opened for modification C:\Windows\SysWOW64\Kpcqnf32.exe Khlili32.exe File created C:\Windows\SysWOW64\Pphcfh32.dll Oaqbln32.exe File created C:\Windows\SysWOW64\Eknmhk32.exe Eaeipfei.exe File opened for modification C:\Windows\SysWOW64\Bhjlli32.exe Abpcooea.exe File created C:\Windows\SysWOW64\Iplkimih.dll Neqnqofm.exe File opened for modification C:\Windows\SysWOW64\Dpkibo32.exe Dmmmfc32.exe File created C:\Windows\SysWOW64\Gceailog.exe Goiehm32.exe File opened for modification C:\Windows\SysWOW64\Mmgfqh32.exe Mjhjdm32.exe File created C:\Windows\SysWOW64\Pknedeoi.dll Difnaqih.exe File created C:\Windows\SysWOW64\Fmqgqj32.dll Iigpli32.exe File created C:\Windows\SysWOW64\Pcbncfjd.exe Pdonhj32.exe File opened for modification C:\Windows\SysWOW64\Acnjnh32.exe Aobnniji.exe File opened for modification C:\Windows\SysWOW64\Ijehdl32.exe Idkpganf.exe File created C:\Windows\SysWOW64\Ahpifj32.exe Aebmjo32.exe File created C:\Windows\SysWOW64\Nenakoho.exe Nbpeoc32.exe File opened for modification C:\Windows\SysWOW64\Olmcchlg.exe Ohagbj32.exe File created C:\Windows\SysWOW64\Hpdelj32.dll Idadnd32.exe File created C:\Windows\SysWOW64\Hefhqhka.dll Nenakoho.exe File opened for modification C:\Windows\SysWOW64\Caifjn32.exe Ckmnbg32.exe File created C:\Windows\SysWOW64\Nhndalhm.dll Akkoig32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6788 6756 WerFault.exe 598 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgkocj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gonocmbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkoicb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdncmgbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgkleabc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phfmllbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pldebkhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bckjhl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnfqccna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhhgcc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ookpodkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajqljc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcphnm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oehdan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fncpef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbafdlod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eabcggll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agbpnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbagipfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djgkii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhdjgoha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gljpncgc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlafnbal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lngnfnji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccdmnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aggiigmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdhkfd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmfbpk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmgalkcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phcpgm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Palepb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agpcihcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nameek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfoghakb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofadnq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agolnbok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnmeen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omefkplm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dknajh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggicgopd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoagccfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpfmmf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofcqcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohiffh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iegjqk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ielclkhe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nigafnck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agdmdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bofgii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlnpgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opqoge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egahen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pejmfqan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adlcfjgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cepipm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Poklngnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnnaoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbhlek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjhjdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idfnicfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajeeeblb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hegnahjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmnclmoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odhhgkib.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkabpebk.dll" Mkddnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkfgkgmk.dll" Pcdkif32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phfmllbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddblgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jlelhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncehag32.dll" Aijbfo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjokokha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Npmphinm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odhhgkib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eknmhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alacdcjm.dll" Panaeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bqgmfkhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mkaghg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Panaeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnbnfb32.dll" Agpcihcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oococb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihkcje32.dll" Fnofjfhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocaeoe32.dll" Iinmfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibmgpoia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjfikeqd.dll" Fncpef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfcaiilc.dll" Jjdofm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Olmcchlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Panaeb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgmahg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhnmcb32.dll" Ijehdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Alihaioe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Npmphinm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aoojnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kielkojm.dll" Mbbfep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oehdan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qppkfhlc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qjklenpa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgmeid32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gnpflj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hllmcc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jdcmbgkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohiffh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhiejpim.dll" Paknelgk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bqeqqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fheabelm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpihdl32.dll" Lkgngb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpeqncja.dll" Hqfaldbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Imokehhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gcmoda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olmcchlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okhdnm32.dll" Opihgfop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pljlbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmclka32.dll" Ifoqjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nallalep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgdibkam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fcbecl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnnoic32.dll" Pphkbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpenkfbe.dll" Epecbd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lclicpkm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfbaql32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgpgjepk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajcbch32.dll" Hpnkbpdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhhgcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iplkimih.dll" Neqnqofm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ffkoai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Akiobk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddfebnoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leoggnnm.dll" Ffmkfifa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eaeipfei.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2588 wrote to memory of 2060 2588 9f3a057549ec90a66eb3a338e3aacad87abd061c4567b78789d749cd35546545.exe 30 PID 2588 wrote to memory of 2060 2588 9f3a057549ec90a66eb3a338e3aacad87abd061c4567b78789d749cd35546545.exe 30 PID 2588 wrote to memory of 2060 2588 9f3a057549ec90a66eb3a338e3aacad87abd061c4567b78789d749cd35546545.exe 30 PID 2588 wrote to memory of 2060 2588 9f3a057549ec90a66eb3a338e3aacad87abd061c4567b78789d749cd35546545.exe 30 PID 2060 wrote to memory of 2264 2060 Egmojnlf.exe 31 PID 2060 wrote to memory of 2264 2060 Egmojnlf.exe 31 PID 2060 wrote to memory of 2264 2060 Egmojnlf.exe 31 PID 2060 wrote to memory of 2264 2060 Egmojnlf.exe 31 PID 2264 wrote to memory of 2820 2264 Ejkkfjkj.exe 32 PID 2264 wrote to memory of 2820 2264 Ejkkfjkj.exe 32 PID 2264 wrote to memory of 2820 2264 Ejkkfjkj.exe 32 PID 2264 wrote to memory of 2820 2264 Ejkkfjkj.exe 32 PID 2820 wrote to memory of 2620 2820 Eabcggll.exe 33 PID 2820 wrote to memory of 2620 2820 Eabcggll.exe 33 PID 2820 wrote to memory of 2620 2820 Eabcggll.exe 33 PID 2820 wrote to memory of 2620 2820 Eabcggll.exe 33 PID 2620 wrote to memory of 2800 2620 Epecbd32.exe 34 PID 2620 wrote to memory of 2800 2620 Epecbd32.exe 34 PID 2620 wrote to memory of 2800 2620 Epecbd32.exe 34 PID 2620 wrote to memory of 2800 2620 Epecbd32.exe 34 PID 2800 wrote to memory of 2892 2800 Ekjgpm32.exe 35 PID 2800 wrote to memory of 2892 2800 Ekjgpm32.exe 35 PID 2800 wrote to memory of 2892 2800 Ekjgpm32.exe 35 PID 2800 wrote to memory of 2892 2800 Ekjgpm32.exe 35 PID 2892 wrote to memory of 1484 2892 Elldgehk.exe 36 PID 2892 wrote to memory of 1484 2892 Elldgehk.exe 36 PID 2892 wrote to memory of 1484 2892 Elldgehk.exe 36 PID 2892 wrote to memory of 1484 2892 Elldgehk.exe 36 PID 1484 wrote to memory of 1960 1484 Egahen32.exe 37 PID 1484 wrote to memory of 1960 1484 Egahen32.exe 37 PID 1484 wrote to memory of 1960 1484 Egahen32.exe 37 PID 1484 wrote to memory of 1960 1484 Egahen32.exe 37 PID 1960 wrote to memory of 1712 1960 Enkpahon.exe 38 PID 1960 wrote to memory of 1712 1960 Enkpahon.exe 38 PID 1960 wrote to memory of 1712 1960 Enkpahon.exe 38 PID 1960 wrote to memory of 1712 1960 Enkpahon.exe 38 PID 1712 wrote to memory of 1056 1712 Fffefjmi.exe 39 PID 1712 wrote to memory of 1056 1712 Fffefjmi.exe 39 PID 1712 wrote to memory of 1056 1712 Fffefjmi.exe 39 PID 1712 wrote to memory of 1056 1712 Fffefjmi.exe 39 PID 1056 wrote to memory of 2908 1056 Fheabelm.exe 40 PID 1056 wrote to memory of 2908 1056 Fheabelm.exe 40 PID 1056 wrote to memory of 2908 1056 Fheabelm.exe 40 PID 1056 wrote to memory of 2908 1056 Fheabelm.exe 40 PID 2908 wrote to memory of 3036 2908 Flqmbd32.exe 41 PID 2908 wrote to memory of 3036 2908 Flqmbd32.exe 41 PID 2908 wrote to memory of 3036 2908 Flqmbd32.exe 41 PID 2908 wrote to memory of 3036 2908 Flqmbd32.exe 41 PID 3036 wrote to memory of 2868 3036 Fhgnge32.exe 42 PID 3036 wrote to memory of 2868 3036 Fhgnge32.exe 42 PID 3036 wrote to memory of 2868 3036 Fhgnge32.exe 42 PID 3036 wrote to memory of 2868 3036 Fhgnge32.exe 42 PID 2868 wrote to memory of 2316 2868 Ffkoai32.exe 43 PID 2868 wrote to memory of 2316 2868 Ffkoai32.exe 43 PID 2868 wrote to memory of 2316 2868 Ffkoai32.exe 43 PID 2868 wrote to memory of 2316 2868 Ffkoai32.exe 43 PID 2316 wrote to memory of 2372 2316 Fhikme32.exe 44 PID 2316 wrote to memory of 2372 2316 Fhikme32.exe 44 PID 2316 wrote to memory of 2372 2316 Fhikme32.exe 44 PID 2316 wrote to memory of 2372 2316 Fhikme32.exe 44 PID 2372 wrote to memory of 2328 2372 Ffmkfifa.exe 45 PID 2372 wrote to memory of 2328 2372 Ffmkfifa.exe 45 PID 2372 wrote to memory of 2328 2372 Ffmkfifa.exe 45 PID 2372 wrote to memory of 2328 2372 Ffmkfifa.