Analysis
-
max time kernel
117s -
max time network
128s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
07/11/2024, 07:55
Static task
static1
Behavioral task
behavioral1
Sample
15eedfb1300cb2166671fbad85cab1afb844253b2b2d362711c24e72454cb05bN.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
15eedfb1300cb2166671fbad85cab1afb844253b2b2d362711c24e72454cb05bN.exe
Resource
win10v2004-20241007-en
General
-
Target
15eedfb1300cb2166671fbad85cab1afb844253b2b2d362711c24e72454cb05bN.exe
-
Size
359KB
-
MD5
a81e96bc134d4c009720e1ad0bfbfde0
-
SHA1
e95fd2508bc554e2e2cfd8fe2c9a65362401bbf1
-
SHA256
15eedfb1300cb2166671fbad85cab1afb844253b2b2d362711c24e72454cb05b
-
SHA512
2e15c8f1d051fca2268dd14642004fa5538164b207293e753fe0becf442697706f75800754a6cab5d0174f18903aec03d28ffd8868d0fa8eed5d18878b5f85c5
-
SSDEEP
3072:v7oGO6BegZenCU0Fk0kQI8Va3CkfUVuyelbvP5lkzmQ1o0Otw44KmfpKivFM6Wpx:sGO6BeSU0Fkprba4Yb31/do
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofobgc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbfjkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmefad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joekimld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imlhebfc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adleoc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Einlmkhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Einlmkhp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfjfik32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhmmcjjd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egkehllh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iakino32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amafgc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhdjno32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijimli32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkopndcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llgljn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcggef32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efffpjmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gleqdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlbpme32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qgfkchmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Biqfpb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghddnnfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmlkfo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chjjde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nladco32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmepanje.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gojhafnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcepqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgkiih32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aobpfb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaipghcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dqobnf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iqapnjli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhpqcpkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjpdmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcageqgm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehhfjcff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjlgle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocfiif32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jknicnpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Popgboae.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acicla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpgmpk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqeomfgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knohpo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgcjpkak.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcodqkbi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpmjcg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpboinpd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Padccpal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgdkkc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqpmimbe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhogaamj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Padccpal.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Laodmoep.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnlaomae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djlbkcfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcdbcloi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hginnmml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljcbcngi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elgfkhpi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfgdmjlp.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 308 Hmlkfo32.exe 2784 Hbidne32.exe 2796 Hghillnd.exe 2800 Imlhebfc.exe 2464 Jbpfnh32.exe 1732 Jjpdmi32.exe 2460 Kalipcmb.exe 600 Ldheebad.exe 2968 Lkdjglfo.exe 2020 Lnjldf32.exe 2604 Mdogedmh.exe 1272 Njnmbk32.exe 2100 Oeaqig32.exe 2216 Obgnhkkh.exe 1056 Popgboae.exe 2028 Acicla32.exe 2336 Aobpfb32.exe 2404 Bkknac32.exe 664 Bgdkkc32.exe 2560 Cgnnab32.exe 1028 Ckbpqe32.exe 2000 Djjjga32.exe 1816 Deondj32.exe 1660 Deakjjbk.exe 2724 Dahkok32.exe 1700 Emoldlmc.exe 2144 Edlafebn.exe 2156 Elgfkhpi.exe 3032 Eimcjl32.exe 2632 Fkcilc32.exe 396 Fijbco32.exe 2468 Gojhafnb.exe 2392 Gcgqgd32.exe 2908 Gdkjdl32.exe 2736 Hcepqh32.exe 3044 Hmpaom32.exe 1152 Hfhfhbce.exe 1600 Injqmdki.exe 2096 Iakino32.exe 2400 Jpbcek32.exe 2332 Jpgmpk32.exe 916 Jibnop32.exe 2396 Kapohbfp.exe 1532 Kenhopmf.exe 908 Kdbepm32.exe 1632 Lmmfnb32.exe 2168 Lpnopm32.exe 884 Lekghdad.exe 2960 Lcohahpn.exe 2852 Llgljn32.exe 2976 Ldbaopdj.exe 2928 Mgcjpkak.exe 2068 Mjdcbf32.exe 332 Mcodqkbi.exe 2980 Mhninb32.exe 2888 Nllbdp32.exe 3048 Nnokahip.exe 856 Nnahgh32.exe 1928 Ndnmialh.exe 2104 Ojpomh32.exe 1132 Oielnd32.exe 1740 Pndalkgf.exe 576 Pnfnajed.exe 1724 Pbdfgilj.exe -
Loads dropped DLL 64 IoCs
pid Process 328 15eedfb1300cb2166671fbad85cab1afb844253b2b2d362711c24e72454cb05bN.exe 328 15eedfb1300cb2166671fbad85cab1afb844253b2b2d362711c24e72454cb05bN.exe 308 Hmlkfo32.exe 308 Hmlkfo32.exe 2784 Hbidne32.exe 2784 Hbidne32.exe 2796 Hghillnd.exe 2796 Hghillnd.exe 2800 Imlhebfc.exe 2800 Imlhebfc.exe 2464 Jbpfnh32.exe 2464 Jbpfnh32.exe 1732 Jjpdmi32.exe 1732 Jjpdmi32.exe 2460 Kalipcmb.exe 2460 Kalipcmb.exe 600 Ldheebad.exe 600 Ldheebad.exe 2968 Lkdjglfo.exe 2968 Lkdjglfo.exe 2020 Lnjldf32.exe 2020 Lnjldf32.exe 2604 Mdogedmh.exe 2604 Mdogedmh.exe 1272 Njnmbk32.exe 1272 Njnmbk32.exe 2100 Oeaqig32.exe 2100 Oeaqig32.exe 2216 Obgnhkkh.exe 2216 Obgnhkkh.exe 1056 Popgboae.exe 1056 Popgboae.exe 2028 Acicla32.exe 2028 Acicla32.exe 2336 Aobpfb32.exe 2336 Aobpfb32.exe 2404 Bkknac32.exe 2404 Bkknac32.exe 664 Bgdkkc32.exe 664 Bgdkkc32.exe 2560 Cgnnab32.exe 2560 Cgnnab32.exe 1028 Ckbpqe32.exe 1028 Ckbpqe32.exe 2000 Djjjga32.exe 2000 Djjjga32.exe 1816 Deondj32.exe 1816 Deondj32.exe 1660 Deakjjbk.exe 1660 Deakjjbk.exe 2724 Dahkok32.exe 2724 Dahkok32.exe 1700 Emoldlmc.exe 1700 Emoldlmc.exe 2144 Edlafebn.exe 2144 Edlafebn.exe 2156 Elgfkhpi.exe 2156 Elgfkhpi.exe 3032 Eimcjl32.exe 3032 Eimcjl32.exe 2632 Fkcilc32.exe 2632 Fkcilc32.exe 396 Fijbco32.exe 396 Fijbco32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Dmddik32.dll Mllhne32.exe File created C:\Windows\SysWOW64\Jaeieh32.dll Pfeeff32.exe File created C:\Windows\SysWOW64\Aljmbknm.exe Qmepanje.exe File opened for modification C:\Windows\SysWOW64\Cggcofkf.exe Beggec32.exe File created C:\Windows\SysWOW64\Gojhafnb.exe Fijbco32.exe File created C:\Windows\SysWOW64\Dehdbhgg.dll Haemloni.exe File opened for modification C:\Windows\SysWOW64\Edeclabl.exe Djlbkcfn.exe File created C:\Windows\SysWOW64\Acicla32.exe Popgboae.exe File created C:\Windows\SysWOW64\Kkifia32.dll Edlafebn.exe File created C:\Windows\SysWOW64\Mcodqkbi.exe Mjdcbf32.exe File opened for modification C:\Windows\SysWOW64\Mhninb32.exe Mcodqkbi.exe File created C:\Windows\SysWOW64\Fppmcmah.exe Fejifdab.exe File created C:\Windows\SysWOW64\Nedmeekj.dll Deakjjbk.exe File created C:\Windows\SysWOW64\Qaofgc32.exe Pfeeff32.exe File opened for modification C:\Windows\SysWOW64\Ocfiif32.exe Ojkhjabc.exe File created C:\Windows\SysWOW64\Ojdjqp32.exe Oomjng32.exe File created C:\Windows\SysWOW64\Ddlffnae.dll Jndflk32.exe File opened for modification C:\Windows\SysWOW64\Kenhopmf.exe Kapohbfp.exe File opened for modification C:\Windows\SysWOW64\Hkjnenbp.exe Gleqdb32.exe File created C:\Windows\SysWOW64\Fhhofe32.dll Cgdciiod.exe File opened for modification C:\Windows\SysWOW64\Ljcbcngi.exe Lnlaomae.exe File created C:\Windows\SysWOW64\Miapbpmb.exe Mcggef32.exe File created C:\Windows\SysWOW64\Ajnqphhe.exe Ahngomkd.exe File created C:\Windows\SysWOW64\Cgdciiod.exe Cpjklo32.exe File created C:\Windows\SysWOW64\Maoalb32.exe Miapbpmb.exe File created C:\Windows\SysWOW64\Knohpo32.exe Jkopndcb.exe File created C:\Windows\SysWOW64\Kjmihjfj.dll Ioiidfon.exe File opened for modification C:\Windows\SysWOW64\Bbfnchfb.exe Binikb32.exe File opened for modification C:\Windows\SysWOW64\Kmhhae32.exe Kikokf32.exe File created C:\Windows\SysWOW64\Ooggpiek.exe