Analysis
-
max time kernel
90s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
09/11/2024, 09:13
Static task
static1
Behavioral task
behavioral1
Sample
175127c941331b62f6059ee3a46553d7cfa1fa0fe5f1f71869f518c39b672b23N.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
175127c941331b62f6059ee3a46553d7cfa1fa0fe5f1f71869f518c39b672b23N.exe
Resource
win10v2004-20241007-en
General
-
Target
175127c941331b62f6059ee3a46553d7cfa1fa0fe5f1f71869f518c39b672b23N.exe
-
Size
64KB
-
MD5
d98e49b4dd933933b8f636a074fc9ba0
-
SHA1
336d5ca674009f8d54bd209209a7b9dff270d63a
-
SHA256
175127c941331b62f6059ee3a46553d7cfa1fa0fe5f1f71869f518c39b672b23
-
SHA512
e78cf69cb83aed2792bf2221c12fa5d699511bb2ac6ba5d6f355187efd090467af9e259eeeb18246f01bbb4409ce34d826ede7324c0b80b83d17d651a58bc1cf
-
SSDEEP
768:N5J8s156dTIG+SD4zUcuc89vaUGD8mNX4KeoQ2k/1H5v66XJ1IwEGp9ThfzyYsHv:N5ZrWZwqGhXUh9XUwXfzwv
Malware Config
Extracted
berbew
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnfnik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cckhlhcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plcfokfn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odpghiqc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkehhlef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gaigab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Liddljan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbhdfa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfhefc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbedmedg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpecddpi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfpflenm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qcgfcbbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icmkpibd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpkfng32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahamdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glaejokn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjefcgpo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqpfil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlpmjdce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dclikp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnlcoage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkiikm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjqlid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okamjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpnpam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eilodk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikmmqg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qegpbaqb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcqlcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klniao32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejnnbpol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhhcpkmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjamhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcljjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flfbfken.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fphgpnhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfgnbi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ellhffim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aioppl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fngjmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nogmkk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqcjiaah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehiojb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikibkhla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Behpcefk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Megmpi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmhgjahb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hemeod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgfoee32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcppbc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffiebc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clphjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fddeifgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fidkep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gledgkfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjlbcd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbdghi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlljiklc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpjpmqjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obngnphg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkphcg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdlpbbmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlgmkn32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2920 