Analysis
-
max time kernel
51s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
14-10-2024 19:40
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0f381b7c514f10062324090b383c33dd79954fdb9c39b8f189ffa85981949502N.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
0f381b7c514f10062324090b383c33dd79954fdb9c39b8f189ffa85981949502N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
0f381b7c514f10062324090b383c33dd79954fdb9c39b8f189ffa85981949502N.exe
-
Size
483KB
-
MD5
eaef90cfe3ca0dd7502fb6e071d5cb00
-
SHA1
6ba8892fcb0ebfa81cd9c601b95bf8241c031dc3
-
SHA256
0f381b7c514f10062324090b383c33dd79954fdb9c39b8f189ffa85981949502
-
SHA512
d9ce09fee97d995f927bc8e845d165b5f96284ada18495f800156c380ecfb10b273497098cddc61790d0f95c797a1728c3df005b13b8328a8f1dfd1b9fd69ac2
-
SSDEEP
6144:BboJDeVt5CRVrtv35CPXbo92ynn8sbeWDJk4sNnVCj:8RFbet4OnV
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imoilo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Befmfpbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmjcblbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjdofm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jelfdc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdpkbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kceqjhiq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkpbdq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfljkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eecafd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbfook32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iggned32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohagbj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Goiehm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcdgmimg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfidjbdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akhfoldn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lflplbpi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfmbek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Daofpchf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcmdnfad.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlhjhi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lopkjhko.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aggpdnpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nijnln32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckhdggom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkalhgfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldokfakl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehakigbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jglgpdcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnmcfeia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aodkci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfkeokjp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pebpkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekhmcelc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncfalqpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idfdcijh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aojojl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhonngce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgehno32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcaepg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkmeoa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inlkik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkmlmbcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpojkp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekfndmfb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akncimmh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljkaeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohagbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qhmcmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acnjnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gneijien.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afdiondb.exe -
Executes dropped EXE 64 IoCs