Ofobgc32.exe File opened for modification C:\Windows\SysWOW64\Egflml32.exe Ebicee32.exe File created C:\Windows\SysWOW64\Dqobnf32.exe Dgfmep32.exe File created C:\Windows\SysWOW64\Efmckpko.exe Ehhfjcff.exe File opened for modification C:\Windows\SysWOW64\Lpanne32.exe Lfhiepbn.exe File created C:\Windows\SysWOW64\Jqeomfgc.exe Jgmjdaqb.exe File created C:\Windows\SysWOW64\Cgnnab32.exe Bgdkkc32.exe File created C:\Windows\SysWOW64\Pdjlfgfl.dll Hghdjn32.exe File opened for modification C:\Windows\SysWOW64\Emoldlmc.exe Dahkok32.exe File created C:\Windows\SysWOW64\Liblfl32.exe Lcedne32.exe File created C:\Windows\SysWOW64\Mknlhcol.dll Liblfl32.exe File opened for modification C:\Windows\SysWOW64\Qgfkchmp.exe Pjbjjc32.exe File created C:\Windows\SysWOW64\Hkjnenbp.exe Gleqdb32.exe File created C:\Windows\SysWOW64\Ilgjhena.exe Ijimli32.exe File opened for modification C:\Windows\SysWOW64\Kalipcmb.exe Jjpdmi32.exe File created C:\Windows\SysWOW64\Jidbmpjh.dll Nqpmimbe.exe File created C:\Windows\SysWOW64\Kokahpfn.dll Pmmqmpdm.exe File created C:\Windows\SysWOW64\Aicfgn32.exe Abgaeddg.exe File opened for modification C:\Windows\SysWOW64\Jbpfnh32.exe Imlhebfc.exe File created C:\Windows\SysWOW64\Idokma32.exe Iijfoh32.exe File created C:\Windows\SysWOW64\Acbbhobn.dll Dcokpa32.exe File created C:\Windows\SysWOW64\Cncolfcl.exe Cdkkcp32.exe File created C:\Windows\SysWOW64\Lfhiepbn.exe Liblfl32.exe File created C:\Windows\SysWOW64\Lecaooal.dll Aljmbknm.exe File opened for modification C:\Windows\SysWOW64\Hcepqh32.exe Gdkjdl32.exe File created C:\Windows\SysWOW64\Dilmaf32.dll Bahelebm.exe File created C:\Windows\SysWOW64\Cdkkcp32.exe Bhdjno32.exe File opened for modification C:\Windows\SysWOW64\Cncolfcl.exe Cdkkcp32.exe File opened for modification C:\Windows\SysWOW64\Ebicee32.exe Edeclabl.exe File created C:\Windows\SysWOW64\Dahkok32.exe Deakjjbk.exe File opened for modification C:\Windows\SysWOW64\Glbdnbpk.exe Gefolhja.exe File opened for modification C:\Windows\SysWOW64\Neibanod.exe Nkaane32.exe File created C:\Windows\SysWOW64\Fejifdab.exe Fladmn32.exe File opened for modification C:\Windows\SysWOW64\Fejifdab.exe Fladmn32.exe File created C:\Windows\SysWOW64\Jalcdhla.dll Popgboae.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1380 1832 WerFault.exe 308 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adleoc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfidqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egflml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Macjgadf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Naimepkp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hiockd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obgnhkkh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofobgc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kelmbifm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfjfik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmmjjk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhdjno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efoifiep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgdciiod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcggef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gedbfimc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Noagjc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmgifa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnlaomae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Popgboae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaipghcn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhaanh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hghdjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmdkfmjc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aicfgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfhgggim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlpmmpam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gojhafnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdkjdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oielnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efmckpko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joblkegc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnokahip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbpfnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klkfdi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpdankjg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gefolhja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qnpcpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