Analysis
-
max time kernel
83s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
28-10-2024 13:30
Behavioral task
behavioral1
Sample
4b612f56ccc60fcdc2719f0bc8c5235d995068575979ef387579d59a893f60bbN.exe
Resource
win7-20241010-en
windows7-x64
12 signatures
120 seconds
General
-
Target
4b612f56ccc60fcdc2719f0bc8c5235d995068575979ef387579d59a893f60bbN.exe
-
Size
337KB
-
MD5
e402788ef9a92585e825bf3421ce3e50
-
SHA1
de094a54b222787e6491b3706143db1900dd4a82
-
SHA256
4b612f56ccc60fcdc2719f0bc8c5235d995068575979ef387579d59a893f60bb
-
SHA512
7db6314eff4bbc897943b0393ac4036f90dbe324f359b32b2e47cd22c9d680de898708a9530e348afee788c6c5fed5f3ff17d48ab62df89d0678e9c2ee3e602a
-
SSDEEP
3072:JNMxMLsLgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:bMKLsL1+fIyG5jZkCwi8r
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihhjjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgpjpnhk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcingdbh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbkkbpjc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggkoojip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cialng32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlhaaogd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Migdig32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjkfglom.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pegpamoo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcahga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aiegpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Noplmlok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjljpjjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kplfmfmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghpngkhm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbkhcg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aibfik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbdobc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Haejcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pejejkhl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gekkpqnp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekpmad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eonfgbhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbihmcqp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qkbpgeai.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahllda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glajmppm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpccgppq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oofpgolq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qlbnja32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkigfdjo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alhaho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgkeol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghmnmo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbfklolh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dknehe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdgcaj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgbejj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbfehn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oenmkngi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amiioj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkkhmadd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdeall32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bebiifka.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihaldgak.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppgfciee.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egkehllh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioaobjin.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khmnio32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knodnb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lddoopbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agaifnhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpbilmop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gomhkb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhhkbqea.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oahpahel.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Heamno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qicoleno.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Medligko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmapna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Benpik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgdflb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aajedn32.exe -