pid Process 2908 Dldhdc32.exe 2844 Dcnqanhd.exe 2744 Dacnbjml.exe 2672 Dgpfkakd.exe 2784 Dgbcpq32.exe 796 Dpjgifpa.exe 2676 Dnnhbjnk.exe 2292 Dpmdofno.exe 2504 Egiiapci.exe 1380 Ehjehh32.exe 1820 Eogjka32.exe 1604 Edccch32.exe 2480 Ehakigbo.exe 1748 Fbjpblip.exe 1124 Fkbdkb32.exe 296 Fnqqgm32.exe 972 Fqajihle.exe 1840 Fgkbeb32.exe 1996 Fmhjni32.exe 1008 Fcbbjcif.exe 576 Fjlkgn32.exe 1628 Fpicodoj.exe 2996 Fbgpkpnn.exe 2688 Glpdde32.exe 1664 Gehhmkko.exe 3012 Gmoqnhla.exe 2248 Gblifo32.exe 2748 Gejebk32.exe 1224 Gbnflo32.exe 2320 Gembhj32.exe 596 Ghkndf32.exe 1432 Gacbmk32.exe 2164 Ghmkjedk.exe 112 Gjlgfaco.exe 772 Gmjcblbb.exe 2136 Hfbhkb32.exe 2976 Hpkldg32.exe 2460 Hfedqagp.exe 3032 Hicqmmfc.exe 2572 Hfgafadm.exe 356 Hmaick32.exe 2464 Hldjnhce.exe 704 Hbnbkbja.exe 2772 Helngnie.exe 2032 Hmcfhkjg.exe 1892 Hpbbdfik.exe 2004 Heokmmgb.exe 3036 Hijgml32.exe 1936 Ilicig32.exe 2824 Ibckfa32.exe 1552 Ieagbm32.exe 1644 Ilkpogmm.exe 2628 Iahhgnkd.exe 536 Idfdcijh.exe 720 Ikpmpc32.exe 2052 Imoilo32.exe 1980 Iajemnia.exe 2232 Idiaii32.exe 1960 Iggned32.exe 2592 Ionefb32.exe 2920 Ippbnjni.exe 1836 Idknoi32.exe 1688 Ikefkcmo.exe 1252 Incbgnmc.exe -
Loads dropped DLL 64 IoCs
pid Process 2756 0f381b7c514f10062324090b383c33dd79954fdb9c39b8f189ffa85981949502N.exe 2756 0f381b7c514f10062324090b383c33dd79954fdb9c39b8f189ffa85981949502N.exe 2908 Dldhdc32.exe 2908 Dldhdc32.exe 2844 Dcnqanhd.exe 2844 Dcnqanhd.exe 2744 Dacnbjml.exe 2744 Dacnbjml.exe 2672 Dgpfkakd.exe 2672 Dgpfkakd.exe 2784 Dgbcpq32.exe 2784 Dgbcpq32.exe 796 Dpjgifpa.exe 796 Dpjgifpa.exe 2676 Dnnhbjnk.exe 2676 Dnnhbjnk.exe 2292 Dpmdofno.exe 2292 Dpmdofno.exe 2504 Egiiapci.exe 2504 Egiiapci.exe 1380 Ehjehh32.exe 1380 Ehjehh32.exe 1820 Eogjka32.exe 1820 Eogjka32.exe 1604 Edccch32.exe 1604 Edccch32.exe 2480 Ehakigbo.exe 2480 Ehakigbo.exe 1748 Fbjpblip.exe 1748 Fbjpblip.exe 1124 Fkbdkb32.exe 1124 Fkbdkb32.exe 296 Fnqqgm32.exe 296 Fnqqgm32.exe 972 Fqajihle.exe 972 Fqajihle.exe 1840 Fgkbeb32.exe 1840 Fgkbeb32.exe 1996 Fmhjni32.exe 1996 Fmhjni32.exe 1008 Fcbbjcif.exe 1008 Fcbbjcif.exe 576 Fjlkgn32.exe 576 Fjlkgn32.exe 1628 Fpicodoj.exe 1628 Fpicodoj.exe 2996 Fbgpkpnn.exe 2996 Fbgpkpnn.exe 2688 Glpdde32.exe 2688 Glpdde32.exe 1664 Gehhmkko.exe 1664 Gehhmkko.exe 3012 Gmoqnhla.exe 3012 Gmoqnhla.exe 2248 Gblifo32.exe 2248 Gblifo32.exe 2748 Gejebk32.exe 2748 Gejebk32.exe 1224 Gbnflo32.exe 1224 Gbnflo32.exe 2320 Gembhj32.exe 2320 Gembhj32.exe 596 Ghkndf32.exe 596 Ghkndf32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Mhlpem32.dll Nfcbldmm.exe File created C:\Windows\SysWOW64\Ohhmcinf.exe Oanefo32.exe File opened for modification C:\Windows\SysWOW64\Gcbabpcf.exe Gbadjg32.exe File opened for modification C:\Windows\SysWOW64\Dhhhbg32.exe Dcllbhdn.exe File created C:\Windows\SysWOW64\Ibodnd32.dll Process not Found File created C:\Windows\SysWOW64\Ippbnjni.exe Ionefb32.exe File opened for modification C:\Windows\SysWOW64\Qjkjle32.exe Qcqaok32.exe File created C:\Windows\SysWOW64\Khoebi32.exe Kfpifm32.exe File created C:\Windows\SysWOW64\Mkndhabp.exe Lhpglecl.exe File created C:\Windows\SysWOW64\Fbnbckhg.dll Cgoelh32.exe File opened for modification C:\Windows\SysWOW64\Jdhifooi.exe Jjpdmi32.exe File created C:\Windows\SysWOW64\Kneoni32.dll Process not Found File created C:\Windows\SysWOW64\Knmamp32.exe Kgbipf32.exe File opened for modification C:\Windows\SysWOW64\Fbmfkkbm.exe Fqlicclo.exe File created C:\Windows\SysWOW64\Panaeb32.exe Popeif32.exe File created C:\Windows\SysWOW64\Jpbcek32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Kcijeg32.exe Knmamp32.exe File created C:\Windows\SysWOW64\Mkhngh32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Aggpdnpj.exe Affdle32.exe File created C:\Windows\SysWOW64\Emclhigi.dll Phhjblpa.exe File created C:\Windows\SysWOW64\Fgfdie32.exe Fplllkdc.exe File opened for modification C:\Windows\SysWOW64\Iggned32.exe Idiaii32.exe File created C:\Windows\SysWOW64\Kjoifb32.exe Kceqjhiq.exe File opened for modification C:\Windows\SysWOW64\Abmdafpp.exe Akcldl32.exe File opened for modification C:\Windows\SysWOW64\Bmphhc32.exe Bjallg32.exe File opened for modification C:\Windows\SysWOW64\Qkibcg32.exe Qdojgmfe.exe File created C:\Windows\SysWOW64\Jlkglm32.exe Jjkkbjln.exe File created C:\Windows\SysWOW64\Ojeobm32.exe Process not Found File created C:\Windows\SysWOW64\Anljck32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Mbpipp32.exe