Jecnpg32.exe 2900 Kbgnil32.exe 2464 Klapha32.exe 1576 Kdmdlc32.exe 1144 Kacakgip.exe 2736 Lbgkhoml.exe 952 Licpki32.exe 1048 Lejppj32.exe 1356 Laqadknn.exe 2468 Modano32.exe 1664 Mpjgag32.exe 976 Mpmdff32.exe 1820 Mlcekgbb.exe 2348 Nlfaag32.exe 2508 Nfqbol32.exe 1756 Ncdciq32.exe 280 Nfeljlqh.exe 2456 Oblmom32.exe 1020 Odjikh32.exe 552 Oncndnlq.exe 1740 Oqcffi32.exe 2028 Ofqonp32.exe 2316 Oafclh32.exe 2488 Ofcldoef.exe 1592 Ofehiocd.exe 2536 Plbaafak.exe 2396 Pembpkfi.exe 2928 Pbqbioeb.exe 2640 Pligbekc.exe 1660 Phphgf32.exe 2692 Qechqj32.exe 2708 Qjqqianh.exe 2272 Aamekk32.exe 1708 Abnbccia.exe 3020 Adnomfqc.exe 2968 Alicahno.exe 848 Afngoand.exe 2424 Aioppl32.exe 1836 Bhfjgh32.exe 1988 Bdmklico.exe 1684 Bjjcdp32.exe 2212 Bjlpjp32.exe 272 Colegflh.exe 2096 Cfemdp32.exe 3064 Cpkaai32.exe 1380 Cclkcdpl.exe 916 Chickknc.exe 1300 Cobkhe32.exe 2556 Cfmceomm.exe 2408 Cnhhia32.exe 2380 Chmlfj32.exe 2940 Dklibf32.exe 2880 Dqiakm32.exe 2824 Dknehe32.exe 2660 Djaedbnj.exe 2036 Dfhficcn.exe 1188 Dmaoem32.exe 580 Dfjcncak.exe 2948 Dqpgll32.exe 2572 Dbadcdgp.exe 824 Diklpn32.exe 1872 Dcppmg32.exe 2200 Eimien32.exe 2164 Ebemnc32.exe -
Loads dropped DLL 64 IoCs
pid Process 572 175127c941331b62f6059ee3a46553d7cfa1fa0fe5f1f71869f518c39b672b23N.exe 572 175127c941331b62f6059ee3a46553d7cfa1fa0fe5f1f71869f518c39b672b23N.exe 2920 Jecnpg32.exe 2920 Jecnpg32.exe 2900 Kbgnil32.exe 2900 Kbgnil32.exe 2464 Klapha32.exe 2464 Klapha32.exe 1576 Kdmdlc32.exe 1576 Kdmdlc32.exe 1144 Kacakgip.exe 1144 Kacakgip.exe 2736 Lbgkhoml.exe 2736 Lbgkhoml.exe 952 Licpki32.exe 952 Licpki32.exe 1048 Lejppj32.exe 1048 Lejppj32.exe 1356 Laqadknn.exe 1356 Laqadknn.exe 2468 Modano32.exe 2468 Modano32.exe 1664 Mpjgag32.exe 1664 Mpjgag32.exe 976 Mpmdff32.exe 976 Mpmdff32.exe 1820 Mlcekgbb.exe 1820 Mlcekgbb.exe 2348 Nlfaag32.exe 2348 Nlfaag32.exe 2508 Nfqbol32.exe 2508 Nfqbol32.exe 1756 Ncdciq32.exe 1756 Ncdciq32.exe 280 Nfeljlqh.exe 280 Nfeljlqh.exe 2456 Oblmom32.exe 2456 Oblmom32.exe 1020 Odjikh32.exe 1020 Odjikh32.exe 552 Oncndnlq.exe 552 Oncndnlq.exe 1740 Oqcffi32.exe 1740 Oqcffi32.exe 2028 Ofqonp32.exe 2028 Ofqonp32.exe 2316 Oafclh32.exe 2316 Oafclh32.exe 2488 Ofcldoef.exe 2488 Ofcldoef.exe 1592 Ofehiocd.exe 1592 Ofehiocd.exe 2536 Plbaafak.exe 2536 Plbaafak.exe 2396 Pembpkfi.exe 2396 Pembpkfi.exe 2928 Pbqbioeb.exe 2928 Pbqbioeb.exe 2640 Pligbekc.exe 2640 Pligbekc.exe 1660 Phphgf32.exe 1660 Phphgf32.exe 2692 Qechqj32.exe 2692 Qechqj32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Ilolol32.exe Heedbbdb.exe File created C:\Windows\SysWOW64\Afeakp32.dll Ffahgn32.exe File opened for modification C:\Windows\SysWOW64\Injnfl32.exe Iihhmhng.exe File created C:\Windows\SysWOW64\Lpofkf32.dll Afmokbop.exe File opened for modification C:\Windows\SysWOW64\Fcfmacce.exe Flldei32.exe File created C:\Windows\SysWOW64\Gfpamd32.dll Oohmmojn.exe File created C:\Windows\SysWOW64\Ekmeec32.dll Pkajgonp.exe File opened for modification C:\Windows\SysWOW64\Appikd32.exe Aghdboal.exe File opened for modification C:\Windows\SysWOW64\Qoipflcf.exe Qeakmg32.exe File created C:\Windows\SysWOW64\Qedibbah.dll Emmnch32.exe File created C:\Windows\SysWOW64\Kgfoee32.exe Kmpkhl32.exe File created C:\Windows\SysWOW64\Gpdhiaoi.exe Gjgpqjqa.exe File created C:\Windows\SysWOW64\Hhfqejoh.exe Gonlld32.exe File opened for modification C:\Windows\SysWOW64\Kbljmd32.exe Kgffpk32.exe File created C:\Windows\SysWOW64\Beaaplbg.exe Bbpioa32.exe File created C:\Windows\SysWOW64\Pfflnl32.exe Pibkdhbi.exe File created C:\Windows\SysWOW64\Kbkgfgam.exe Kibcnb32.exe File opened for modification C:\Windows\SysWOW64\Kofnbk32.exe Kleeqp32.exe File opened for modification C:\Windows\SysWOW64\Blcokf32.exe Bbkkbpjc.exe File created C:\Windows\SysWOW64\Ijeinphf.exe Ijcmipjh.exe File created C:\Windows\SysWOW64\Lfpllg32.exe Laccdp32.exe File opened for modification