Berbew family
-
Njrat family
-
Executes dropped EXE 64 IoCs
pid Process 2944 Qjdgpcmd.exe 2756 Qpaohjkk.exe 3052 Qijdqp32.exe 2864 Ahfgbkpl.exe 2692 Aejglo32.exe 2224 Bmjekahk.exe 1888 Bdfjnkne.exe 2580 Cggcofkf.exe 2912 Ckkenikc.exe 2232 Dajgfboj.exe 2848 Ddjphm32.exe 808 Dlhaaogd.exe 2328 Enngdgim.exe 2168 Egkehllh.exe 2312 Eqcjaa32.exe 948 Fbipdi32.exe 840 Fblljhbo.exe 1868 Fnejdiep.exe 932 Ghmnmo32.exe 716 Gecklbih.exe 2244 Gajlac32.exe 508 Gpoibp32.exe 2504 Gihnkejd.exe 928 Heonpf32.exe 2180 Jkllnn32.exe 2732 Kfgjdlme.exe 2448 Kqmnadlk.exe 3064 Kjhopjqi.exe 2808 Kcpcho32.exe 1856 Kkkhmadd.exe 2816 Lbhmok32.exe 2348 Lckflc32.exe 2364 Lmckeidj.exe 392 Ljjhdm32.exe 2960 Mcbmmbhb.exe 2840 Mlmaad32.exe 1640 Monjcp32.exe 2368 Mkggnp32.exe 516 Mhkhgd32.exe 2076 Nmjmekan.exe 2444 Nhpabdqd.exe 1252 Nahfkigd.exe 2492 Nmogpj32.exe 924 Nmacej32.exe 2484 Oemhjlha.exe 1164 Oaciom32.exe 1716 Olimlf32.exe 2516 Oddbqhkf.exe 2304 Onmfin32.exe 2120 Ohbjgg32.exe 1564 Oajopl32.exe 2876 Ojfcdo32.exe 2936 Pgjdmc32.exe 2660 Pdndggcl.exe 2716 Pmiikipg.exe 2712 Pmkfqind.exe 2964 Pjofjm32.exe 2992 Qkbpgeai.exe 2720 Qekdpkgj.exe 1176 Aglmbfdk.exe 2412 Anfeop32.exe 604 Ajmfca32.exe 1688 Acejlfhl.exe 1124 Aaikfkgf.exe -
Loads dropped DLL 64 IoCs
pid Process 1852 4b612f56ccc60fcdc2719f0bc8c5235d995068575979ef387579d59a893f60bbN.exe 1852 4b612f56ccc60fcdc2719f0bc8c5235d995068575979ef387579d59a893f60bbN.exe 2944 Qjdgpcmd.exe 2944 Qjdgpcmd.exe 2756 Qpaohjkk.exe 2756 Qpaohjkk.exe 3052 Qijdqp32.exe 3052 Qijdqp32.exe 2864 Ahfgbkpl.exe 2864 Ahfgbkpl.exe 2692 Aejglo32.exe 2692 Aejglo32.exe 2224 Bmjekahk.exe 2224 Bmjekahk.exe 1888 Bdfjnkne.exe 1888 Bdfjnkne.exe 2580 Cggcofkf.exe 2580 Cggcofkf.exe 2912 Ckkenikc.exe 2912 Ckkenikc.exe 2232 Dajgfboj.exe 2232 Dajgfboj.exe 2848 Ddjphm32.exe 2848 Ddjphm32.exe 808 Dlhaaogd.exe 808 Dlhaaogd.exe 2328 Enngdgim.exe 2328 Enngdgim.exe 2168 Egkehllh.exe 2168 Egkehllh.exe 2312 Eqcjaa32.exe 2312 Eqcjaa32.exe 948 Fbipdi32.exe 948 Fbipdi32.exe 840 Fblljhbo.exe 840 Fblljhbo.exe 1868 Fnejdiep.exe 1868 Fnejdiep.exe 932 Ghmnmo32.exe 932 Ghmnmo32.exe 716 Gecklbih.exe 716 Gecklbih.exe 2244 Gajlac32.exe 2244 Gajlac32.exe 508 Gpoibp32.exe 508 Gpoibp32.exe 2504 Gihnkejd.exe 2504 Gihnkejd.exe 928 Heonpf32.exe 928 Heonpf32.exe 2180 Jkllnn32.exe 2180 Jkllnn32.exe 2732 Kfgjdlme.exe 2732 Kfgjdlme.exe 2448 Kqmnadlk.exe 2448 Kqmnadlk.exe 3064 Kjhopjqi.exe 3064 Kjhopjqi.exe 2808 Kcpcho32.exe 2808 Kcpcho32.exe 1856 Kkkhmadd.exe 1856 Kkkhmadd.exe 2816 Lbhmok32.exe 2816 Lbhmok32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Qjdgpcmd.exe 4b612f56ccc60fcdc2719f0bc8c5235d995068575979ef387579d59a893f60bbN.exe File created C:\Windows\SysWOW64\Cmboecje.dll Egkehllh.exe File created C:\Windows\SysWOW64\Claake32.exe Bfblmofp.exe File opened for modification C:\Windows\SysWOW64\Anfjpa32.exe Agmacgcc.exe File opened for modification C:\Windows\SysWOW64\Aolihc32.exe Ahpdficc.exe File created C:\Windows\SysWOW64\Alnndlmh.dll Gnocdb32.exe File created C:\Windows\SysWOW64\Pjbnmm32.exe Oiqaed32.exe File created C:\Windows\SysWOW64\Conhkl32.dll Dkookd32.exe File opened for modification C:\Windows\SysWOW64\Lfgbmf32.exe Llpajmkq.exe File created C:\Windows\SysWOW64\Mkggnp32.exe Monjcp32.exe File created C:\Windows\SysWOW64\Oddbqhkf.exe Olimlf32.exe File created C:\Windows\SysWOW64\Lmbadfdl.exe Lheilofe.exe File created C:\Windows\SysWOW64\Jjjohbgl.exe Jcpglhpo.exe File created C:\Windows\SysWOW64\Lpppjikm.dll 4b612f56ccc60fcdc2719f0bc8c5235d995068575979ef387579d59a893f60bbN.exe File opened for modification C:\Windows\SysWOW64\Nahfkigd.exe Nhpabdqd.exe File created C:\Windows\SysWOW64\Pficpanm.dll Diencmcj.exe File opened for modification C:\Windows\SysWOW64\Khhndi32.exe Knbjgq32.exe File opened for modification C:\Windows\SysWOW64\Ejpipf32.exe Eiplecnc.exe File created C:\Windows\SysWOW64\Jnppei32.exe Jckkhplq.exe File created C:\Windows\SysWOW64\Liekddkh.exe Lqjfpbmm.exe File created C:\Windows\SysWOW64\Fhnfnajf.dll Nlgfqldf.exe File created C:\Windows\SysWOW64\Gohjnf32.exe Gadidabc.exe File opened for modification C:\Windows\SysWOW64\Knhoig32.exe Jgnflmia.exe File created C:\Windows\SysWOW64\Monilb32.dll Mmigdend.exe File created C:\Windows\SysWOW64\Qmmbhegc.exe Pgpjpnhk.exe File created C:\Windows\SysWOW64\Ccadla32.dll Mcbmmbhb.exe File created