Mndmoaog.exe File opened for modification C:\Windows\SysWOW64\Boljgg32.exe Bmnnkl32.exe File opened for modification C:\Windows\SysWOW64\Ojeobm32.exe Process not Found File created C:\Windows\SysWOW64\Ljodek32.dll Chnbcpmn.exe File opened for modification C:\Windows\SysWOW64\Achjibcl.exe Akabgebj.exe File created C:\Windows\SysWOW64\Gimfed32.dll Edaalk32.exe File created C:\Windows\SysWOW64\Ipmqgmcd.exe Imodkadq.exe File opened for modification C:\Windows\SysWOW64\Nlcibc32.exe Nidmfh32.exe File created C:\Windows\SysWOW64\Dbdehdfc.exe Ddaemh32.exe File created C:\Windows\SysWOW64\Cdiedagc.dll Opfegp32.exe File created C:\Windows\SysWOW64\Gpggei32.exe Process not Found File created C:\Windows\SysWOW64\Aoadmo32.dll 0f381b7c514f10062324090b383c33dd79954fdb9c39b8f189ffa85981949502N.exe File opened for modification C:\Windows\SysWOW64\Hnjbeh32.exe Hfcjdkpg.exe File created C:\Windows\SysWOW64\Mdghaf32.exe Mbhlek32.exe File created C:\Windows\SysWOW64\Ljldnhid.exe Lkicbk32.exe File created C:\Windows\SysWOW64\Jkbolo32.dll Process not Found File created C:\Windows\SysWOW64\Qfomeb32.dll Process not Found File created C:\Windows\SysWOW64\Foafdoag.exe Fkejcq32.exe File opened for modification C:\Windows\SysWOW64\Fggmldfp.exe Process not Found File created C:\Windows\SysWOW64\Npngheao.dll Eogjka32.exe File created C:\Windows\SysWOW64\Oaffbqaa.exe Oionacqo.exe File created C:\Windows\SysWOW64\Innmlblo.dll Fdpkbf32.exe File created C:\Windows\SysWOW64\Foehfmaf.dll Ppkhhjei.exe File created C:\Windows\SysWOW64\Bmcopp32.dll Bgqcjlhp.exe File opened for modification C:\Windows\SysWOW64\Cfehhn32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Akncimmh.exe Aipfmane.exe File created C:\Windows\SysWOW64\Ocgcbd32.dll Bmkomchi.exe File created C:\Windows\SysWOW64\Ajqljc32.exe Agbpnh32.exe File opened for modification C:\Windows\SysWOW64\Mobfgdcl.exe Mqpflg32.exe File created C:\Windows\SysWOW64\Pifbjn32.exe Pcljmdmj.exe File created C:\Windows\SysWOW64\Jlfnangf.exe Jelfdc32.exe File created C:\Windows\SysWOW64\Ckeqga32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Gmmfaa32.exe Gjojef32.exe File opened for modification C:\Windows\SysWOW64\Kdmban32.exe Kfibhjlj.exe File created C:\Windows\SysWOW64\Enkpahon.exe Egahen32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3832 3140 Process not Found 1285 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmibgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppnnai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmepkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnnhngjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipmqgmcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mijamjnm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkqnoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnjbeh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqgmfkhg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoojnc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edcnakpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fiepea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnjafd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gifclb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjjmijme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Injndk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjlheehe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eoiiijcc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elcpbigl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jelfdc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbjpom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkjjma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjfnomde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnjfae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckahkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmjdaqgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adnpkjde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjoifb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfglep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jialfgcc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmjoqo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpdkii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbeiefff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfpifm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afdiondb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pojbkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmeolj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgbdodnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbffoabe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enbnkigh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aggiigmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Famope32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pifbjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dedlag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Niedqnen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgffhkoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdefgj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmijfmfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jeclebja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpjgifpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdiefffn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpjkiogm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gneijien.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qiioon32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdfiaojk.dll" Gcmoda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efpolbgp.dll" Nlhjhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acnenl32.dll" Cbffoabe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Meicnm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mbkpeake.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nckkgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hfmddp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lkfddc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldeiojhn.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nbmaon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfifa32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edpijbip.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mbcmpfhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qjkjle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naolaobc.dll" Elcpbigl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhonngce.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ncnngfna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjhocpkj.dll" Nledoj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lqejbiim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkdqjn32.dll" Ccjoli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckkpbj32.dll" Dgbcpq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcabof32.dll" Ippbnjni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aqonbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cpkmcldj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpnmgdli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjplgd32.dll" Idadnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmadbjkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phhjblpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpgka32.dll" Fabaocfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mplfpn32.dll" Fbdlkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhpglecl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaaded32.dll" Pgfjhcge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnehm32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmecdp32.dll" Phbgcnig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elooehob.dll" Kdefgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nijnln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjigmkld.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmdmmalf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Micklk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bndlbd32.dll" Ingkdeak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hapklimq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daajeb32.dll" Nhdhif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jagjihoe.dll" Pgbdodnh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adnpkjde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ekmfne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfcllk32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kncofa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgojdj32.dll" Gnkoid32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jonbee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedcmfgb.dll" Kdpcikdi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lnjafd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pidfdofi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjpqkajf.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddbdee32.dll" Mlkail32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ancefgfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kibemb32.dll" Fkhibino.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmakmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eniclh32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2756 wrote to memory of 2908 2756 0f381b7c514f10062324090b383c33dd79954fdb9c39b8f189ffa85981949502N.exe 30 PID 2756 wrote to memory of 2908 2756 0f381b7c514f10062324090b383c33dd79954fdb9c39b8f189ffa85981949502N.exe 30 PID 2756 wrote to memory of 2908 2756 0f381b7c514f10062324090b383c33dd79954fdb9c39b8f189ffa85981949502N.exe 30 PID 2756 wrote to memory of 2908 2756 0f381b7c514f10062324090b383c33dd79954fdb9c39b8f189ffa85981949502N.exe 30 PID 2908 wrote to memory of 2844 2908 Dldhdc32.exe 31 PID 2908 wrote to memory of 2844 2908 Dldhdc32.exe 31 PID 2908 wrote to memory of 2844 2908 Dldhdc32.exe 31 PID 2908 wrote to memory of 2844 2908 Dldhdc32.exe 31 PID 2844 wrote to memory of 2744 2844 Dcnqanhd.exe 32 PID 2844 wrote to memory of 2744 2844 Dcnqanhd.exe 32 PID 2844 wrote to memory of 2744 2844 Dcnqanhd.exe 32 PID 2844 wrote to memory of 2744 2844 Dcnqanhd.exe 32 PID 2744 wrote to memory of 2672 2744 Dacnbjml.exe 33 PID 2744 wrote to memory of 2672 2744 Dacnbjml.exe 33 PID 2744 wrote to memory of 2672 2744 Dacnbjml.exe 33 PID 2744 wrote to memory of 2672 2744 Dacnbjml.exe 33 PID 2672 wrote to memory of 2784 2672 Dgpfkakd.exe 34 PID 2672 wrote to memory of 2784 2672 Dgpfkakd.exe 34 PID 2672 wrote to memory of 2784 2672 Dgpfkakd.exe 34 PID 2672 wrote to memory of 2784 2672 Dgpfkakd.exe 34 PID 2784 wrote to memory of 796 2784 Dgbcpq32.exe 35 PID 2784 wrote to memory of 796 2784 Dgbcpq32.exe 35 PID 2784 wrote to memory of 796 2784 Dgbcpq32.exe 35 PID 2784 wrote to memory of 796 2784 Dgbcpq32.exe 35 PID 796 wrote to memory of 2676 796 Dpjgifpa.exe 36 PID 796 wrote to memory of 2676 796 Dpjgifpa.exe 36 PID 796 wrote to memory of 2676 796 Dpjgifpa.exe 36 PID 796 wrote to memory of 2676 796 Dpjgifpa.exe 36 PID 2676 wrote to memory of 2292 2676 Dnnhbjnk.exe 37 PID 2676 wrote to memory of 2292 2676 Dnnhbjnk.exe 37 PID 2676 wrote to memory of 2292 2676 Dnnhbjnk.exe 37 PID 2676 wrote to memory of 2292 2676 Dnnhbjnk.exe 37 PID 2292 wrote to memory of 2504 2292 Dpmdofno.exe 38 PID 2292 wrote to memory of 2504 2292 Dpmdofno.exe 38 PID 2292 wrote to memory of 2504 2292 Dpmdofno.exe 38 PID 2292 wrote to memory of 2504 2292 Dpmdofno.exe 38 PID 2504 wrote to memory of 1380 2504 Egiiapci.exe 39 PID 2504 wrote to memory of 1380 2504 Egiiapci.exe 39 PID 2504 wrote to memory of 1380 2504 Egiiapci.exe 39 PID 2504 wrote to memory of 1380 2504 Egiiapci.exe 39 PID 1380 wrote to memory of 1820 1380 Ehjehh32.exe 40 PID 1380 wrote to memory of 1820 1380 Ehjehh32.exe 40 PID 1380 wrote to memory of 1820 1380 Ehjehh32.exe 40 PID 1380 wrote to memory of 1820 1380 Ehjehh32.exe 40 PID 1820 wrote to memory of 1604 1820 Eogjka32.exe 41 PID 1820 wrote to memory of 1604 1820 Eogjka32.exe 41 PID 1820 wrote to memory of 1604 1820 Eogjka32.exe 41 PID 1820 wrote to memory of 1604 1820 Eogjka32.exe 41 PID 1604 wrote to memory of 2480 1604 Edccch32.exe 42 PID 1604 wrote to memory of 2480 1604 Edccch32.exe 42 PID 1604 wrote to memory of 2480 1604 Edccch32.exe 42 PID 1604 wrote to memory of 2480 1604 Edccch32.exe 42 PID 2480 wrote to memory of 1748 2480 Ehakigbo.exe 43 PID 2480 wrote to memory of 1748 2480 Ehakigbo.exe 43 PID 2480 wrote to memory of 1748 2480 Ehakigbo.exe 43 PID 2480 wrote to memory of 1748 2480 Ehakigbo.exe 43 PID 1748 