Noepdo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmlkfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kalipcmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmmfnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccnddg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhogaamj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldheebad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Palpneop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgmjdaqb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqeomfgc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfiaojkq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkdjglfo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahngomkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bemkle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkqiek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffjljmla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjdcbf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caenkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldhgnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nklopg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egkehllh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icgdcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kapohbfp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajjgei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbmafngi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qgfkchmp.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nklopg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kokahpfn.dll" Pmmqmpdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkdjglfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpfdhgca.dll" Bhmmcjjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbghdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldheebad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pndalkgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fahpaj32.dll" Caenkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" 15eedfb1300cb2166671fbad85cab1afb844253b2b2d362711c24e72454cb05bN.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fikjkomn.dll" Fladmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaamhjgm.dll" Kfjfik32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajjgei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhdihjd.dll" Mcggef32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojdjqp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Acicla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckbpqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcodqkbi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bahelebm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkjnenbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Deondj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Popgboae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnllhjif.dll" Jjpdmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnokahip.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjpdmi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgdkkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oomjld32.dll" Embkbdce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchdgl32.dll" Lnjldf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fppmcmah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Popgboae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjmihjfj.dll" Ioiidfon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Miapbpmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikeaokpb.dll" Ladgkmlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bimlibmn.dll" Oomjng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aobpfb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kfidqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geogecdd.dll" Afeaei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiffeloi.dll" Pjbjjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hnkffi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nkaane32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aicfgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkqiek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfeeff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ffjljmla.