C:\Windows\SysWOW64\Dpdbdo32.exe Dijjgegh.exe File created C:\Windows\SysWOW64\Epblob32.dll Hcohbh32.exe File opened for modification C:\Windows\SysWOW64\Lmlnjcgg.exe Kfbemi32.exe File opened for modification C:\Windows\SysWOW64\Gmloigln.exe Gbfklolh.exe File opened for modification C:\Windows\SysWOW64\Cqcomn32.exe Cconcjae.exe File created C:\Windows\SysWOW64\Qechqj32.exe Pddlggin.exe File created C:\Windows\SysWOW64\Kclmbm32.exe Kmbeecaq.exe File created C:\Windows\SysWOW64\Geddoa32.exe Gphlgk32.exe File opened for modification C:\Windows\SysWOW64\Gikpjk32.exe Fnelmb32.exe File opened for modification C:\Windows\SysWOW64\Mfhabe32.exe Mlbmem32.exe File created C:\Windows\SysWOW64\Jcmnkl32.dll Gmloigln.exe File created C:\Windows\SysWOW64\Bfmkge32.dll Dgbgon32.exe File opened for modification C:\Windows\SysWOW64\Nnknqpgi.exe Njmejaqb.exe File opened for modification C:\Windows\SysWOW64\Cnbfkccn.exe Ccmanjch.exe File created C:\Windows\SysWOW64\Bdpgai32.exe Bkgchckl.exe File created C:\Windows\SysWOW64\Klkegf32.dll Jgnflmia.exe File opened for modification C:\Windows\SysWOW64\Fblljhbo.exe Fbipdi32.exe File created C:\Windows\SysWOW64\Emomop32.dll Bebiifka.exe File created C:\Windows\SysWOW64\Imhgkp32.dll Jmmmbg32.exe File created C:\Windows\SysWOW64\Afmhjhpn.dll Ehjbaooe.exe File opened for modification C:\Windows\SysWOW64\Kbmahjbk.exe Kidlodkj.exe File opened for modification C:\Windows\SysWOW64\Mkhocj32.exe Mcafbm32.exe File created C:\Windows\SysWOW64\Nmiinh32.dll Fhnjdfcl.exe File created C:\Windows\SysWOW64\Nqamaeii.exe Mnqdpj32.exe File opened for modification C:\Windows\SysWOW64\Mcafbm32.exe Mapjjdjb.exe File opened for modification C:\Windows\SysWOW64\Cpadpg32.exe Cghpgbce.exe File created C:\Windows\SysWOW64\Hehgjl32.dll Gbeaip32.exe File created C:\Windows\SysWOW64\Lcneklck.exe Ljeabf32.exe File created C:\Windows\SysWOW64\Biikne32.exe Bbocak32.exe File created C:\Windows\SysWOW64\Dbpmba32.dll Jbkhcg32.exe File created C:\Windows\SysWOW64\Bnielf32.dll Ahomlb32.exe File created C:\Windows\SysWOW64\Kdlhgmlg.dll Ejbhno32.exe File created C:\Windows\SysWOW64\Bqopmbed.exe Akbgdkgm.exe File opened for modification C:\Windows\SysWOW64\Bbolge32.exe Bgihjl32.exe File created C:\Windows\SysWOW64\Dijjgegh.exe Dflnkjhe.exe File created C:\Windows\SysWOW64\Cblpaffb.dll Bdpgai32.exe File created C:\Windows\SysWOW64\Eqejjj32.exe Egmeadbk.exe File opened for modification C:\Windows\SysWOW64\Nijdcdgn.exe Nihgndip.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4976 1572 Process not Found 1242 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Heijidbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eocieq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddjphm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfqaph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opbopn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmapna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjkmfn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aidpjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbmlal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjpnjheg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Majdkifd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eonfgbhc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnfkefad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Didgig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kghkppbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocdohdfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clheeh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifljcanj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afffgjma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acbieing.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jllakpdk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnpnga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deajlf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onmfin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lppgfkpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnnohmog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpbabf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcaqmkpn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acnpjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaikfkgf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqhiab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dplbpaim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpcbhlki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibklddof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgeabi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qqoaefke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehjbaooe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4b612f56ccc60fcdc2719f0bc8c5235d995068575979ef387579d59a893f60bbN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djffihmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlecmkel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcpcho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iofhmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cligkdlm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pebbeq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gajlac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffaeneno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gphlgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omgfdhbq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caqfiloi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbpmin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmjekahk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngkaaolf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anmnhhmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Haejcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icmlnmgb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgjfbllj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpfpmonn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kqmnadlk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nidhfgpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eeameodq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gadidabc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajjeld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhgpgjoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imifpagp.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Menfel32.dll" Jlddpkgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oonopkmp.dll" Johlpoij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Claake32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ilhnjfmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdejeo32.dll" Fljhmmci.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ocdohdfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkolmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mkhocj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gecklbih.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Acejlfhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpbilmop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpegka32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pdndggcl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apapcnaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hekqpj32.dll" Elkbipdi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lolbjahp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ehopnk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eiplecnc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbfehn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obnkqlae.dll" Ggmjkapi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dijgnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Maabcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhnnpolk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcpabfbj.dll" Olimlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Liekddkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qqoaefke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncbkenba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahomlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkgjae32.dll" Heijidbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kciifc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Khhndi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kghkppbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kiccle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hgobpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bepjjn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Heamno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npceanij.dll" Qicoleno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mklgei32.dll" Bgkeol32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhjppg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Benpik32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhpabdqd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efnnjm32.dll" Dmljnfll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcafbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhckloge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifodbcn.dll" Ajjeld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Heonpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jhniebne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gffnacpc.dll" Eehndm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdeifinb.dll" Hbkpfa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ceoagcld.