wrote to memory of 1124 1748 Fbjpblip.exe 44 PID 1748 wrote to memory of 1124 1748 Fbjpblip.exe 44 PID 1748 wrote to memory of 1124 1748 Fbjpblip.exe 44 PID 1748 wrote to memory of 1124 1748 Fbjpblip.exe 44 PID 1124 wrote to memory of 296 1124 Fkbdkb32.exe 45 PID 1124 wrote to memory of 296 1124 Fkbdkb32.exe 45 PID 1124 wrote to memory of 296 1124 Fkbdkb32.exe 45 PID 1124 wrote to memory of 296 1124 Fkbdkb32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\0f381b7c514f10062324090b383c33dd79954fdb9c39b8f189ffa85981949502N.exe"C:\Users\Admin\AppData\Local\Temp\0f381b7c514f10062324090b383c33dd79954fdb9c39b8f189ffa85981949502N.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Dldhdc32.exeC:\Windows\system32\Dldhdc32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Dcnqanhd.exeC:\Windows\system32\Dcnqanhd.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Dacnbjml.exeC:\Windows\system32\Dacnbjml.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\Dgpfkakd.exeC:\Windows\system32\Dgpfkakd.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Dgbcpq32.exeC:\Windows\system32\Dgbcpq32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Dpjgifpa.exeC:\Windows\system32\Dpjgifpa.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:796 -
C:\Windows\SysWOW64\Dnnhbjnk.exeC:\Windows\system32\Dnnhbjnk.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Dpmdofno.exeC:\Windows\system32\Dpmdofno.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\SysWOW64\Egiiapci.exeC:\Windows\system32\Egiiapci.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\SysWOW64\Ehjehh32.exeC:\Windows\system32\Ehjehh32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1380 -
C:\Windows\SysWOW64\Eogjka32.exeC:\Windows\system32\Eogjka32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1820 -
C:\Windows\SysWOW64\Edccch32.exeC:\Windows\system32\Edccch32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1604 -
C:\Windows\SysWOW64\Ehakigbo.exeC:\Windows\system32\Ehakigbo.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\Fbjpblip.exeC:\Windows\system32\Fbjpblip.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1748 -
C:\Windows\SysWOW64\Fkbdkb32.exeC:\Windows\system32\Fkbdkb32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1124 -
C:\Windows\SysWOW64\Fnqqgm32.exeC:\Windows\system32\Fnqqgm32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:296 -
C:\Windows\SysWOW64\Fqajihle.exeC:\Windows\system32\Fqajihle.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:972 -
C:\Windows\SysWOW64\Fgkbeb32.exeC:\Windows\system32\Fgkbeb32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1840 -
C:\Windows\SysWOW64\Fmhjni32.exeC:\Windows\system32\Fmhjni32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1996 -
C:\Windows\SysWOW64\Fcbbjcif.exeC:\Windows\system32\Fcbbjcif.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1008 -
C:\Windows\SysWOW64\Fjlkgn32.exeC:\Windows\system32\Fjlkgn32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:576 -
C:\Windows\SysWOW64\Fpicodoj.exeC:\Windows\system32\Fpicodoj.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1628 -
C:\Windows\SysWOW64\Fbgpkpnn.exeC:\Windows\system32\Fbgpkpnn.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2996 -
C:\Windows\SysWOW64\Glpdde32.exeC:\Windows\system32\Glpdde32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2688 -
C:\Windows\SysWOW64\Gehhmkko.exeC:\Windows\system32\Gehhmkko.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1664 -
C:\Windows\SysWOW64\Gmoqnhla.exeC:\Windows\system32\Gmoqnhla.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3012 -
C:\Windows\SysWOW64\Gblifo32.exeC:\Windows\system32\Gblifo32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2248 -
C:\Windows\SysWOW64\Gejebk32.exeC:\Windows\system32\Gejebk32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2748 -
C:\Windows\SysWOW64\Gbnflo32.exeC:\Windows\system32\Gbnflo32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1224 -
C:\Windows\SysWOW64\Gembhj32.exeC:\Windows\system32\Gembhj32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2320 -
C:\Windows\SysWOW64\Ghkndf32.exeC:\Windows\system32\Ghkndf32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:596 -
