Analysis
-
max time kernel
51s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
17-10-2024 21:11
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
434364667d60b7ac3a4a1023c5f116c1e93443df0c89ae4bb1e0dd3560cc723f.exe
Resource
win7-20241010-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral2
Sample
434364667d60b7ac3a4a1023c5f116c1e93443df0c89ae4bb1e0dd3560cc723f.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
434364667d60b7ac3a4a1023c5f116c1e93443df0c89ae4bb1e0dd3560cc723f.exe
-
Size
512KB
-
MD5
a002565cc81b96dfbf799a9eab8f30d2
-
SHA1
b7b9f4304fab4c916a3223bd1d4c8b069baa443e
-
SHA256
434364667d60b7ac3a4a1023c5f116c1e93443df0c89ae4bb1e0dd3560cc723f
-
SHA512
4bcbe2feb55ad13d7a0af633c8b3ca055b1e0252c4612d022112a454201b71e1637822bd76d186ebcd8cc944c6781285e92a30583c80c4c24b9fb54cfc7e2e14
-
SSDEEP
6144:trpys4UUZ55tTDUZNSN58VU5tTO/ENURQPTlyl48pArv8kEVS1aHr:Di55t6NSN6G5t1sI5yl48pArv8o4L
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kknklg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajmhljip.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbkpfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opfdim32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jijqeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlmiojla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkomepon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkiiom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbagdq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hldpfnij.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnbjca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnafjo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpdpkfga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnlilb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpaoojjb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfdqpdja.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccgahe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cclkcdpl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gepeep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omoehf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhfepfme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldikbhfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjnaehgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkglim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mognco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inffdd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oaaghp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aogpmcmb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omoehf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jigagocd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlegic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmgokcja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcipqi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmabmf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohhcokmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpkocpjj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ooeolkff.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nidoamch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hllffmbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgodjico.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkpaoape.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldangbhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knaqcabh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjjeid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fefboabg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljpqlqmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfijfdca.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhndcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmojfcdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lelmei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aioppl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljjjmeie.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jigagocd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oenmkngi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnhljnhm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcohbh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Caepdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbnbfb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilmgef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkiiom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjhahb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bigohejb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgjjdijo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpqekkob.exe -