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmacej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kppmhmhh.dll" Eibgbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcadedfd.dll" Cmapna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnjbfhqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnbfkccn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkpaokgq.dll" Ocdnloph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipoqofjh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abachg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jllakpdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kanhdp32.dll" Kcnilhap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nekdie32.dll" Nakeib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pomihp32.dll" Cqcomn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmelfeqn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpiaec32.dll" Pejnpe32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1852 wrote to memory of 2944 1852 4b612f56ccc60fcdc2719f0bc8c5235d995068575979ef387579d59a893f60bbN.exe 30 PID 1852 wrote to memory of 2944 1852 4b612f56ccc60fcdc2719f0bc8c5235d995068575979ef387579d59a893f60bbN.exe 30 PID 1852 wrote to memory of 2944 1852 4b612f56ccc60fcdc2719f0bc8c5235d995068575979ef387579d59a893f60bbN.exe 30 PID 1852 wrote to memory of 2944 1852 4b612f56ccc60fcdc2719f0bc8c5235d995068575979ef387579d59a893f60bbN.exe 30 PID 2944 wrote to memory of 2756 2944 Qjdgpcmd.exe 31 PID 2944 wrote to memory of 2756 2944 Qjdgpcmd.exe 31 PID 2944 wrote to memory of 2756 2944 Qjdgpcmd.exe 31 PID 2944 wrote to memory of 2756 2944 Qjdgpcmd.exe 31 PID 2756 wrote to memory of 3052 2756 Qpaohjkk.exe 32 PID 2756 wrote to memory of 3052 2756 Qpaohjkk.exe 32 PID 2756 wrote to memory of 3052 2756 Qpaohjkk.exe 32 PID 2756 wrote to memory of 3052 2756 Qpaohjkk.exe 32 PID 3052 wrote to memory of 2864 3052 Qijdqp32.exe 33 PID 3052 wrote to memory of 2864 3052 Qijdqp32.exe 33 PID 3052 wrote to memory of 2864 3052 Qijdqp32.exe 33 PID 3052 wrote to memory of 2864 3052 Qijdqp32.exe 33 PID 2864 wrote to memory of 2692 2864 Ahfgbkpl.exe 34 PID 2864 wrote to memory of 2692 2864 Ahfgbkpl.exe 34 PID 2864 wrote to memory of 2692 2864 Ahfgbkpl.exe 34 PID 2864 wrote to memory of 2692 2864 Ahfgbkpl.exe 34 PID 2692 wrote to memory of 2224 2692 Aejglo32.exe 35 PID 2692 wrote to memory of 2224 2692 Aejglo32.exe 35 PID 2692 wrote to memory of 2224 2692 Aejglo32.exe 35 PID 2692 wrote to memory of 2224 2692 Aejglo32.exe 35 PID 2224 wrote to memory of 1888 2224 Bmjekahk.exe 36 PID 2224 wrote to memory of 1888 2224 Bmjekahk.exe 36 PID 2224 wrote to memory of 1888 2224 Bmjekahk.exe 36 PID 2224 wrote to memory of 1888 2224 Bmjekahk.exe 36 PID 1888 wrote to memory of 2580 1888 Bdfjnkne.exe 37 PID 1888 wrote to memory of 2580 1888 Bdfjnkne.exe 37 PID 1888 wrote to memory of 2580 1888 Bdfjnkne.exe 37 PID 1888 wrote to memory of 2580 1888 Bdfjnkne.exe 37 PID 2580 wrote to memory of 2912 2580 Cggcofkf.exe 38 PID 2580 wrote to memory of 2912 2580 Cggcofkf.exe 38 PID 2580 wrote to memory of 2912 2580 Cggcofkf.exe 38 PID 2580 wrote to memory of 2912 2580 Cggcofkf.exe 38 PID 2912 wrote to memory of 2232 2912 Ckkenikc.exe 39 PID 2912 wrote to memory of 2232 2912 Ckkenikc.exe 39 PID 2912 wrote to memory of 2232 2912 Ckkenikc.exe 39 PID 2912 wrote to memory of 2232 2912 Ckkenikc.exe 39 PID 2232 wrote to memory of 2848 2232 Dajgfboj.exe 40 PID 2232 wrote to memory of 2848 2232 Dajgfboj.exe 40 PID 2232 wrote to memory of 2848 2232 Dajgfboj.exe 40 PID 2232 wrote to memory of 2848 2232 Dajgfboj.exe 40 PID 2848 wrote to memory of 808 2848 Ddjphm32.exe 41 PID 2848 wrote to memory of 808 2848 Ddjphm32.exe 41 PID 2848 wrote to memory of 808 2848 Ddjphm32.exe 41 PID 2848 wrote to memory of 808 2848 Ddjphm32.exe 41 PID 808 