C:\Windows\SysWOW64\Gacbmk32.exeC:\Windows\system32\Gacbmk32.exe33⤵
- Executes dropped EXE
PID:1432 -
C:\Windows\SysWOW64\Ghmkjedk.exeC:\Windows\system32\Ghmkjedk.exe34⤵
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Gjlgfaco.exeC:\Windows\system32\Gjlgfaco.exe35⤵
- Executes dropped EXE
PID:112 -
C:\Windows\SysWOW64\Gmjcblbb.exeC:\Windows\system32\Gmjcblbb.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:772 -
C:\Windows\SysWOW64\Hfbhkb32.exeC:\Windows\system32\Hfbhkb32.exe37⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Hpkldg32.exeC:\Windows\system32\Hpkldg32.exe38⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Hfedqagp.exeC:\Windows\system32\Hfedqagp.exe39⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Hicqmmfc.exeC:\Windows\system32\Hicqmmfc.exe40⤵
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Hfgafadm.exeC:\Windows\system32\Hfgafadm.exe41⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Hmaick32.exeC:\Windows\system32\Hmaick32.exe42⤵
- Executes dropped EXE
PID:356 -
C:\Windows\SysWOW64\Hldjnhce.exeC:\Windows\system32\Hldjnhce.exe43⤵
- Executes dropped EXE
PID:2464 -
C:\Windows\SysWOW64\Hbnbkbja.exeC:\Windows\system32\Hbnbkbja.exe44⤵
- Executes dropped EXE
PID:704 -
C:\Windows\SysWOW64\Helngnie.exeC:\Windows\system32\Helngnie.exe45⤵
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Hmcfhkjg.exeC:\Windows\system32\Hmcfhkjg.exe46⤵
- Executes dropped EXE
PID:2032 -
C:\Windows\SysWOW64\Hpbbdfik.exeC:\Windows\system32\Hpbbdfik.exe47⤵
- Executes dropped EXE
PID:1892 -
C:\Windows\SysWOW64\Heokmmgb.exeC:\Windows\system32\Heokmmgb.exe48⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Hijgml32.exeC:\Windows\system32\Hijgml32.exe49⤵
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Ilicig32.exeC:\Windows\system32\Ilicig32.exe50⤵
- Executes dropped EXE
PID:1936 -
C:\Windows\SysWOW64\Ibckfa32.exeC:\Windows\system32\Ibckfa32.exe51⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Ieagbm32.exeC:\Windows\system32\Ieagbm32.exe52⤵
- Executes dropped EXE
PID:1552 -
C:\Windows\SysWOW64\Ilkpogmm.exeC:\Windows\system32\Ilkpogmm.exe53⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Iahhgnkd.exeC:\Windows\system32\Iahhgnkd.exe54⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Idfdcijh.exeC:\Windows\system32\Idfdcijh.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:536 -
C:\Windows\SysWOW64\Ikpmpc32.exeC:\Windows\system32\Ikpmpc32.exe56⤵
- Executes dropped EXE
PID:720 -
C:\Windows\SysWOW64\Imoilo32.exeC:\Windows\system32\Imoilo32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\Iajemnia.exeC:\Windows\system32\Iajemnia.exe58⤵
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Idiaii32.exeC:\Windows\system32\Idiaii32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2232 -
C:\Windows\SysWOW64\Iggned32.exeC:\Windows\system32\Iggned32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1960 -
C:\Windows\SysWOW64\Ionefb32.exeC:\Windows\system32\Ionefb32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2592 -
C:\Windows\SysWOW64\Ippbnjni.exeC:\Windows\system32\Ippbnjni.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:2920 -
C:\Windows\SysWOW64\Idknoi32.exeC:\Windows\system32\Idknoi32.exe63⤵
- Executes dropped EXE
PID:1836 -
C:\Windows\SysWOW64\Ikefkcmo.exeC:\Windows\system32\Ikefkcmo.exe64⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Incbgnmc.exeC:\Windows\system32\Incbgnmc.exe65⤵
- Executes dropped EXE
PID:1252 -
C:\Windows\SysWOW64\Jglgpdcc.exeC:\Windows\system32\Jglgpdcc.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1812 -
C:\Windows\SysWOW64\Jjjclobg.exeC:\Windows\system32\Jjjclobg.exe67⤵PID:1028
-
C:\Windows\SysWOW64\Jpdkii32.exeC:\Windows\system32\Jpdkii32.exe68⤵
- System Location Discovery: System Language Discovery
PID:572 -
C:\Windows\SysWOW64\Jgncfcaa.exeC:\Windows\system32\Jgncfcaa.exe69⤵PID:1428
-
C:\Windows\SysWOW64\Jnhlbn32.exeC:\Windows\system32\Jnhlbn32.exe70⤵PID:1920
-
C:\Windows\SysWOW64\Jpfhoi32.exeC:\Windows\system32\Jpfhoi32.exe71⤵PID:2304
-
C:\Windows\SysWOW64\Joihjfnl.exeC:\Windows\system32\Joihjfnl.exe72⤵PID:1548
-
C:\Windows\SysWOW64\Jfcqgpfi.exeC:\Windows\system32\Jfcqgpfi.exe73⤵PID:2916
-
C:\Windows\SysWOW64\Jpiedieo.exeC:\Windows\system32\Jpiedieo.exe74⤵PID:2608