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kelmbifm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hgiked32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbpcpn32.dll" Gmidlmcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pifjfmcm.dll" Ionehnbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqnpad32.dll" Nmmjjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhknil32.dll" Dqobnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhefgd32.dll" Gefolhja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhogaamj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blkman32.dll" Hghillnd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kijmbnpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pglojj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aankkqfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjaglbok.dll" Lckflc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahmjfimi.dll" Ndiomdde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omfpmb32.dll" Iakino32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bemkle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghbhhnhk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmnahilc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbdfgilj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdcbqe32.dll" Jgmjdaqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgmjdaqb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 328 wrote to memory of 308 328 15eedfb1300cb2166671fbad85cab1afb844253b2b2d362711c24e72454cb05bN.exe 31 PID 328 wrote to memory of 308 328 15eedfb1300cb2166671fbad85cab1afb844253b2b2d362711c24e72454cb05bN.exe 31 PID 328 wrote to memory of 308 328 15eedfb1300cb2166671fbad85cab1afb844253b2b2d362711c24e72454cb05bN.exe 31 PID 328 wrote to memory of 308 328 15eedfb1300cb2166671fbad85cab1afb844253b2b2d362711c24e72454cb05bN.exe 31 PID 308 wrote to memory of 2784 308 Hmlkfo32.exe 32 PID 308 wrote to memory of 2784 308 Hmlkfo32.exe 32 PID 308 wrote to memory of 2784 308 Hmlkfo32.exe 32 PID 308 wrote to memory of 2784 308 Hmlkfo32.exe 32 PID 2784 wrote to memory of 2796 2784 Hbidne32.exe 33 PID 2784 wrote to memory of 2796 2784 Hbidne32.exe 33 PID 2784 wrote to memory of 2796 2784 Hbidne32.exe 33 PID 2784 wrote to memory of 2796 2784 Hbidne32.exe 33 PID 2796 wrote to memory of 2800 2796 Hghillnd.exe 34 PID 2796 wrote to memory of 2800 2796 Hghillnd.exe 34 PID 2796 wrote to memory of 2800 2796 Hghillnd.exe 34 PID 2796 wrote to memory of 2800 2796 Hghillnd.exe 34 PID 2800 wrote to memory of 2464 2800 Imlhebfc.exe 35 PID 2800 wrote to memory of 2464 2800 Imlhebfc.exe 35 PID 2800 wrote to memory of 2464 2800 Imlhebfc.exe 35 PID 2800 wrote to memory of 2464 2800 Imlhebfc.exe 35 PID 2464 wrote to memory of 1732 2464 Jbpfnh32.exe 36 PID 2464 wrote to memory of 1732 2464 Jbpfnh32.exe 36 PID 2464 wrote to memory of 1732 2464 Jbpfnh32.exe 36 PID 2464 wrote to memory of 1732 2464 Jbpfnh32.exe 36 PID 1732 wrote to memory of 2460 1732 Jjpdmi32.exe 37 PID 1732 wrote to memory of 2460 1732 Jjpdmi32.exe 37 PID 1732 wrote to memory of 2460 1732 Jjpdmi32.exe 37 PID 1732 wrote to memory of 2460 1732 Jjpdmi32.exe 37 PID 2460 wrote to memory of 600 2460 Kalipcmb.exe 38 PID 2460 wrote to memory of 600 2460 Kalipcmb.exe 38 PID 2460 wrote to memory of 600 2460 Kalipcmb.exe 38 PID 2460 wrote to memory of 600 2460 Kalipcmb.exe 38 PID 600 wrote to memory of 2968 600 Ldheebad.exe 39 PID 600 wrote to memory of 2968 600 Ldheebad.exe 39 PID 600 wrote to memory of 2968 600 Ldheebad.exe 39 PID 600 wrote to memory of 2968 600 Ldheebad.exe 39 PID 2968 wrote to memory of 2020 2968 Lkdjglfo.exe 40 PID 2968 wrote to memory of 2020 2968 Lkdjglfo.exe 40 PID 2968 wrote to memory of 2020 2968 Lkdjglfo.exe 40 PID 2968 wrote to memory of 2020 2968 Lkdjglfo.exe 40 PID 2020 wrote to memory of 2604 2020 Lnjldf32.exe 41 PID 2020 wrote to memory of 2604 2020 Lnjldf32.exe 41 PID 2020 wrote to memory of 2604 2020 Lnjldf32.exe 41 PID 2020 wrote to memory of 2604 2020 Lnjldf32.exe 41 PID 2604 wrote to memory of 1272 2604 Mdogedmh.exe 42 PID 2604 wrote to memory of 1272 2604 Mdogedmh.exe 42 PID 2604 wrote to memory of 1272 2604 Mdogedmh.exe 42 PID 2604 wrote to memory of 1272 2604 Mdogedmh.exe 42 PID 1272 wrote to memory of 2100 1272 Njnmbk32.exe 43 PID 1272 wrote to memory of 2100 1272 Njnmbk32.exe 43 PID 1272 wrote to memory of 2100 1272 Njnmbk32.exe 43 PID 1272 wrote to memory of 2100 1272 Njnmbk32.exe 43 PID 2100 wrote to memory of 2216 2100 Oeaqig32.exe 44 PID 2100 wrote to memory of 2216 2100 Oeaqig32.exe 44 PID 2100 wrote to memory of 2216 2100 Oeaqig32.exe 44 PID 2100 wrote to memory of 2216 2100 Oeaqig32.exe 44 PID 2216 wrote to memory of 1056 2216 Obgnhkkh.exe 45 PID 2216 wrote to memory of 1056 2216 Obgnhkkh.exe 45 PID 2216 wrote to memory of 1056 2216 Obgnhkkh.exe 45 PID 2216 wrote to memory of 1056 2216 Obgnhkkh.exe 45 PID 1056 wrote to memory of 2028 1056 Popgboae.exe 46 PID 1056 wrote to memory of 2028 1056 Popgboae.exe 46 PID 1056 wrote to memory of 2028 1056 Popgboae.exe 46 PID 1056 wrote to memory of 2028 1056 Popgboae.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\15eedfb1300cb2166671fbad85cab1afb844253b2b2d362711c24e72454cb05bN.exe"C:\Users\Admin\AppData\Local\Temp\15eedfb1300cb2166671fbad85cab1afb844253b2b2d362711c24e72454cb05bN.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:328 -