C:\Windows\SysWOW64\Kceijg32.exe Kbdmboqk.exe File created C:\Windows\SysWOW64\Genmab32.exe Gkehhlef.exe File opened for modification C:\Windows\SysWOW64\Mochmm32.exe Lbmknipc.exe File created C:\Windows\SysWOW64\Lpmnln32.dll Jegknp32.exe File opened for modification C:\Windows\SysWOW64\Lhnckp32.exe Lepfoe32.exe File created C:\Windows\SysWOW64\Fngjmb32.exe Fbpihafp.exe File created C:\Windows\SysWOW64\Delimb32.dll Noajoihl.exe File created C:\Windows\SysWOW64\Pahelkpb.dll Pbokaelh.exe File created C:\Windows\SysWOW64\Lhnckp32.exe Lepfoe32.exe File created C:\Windows\SysWOW64\Qnbhgadc.dll Mcccglnn.exe File created C:\Windows\SysWOW64\Bdcmjg32.exe Blhifemo.exe File created C:\Windows\SysWOW64\Bllcke32.exe Ahnjefcd.exe File created C:\Windows\SysWOW64\Eepeckpm.dll Khpccibp.exe File opened for modification C:\Windows\SysWOW64\Fidkep32.exe Ffeoid32.exe File opened for modification C:\Windows\SysWOW64\Hoeigi32.exe Hlgmkn32.exe File created C:\Windows\SysWOW64\Lmphlhmc.dll Fojnhlch.exe File created C:\Windows\SysWOW64\Bcebml32.dll Koaohila.exe File opened for modification C:\Windows\SysWOW64\Kdmdlc32.exe Klapha32.exe File created C:\Windows\SysWOW64\Gjfbaj32.dll Odmhjp32.exe File created C:\Windows\SysWOW64\Ojlpmp32.dll Fjnkac32.exe File created C:\Windows\SysWOW64\Ahpfoa32.exe Apeakonl.exe File created C:\Windows\SysWOW64\Dakbajhh.dll Khgnff32.exe File created C:\Windows\SysWOW64\Mjnohc32.exe Mjlbcd32.exe File opened for modification C:\Windows\SysWOW64\Jkcllmhb.exe Jffddfjk.exe File opened for modification C:\Windows\SysWOW64\Lhclfphg.exe Ledpjdid.exe File created C:\Windows\SysWOW64\Kfofla32.exe Kmfbckfa.exe File created C:\Windows\SysWOW64\Cjklgj32.dll Nmggnm32.exe File opened for modification C:\Windows\SysWOW64\Eopehg32.exe Eiclop32.exe File opened for modification C:\Windows\SysWOW64\Lfcmchla.exe Llkijb32.exe File created C:\Windows\SysWOW64\Lnlaejfg.dll Joaebkni.exe File created C:\Windows\SysWOW64\Komkek32.dll Mlenijej.exe File opened for modification C:\Windows\SysWOW64\Hemggm32.exe Hlebog32.exe File created C:\Windows\SysWOW64\Edopja32.dll Kckeno32.exe File created C:\Windows\SysWOW64\Bipkao32.dll Nikide32.exe File created C:\Windows\SysWOW64\Enagnc32.exe Ehgoaiml.exe File opened for modification C:\Windows\SysWOW64\Abmkhmfe.exe Alcclb32.exe File created C:\Windows\SysWOW64\Bpbnpchg.dll Lgdcqj32.exe File opened for modification C:\Windows\SysWOW64\Hqdeciho.exe Hjjmgo32.exe File created C:\Windows\SysWOW64\Ijekcf32.dll Lqdfmihh.exe File opened for modification C:\Windows\SysWOW64\Jolingnk.exe Jddhknpg.exe File created C:\Windows\SysWOW64\Bjnbiqik.dll Goemhfco.exe File created C:\Windows\SysWOW64\Nbabfmjp.dll Eqejjj32.exe File opened for modification C:\Windows\SysWOW64\Aihmhe32.exe Amalcd32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3592 4176 WerFault.exe 1020 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imkbeqem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehnknfdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Medobp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aghidl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kibcnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjbqaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gikahkng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iffggo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mofgkebk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkgfgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdejpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhgonj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbgnpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jeiekgfq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njfnlahb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dchcdn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jankcafl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjkije32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibjing32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdkolm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbkdhohk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epckkeek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfpdcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkggel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqenfc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olablfbm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmfpjb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jclqefac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpplfm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmigdend.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dqemmcqb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjqqianh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gakchj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgjdecca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inopce32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgknffcp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaagnp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nndkdn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmijij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glddig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdmdlc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Momckfid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anppiikk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkjolc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnfnlk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afjbecqb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqjcli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnlcoage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqocej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egbffj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apeakonl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkjadh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghdfhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfdaae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdmklico.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elmmhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdmdcc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edenlp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oeibcnmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehgoaiml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lepfoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omfadgqj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpfikjfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cqkace32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnooj32.dll" Cidklp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mdbmkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aiagck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bigmoadp.dll" Ehgoaiml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkbnqpih.dll" Mjialchg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ejldfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lolbln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdldpa32.dll" Dqemmcqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aljcblpk.dll" Jfhqiegh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbabfmjp.dll" Eqejjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmeqepdc.dll" Eopehg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfhcpggl.dll" Lanpmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjphfe.dll" Hjlhcegl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ifhacfhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Daghjj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Liplmolo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjhlmifm.dll" Jecnpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biamam32.dll" Enagnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibcoimjn.dll" Glefpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcajaqai.dll" Fliaecjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpeamj32.dll" Ndqokc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oleinmgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qgcingnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phqbcjkp.dll" Elmmhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dijbqion.dll" Pembpkfi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipedihgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pqaanoah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kineom32.dll" Pfabbmeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkhdohnm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddeammok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Einead32.dll" Mdpqec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdnnpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Madcgpao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogphdb32.dll" Oblmom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dclikp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Blfnin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fjkije32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hnfnik32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omfadgqj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efeblnbp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eddlcgjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkiacm32.dll" Kqijck32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjialchg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbopibgb.dll" Phghedga.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gjndha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gonmki32.dll" Lajgnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Himanf32.dll" Omgckcmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addgcj32.dll" Ibafhmph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iiepac32.dll" Qhabfibb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ondciqan.dll" Fmfpnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afjbecqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gfaodclg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihefhgnm.dll" Nkfaqkcq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Colegflh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmigdend.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jhgonj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lacpcj32.dll" Gfqmkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lokpcekn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adokdbib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Faapbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oqcffi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ighchh32.dll" Bjjcdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbofngho.dll" Ebnlba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pahelkpb.dll" Pbokaelh.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 572 wrote to memory of 2920 572 175127c941331b62f6059ee3a46553d7cfa1fa0fe5f1f71869f518c39b672b23N.exe 29 PID 572 wrote to memory of 2920 572 175127c941331b62f6059ee3a46553d7cfa1fa0fe5f1f71869f518c39b672b23N.exe 29 PID 572 wrote to memory of 2920 572 175127c941331b62f6059ee3a46553d7cfa1fa0fe5f1f71869f518c39b672b23N.exe 29 PID 572 wrote to memory of 2920 572 175127c941331b62f6059ee3a46553d7cfa1fa0fe5f1f71869f518c39b672b23N.exe 29 PID 2920 wrote to memory of 2900 2920 Jecnpg32.exe 30 PID 2920 wrote to memory of 2900 2920 Jecnpg32.exe 30 PID 2920 wrote to memory of 2900 2920 Jecnpg32.exe 30 PID 2920 wrote to memory of 2900 2920 Jecnpg32.exe 30 PID 2900 wrote to memory of 2464 2900 Kbgnil32.exe 31 PID 2900 wrote to memory of 2464 2900 Kbgnil32.exe 31 PID 2900 wrote to memory of 2464 2900 Kbgnil32.exe 31 PID 2900 wrote to memory of 2464 2900 Kbgnil32.exe 31 PID 2464 wrote to memory of 1576 2464 Klapha32.exe 32 PID 2464 wrote to memory of 1576 2464 Klapha32.exe 32 PID 2464 wrote to memory of 1576 2464 Klapha32.exe 32 PID 2464 wrote to memory of 1576 2464 Klapha32.exe 32 PID 1576 wrote to memory of 1144 1576 Kdmdlc32.exe 33 PID 1576 wrote to memory of 1144 1576 Kdmdlc32.exe 33 PID 1576 wrote to memory of 1144 1576 Kdmdlc32.exe 33 PID 1576 wrote to memory of 1144 1576 Kdmdlc32.exe 33 PID 1144 wrote to memory of 2736 1144 Kacakgip.exe 34 PID 1144 wrote to memory of 2736 1144 Kacakgip.exe 34 PID 1144 wrote to memory of 2736 1144 Kacakgip.exe 34 PID 1144 wrote to memory of 2736 1144 Kacakgip.exe 34 PID 2736 wrote to memory of 952 2736 Lbgkhoml.exe 35 PID 2736 wrote to memory of 952 2736 Lbgkhoml.exe 35 PID 2736 wrote to memory of 952 2736 Lbgkhoml.exe 35 PID 2736 wrote to memory of 952 2736 Lbgkhoml.exe 35 PID 952 wrote to memory of 1048 952 Licpki32.exe 36 PID 952 wrote to memory of 1048 952 Licpki32.exe 36 PID 952 wrote to memory of 1048 952 Licpki32.exe 36 PID 952 wrote to memory of 1048 952 Licpki32.exe 36 PID 1048 wrote to memory of 1356 1048 Lejppj32.exe 37 PID 1048 