wrote to memory of 2328 808 Dlhaaogd.exe 42 PID 808 wrote to memory of 2328 808 Dlhaaogd.exe 42 PID 808 wrote to memory of 2328 808 Dlhaaogd.exe 42 PID 808 wrote to memory of 2328 808 Dlhaaogd.exe 42 PID 2328 wrote to memory of 2168 2328 Enngdgim.exe 43 PID 2328 wrote to memory of 2168 2328 Enngdgim.exe 43 PID 2328 wrote to memory of 2168 2328 Enngdgim.exe 43 PID 2328 wrote to memory of 2168 2328 Enngdgim.exe 43 PID 2168 wrote to memory of 2312 2168 Egkehllh.exe 44 PID 2168 wrote to memory of 2312 2168 Egkehllh.exe 44 PID 2168 wrote to memory of 2312 2168 Egkehllh.exe 44 PID 2168 wrote to memory of 2312 2168 Egkehllh.exe 44 PID 2312 wrote to memory of 948 2312 Eqcjaa32.exe 45 PID 2312 wrote to memory of 948 2312 Eqcjaa32.exe 45 PID 2312 wrote to memory of 948 2312 Eqcjaa32.exe 45 PID 2312 wrote to memory of 948 2312 Eqcjaa32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\4b612f56ccc60fcdc2719f0bc8c5235d995068575979ef387579d59a893f60bbN.exe"C:\Users\Admin\AppData\Local\Temp\4b612f56ccc60fcdc2719f0bc8c5235d995068575979ef387579d59a893f60bbN.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1852 -
C:\Windows\SysWOW64\Qjdgpcmd.exeC:\Windows\system32\Qjdgpcmd.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\Qpaohjkk.exeC:\Windows\system32\Qpaohjkk.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Qijdqp32.exeC:\Windows\system32\Qijdqp32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\SysWOW64\Ahfgbkpl.exeC:\Windows\system32\Ahfgbkpl.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\Aejglo32.exeC:\Windows\system32\Aejglo32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Bmjekahk.exeC:\Windows\system32\Bmjekahk.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Windows\SysWOW64\Bdfjnkne.exeC:\Windows\system32\Bdfjnkne.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1888 -
C:\Windows\SysWOW64\Cggcofkf.exeC:\Windows\system32\Cggcofkf.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\Ckkenikc.exeC:\Windows\system32\Ckkenikc.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Dajgfboj.exeC:\Windows\system32\Dajgfboj.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2232 -
C:\Windows\SysWOW64\Ddjphm32.exeC:\Windows\system32\Ddjphm32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\Dlhaaogd.exeC:\Windows\system32\Dlhaaogd.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:808 -
C:\Windows\SysWOW64\Enngdgim.exeC:\Windows\system32\Enngdgim.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Windows\SysWOW64\Egkehllh.exeC:\Windows\system32\Egkehllh.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Windows\SysWOW64\Eqcjaa32.exeC:\Windows\system32\Eqcjaa32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2312 -
C:\Windows\SysWOW64\Fbipdi32.exeC:\Windows\system32\Fbipdi32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:948 -
C:\Windows\SysWOW64\Fblljhbo.exeC:\Windows\system32\Fblljhbo.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:840 -
C:\Windows\SysWOW64\Fnejdiep.exeC:\Windows\system32\Fnejdiep.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1868 -
C:\Windows\SysWOW64\Ghmnmo32.exeC:\Windows\system32\Ghmnmo32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:932 -
C:\Windows\SysWOW64\Gecklbih.exeC:\Windows\system32\Gecklbih.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:716 -
C:\Windows\SysWOW64\Gajlac32.exeC:\Windows\system32\Gajlac32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2244 -
C:\Windows\SysWOW64\Gpoibp32.exeC:\Windows\system32\Gpoibp32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:508 -
C:\Windows\SysWOW64\Gihnkejd.exeC:\Windows\system32\Gihnkejd.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2504 -
C:\Windows\SysWOW64\Heonpf32.exeC:\Windows\system32\Heonpf32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:928 -
C:\Windows\SysWOW64\Jkllnn32.exeC:\Windows\system32\Jkllnn32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2180 -
C:\Windows\SysWOW64\Kfgjdlme.exeC:\Windows\system32\Kfgjdlme.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2732 -
C:\Windows\SysWOW64\Kqmnadlk.exeC:\Windows\system32\Kqmnadlk.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2448 -
C:\Windows\SysWOW64\Kjhopjqi.exeC:\Windows\system32\Kjhopjqi.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3064 -
C:\Windows\SysWOW64\Kcpcho32.exeC:\Windows\system32\Kcpcho32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2808 -
C:\Windows\SysWOW64\Kkkhmadd.exeC:\Windows\system32\Kkkhmadd.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1856 -