Executes dropped EXE 64 IoCs
pid Process 2260 Bmjhdi32.exe 3012 Bbgplq32.exe 3036 Cbnfmo32.exe 3024 Caepdk32.exe 1680 Dpmjjhmi.exe 2664 Dpdpkfga.exe 1376 Dpflqfeo.exe 984 Ehaaei32.exe 2972 Eopcmb32.exe 316 Ecbhfeip.exe 1096 Fcingdbh.exe 844 Fkdckgpc.exe 560 Gbcecpck.exe 1780 Gjnigb32.exe 1628 Gknfaehi.exe 2112 Gmaoomld.exe 2596 Hnjagdlj.exe 2400 Hhbfpj32.exe 2496 Iflmlfcn.exe 2488 Iiaoip32.exe 2200 Jpndkj32.exe 1512 Jaamhb32.exe 2016 Jacjna32.exe 1212 Jnjjcbiq.exe 1028 Kknklg32.exe 1740 Kcipqi32.exe 276 Klbdiokf.exe 2816 Knaqcabh.exe 2372 Kjhahb32.exe 2792 Kogffida.exe 2748 Lojclibo.exe 2692 Lkqdajhc.exe 2804 Ldihjo32.exe 2952 Lqpiopdh.exe 1924 Ljjjmeie.exe 2024 Mipgnbnn.exe 1912 Mpipkl32.exe 1460 Mmpmjpba.exe 2376 Mekanbol.exe 1452 Mpqekkob.exe 2340 Njjfli32.exe 1948 Ncbkenba.exe 2520 Nebgoa32.exe 2068 Naihdb32.exe 1700 Njammhei.exe 1768 Ndiaem32.exe 2076 Nlefjpid.exe 1364 Oemjbe32.exe 584 Ooeolkff.exe 2444 Opekenmh.exe 2900 Oimpnc32.exe 2892 Oahdce32.exe 2916 Omoehf32.exe 988 Pmabmf32.exe 2848 Pgjfflkf.exe 2252 Pcagkmaj.exe 308 Plildb32.exe 2984 Peapmhnk.exe 1724 Pgamgken.exe 2332 Plneoace.exe 2192 Qjbehfbo.exe 900 Adncoc32.exe 2316 Abachg32.exe 2352 Ahllda32.exe -
Loads dropped DLL 64 IoCs
pid Process 2540 434364667d60b7ac3a4a1023c5f116c1e93443df0c89ae4bb1e0dd3560cc723f.exe 2540 434364667d60b7ac3a4a1023c5f116c1e93443df0c89ae4bb1e0dd3560cc723f.exe 2260 Bmjhdi32.exe 2260 Bmjhdi32.exe 3012 Bbgplq32.exe 3012 Bbgplq32.exe 3036 Cbnfmo32.exe 3036 Cbnfmo32.exe 3024 Caepdk32.exe 3024 Caepdk32.exe 1680 Dpmjjhmi.exe 1680 Dpmjjhmi.exe 2664 Dpdpkfga.exe 2664 Dpdpkfga.exe 1376 Dpflqfeo.exe 1376 Dpflqfeo.exe 984 Ehaaei32.exe 984 Ehaaei32.exe 2972 Eopcmb32.exe 2972 Eopcmb32.exe 316 Ecbhfeip.exe 316 Ecbhfeip.exe 1096 Fcingdbh.exe 1096 Fcingdbh.exe 844 Fkdckgpc.exe 844 Fkdckgpc.exe 560 Gbcecpck.exe 560 Gbcecpck.exe 1780 Gjnigb32.exe 1780 Gjnigb32.exe 1628 Gknfaehi.exe 1628 Gknfaehi.exe 2112 Gmaoomld.exe 2112 Gmaoomld.exe 2596 Hnjagdlj.exe 2596 Hnjagdlj.exe 2400 Hhbfpj32.exe 2400 Hhbfpj32.exe 2496 Iflmlfcn.exe 2496 Iflmlfcn.exe 2488 Iiaoip32.exe 2488 Iiaoip32.exe 2200 Jpndkj32.exe 2200 Jpndkj32.exe 1512 Jaamhb32.exe 1512 Jaamhb32.exe 2016 Jacjna32.exe 2016 Jacjna32.exe 1212 Jnjjcbiq.exe 1212 Jnjjcbiq.exe 1028 Kknklg32.exe 1028 Kknklg32.exe 1740 Kcipqi32.exe 1740 Kcipqi32.exe 276 Klbdiokf.exe 276 Klbdiokf.exe 2816 Knaqcabh.exe 2816 Knaqcabh.exe 2372 Kjhahb32.exe 2372 Kjhahb32.exe 2792 Kogffida.exe 2792 Kogffida.exe 2748 Lojclibo.exe 2748 Lojclibo.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Djngjb32.dll Dmgokcja.exe File created C:\Windows\SysWOW64\Fggkpgmn.dll Jmqckf32.exe File opened for modification C:\Windows\SysWOW64\Kabobo32.exe Khjkiikl.exe File opened for modification C:\Windows\SysWOW64\Nbgakd32.exe Nlmiojla.exe File created C:\Windows\SysWOW64\Cbekip32.dll Lcnhcdkp.exe File created C:\Windows\SysWOW64\Bhoqqojp.dll Mjkmfn32.exe File created C:\Windows\SysWOW64\Jmlank32.dll Qhdabemb.exe File created C:\Windows\SysWOW64\Pdqfaiab.dll Behnkm32.exe File created C:\Windows\SysWOW64\Bpfhfjgq.exe Bnhljnhm.exe File created C:\Windows\SysWOW64\Lkjcqj32.dll Ffaeneno.exe File opened for modification C:\Windows\SysWOW64\Imcaijia.exe Ipoqofjh.exe File created C:\Windows\SysWOW64\Llfcik32.exe Lflklaoc.exe File opened for modification C:\Windows\SysWOW64\Kblooa32.exe Kmpfgklo.exe File opened for modification C:\Windows\SysWOW64\Mnfhfmhc.exe Mjkmfn32.exe File created C:\Windows\SysWOW64\Jpomnilc.exe Jffhec32.exe File opened for modification C:\Windows\SysWOW64\Fljhmmci.exe Flhkhnel.exe File created C:\Windows\SysWOW64\Hegjbnaa.dll Ncbfcq32.exe File created C:\Windows\SysWOW64\Bfiebedp.dll Pjlgna32.exe File opened for modification C:\Windows\SysWOW64\Hllffmbb.exe Hfanjcke.exe File created C:\Windows\SysWOW64\Jglahc32.dll Knaqcabh.exe File opened for modification C:\Windows\SysWOW64\Gdjpcj32.exe Gkaljdaf.exe File created C:\Windows\SysWOW64\Nfcfob32.exe Nqgngk32.exe File opened for modification C:\Windows\SysWOW64\Gljdlq32.exe Geplpfnh.exe File opened for modification C:\Windows\SysWOW64\Gjnigb32.exe Gbcecpck.exe File created C:\Windows\SysWOW64\Hcohbh32.exe Hldpfnij.exe File created C:\Windows\SysWOW64\Mmgcjqmc.dll Nloedjin.exe File created C:\Windows\SysWOW64\Bpbmbf32.dll Ikfdmogp.exe File opened for modification C:\Windows\SysWOW64\Qhdabemb.exe Qfedhb32.exe File created C:\Windows\SysWOW64\Dddmkkpb.exe Cdbqflae.exe File opened for modification C:\Windows\SysWOW64\Kkglim32.exe