wrote to memory of 1356 1048 Lejppj32.exe 37 PID 1048 wrote to memory of 1356 1048 Lejppj32.exe 37 PID 1048 wrote to memory of 1356 1048 Lejppj32.exe 37 PID 1356 wrote to memory of 2468 1356 Laqadknn.exe 38 PID 1356 wrote to memory of 2468 1356 Laqadknn.exe 38 PID 1356 wrote to memory of 2468 1356 Laqadknn.exe 38 PID 1356 wrote to memory of 2468 1356 Laqadknn.exe 38 PID 2468 wrote to memory of 1664 2468 Modano32.exe 39 PID 2468 wrote to memory of 1664 2468 Modano32.exe 39 PID 2468 wrote to memory of 1664 2468 Modano32.exe 39 PID 2468 wrote to memory of 1664 2468 Modano32.exe 39 PID 1664 wrote to memory of 976 1664 Mpjgag32.exe 40 PID 1664 wrote to memory of 976 1664 Mpjgag32.exe 40 PID 1664 wrote to memory of 976 1664 Mpjgag32.exe 40 PID 1664 wrote to memory of 976 1664 Mpjgag32.exe 40 PID 976 wrote to memory of 1820 976 Mpmdff32.exe 41 PID 976 wrote to memory of 1820 976 Mpmdff32.exe 41 PID 976 wrote to memory of 1820 976 Mpmdff32.exe 41 PID 976 wrote to memory of 1820 976 Mpmdff32.exe 41 PID 1820 wrote to memory of 2348 1820 Mlcekgbb.exe 42 PID 1820 wrote to memory of 2348 1820 Mlcekgbb.exe 42 PID 1820 wrote to memory of 2348 1820 Mlcekgbb.exe 42 PID 1820 wrote to memory of 2348 1820 Mlcekgbb.exe 42 PID 2348 wrote to memory of 2508 2348 Nlfaag32.exe 43 PID 2348 wrote to memory of 2508 2348 Nlfaag32.exe 43 PID 2348 wrote to memory of 2508 2348 Nlfaag32.exe 43 PID 2348 wrote to memory of 2508 2348 Nlfaag32.exe 43 PID 2508 wrote to memory of 1756 2508 Nfqbol32.exe 44 PID 2508 wrote to memory of 1756 2508 Nfqbol32.exe 44 PID 2508 wrote to memory of 1756 2508 Nfqbol32.exe 44 PID 2508 wrote to memory of 1756 2508 Nfqbol32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\175127c941331b62f6059ee3a46553d7cfa1fa0fe5f1f71869f518c39b672b23N.exe"C:\Users\Admin\AppData\Local\Temp\175127c941331b62f6059ee3a46553d7cfa1fa0fe5f1f71869f518c39b672b23N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:572 -
C:\Windows\SysWOW64\Jecnpg32.exeC:\Windows\system32\Jecnpg32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Kbgnil32.exeC:\Windows\system32\Kbgnil32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Klapha32.exeC:\Windows\system32\Klapha32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2464 -
C:\Windows\SysWOW64\Kdmdlc32.exeC:\Windows\system32\Kdmdlc32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1576 -
C:\Windows\SysWOW64\Kacakgip.exeC:\Windows\system32\Kacakgip.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1144 -
C:\Windows\SysWOW64\Lbgkhoml.exeC:\Windows\system32\Lbgkhoml.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Licpki32.exeC:\Windows\system32\Licpki32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:952 -
C:\Windows\SysWOW64\Lejppj32.exeC:\Windows\system32\Lejppj32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1048 -
C:\Windows\SysWOW64\Laqadknn.exeC:\Windows\system32\Laqadknn.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1356 -
C:\Windows\SysWOW64\Modano32.exeC:\Windows\system32\Modano32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\Mpjgag32.exeC:\Windows\system32\Mpjgag32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Windows\SysWOW64\Mpmdff32.exeC:\Windows\system32\Mpmdff32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:976 -
C:\Windows\SysWOW64\Mlcekgbb.exeC:\Windows\system32\Mlcekgbb.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1820 -
C:\Windows\SysWOW64\Nlfaag32.exeC:\Windows\system32\Nlfaag32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\Nfqbol32.exeC:\Windows\system32\Nfqbol32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\Ncdciq32.exeC:\Windows\system32\Ncdciq32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1756 -
C:\Windows\SysWOW64\Nfeljlqh.exeC:\Windows\system32\Nfeljlqh.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:280 -
C:\Windows\SysWOW64\Oblmom32.exeC:\Windows\system32\Oblmom32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2456 -
C:\Windows\SysWOW64\Odjikh32.exeC:\Windows\system32\Odjikh32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1020 -
C:\Windows\SysWOW64\Oncndnlq.exeC:\Windows\system32\Oncndnlq.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:552 -
C:\Windows\SysWOW64\Oqcffi32.exeC:\Windows\system32\Oqcffi32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1740 -