C:\Windows\SysWOW64\Lbhmok32.exeC:\Windows\system32\Lbhmok32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2816 -
C:\Windows\SysWOW64\Lckflc32.exeC:\Windows\system32\Lckflc32.exe33⤵
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Lmckeidj.exeC:\Windows\system32\Lmckeidj.exe34⤵
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Ljjhdm32.exeC:\Windows\system32\Ljjhdm32.exe35⤵
- Executes dropped EXE
PID:392 -
C:\Windows\SysWOW64\Mcbmmbhb.exeC:\Windows\system32\Mcbmmbhb.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2960 -
C:\Windows\SysWOW64\Mlmaad32.exeC:\Windows\system32\Mlmaad32.exe37⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Monjcp32.exeC:\Windows\system32\Monjcp32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1640 -
C:\Windows\SysWOW64\Mkggnp32.exeC:\Windows\system32\Mkggnp32.exe39⤵
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Mhkhgd32.exeC:\Windows\system32\Mhkhgd32.exe40⤵
- Executes dropped EXE
PID:516 -
C:\Windows\SysWOW64\Nmjmekan.exeC:\Windows\system32\Nmjmekan.exe41⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Nhpabdqd.exeC:\Windows\system32\Nhpabdqd.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2444 -
C:\Windows\SysWOW64\Nahfkigd.exeC:\Windows\system32\Nahfkigd.exe43⤵
- Executes dropped EXE
PID:1252 -
C:\Windows\SysWOW64\Nmogpj32.exeC:\Windows\system32\Nmogpj32.exe44⤵
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\Nmacej32.exeC:\Windows\system32\Nmacej32.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:924 -
C:\Windows\SysWOW64\Oemhjlha.exeC:\Windows\system32\Oemhjlha.exe46⤵
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Oaciom32.exeC:\Windows\system32\Oaciom32.exe47⤵
- Executes dropped EXE
PID:1164 -
C:\Windows\SysWOW64\Olimlf32.exeC:\Windows\system32\Olimlf32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1716 -
C:\Windows\SysWOW64\Oddbqhkf.exeC:\Windows\system32\Oddbqhkf.exe49⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Onmfin32.exeC:\Windows\system32\Onmfin32.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2304 -
C:\Windows\SysWOW64\Ohbjgg32.exeC:\Windows\system32\Ohbjgg32.exe51⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Oajopl32.exeC:\Windows\system32\Oajopl32.exe52⤵
- Executes dropped EXE
PID:1564 -
C:\Windows\SysWOW64\Ojfcdo32.exeC:\Windows\system32\Ojfcdo32.exe53⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Pgjdmc32.exeC:\Windows\system32\Pgjdmc32.exe54⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Pdndggcl.exeC:\Windows\system32\Pdndggcl.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2660 -
C:\Windows\SysWOW64\Pmiikipg.exeC:\Windows\system32\Pmiikipg.exe56⤵
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Pmkfqind.exeC:\Windows\system32\Pmkfqind.exe57⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Pjofjm32.exeC:\Windows\system32\Pjofjm32.exe58⤵
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\Qkbpgeai.exeC:\Windows\system32\Qkbpgeai.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Qekdpkgj.exeC:\Windows\system32\Qekdpkgj.exe60⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Aglmbfdk.exeC:\Windows\system32\Aglmbfdk.exe61⤵
- Executes dropped EXE
PID:1176 -
C:\Windows\SysWOW64\Anfeop32.exeC:\Windows\system32\Anfeop32.exe62⤵
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Ajmfca32.exeC:\Windows\system32\Ajmfca32.exe63⤵
- Executes dropped EXE
PID:604 -
C:\Windows\SysWOW64\Acejlfhl.exeC:\Windows\system32\Acejlfhl.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:1688 -
C:\Windows\SysWOW64\Aaikfkgf.exeC:\Windows\system32\Aaikfkgf.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1124 -
C:\Windows\SysWOW64\Aidpjm32.exeC:\Windows\system32\Aidpjm32.exe66⤵
- System Location Discovery: System Language Discovery
PID:1452 -
C:\Windows\SysWOW64\Aiflpm32.exeC:\Windows\system32\Aiflpm32.exe67⤵PID:1080
-
C:\Windows\SysWOW64\Bfjmia32.exeC:\Windows\system32\Bfjmia32.exe68⤵PID:1860
-
C:\Windows\SysWOW64\Bpbabf32.exeC:\Windows\system32\Bpbabf32.exe69⤵
- System Location Discovery: System Language Discovery
PID:1952 -
C:\Windows\SysWOW64\Bepjjn32.exeC:\Windows\system32\Bepjjn32.exe70⤵
- Modifies registry class
PID:1672 -
C:\Windows\SysWOW64\Bnhncclq.exeC:\Windows\system32\Bnhncclq.exe71⤵PID:2036
-
C:\Windows\SysWOW64\Bhpclica.exeC:\Windows\system32\Bhpclica.exe72⤵PID:2132
-
C:\Windows\SysWOW64\Bojkib32.exeC:\Windows\system32\Bojkib32.exe73⤵PID:2744
-