Kblhdkgk.exe File created C:\Windows\SysWOW64\Idoanhco.dll Cdmgkl32.exe File opened for modification C:\Windows\SysWOW64\Knbjgq32.exe Kommediq.exe File opened for modification C:\Windows\SysWOW64\Ljbmbpkb.exe Lomidgkl.exe File created C:\Windows\SysWOW64\Mgodjico.exe Mbbkabdh.exe File created C:\Windows\SysWOW64\Alahklnm.dll Phmiimlf.exe File created C:\Windows\SysWOW64\Iapcle32.dll Jacjna32.exe File created C:\Windows\SysWOW64\Dapnfb32.exe Djffihmp.exe File created C:\Windows\SysWOW64\Bhiglh32.exe Bncboo32.exe File opened for modification C:\Windows\SysWOW64\Olokighn.exe Oaiglnih.exe File created C:\Windows\SysWOW64\Kgqcam32.exe Kebgea32.exe File created C:\Windows\SysWOW64\Ljpqlqmd.exe Ldchdjom.exe File created C:\Windows\SysWOW64\Mfijfdca.exe Mnneabff.exe File opened for modification C:\Windows\SysWOW64\Nhffikob.exe Nloedjin.exe File created C:\Windows\SysWOW64\Cmolej32.dll Jmhpfl32.exe File created C:\Windows\SysWOW64\Modano32.exe Lelmei32.exe File opened for modification C:\Windows\SysWOW64\Omoehf32.exe Oahdce32.exe File created C:\Windows\SysWOW64\Ccjfigpf.dll Acemeo32.exe File opened for modification C:\Windows\SysWOW64\Khjkiikl.exe Kneflplf.exe File created C:\Windows\SysWOW64\Gljdlq32.exe Geplpfnh.exe File created C:\Windows\SysWOW64\Cgjjdijo.exe Pjfdpckc.exe File opened for modification C:\Windows\SysWOW64\Ehopnk32.exe Djkodg32.exe File opened for modification C:\Windows\SysWOW64\Mognco32.exe Modano32.exe File created C:\Windows\SysWOW64\Bkgchckl.exe Bhiglh32.exe File created C:\Windows\SysWOW64\Indnqb32.exe Imcaijia.exe File created C:\Windows\SysWOW64\Penkngdj.dll Joicje32.exe File created C:\Windows\SysWOW64\Fpkdca32.exe Pgbejj32.exe File created C:\Windows\SysWOW64\Jhjillah.dll Jbooen32.exe File opened for modification C:\Windows\SysWOW64\Iqdbqp32.exe Inffdd32.exe File created C:\Windows\SysWOW64\Kbnnmian.dll Knkbimbg.exe File created C:\Windows\SysWOW64\Llkamfnj.dll Plfjme32.exe File created C:\Windows\SysWOW64\Jfkldo32.dll Cgnpmg32.exe File created C:\Windows\SysWOW64\Hlpcgm32.dll Fbhfcf32.exe File opened for modification C:\Windows\SysWOW64\Gkaljdaf.exe Fkapkq32.exe File created C:\Windows\SysWOW64\Qpkihpnk.dll Jffhec32.exe -
Program crash 1 IoCs
pid pid_target Process 5068 5044 WerFault.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmpmjpba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npfhjifm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phmiimlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iabcbg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djffihmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igdndl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fooghg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjlgna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhbfpj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljbmbpkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbljfdoh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmojfcdk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpkocpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iccnmk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iniglajj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joicje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbooen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqemlbqi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghpngkhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eopcmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilmgef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijenpn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eagdgaoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcbhmehg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acjfpokk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mahgejhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plkchdiq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anmnhhmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgbhibio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdbqflae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mllhpb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbagdq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hadece32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldndng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfanjcke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcipqi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mekanbol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iflhjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cclkcdpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