C:\Windows\SysWOW64\Hmlkfo32.exeC:\Windows\system32\Hmlkfo32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:308 -
C:\Windows\SysWOW64\Hbidne32.exeC:\Windows\system32\Hbidne32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Hghillnd.exeC:\Windows\system32\Hghillnd.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\Imlhebfc.exeC:\Windows\system32\Imlhebfc.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\SysWOW64\Jbpfnh32.exeC:\Windows\system32\Jbpfnh32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2464 -
C:\Windows\SysWOW64\Jjpdmi32.exeC:\Windows\system32\Jjpdmi32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Windows\SysWOW64\Kalipcmb.exeC:\Windows\system32\Kalipcmb.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Windows\SysWOW64\Ldheebad.exeC:\Windows\system32\Ldheebad.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:600 -
C:\Windows\SysWOW64\Lkdjglfo.exeC:\Windows\system32\Lkdjglfo.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Lnjldf32.exeC:\Windows\system32\Lnjldf32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\Windows\SysWOW64\Mdogedmh.exeC:\Windows\system32\Mdogedmh.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\Njnmbk32.exeC:\Windows\system32\Njnmbk32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1272 -
C:\Windows\SysWOW64\Oeaqig32.exeC:\Windows\system32\Oeaqig32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\SysWOW64\Obgnhkkh.exeC:\Windows\system32\Obgnhkkh.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\Popgboae.exeC:\Windows\system32\Popgboae.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1056 -
C:\Windows\SysWOW64\Acicla32.exeC:\Windows\system32\Acicla32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2028 -
C:\Windows\SysWOW64\Aobpfb32.exeC:\Windows\system32\Aobpfb32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2336 -
C:\Windows\SysWOW64\Bkknac32.exeC:\Windows\system32\Bkknac32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2404 -
C:\Windows\SysWOW64\Bgdkkc32.exeC:\Windows\system32\Bgdkkc32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:664 -
C:\Windows\SysWOW64\Cgnnab32.exeC:\Windows\system32\Cgnnab32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2560 -
C:\Windows\SysWOW64\Ckbpqe32.exeC:\Windows\system32\Ckbpqe32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1028 -
C:\Windows\SysWOW64\Djjjga32.exeC:\Windows\system32\Djjjga32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2000 -
C:\Windows\SysWOW64\Deondj32.exeC:\Windows\system32\Deondj32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1816 -
C:\Windows\SysWOW64\Deakjjbk.exeC:\Windows\system32\Deakjjbk.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1660 -
C:\Windows\SysWOW64\Dahkok32.exeC:\Windows\system32\Dahkok32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2724 -
C:\Windows\SysWOW64\Emoldlmc.exeC:\Windows\system32\Emoldlmc.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1700 -
C:\Windows\SysWOW64\Edlafebn.exeC:\Windows\system32\Edlafebn.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2144 -
C:\Windows\SysWOW64\Elgfkhpi.exeC:\Windows\system32\Elgfkhpi.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2156 -
C:\Windows\SysWOW64\Eimcjl32.exeC:\Windows\system32\Eimcjl32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3032 -
C:\Windows\SysWOW64\Fkcilc32.exeC:\Windows\system32\Fkcilc32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2632 -
C:\Windows\SysWOW64\Fijbco32.exeC:\Windows\system32\Fijbco32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:396 -
C:\Windows\SysWOW64\Gojhafnb.exeC:\Windows\system32\Gojhafnb.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2468 -
C:\Windows\SysWOW64\Gcgqgd32.exeC:\Windows\system32\Gcgqgd32.exe34⤵
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Gdkjdl32.exeC:\Windows\system32\Gdkjdl32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2908 -
C:\Windows\SysWOW64\Hcepqh32.exeC:\Windows\system32\Hcepqh32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Hmpaom32.exeC:\Windows\system32\Hmpaom32.exe37⤵
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Hfhfhbce.exeC:\Windows\system32\Hfhfhbce.exe38⤵
- Executes dropped EXE
PID:1152 -
C:\Windows\SysWOW64\Injqmdki.exeC:\Windows\system32\Injqmdki.exe39⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Iakino32.exeC:\Windows\system32\Iakino32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2096 -
C:\Windows\SysWOW64\Jpbcek32.exeC:\Windows\system32\Jpbcek32.exe41⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Jpgmpk32.exeC:\Windows\system32\Jpgmpk32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2332 -
C:\Windows\SysWOW64\Jibnop32.exeC:\Windows\system32\Jibnop32.exe43⤵
- Executes dropped EXE
PID:916 -
C:\Windows\SysWOW64\Kapohbfp.exeC:\Windows\system32\Kapohbfp.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2396 -
C:\Windows\SysWOW64\Kenhopmf.exeC:\Windows\system32\Kenhopmf.exe45⤵
- Executes dropped EXE
PID:1532 -
C:\Windows\SysWOW64\Kdbepm32.exeC:\Windows\system32\Kdbepm32.exe46⤵
- Executes dropped EXE
PID:908 -
C:\Windows\SysWOW64\Lmmfnb32.exeC:\Windows\system32\Lmmfnb32.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1632 -
C:\Windows\SysWOW64\Lpnopm32.exeC:\Windows\system32\Lpnopm32.exe48⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Lekghdad.exeC:\Windows\system32\Lekghdad.exe49⤵
- Executes dropped EXE
PID:884 -
C:\Windows\SysWOW64\Lcohahpn.exeC:\Windows\system32\Lcohahpn.exe50⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Llgljn32.exeC:\Windows\system32\Llgljn32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2852 -
C:\Windows\SysWOW64\Ldbaopdj.exeC:\Windows\system32\Ldbaopdj.exe52⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Mgcjpkak.exeC:\Windows\system32\Mgcjpkak.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Mjdcbf32.exeC:\Windows\system32\Mjdcbf32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2068 -
C:\Windows\SysWOW64\Mcodqkbi.exeC:\Windows\system32\Mcodqkbi.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:332 -
C:\Windows\SysWOW64\Mhninb32.exeC:\Windows\system32\Mhninb32.exe56⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Nllbdp32.exeC:\Windows\system32\Nllbdp32.exe57⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Nnokahip.exeC:\Windows\system32\Nnokahip.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3048 -
C:\Windows\SysWOW64\Nnahgh32.exeC:\Windows\system32\Nnahgh32.exe59⤵
- Executes dropped EXE
PID:856 -
C:\Windows\SysWOW64\Ndnmialh.exeC:\Windows\system32\Ndnmialh.exe60⤵
- Executes dropped EXE
PID:1928 -
C:\Windows\SysWOW64\Ojpomh32.exeC:\Windows\system32\Ojpomh32.exe61⤵
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\Oielnd32.exeC:\Windows\system32\Oielnd32.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1132 -
C:\Windows\SysWOW64\Pndalkgf.exeC:\Windows\system32\Pndalkgf.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:1740 -
C:\Windows\SysWOW64\Pnfnajed.exeC:\Windows\system32\Pnfnajed.exe64⤵
- Executes dropped EXE
PID:576 -
C:\Windows\SysWOW64\Pbdfgilj.exeC:\Windows\system32\Pbdfgilj.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:1724 -
C:\Windows\SysWOW64\Palpneop.exeC:\Windows\system32\Palpneop.exe66⤵
- System Location Discovery: System Language Discovery
PID:1720 -
C:\Windows\SysWOW64\Qjfalj32.exeC:\Windows\system32\Qjfalj32.exe67⤵PID:2524
-
C:\Windows\SysWOW64\Aohgfm32.exeC:\Windows\system32\Aohgfm32.exe68⤵PID:1568
-
C:\Windows\SysWOW64\Aaipghcn.exeC:\Windows\system32\Aaipghcn.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1580 -
C:\Windows\SysWOW64\Adleoc32.exeC:\Windows\system32\Adleoc32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2952 -
C:\Windows\SysWOW64\Bgmnpn32.exeC:\Windows\system32\Bgmnpn32.exe71⤵PID:2824
-
C:\Windows\SysWOW64\Bjngbihn.exeC:\Windows\system32\Bjngbihn.exe72⤵PID:1300
-
C:\Windows\SysWOW64\Bfgdmjlp.exeC:\Windows\system32\Bfgdmjlp.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2428 -
C:\Windows\SysWOW64\Chjjde32.exeC:\Windows\system32\Chjjde32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2876 -
C:\Windows\SysWOW64\Cdchneko.exeC:\Windows\system32\Cdchneko.exe75⤵PID:640
-
C:\Windows\SysWOW64\Cbghhj32.exeC:\Windows\system32\Cbghhj32.exe76⤵PID:820
-
C:\Windows\SysWOW64\Dgfmep32.exeC:\Windows\system32\Dgfmep32.exe77⤵
- Drops file in System32 directory
PID:1976 -
C:\Windows\SysWOW64\Dqobnf32.exeC:\Windows\system32\Dqobnf32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2140 -
C:\Windows\SysWOW64\Dcokpa32.exeC:\Windows\system32\Dcokpa32.exe79⤵
- Drops file in System32 directory
PID:1952 -