C:\Windows\SysWOW64\Bdgcaj32.exeC:\Windows\system32\Bdgcaj32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2664 -
C:\Windows\SysWOW64\Bjalndpb.exeC:\Windows\system32\Bjalndpb.exe75⤵PID:2652
-
C:\Windows\SysWOW64\Bhelghol.exeC:\Windows\system32\Bhelghol.exe76⤵PID:2772
-
C:\Windows\SysWOW64\Ecjibgdh.exeC:\Windows\system32\Ecjibgdh.exe77⤵PID:2392
-
C:\Windows\SysWOW64\Fqilppic.exeC:\Windows\system32\Fqilppic.exe78⤵PID:2748
-
C:\Windows\SysWOW64\Fgeabi32.exeC:\Windows\system32\Fgeabi32.exe79⤵
- System Location Discovery: System Language Discovery
PID:756 -
C:\Windows\SysWOW64\Gphlgk32.exeC:\Windows\system32\Gphlgk32.exe80⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2832 -
C:\Windows\SysWOW64\Geddoa32.exeC:\Windows\system32\Geddoa32.exe81⤵PID:2424
-
C:\Windows\SysWOW64\Gfdaid32.exeC:\Windows\system32\Gfdaid32.exe82⤵PID:2008
-
C:\Windows\SysWOW64\Glaiak32.exeC:\Windows\system32\Glaiak32.exe83⤵PID:692
-
C:\Windows\SysWOW64\Giejkp32.exeC:\Windows\system32\Giejkp32.exe84⤵PID:2088
-
C:\Windows\SysWOW64\Gekkpqnp.exeC:\Windows\system32\Gekkpqnp.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1692 -
C:\Windows\SysWOW64\Hlecmkel.exeC:\Windows\system32\Hlecmkel.exe86⤵
- System Location Discovery: System Language Discovery
PID:2524 -
C:\Windows\SysWOW64\Hhlcal32.exeC:\Windows\system32\Hhlcal32.exe87⤵PID:2284
-
C:\Windows\SysWOW64\Hfaqbh32.exeC:\Windows\system32\Hfaqbh32.exe88⤵PID:2892
-
C:\Windows\SysWOW64\Hdeall32.exeC:\Windows\system32\Hdeall32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2860 -
C:\Windows\SysWOW64\Hplbamdf.exeC:\Windows\system32\Hplbamdf.exe90⤵PID:3024
-
C:\Windows\SysWOW64\Heijidbn.exeC:\Windows\system32\Heijidbn.exe91⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3012 -
C:\Windows\SysWOW64\Ioaobjin.exeC:\Windows\system32\Ioaobjin.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:772 -
C:\Windows\SysWOW64\Iigcobid.exeC:\Windows\system32\Iigcobid.exe93⤵PID:3008
-
C:\Windows\SysWOW64\Iabhdefo.exeC:\Windows\system32\Iabhdefo.exe94⤵PID:2924
-
C:\Windows\SysWOW64\Iofhmi32.exeC:\Windows\system32\Iofhmi32.exe95⤵
- System Location Discovery: System Language Discovery
PID:1004 -
C:\Windows\SysWOW64\Ihnmfoli.exeC:\Windows\system32\Ihnmfoli.exe96⤵PID:2156
-
C:\Windows\SysWOW64\Iagaod32.exeC:\Windows\system32\Iagaod32.exe97⤵PID:2468
-
C:\Windows\SysWOW64\Iokahhac.exeC:\Windows\system32\Iokahhac.exe98⤵PID:1904
-
C:\Windows\SysWOW64\Jdjgfomh.exeC:\Windows\system32\Jdjgfomh.exe99⤵PID:2268
-
C:\Windows\SysWOW64\Jjgonf32.exeC:\Windows\system32\Jjgonf32.exe100⤵PID:2256
-
C:\Windows\SysWOW64\Jgkphj32.exeC:\Windows\system32\Jgkphj32.exe101⤵PID:2916
-
C:\Windows\SysWOW64\Jndhddaf.exeC:\Windows\system32\Jndhddaf.exe102⤵PID:2500
-
C:\Windows\SysWOW64\Jcaqmkpn.exeC:\Windows\system32\Jcaqmkpn.exe103⤵
- System Location Discovery: System Language Discovery
PID:2292 -
C:\Windows\SysWOW64\Jhniebne.exeC:\Windows\system32\Jhniebne.exe104⤵
- Modifies registry class
PID:2792 -
C:\Windows\SysWOW64\Jcdmbk32.exeC:\Windows\system32\Jcdmbk32.exe105⤵PID:2724
-
C:\Windows\SysWOW64\Jllakpdk.exeC:\Windows\system32\Jllakpdk.exe106⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2320 -
C:\Windows\SysWOW64\Kfdfdf32.exeC:\Windows\system32\Kfdfdf32.exe107⤵PID:2636
-
C:\Windows\SysWOW64\Kkaolm32.exeC:\Windows\system32\Kkaolm32.exe108⤵PID:2952
-
C:\Windows\SysWOW64\Kfgcieii.exeC:\Windows\system32\Kfgcieii.exe109⤵PID:428
-
C:\Windows\SysWOW64\Koogbk32.exeC:\Windows\system32\Koogbk32.exe110⤵PID:2472
-
C:\Windows\SysWOW64\Khglkqfj.exeC:\Windows\system32\Khglkqfj.exe111⤵PID:876
-
C:\Windows\SysWOW64\Kqcqpc32.exeC:\Windows\system32\Kqcqpc32.exe112⤵PID:1972
-
C:\Windows\SysWOW64\Kngaig32.exeC:\Windows\system32\Kngaig32.exe113⤵PID:1772
-
C:\Windows\SysWOW64\Kfbemi32.exeC:\Windows\system32\Kfbemi32.exe114⤵
- Drops file in System32 directory
PID:2264 -
C:\Windows\SysWOW64\Lmlnjcgg.exeC:\Windows\system32\Lmlnjcgg.exe115⤵PID:3040
-
C:\Windows\SysWOW64\Lgabgl32.exeC:\Windows\system32\Lgabgl32.exe116⤵PID:2480
-
C:\Windows\SysWOW64\Lqjfpbmm.exeC:\Windows\system32\Lqjfpbmm.exe117⤵
- Drops file in System32 directory
PID:2488 -
C:\Windows\SysWOW64\Liekddkh.exeC:\Windows\system32\Liekddkh.exe118⤵
- Modifies registry class
PID:2212 -
C:\Windows\SysWOW64\Lbmpnjai.exeC:\Windows\system32\Lbmpnjai.exe119⤵PID:1748
-
C:\Windows\SysWOW64\Lndqbk32.exeC:\Windows\system32\Lndqbk32.exe120⤵PID:1376
-
C:\Windows\SysWOW64\Lgmekpmn.exeC:\Windows\system32\Lgmekpmn.exe121⤵PID:2004
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-