djaedbnj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epgabhdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kneflplf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnfhfmhc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caepdk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpajdi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iefeaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lddagi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkaljdaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jblbpnhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjnaehgj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdfcaegj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpmdjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgmofbpk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgdmeh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdigakic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inffdd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgcpgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Naihdb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfijfdca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldikbhfh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ioochn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmgokcja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfqbol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhahcjcf.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ilmgef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oaaghp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jejina32.dll" Ophanl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcnmploa.dll" Jidppaio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kloqiijm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nbgakd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iclfccmq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfiebedp.dll" Pjlgna32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibnodj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fblpnepn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Giakoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jpomnilc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mbhnpplb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndpmbjbk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efdmohmm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ocglmcdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfiqjo32.dll" Bgijbede.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpdhjg32.dll" Lgphke32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lednal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnnhjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onggom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Imgija32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kipdnine.dll" Ppogok32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjkmfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfgiimk.dll" Eeijpdbd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igdndl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gpkckneh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paebkkhn.dll" Cbnfmo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdgane32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkocglhl.dll" Gcdmikma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ioochn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hdolga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mahgejhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aomekckd.dll" Aeokdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahllda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgflnkja.dll" Iniglajj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlhbc32.dll" Jhndcd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjfdpckc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbcecpck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ihlbih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijenpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebmjihqn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onggom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ealejn32.dll" Hllffmbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndiaem32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epmahmcm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpdibapb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kefjafkp.dll" Mgglcqdk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chfffk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fooghg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hnjagdlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chmpbiao.dll" Plildb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqmepa32.dll" Acjfpokk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Baakem32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgodjico.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhffikob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mljgmiaq.dll" Ipimic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaopnk32.dll" Keodflee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inpiogfm.dll" Dpmjjhmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qjbehfbo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bclcfnih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibbffq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igoagpja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldangbhd.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2540 wrote to memory of 2260 2540 434364667d60b7ac3a4a1023c5f116c1e93443df0c89ae4bb1e0dd3560cc723f.exe 29 PID 2540 wrote to memory of 2260 2540 434364667d60b7ac3a4a1023c5f116c1e93443df0c89ae4bb1e0dd3560cc723f.exe 29 PID 2540 wrote to memory of 2260 2540 434364667d60b7ac3a4a1023c5f116c1e93443df0c89ae4bb1e0dd3560cc723f.exe 29 PID 2540 wrote to memory of 2260 2540 434364667d60b7ac3a4a1023c5f116c1e93443df0c89ae4bb1e0dd3560cc723f.exe 29 PID 2260 wrote to memory of 3012 2260 Bmjhdi32.exe 265 PID 2260 wrote to memory of 3012 2260 Bmjhdi32.exe 265 PID 2260 wrote to memory of 3012 2260 Bmjhdi32.exe 265 PID 2260 wrote to memory of 3012 2260 Bmjhdi32.exe 265 PID 3012 wrote to memory of 3036 3012 Bbgplq32.exe 31 PID 3012 wrote to memory of 3036 3012 Bbgplq32.exe 31 PID 3012 wrote to memory of 3036 3012 Bbgplq32.exe 31 PID 3012 wrote to memory of 3036 3012 Bbgplq32.exe 31 PID 3036 wrote to memory of 3024 3036 Cbnfmo32.exe 32 PID 3036 wrote to memory of 3024 3036 Cbnfmo32.exe 32 PID 3036 wrote to memory of 3024 3036 Cbnfmo32.exe 32 PID 3036 wrote to memory of 3024 3036 Cbnfmo32.exe 32 PID 3024 wrote to memory of 1680 3024 Caepdk32.exe 33 PID 3024 wrote to memory of 1680 3024 Caepdk32.exe 33 PID 3024 wrote to memory of 1680 3024 Caepdk32.exe 33 PID 3024 wrote to memory of 1680 3024 Caepdk32.exe 33 PID 1680 wrote to memory of 2664 1680 Dpmjjhmi.exe 34 PID 1680 wrote to memory of 2664 1680 Dpmjjhmi.exe 34 PID 1680 wrote to memory of 2664 1680 Dpmjjhmi.exe 34 PID 1680 wrote to memory of 2664 1680 Dpmjjhmi.exe 34 PID 2664 wrote to memory of 1376 2664 Dpdpkfga.exe 303 PID 2664 wrote to memory of 1376 2664 Dpdpkfga.exe 303 PID 2664 wrote to memory of 1376 2664 Dpdpkfga.exe 303 PID 2664 wrote to memory of 1376 2664 Dpdpkfga.exe 303 PID 1376 wrote to memory of 984 1376 Dpflqfeo.exe 280 PID 1376 wrote to memory of 984 1376 Dpflqfeo.exe 280 PID 1376 wrote to memory of 984 1376 Dpflqfeo.exe 280 PID 1376 wrote to memory of 984 1376 Dpflqfeo.exe 280 PID 984 wrote to memory of 2972 984 Ehaaei32.exe 313 PID 984 wrote to memory of 2972 984 Ehaaei32.exe 313 PID 984 wrote to memory of 2972 984 Ehaaei32.exe 313 PID 984 wrote to memory of 2972 984 Ehaaei32.exe 313 PID 2972 wrote to memory of 316 2972 Eopcmb32.exe 347 PID 2972 wrote to memory of 316 2972 Eopcmb32.exe 347 PID 2972 wrote to memory of 316 2972 Eopcmb32.exe 347 PID 2972 wrote to memory of 316 2972 Eopcmb32.exe 347 PID 316 wrote to memory of 1096 316 Ecbhfeip.exe 39 PID 316 wrote to memory of 1096 316 Ecbhfeip.exe 39 PID 316 wrote to memory of 1096 316 Ecbhfeip.exe 39 PID 316 wrote to memory of 1096 316 Ecbhfeip.exe 39 PID 1096 wrote to memory of 844 1096 Fcingdbh.exe 40 PID 1096 wrote to memory of 844 1096 Fcingdbh.exe 40 PID 1096 wrote to memory of 844 1096 Fcingdbh.exe 40 PID 1096 wrote to memory of 844 1096 Fcingdbh.exe 40 PID 844 wrote to memory of 560 844 Fkdckgpc.exe 334 PID 844 wrote to memory of 560 844 Fkdckgpc.exe 334 PID 844 wrote to memory of 560 844 Fkdckgpc.exe 334 PID 844 wrote to memory of 560 844 Fkdckgpc.exe 334 PID 560 wrote to memory of 1780 560 Gbcecpck.exe 42 PID 560 wrote to memory of 1780 560 Gbcecpck.exe 42 PID 560 wrote to memory of 1780 560 Gbcecpck.exe 42 PID 560 wrote to memory of 1780 560 Gbcecpck.exe 42 PID 1780 wrote to memory of 1628 1780 Gjnigb32.exe 43 PID 1780 wrote to memory of 1628 1780 Gjnigb32.exe 43 PID 1780 wrote to memory of 1628 1780 Gjnigb32.exe 43 PID 1780 wrote to memory of 1628 1780 Gjnigb32.exe 43 PID 1628 wrote to memory of 2112 1628 Gknfaehi.exe 44 PID 1628 wrote to memory of 2112 1628 Gknfaehi.exe 44 PID 1628 wrote to memory of 2112 1628 Gknfaehi.exe 44 PID 1628 wrote to memory of 2112 1628 Gknfaehi.