-
C:\Windows\SysWOW64\Jcgapdeb.exeC:\Windows\system32\Jcgapdeb.exe75⤵PID:1912
-
C:\Windows\SysWOW64\Jjaimn32.exeC:\Windows\system32\Jjaimn32.exe76⤵PID:2000
-
C:\Windows\SysWOW64\Jhdihkcj.exeC:\Windows\system32\Jhdihkcj.exe77⤵PID:2064
-
C:\Windows\SysWOW64\Jonbee32.exeC:\Windows\system32\Jonbee32.exe78⤵
- Modifies registry class
PID:2040 -
C:\Windows\SysWOW64\Jcjnfdbp.exeC:\Windows\system32\Jcjnfdbp.exe79⤵PID:2036
-
C:\Windows\SysWOW64\Jdkjnl32.exeC:\Windows\system32\Jdkjnl32.exe80⤵PID:1940
-
C:\Windows\SysWOW64\Jkebjf32.exeC:\Windows\system32\Jkebjf32.exe81⤵PID:2204
-
C:\Windows\SysWOW64\Kopokehd.exeC:\Windows\system32\Kopokehd.exe82⤵PID:1956
-
C:\Windows\SysWOW64\Kncofa32.exeC:\Windows\system32\Kncofa32.exe83⤵
- Modifies registry class
PID:1944 -
C:\Windows\SysWOW64\Kfjggo32.exeC:\Windows\system32\Kfjggo32.exe84⤵PID:2300
-
C:\Windows\SysWOW64\Kobkpdfa.exeC:\Windows\system32\Kobkpdfa.exe85⤵PID:1452
-
C:\Windows\SysWOW64\Kbaglpee.exeC:\Windows\system32\Kbaglpee.exe86⤵PID:2884
-
C:\Windows\SysWOW64\Kdpcikdi.exeC:\Windows\system32\Kdpcikdi.exe87⤵
- Modifies registry class
PID:2404 -
C:\Windows\SysWOW64\Kkileele.exeC:\Windows\system32\Kkileele.exe88⤵PID:908
-
C:\Windows\SysWOW64\Kjllab32.exeC:\Windows\system32\Kjllab32.exe89⤵PID:2732
-
C:\Windows\SysWOW64\Knhhaaki.exeC:\Windows\system32\Knhhaaki.exe90⤵PID:2632
-
C:\Windows\SysWOW64\Kdbpnk32.exeC:\Windows\system32\Kdbpnk32.exe91⤵PID:2728
-
C:\Windows\SysWOW64\Kceqjhiq.exeC:\Windows\system32\Kceqjhiq.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:528 -
C:\Windows\SysWOW64\Kjoifb32.exeC:\Windows\system32\Kjoifb32.exe93⤵
- System Location Discovery: System Language Discovery
PID:1736 -
C:\Windows\SysWOW64\Kqiaclhj.exeC:\Windows\system32\Kqiaclhj.exe94⤵PID:2968
-
C:\Windows\SysWOW64\Kgbipf32.exeC:\Windows\system32\Kgbipf32.exe95⤵
- Drops file in System32 directory
PID:1684 -
C:\Windows\SysWOW64\Knmamp32.exeC:\Windows\system32\Knmamp32.exe96⤵
- Drops file in System32 directory
PID:1444 -
C:\Windows\SysWOW64\Kcijeg32.exeC:\Windows\system32\Kcijeg32.exe97⤵PID:2268
-
C:\Windows\SysWOW64\Ljcbaamh.exeC:\Windows\system32\Ljcbaamh.exe98⤵PID:1700
-
C:\Windows\SysWOW64\Lopkjhko.exeC:\Windows\system32\Lopkjhko.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1456 -
C:\Windows\SysWOW64\Lihobnap.exeC:\Windows\system32\Lihobnap.exe100⤵PID:2288
-
C:\Windows\SysWOW64\Lobgoh32.exeC:\Windows\system32\Lobgoh32.exe101⤵PID:924
-
C:\Windows\SysWOW64\Lflplbpi.exeC:\Windows\system32\Lflplbpi.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:304 -
C:\Windows\SysWOW64\Liklhmom.exeC:\Windows\system32\Liklhmom.exe103⤵PID:2576
-
C:\Windows\SysWOW64\Lkihdioa.exeC:\Windows\system32\Lkihdioa.exe104⤵PID:2560
-
C:\Windows\SysWOW64\Lnhdqdnd.exeC:\Windows\system32\Lnhdqdnd.exe105⤵PID:2708
-
C:\Windows\SysWOW64\Lfolaang.exeC:\Windows\system32\Lfolaang.exe106⤵PID:2624
-
C:\Windows\SysWOW64\Lgpiij32.exeC:\Windows\system32\Lgpiij32.exe107⤵PID:332
-
C:\Windows\SysWOW64\Lnjafd32.exeC:\Windows\system32\Lnjafd32.exe108⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2648 -
C:\Windows\SysWOW64\Ledibnco.exeC:\Windows\system32\Ledibnco.exe109⤵PID:2520
-
C:\Windows\SysWOW64\Llnaoh32.exeC:\Windows\system32\Llnaoh32.exe110⤵PID:2960
-
C:\Windows\SysWOW64\Lnlnlc32.exeC:\Windows\system32\Lnlnlc32.exe111⤵PID:3024
-
C:\Windows\SysWOW64\Makjho32.exeC:\Windows\system32\Makjho32.exe112⤵PID:2500
-
C:\Windows\SysWOW64\Mcifdj32.exeC:\Windows\system32\Mcifdj32.exe113⤵PID:2016
-
C:\Windows\SysWOW64\Mmakmp32.exeC:\Windows\system32\Mmakmp32.exe114⤵
- Modifies registry class
PID:892 -
C:\Windows\SysWOW64\Meicnm32.exeC:\Windows\system32\Meicnm32.exe115⤵
- Modifies registry class
PID:2344 -
C:\Windows\SysWOW64\Mclcijfd.exeC:\Windows\system32\Mclcijfd.exe116⤵PID:2512
-
C:\Windows\SysWOW64\Mjekfd32.exeC:\Windows\system32\Mjekfd32.exe117⤵PID:2964
-
C:\Windows\SysWOW64\Mapccndn.exeC:\Windows\system32\Mapccndn.exe118⤵PID:2216
-
C:\Windows\SysWOW64\Mcnpojca.exeC:\Windows\system32\Mcnpojca.exe119⤵PID:1040
-
C:\Windows\SysWOW64\Mjhhld32.exeC:\Windows\system32\Mjhhld32.exe120⤵PID:1816
-
C:\Windows\SysWOW64\Mdpldi32.exeC:\Windows\system32\Mdpldi32.exe121⤵PID:2984
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-