C:\Windows\SysWOW64\Dcageqgm.exeC:\Windows\system32\Dcageqgm.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:448 -
C:\Windows\SysWOW64\Dnkhfnck.exeC:\Windows\system32\Dnkhfnck.exe81⤵PID:1540
-
C:\Windows\SysWOW64\Ebialmjb.exeC:\Windows\system32\Ebialmjb.exe82⤵PID:1284
-
C:\Windows\SysWOW64\Ehhfjcff.exeC:\Windows\system32\Ehhfjcff.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2052 -
C:\Windows\SysWOW64\Efmckpko.exeC:\Windows\system32\Efmckpko.exe84⤵
- System Location Discovery: System Language Discovery
PID:584 -
C:\Windows\SysWOW64\Einlmkhp.exeC:\Windows\system32\Einlmkhp.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2440 -
C:\Windows\SysWOW64\Fmnahilc.exeC:\Windows\system32\Fmnahilc.exe86⤵
- Modifies registry class
PID:2344 -
C:\Windows\SysWOW64\Fhhbif32.exeC:\Windows\system32\Fhhbif32.exe87⤵PID:2940
-
C:\Windows\SysWOW64\Fodgkp32.exeC:\Windows\system32\Fodgkp32.exe88⤵PID:2804
-
C:\Windows\SysWOW64\Gmidlmcd.exeC:\Windows\system32\Gmidlmcd.exe89⤵
- Modifies registry class
PID:2256 -
C:\Windows\SysWOW64\Gkmefaan.exeC:\Windows\system32\Gkmefaan.exe90⤵PID:2988
-
C:\Windows\SysWOW64\Gpmjcg32.exeC:\Windows\system32\Gpmjcg32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2476 -
C:\Windows\SysWOW64\Glckihcg.exeC:\Windows\system32\Glckihcg.exe92⤵PID:3012
-
C:\Windows\SysWOW64\Gpacogjm.exeC:\Windows\system32\Gpacogjm.exe93⤵PID:900
-
C:\Windows\SysWOW64\Haemloni.exeC:\Windows\system32\Haemloni.exe94⤵
- Drops file in System32 directory
PID:2160 -
C:\Windows\SysWOW64\Hhaanh32.exeC:\Windows\system32\Hhaanh32.exe95⤵
- System Location Discovery: System Language Discovery
PID:904 -
C:\Windows\SysWOW64\Hkbkpcpd.exeC:\Windows\system32\Hkbkpcpd.exe96⤵PID:2164
-
C:\Windows\SysWOW64\Hgiked32.exeC:\Windows\system32\Hgiked32.exe97⤵
- Modifies registry class
PID:1756 -
C:\Windows\SysWOW64\Iqapnjli.exeC:\Windows\system32\Iqapnjli.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:992 -
C:\Windows\SysWOW64\Ioiidfon.exeC:\Windows\system32\Ioiidfon.exe99⤵
- Drops file in System32 directory
- Modifies registry class
PID:2548 -
C:\Windows\SysWOW64\Icfbkded.exeC:\Windows\system32\Icfbkded.exe100⤵PID:2840
-
C:\Windows\SysWOW64\Iejkhlip.exeC:\Windows\system32\Iejkhlip.exe101⤵PID:2880
-
C:\Windows\SysWOW64\Joblkegc.exeC:\Windows\system32\Joblkegc.exe102⤵
- System Location Discovery: System Language Discovery
PID:1476 -
C:\Windows\SysWOW64\Jkimpfmg.exeC:\Windows\system32\Jkimpfmg.exe103⤵PID:1276
-
C:\Windows\SysWOW64\Jecnnk32.exeC:\Windows\system32\Jecnnk32.exe104⤵PID:2892
-
C:\Windows\SysWOW64\Kfidqb32.exeC:\Windows\system32\Kfidqb32.exe105⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1932 -
C:\Windows\SysWOW64\Kijmbnpo.exeC:\Windows\system32\Kijmbnpo.exe106⤵
- Modifies registry class
PID:2512 -
C:\Windows\SysWOW64\Klkfdi32.exeC:\Windows\system32\Klkfdi32.exe107⤵
- System Location Discovery: System Language Discovery
PID:2600 -
C:\Windows\SysWOW64\Ldhgnk32.exeC:\Windows\system32\Ldhgnk32.exe108⤵
- System Location Discovery: System Language Discovery
PID:1728 -
C:\Windows\SysWOW64\Lalhgogb.exeC:\Windows\system32\Lalhgogb.exe109⤵PID:1844
-
C:\Windows\SysWOW64\Laodmoep.exeC:\Windows\system32\Laodmoep.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1668 -
C:\Windows\SysWOW64\Lpdankjg.exeC:\Windows\system32\Lpdankjg.exe111⤵
- System Location Discovery: System Language Discovery
PID:2820 -
C:\Windows\SysWOW64\Llkbcl32.exeC:\Windows\system32\Llkbcl32.exe112⤵PID:2660
-
C:\Windows\SysWOW64\Mcggef32.exeC:\Windows\system32\Mcggef32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1664 -
C:\Windows\SysWOW64\Miapbpmb.exeC:\Windows\system32\Miapbpmb.exe114⤵
- Drops file in System32 directory
- Modifies registry class
PID:2728 -
C:\Windows\SysWOW64\Maoalb32.exeC:\Windows\system32\Maoalb32.exe115⤵PID:3028
-
C:\Windows\SysWOW64\Mneaacno.exeC:\Windows\system32\Mneaacno.exe116⤵PID:2136
-
C:\Windows\SysWOW64\Macjgadf.exeC:\Windows\system32\Macjgadf.exe117⤵
- System Location Discovery: System Language Discovery
PID:1920 -
C:\Windows\SysWOW64\Nklopg32.exeC:\Windows\system32\Nklopg32.exe118⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1376 -
C:\Windows\SysWOW64\Njalacon.exeC:\Windows\system32\Njalacon.exe119⤵PID:2588
-
C:\Windows\SysWOW64\Nladco32.exeC:\Windows\system32\Nladco32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1520 -
C:\Windows\SysWOW64\Nqpmimbe.exeC:\Windows\system32\Nqpmimbe.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2240 -
C:\Windows\SysWOW64\Ofobgc32.exeC:\Windows\system32\Ofobgc32.exe122⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2844
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-