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\434364667d60b7ac3a4a1023c5f116c1e93443df0c89ae4bb1e0dd3560cc723f.exe"C:\Users\Admin\AppData\Local\Temp\434364667d60b7ac3a4a1023c5f116c1e93443df0c89ae4bb1e0dd3560cc723f.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\SysWOW64\Bmjhdi32.exeC:\Windows\system32\Bmjhdi32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Windows\SysWOW64\Bbgplq32.exeC:\Windows\system32\Bbgplq32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Windows\SysWOW64\Cbnfmo32.exeC:\Windows\system32\Cbnfmo32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Windows\SysWOW64\Caepdk32.exeC:\Windows\system32\Caepdk32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Windows\SysWOW64\Dpmjjhmi.exeC:\Windows\system32\Dpmjjhmi.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Windows\SysWOW64\Dpdpkfga.exeC:\Windows\system32\Dpdpkfga.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Dpflqfeo.exeC:\Windows\system32\Dpflqfeo.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1376 -
C:\Windows\SysWOW64\Ehaaei32.exeC:\Windows\system32\Ehaaei32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:984 -
C:\Windows\SysWOW64\Eopcmb32.exeC:\Windows\system32\Eopcmb32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Ecbhfeip.exeC:\Windows\system32\Ecbhfeip.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:316 -
C:\Windows\SysWOW64\Fcingdbh.exeC:\Windows\system32\Fcingdbh.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1096 -
C:\Windows\SysWOW64\Fkdckgpc.exeC:\Windows\system32\Fkdckgpc.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:844 -
C:\Windows\SysWOW64\Gbcecpck.exeC:\Windows\system32\Gbcecpck.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:560 -
C:\Windows\SysWOW64\Gjnigb32.exeC:\Windows\system32\Gjnigb32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1780 -
C:\Windows\SysWOW64\Gknfaehi.exeC:\Windows\system32\Gknfaehi.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1628 -
C:\Windows\SysWOW64\Gmaoomld.exeC:\Windows\system32\Gmaoomld.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2112 -
C:\Windows\SysWOW64\Hnjagdlj.exeC:\Windows\system32\Hnjagdlj.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2596 -
C:\Windows\SysWOW64\Hhbfpj32.exeC:\Windows\system32\Hhbfpj32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2400 -
C:\Windows\SysWOW64\Iflmlfcn.exeC:\Windows\system32\Iflmlfcn.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2496 -
C:\Windows\SysWOW64\Iiaoip32.exeC:\Windows\system32\Iiaoip32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2488 -
C:\Windows\SysWOW64\Jpndkj32.exeC:\Windows\system32\Jpndkj32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2200 -
C:\Windows\SysWOW64\Jaamhb32.exeC:\Windows\system32\Jaamhb32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1512 -
C:\Windows\SysWOW64\Jacjna32.exeC:\Windows\system32\Jacjna32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2016 -
C:\Windows\SysWOW64\Jnjjcbiq.exeC:\Windows\system32\Jnjjcbiq.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1212 -
C:\Windows\SysWOW64\Kknklg32.exeC:\Windows\system32\Kknklg32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1028 -
C:\Windows\SysWOW64\Kcipqi32.exeC:\Windows\system32\Kcipqi32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1740 -
C:\Windows\SysWOW64\Klbdiokf.exeC:\Windows\system32\Klbdiokf.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:276 -
C:\Windows\SysWOW64\Knaqcabh.exeC:\Windows\system32\Knaqcabh.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2816 -
C:\Windows\SysWOW64\Kjhahb32.exeC:\Windows\system32\Kjhahb32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2372 -
C:\Windows\SysWOW64\Kogffida.exeC:\Windows\system32\Kogffida.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2792 -
C:\Windows\SysWOW64\Lojclibo.exeC:\Windows\system32\Lojclibo.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2748 -
C:\Windows\SysWOW64\Lkqdajhc.exeC:\Windows\system32\Lkqdajhc.exe33⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Ldihjo32.exeC:\Windows\system32\Ldihjo32.exe34⤵
- Executes dropped EXE
PID:2804 -
C:\Windows\SysWOW64\Lqpiopdh.exeC:\Windows\system32\Lqpiopdh.exe35⤵
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Ljjjmeie.exeC:\Windows\system32\Ljjjmeie.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1924 -
C:\Windows\SysWOW64\Mipgnbnn.exeC:\Windows\system32\Mipgnbnn.exe37⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Mpipkl32.exeC:\Windows\system32\Mpipkl32.exe38⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Mmpmjpba.exeC:\Windows\system32\Mmpmjpba.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1460 -