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\9f3a057549ec90a66eb3a338e3aacad87abd061c4567b78789d749cd35546545.exe"C:\Users\Admin\AppData\Local\Temp\9f3a057549ec90a66eb3a338e3aacad87abd061c4567b78789d749cd35546545.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Egmojnlf.exeC:\Windows\system32\Egmojnlf.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2060 -
C:\Windows\SysWOW64\Ejkkfjkj.exeC:\Windows\system32\Ejkkfjkj.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Windows\SysWOW64\Eabcggll.exeC:\Windows\system32\Eabcggll.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\Epecbd32.exeC:\Windows\system32\Epecbd32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Ekjgpm32.exeC:\Windows\system32\Ekjgpm32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\SysWOW64\Elldgehk.exeC:\Windows\system32\Elldgehk.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\Egahen32.exeC:\Windows\system32\Egahen32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1484 -
C:\Windows\SysWOW64\Enkpahon.exeC:\Windows\system32\Enkpahon.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Windows\SysWOW64\Fffefjmi.exeC:\Windows\system32\Fffefjmi.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1712 -
C:\Windows\SysWOW64\Fheabelm.exeC:\Windows\system32\Fheabelm.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1056 -
C:\Windows\SysWOW64\Flqmbd32.exeC:\Windows\system32\Flqmbd32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Fhgnge32.exeC:\Windows\system32\Fhgnge32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Windows\SysWOW64\Ffkoai32.exeC:\Windows\system32\Ffkoai32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Fhikme32.exeC:\Windows\system32\Fhikme32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\SysWOW64\Ffmkfifa.exeC:\Windows\system32\Ffmkfifa.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\SysWOW64\Filgbdfd.exeC:\Windows\system32\Filgbdfd.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2328 -
C:\Windows\SysWOW64\Fofpoo32.exeC:\Windows\system32\Fofpoo32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1100 -
C:\Windows\SysWOW64\Fbdlkj32.exeC:\Windows\system32\Fbdlkj32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1016 -
C:\Windows\SysWOW64\Fgadda32.exeC:\Windows\system32\Fgadda32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:788 -
C:\Windows\SysWOW64\Gnkmqkbi.exeC:\Windows\system32\Gnkmqkbi.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1924 -
C:\Windows\SysWOW64\Gkomjo32.exeC:\Windows\system32\Gkomjo32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1988 -
C:\Windows\SysWOW64\Gmpjagfa.exeC:\Windows\system32\Gmpjagfa.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:624 -
C:\Windows\SysWOW64\Gegabegc.exeC:\Windows\system32\Gegabegc.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2524 -
C:\Windows\SysWOW64\Gnpflj32.exeC:\Windows\system32\Gnpflj32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1720 -
C:\Windows\SysWOW64\Gcmoda32.exeC:\Windows\system32\Gcmoda32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1740 -
C:\Windows\SysWOW64\Giiglhjb.exeC:\Windows\system32\Giiglhjb.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1632 -
C:\Windows\SysWOW64\Gmecmg32.exeC:\Windows\system32\Gmecmg32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2756 -
C:\Windows\SysWOW64\Gpcoib32.exeC:\Windows\system32\Gpcoib32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1864 -
C:\Windows\SysWOW64\Gfmgelil.exeC:\Windows\system32\Gfmgelil.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2424 -
C:\Windows\SysWOW64\Gjicfk32.exeC:\Windows\system32\Gjicfk32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:320 -
C:\Windows\SysWOW64\Gljpncgc.exeC:\Windows\system32\Gljpncgc.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2532 -
C:\Windows\SysWOW64\Gbdhjm32.exeC:\Windows\system32\Gbdhjm32.exe33⤵
- Executes dropped EXE
PID:1412 -