C:\Windows\SysWOW64\Mekanbol.exeC:\Windows\system32\Mekanbol.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2376 -
C:\Windows\SysWOW64\Mpqekkob.exeC:\Windows\system32\Mpqekkob.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1452 -
C:\Windows\SysWOW64\Njjfli32.exeC:\Windows\system32\Njjfli32.exe42⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Ncbkenba.exeC:\Windows\system32\Ncbkenba.exe43⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Nebgoa32.exeC:\Windows\system32\Nebgoa32.exe44⤵
- Executes dropped EXE
PID:2520 -
C:\Windows\SysWOW64\Naihdb32.exeC:\Windows\system32\Naihdb32.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2068 -
C:\Windows\SysWOW64\Njammhei.exeC:\Windows\system32\Njammhei.exe46⤵
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\Ndiaem32.exeC:\Windows\system32\Ndiaem32.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:1768 -
C:\Windows\SysWOW64\Nlefjpid.exeC:\Windows\system32\Nlefjpid.exe48⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Oemjbe32.exeC:\Windows\system32\Oemjbe32.exe49⤵
- Executes dropped EXE
PID:1364 -
C:\Windows\SysWOW64\Ooeolkff.exeC:\Windows\system32\Ooeolkff.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:584 -
C:\Windows\SysWOW64\Opekenmh.exeC:\Windows\system32\Opekenmh.exe51⤵
- Executes dropped EXE
PID:2444 -
C:\Windows\SysWOW64\Oimpnc32.exeC:\Windows\system32\Oimpnc32.exe52⤵
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Oahdce32.exeC:\Windows\system32\Oahdce32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2892 -
C:\Windows\SysWOW64\Omoehf32.exeC:\Windows\system32\Omoehf32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Pmabmf32.exeC:\Windows\system32\Pmabmf32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:988 -
C:\Windows\SysWOW64\Pgjfflkf.exeC:\Windows\system32\Pgjfflkf.exe56⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Pcagkmaj.exeC:\Windows\system32\Pcagkmaj.exe57⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Plildb32.exeC:\Windows\system32\Plildb32.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:308 -
C:\Windows\SysWOW64\Peapmhnk.exeC:\Windows\system32\Peapmhnk.exe59⤵
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Pgamgken.exeC:\Windows\system32\Pgamgken.exe60⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Plneoace.exeC:\Windows\system32\Plneoace.exe61⤵
- Executes dropped EXE
PID:2332 -
C:\Windows\SysWOW64\Qjbehfbo.exeC:\Windows\system32\Qjbehfbo.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:2192 -
C:\Windows\SysWOW64\Adncoc32.exeC:\Windows\system32\Adncoc32.exe63⤵
- Executes dropped EXE
PID:900 -
C:\Windows\SysWOW64\Abachg32.exeC:\Windows\system32\Abachg32.exe64⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Ahllda32.exeC:\Windows\system32\Ahllda32.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:2352 -
C:\Windows\SysWOW64\Ajmhljip.exeC:\Windows\system32\Ajmhljip.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1860 -
C:\Windows\SysWOW64\Acemeo32.exeC:\Windows\system32\Acemeo32.exe67⤵
- Drops file in System32 directory
PID:1840 -
C:\Windows\SysWOW64\Achikonn.exeC:\Windows\system32\Achikonn.exe68⤵PID:1704
-
C:\Windows\SysWOW64\Anmnhhmd.exeC:\Windows\system32\Anmnhhmd.exe69⤵
- System Location Discovery: System Language Discovery
PID:2800 -
C:\Windows\SysWOW64\Acjfpokk.exeC:\Windows\system32\Acjfpokk.exe70⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2712 -
C:\Windows\SysWOW64\Bigohejb.exeC:\Windows\system32\Bigohejb.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1040 -
C:\Windows\SysWOW64\Bclcfnih.exeC:\Windows\system32\Bclcfnih.exe72⤵
- Modifies registry class
PID:2744 -
C:\Windows\SysWOW64\Fkapkq32.exeC:\Windows\system32\Fkapkq32.exe73⤵
- Drops file in System32 directory
PID:2948 -
C:\Windows\SysWOW64\Gkaljdaf.exeC:\Windows\system32\Gkaljdaf.exe74⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2668 -
C:\Windows\SysWOW64\Gdjpcj32.exeC:\Windows\system32\Gdjpcj32.exe75⤵PID:2996
-
C:\Windows\SysWOW64\Hpmdjf32.exeC:\Windows\system32\Hpmdjf32.exe76⤵
- System Location Discovery: System Language Discovery
PID:3004 -
C:\Windows\SysWOW64\Hbkpfa32.exeC:\Windows\system32\Hbkpfa32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1980 -
C:\Windows\SysWOW64\Ipoqofjh.exeC:\Windows\system32\Ipoqofjh.exe78⤵
- Drops file in System32 directory
PID:2728 -
C:\Windows\SysWOW64\Imcaijia.exeC:\Windows\system32\Imcaijia.exe79⤵
- Drops file in System32 directory
PID:2096 -
C:\Windows\SysWOW64\Indnqb32.exeC:\Windows\system32\Indnqb32.exe80⤵PID:928