C:\Windows\SysWOW64\Hebdfind.exeC:\Windows\system32\Hebdfind.exe34⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Hinqgg32.exeC:\Windows\system32\Hinqgg32.exe35⤵
- Executes dropped EXE
PID:984 -
C:\Windows\SysWOW64\Hllmcc32.exeC:\Windows\system32\Hllmcc32.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:1036 -
C:\Windows\SysWOW64\Hnkion32.exeC:\Windows\system32\Hnkion32.exe37⤵
- Executes dropped EXE
PID:2388 -
C:\Windows\SysWOW64\Hfbaql32.exeC:\Windows\system32\Hfbaql32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:2920 -
C:\Windows\SysWOW64\Hipmmg32.exeC:\Windows\system32\Hipmmg32.exe39⤵
- Executes dropped EXE
PID:444 -
C:\Windows\SysWOW64\Hnmeen32.exeC:\Windows\system32\Hnmeen32.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1576 -
C:\Windows\SysWOW64\Hegnahjo.exeC:\Windows\system32\Hegnahjo.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1908 -
C:\Windows\SysWOW64\Hlafnbal.exeC:\Windows\system32\Hlafnbal.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2584 -
C:\Windows\SysWOW64\Hjdfjo32.exeC:\Windows\system32\Hjdfjo32.exe43⤵
- Executes dropped EXE
PID:1668 -
C:\Windows\SysWOW64\Heikgh32.exeC:\Windows\system32\Heikgh32.exe44⤵
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Hhhgcc32.exeC:\Windows\system32\Hhhgcc32.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2092 -
C:\Windows\SysWOW64\Hlccdboi.exeC:\Windows\system32\Hlccdboi.exe46⤵
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Hnbopmnm.exeC:\Windows\system32\Hnbopmnm.exe47⤵
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Hapklimq.exeC:\Windows\system32\Hapklimq.exe48⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Hdoghdmd.exeC:\Windows\system32\Hdoghdmd.exe49⤵
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Hfmddp32.exeC:\Windows\system32\Hfmddp32.exe50⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Hjipenda.exeC:\Windows\system32\Hjipenda.exe51⤵
- Executes dropped EXE
PID:1752 -
C:\Windows\SysWOW64\Idadnd32.exeC:\Windows\system32\Idadnd32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2784 -
C:\Windows\SysWOW64\Ihmpobck.exeC:\Windows\system32\Ihmpobck.exe53⤵
- Executes dropped EXE
PID:2852 -
C:\Windows\SysWOW64\Ifoqjo32.exeC:\Windows\system32\Ifoqjo32.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2108 -
C:\Windows\SysWOW64\Iinmfk32.exeC:\Windows\system32\Iinmfk32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2120 -
C:\Windows\SysWOW64\Imiigiab.exeC:\Windows\system32\Imiigiab.exe56⤵
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Iphecepe.exeC:\Windows\system32\Iphecepe.exe57⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Idcacc32.exeC:\Windows\system32\Idcacc32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Ifampo32.exeC:\Windows\system32\Ifampo32.exe59⤵
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Iipiljgf.exeC:\Windows\system32\Iipiljgf.exe60⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Imleli32.exeC:\Windows\system32\Imleli32.exe61⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Ipjahd32.exeC:\Windows\system32\Ipjahd32.exe62⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Idfnicfl.exeC:\Windows\system32\Idfnicfl.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1212 -
C:\Windows\SysWOW64\Ifdjeoep.exeC:\Windows\system32\Ifdjeoep.exe64⤵
- Executes dropped EXE
PID:868 -
C:\Windows\SysWOW64\Iegjqk32.exeC:\Windows\system32\Iegjqk32.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2932 -
C:\Windows\SysWOW64\Imnbbi32.exeC:\Windows\system32\Imnbbi32.exe66⤵PID:2888
-
C:\Windows\SysWOW64\Ifffkncm.exeC:\Windows\system32\Ifffkncm.exe67⤵PID:2392
-
C:\Windows\SysWOW64\Iiecgjba.exeC:\Windows\system32\Iiecgjba.exe68⤵PID:668
-
C:\Windows\SysWOW64\Ihhcbf32.exeC:\Windows\system32\Ihhcbf32.exe69⤵PID:1584
-
C:\Windows\SysWOW64\Ipokcdjn.exeC:\Windows\system32\Ipokcdjn.exe70⤵
- Drops file in System32 directory
PID:2136 -
C:\Windows\SysWOW64\Ibmgpoia.exeC:\Windows\system32\Ibmgpoia.exe71⤵
- Modifies registry class
PID:604 -
C:\Windows\SysWOW64\Ielclkhe.exeC:\Windows\system32\Ielclkhe.exe72⤵
- System Location Discovery: System Language Discovery
PID:2612 -
C:\Windows\SysWOW64\Iigpli32.exeC:\Windows\system32\Iigpli32.exe73⤵
- Drops file in System32 directory
PID:2804 -
C:\Windows\SysWOW64\Jlelhe32.exeC:\Windows\system32\Jlelhe32.exe74⤵
- Modifies registry class
PID:2844 -
C:\Windows\SysWOW64\Jodhdp32.exeC:\Windows\system32\Jodhdp32.exe75⤵PID:700
-
C:\Windows\SysWOW64\Jbpdeogo.exeC:\Windows\system32\Jbpdeogo.exe76⤵PID:1396
-
C:\Windows\SysWOW64\Jlhhndno.exeC:\Windows\system32\Jlhhndno.exe77⤵PID:3052
-
C:\Windows\SysWOW64\Jofejpmc.exeC:\Windows\system32\Jofejpmc.exe78⤵PID:1428
-
C:\Windows\SysWOW64\Jdcmbgkj.exeC:\Windows\system32\Jdcmbgkj.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3044 -
C:\Windows\SysWOW64\Jhoice32.exeC:\Windows\system32\Jhoice32.exe80⤵PID:2056
-
C:\Windows\SysWOW64\Jnkakl32.exeC:\Windows\system32\Jnkakl32.exe81⤵PID:792
-
C:\Windows\SysWOW64\Jdejhfig.exeC:\Windows\system32\Jdejhfig.exe82⤵PID:2268
-
C:\Windows\SysWOW64\Jjbbpmgo.exeC:\Windows\system32\Jjbbpmgo.exe83⤵PID:1204
-
C:\Windows\SysWOW64\Jnnnalph.exeC:\Windows\system32\Jnnnalph.exe84⤵PID:2848
-
C:\Windows\SysWOW64\Jplkmgol.exeC:\Windows\system32\Jplkmgol.exe85⤵PID:3028
-
C:\Windows\SysWOW64\Jckgicnp.exeC:\Windows\system32\Jckgicnp.exe86⤵
- Drops file in System32 directory
PID:2656 -
C:\Windows\SysWOW64\Jjdofm32.exeC:\Windows\system32\Jjdofm32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2936 -
C:\Windows\SysWOW64\Jlckbh32.exeC:\Windows\system32\Jlckbh32.exe88⤵PID:2292
-
C:\Windows\SysWOW64\Jpogbgmi.exeC:\Windows\system32\Jpogbgmi.exe89⤵PID:1948
-
C:\Windows\SysWOW64\Kcmcoblm.exeC:\Windows\system32\Kcmcoblm.exe90⤵
- Drops file in System32 directory
PID:2512 -
C:\Windows\SysWOW64\Kjglkm32.exeC:\Windows\system32\Kjglkm32.exe91⤵PID:844
-
C:\Windows\SysWOW64\Klehgh32.exeC:\Windows\system32\Klehgh32.exe92⤵PID:2912
-
C:\Windows\SysWOW64\Kcopdb32.exeC:\Windows\system32\Kcopdb32.exe93⤵PID:1672
-
C:\Windows\SysWOW64\Kgkleabc.exeC:\Windows\system32\Kgkleabc.exe94⤵
- System Location Discovery: System Language Discovery
PID:1636 -
C:\Windows\SysWOW64\Khlili32.exeC:\Windows\system32\Khlili32.exe95⤵
- Drops file in System32 directory
PID:2864 -
C:\Windows\SysWOW64\Kpcqnf32.exeC:\Windows\system32\Kpcqnf32.exe96⤵PID:828
-
C:\Windows\SysWOW64\Kbdmeoob.exeC:\Windows\system32\Kbdmeoob.exe97⤵PID:1656
-
C:\Windows\SysWOW64\Kjleflod.exeC:\Windows\system32\Kjleflod.exe98⤵PID:2716
-
C:\Windows\SysWOW64\Kljabgnh.exeC:\Windows\system32\Kljabgnh.exe99⤵PID:2624
-
C:\Windows\SysWOW64\Kcdjoaee.exeC:\Windows\system32\Kcdjoaee.exe100⤵PID:3004
-
C:\Windows\SysWOW64\Kfbfkmeh.exeC:\Windows\system32\Kfbfkmeh.exe101⤵PID:2700
-
C:\Windows\SysWOW64\Kdefgj32.exeC:\Windows\system32\Kdefgj32.exe102⤵PID:2676
-
C:\Windows\SysWOW64\Kokjdb32.exeC:\Windows\system32\Kokjdb32.exe103⤵PID:2788
-
C:\Windows\SysWOW64\Kbigpn32.exeC:\Windows\system32\Kbigpn32.exe104⤵PID:1432
-
C:\Windows\SysWOW64\Kdhcli32.exeC:\Windows\system32\Kdhcli32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:552 -
C:\Windows\SysWOW64\Khcomhbi.exeC:\Windows\system32\Khcomhbi.exe106⤵PID:2052
-
C:\Windows\SysWOW64\Kgfoie32.exeC:\Windows\system32\Kgfoie32.exe107⤵
- Drops file in System32 directory
PID:2608 -
C:\Windows\SysWOW64\Lomgjb32.exeC:\Windows\system32\Lomgjb32.exe108⤵PID:2940
-
C:\Windows\SysWOW64\Lnpgeopa.exeC:\Windows\system32\Lnpgeopa.exe109⤵PID:2752
-
C:\Windows\SysWOW64\Lqncaj32.exeC:\Windows\system32\Lqncaj32.exe110⤵PID:2580
-
C:\Windows\SysWOW64\Ldjpbign.exeC:\Windows\system32\Ldjpbign.exe111⤵
- Drops file in System32 directory
PID:2076 -
C:\Windows\SysWOW64\Lghlndfa.exeC:\Windows\system32\Lghlndfa.exe112⤵PID:2636
-
C:\Windows\SysWOW64\Lkdhoc32.exeC:\Windows\system32\Lkdhoc32.exe113⤵PID:1224
-
C:\Windows\SysWOW64\Lnbdko32.exeC:\Windows\system32\Lnbdko32.exe114⤵PID:2980
-
C:\Windows\SysWOW64\Lbnpkmfg.exeC:\Windows\system32\Lbnpkmfg.exe115⤵PID:1868
-
C:\Windows\SysWOW64\Lcomce32.exeC:\Windows\system32\Lcomce32.exe116⤵PID:2508
-
C:\Windows\SysWOW64\Lgkhdddo.exeC:\Windows\system32\Lgkhdddo.exe117⤵PID:3008
-
C:\Windows\SysWOW64\Ljieppcb.exeC:\Windows\system32\Ljieppcb.exe118⤵PID:2492
-
C:\Windows\SysWOW64\Lneaqn32.exeC:\Windows\system32\Lneaqn32.exe119⤵PID:3032
-
C:\Windows\SysWOW64\Lmgalkcf.exeC:\Windows\system32\Lmgalkcf.exe120⤵
- System Location Discovery: System Language Discovery
PID:2448 -
C:\Windows\SysWOW64\Ldoimh32.exeC:\Windows\system32\Ldoimh32.exe121⤵PID:2348
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-