-
C:\Windows\SysWOW64\Ihlbih32.exeC:\Windows\system32\Ihlbih32.exe81⤵
- Modifies registry class
PID:1940 -
C:\Windows\SysWOW64\Ibbffq32.exeC:\Windows\system32\Ibbffq32.exe82⤵
- Modifies registry class
PID:1788 -
C:\Windows\SysWOW64\Iniglajj.exeC:\Windows\system32\Iniglajj.exe83⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1340 -
C:\Windows\SysWOW64\Ilmgef32.exeC:\Windows\system32\Ilmgef32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2304 -
C:\Windows\SysWOW64\Jffhec32.exeC:\Windows\system32\Jffhec32.exe85⤵
- Drops file in System32 directory
PID:2716 -
C:\Windows\SysWOW64\Jpomnilc.exeC:\Windows\system32\Jpomnilc.exe86⤵
- Modifies registry class
PID:2196 -
C:\Windows\SysWOW64\Jhfepfme.exeC:\Windows\system32\Jhfepfme.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2556 -
C:\Windows\SysWOW64\Jigagocd.exeC:\Windows\system32\Jigagocd.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1932 -
C:\Windows\SysWOW64\Jpajdi32.exeC:\Windows\system32\Jpajdi32.exe89⤵
- System Location Discovery: System Language Discovery
PID:2228 -
C:\Windows\SysWOW64\Jmejmm32.exeC:\Windows\system32\Jmejmm32.exe90⤵PID:2860
-
C:\Windows\SysWOW64\Jgmofbpk.exeC:\Windows\system32\Jgmofbpk.exe91⤵
- System Location Discovery: System Language Discovery
PID:2708 -
C:\Windows\SysWOW64\Joicje32.exeC:\Windows\system32\Joicje32.exe92⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2356 -
C:\Windows\SysWOW64\Jhahcjcf.exeC:\Windows\system32\Jhahcjcf.exe93⤵
- System Location Discovery: System Language Discovery
PID:1644 -
C:\Windows\SysWOW64\Kbflqccl.exeC:\Windows\system32\Kbflqccl.exe94⤵PID:1728
-
C:\Windows\SysWOW64\Kloqiijm.exeC:\Windows\system32\Kloqiijm.exe95⤵
- Modifies registry class
PID:1916 -
C:\Windows\SysWOW64\Kommediq.exeC:\Windows\system32\Kommediq.exe96⤵
- Drops file in System32 directory
PID:608 -
C:\Windows\SysWOW64\Knbjgq32.exeC:\Windows\system32\Knbjgq32.exe97⤵PID:2172
-
C:\Windows\SysWOW64\Kneflplf.exeC:\Windows\system32\Kneflplf.exe98⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2484 -
C:\Windows\SysWOW64\Khjkiikl.exeC:\Windows\system32\Khjkiikl.exe99⤵
- Drops file in System32 directory
PID:2056 -
C:\Windows\SysWOW64\Kabobo32.exeC:\Windows\system32\Kabobo32.exe100⤵PID:2552
-
C:\Windows\SysWOW64\Lgphke32.exeC:\Windows\system32\Lgphke32.exe101⤵
- Modifies registry class
PID:2544 -
C:\Windows\SysWOW64\Ldchdjom.exeC:\Windows\system32\Ldchdjom.exe102⤵
- Drops file in System32 directory
PID:2460 -
C:\Windows\SysWOW64\Ljpqlqmd.exeC:\Windows\system32\Ljpqlqmd.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1688 -
C:\Windows\SysWOW64\Lomidgkl.exeC:\Windows\system32\Lomidgkl.exe104⤵
- Drops file in System32 directory
PID:1864 -
C:\Windows\SysWOW64\Ljbmbpkb.exeC:\Windows\system32\Ljbmbpkb.exe105⤵
- System Location Discovery: System Language Discovery
PID:2680 -
C:\Windows\SysWOW64\Lbnbfb32.exeC:\Windows\system32\Lbnbfb32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1800 -
C:\Windows\SysWOW64\Llcfck32.exeC:\Windows\system32\Llcfck32.exe107⤵PID:2940
-
C:\Windows\SysWOW64\Lflklaoc.exeC:\Windows\system32\Lflklaoc.exe108⤵
- Drops file in System32 directory
PID:1348 -
C:\Windows\SysWOW64\Llfcik32.exeC:\Windows\system32\Llfcik32.exe109⤵PID:1632
-
C:\Windows\SysWOW64\Mbbkabdh.exeC:\Windows\system32\Mbbkabdh.exe110⤵
- Drops file in System32 directory
PID:1268 -
C:\Windows\SysWOW64\Mgodjico.exeC:\Windows\system32\Mgodjico.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3044 -
C:\Windows\SysWOW64\Mdcdcmai.exeC:\Windows\system32\Mdcdcmai.exe112⤵PID:2168
-
C:\Windows\SysWOW64\Mgaqohql.exeC:\Windows\system32\Mgaqohql.exe113⤵PID:2264
-
C:\Windows\SysWOW64\Mnlilb32.exeC:\Windows\system32\Mnlilb32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2176 -
C:\Windows\SysWOW64\Mgdmeh32.exeC:\Windows\system32\Mgdmeh32.exe115⤵
- System Location Discovery: System Language Discovery
PID:2932 -
C:\Windows\SysWOW64\Mnneabff.exeC:\Windows\system32\Mnneabff.exe116⤵
- Drops file in System32 directory
PID:936 -
C:\Windows\SysWOW64\Mfijfdca.exeC:\Windows\system32\Mfijfdca.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1964 -
C:\Windows\SysWOW64\Mpaoojjb.exeC:\Windows\system32\Mpaoojjb.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2432 -
C:\Windows\SysWOW64\Mjgclcjh.exeC:\Windows\system32\Mjgclcjh.exe119⤵PID:1776
-
C:\Windows\SysWOW64\Nbbhpegc.exeC:\Windows\system32\Nbbhpegc.exe120⤵PID:1020
-
C:\Windows\SysWOW64\Npfhjifm.exeC:\Windows\system32\Npfhjifm.exe121⤵
- System Location Discovery: System Language Discovery
PID:1092
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-