C:\Windows\SysWOW64\Ofqonp32.exeC:\Windows\system32\Ofqonp32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2028 -
C:\Windows\SysWOW64\Oafclh32.exeC:\Windows\system32\Oafclh32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2316 -
C:\Windows\SysWOW64\Ofcldoef.exeC:\Windows\system32\Ofcldoef.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2488 -
C:\Windows\SysWOW64\Ofehiocd.exeC:\Windows\system32\Ofehiocd.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1592 -
C:\Windows\SysWOW64\Plbaafak.exeC:\Windows\system32\Plbaafak.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2536 -
C:\Windows\SysWOW64\Pembpkfi.exeC:\Windows\system32\Pembpkfi.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2396 -
C:\Windows\SysWOW64\Pbqbioeb.exeC:\Windows\system32\Pbqbioeb.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2928 -
C:\Windows\SysWOW64\Pligbekc.exeC:\Windows\system32\Pligbekc.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2640 -
C:\Windows\SysWOW64\Phphgf32.exeC:\Windows\system32\Phphgf32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1660 -
C:\Windows\SysWOW64\Qechqj32.exeC:\Windows\system32\Qechqj32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2692 -
C:\Windows\SysWOW64\Qjqqianh.exeC:\Windows\system32\Qjqqianh.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2708 -
C:\Windows\SysWOW64\Aamekk32.exeC:\Windows\system32\Aamekk32.exe34⤵
- Executes dropped EXE
PID:2272 -
C:\Windows\SysWOW64\Abnbccia.exeC:\Windows\system32\Abnbccia.exe35⤵
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Adnomfqc.exeC:\Windows\system32\Adnomfqc.exe36⤵
- Executes dropped EXE
PID:3020 -
C:\Windows\SysWOW64\Alicahno.exeC:\Windows\system32\Alicahno.exe37⤵
- Executes dropped EXE
PID:2968 -
C:\Windows\SysWOW64\Afngoand.exeC:\Windows\system32\Afngoand.exe38⤵
- Executes dropped EXE
PID:848 -
C:\Windows\SysWOW64\Aioppl32.exeC:\Windows\system32\Aioppl32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2424 -
C:\Windows\SysWOW64\Bhfjgh32.exeC:\Windows\system32\Bhfjgh32.exe40⤵
- Executes dropped EXE
PID:1836 -
C:\Windows\SysWOW64\Bdmklico.exeC:\Windows\system32\Bdmklico.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1988 -
C:\Windows\SysWOW64\Bjjcdp32.exeC:\Windows\system32\Bjjcdp32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:1684 -
C:\Windows\SysWOW64\Bjlpjp32.exeC:\Windows\system32\Bjlpjp32.exe43⤵
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\Colegflh.exeC:\Windows\system32\Colegflh.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:272 -
C:\Windows\SysWOW64\Cfemdp32.exeC:\Windows\system32\Cfemdp32.exe45⤵
- Executes dropped EXE
PID:2096 -
C:\Windows\SysWOW64\Cpkaai32.exeC:\Windows\system32\Cpkaai32.exe46⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Cclkcdpl.exeC:\Windows\system32\Cclkcdpl.exe47⤵
- Executes dropped EXE
PID:1380 -
C:\Windows\SysWOW64\Chickknc.exeC:\Windows\system32\Chickknc.exe48⤵
- Executes dropped EXE
PID:916 -
C:\Windows\SysWOW64\Cobkhe32.exeC:\Windows\system32\Cobkhe32.exe49⤵
- Executes dropped EXE
PID:1300 -
C:\Windows\SysWOW64\Cfmceomm.exeC:\Windows\system32\Cfmceomm.exe50⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Cnhhia32.exeC:\Windows\system32\Cnhhia32.exe51⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Chmlfj32.exeC:\Windows\system32\Chmlfj32.exe52⤵
- Executes dropped EXE
PID:2380 -
C:\Windows\SysWOW64\Dklibf32.exeC:\Windows\system32\Dklibf32.exe53⤵
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Dqiakm32.exeC:\Windows\system32\Dqiakm32.exe54⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Dknehe32.exeC:\Windows\system32\Dknehe32.exe55⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Djaedbnj.exeC:\Windows\system32\Djaedbnj.exe56⤵
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Dfhficcn.exeC:\Windows\system32\Dfhficcn.exe57⤵
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\Dmaoem32.exeC:\Windows\system32\Dmaoem32.exe58⤵
- Executes dropped EXE
PID:1188 -
C:\Windows\SysWOW64\Dfjcncak.exeC:\Windows\system32\Dfjcncak.exe59⤵
- Executes dropped EXE
PID:580 -
C:\Windows\SysWOW64\Dqpgll32.exeC:\Windows\system32\Dqpgll32.exe60⤵
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Dbadcdgp.exeC:\Windows\system32\Dbadcdgp.exe61⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Diklpn32.exeC:\Windows\system32\Diklpn32.exe62⤵
- Executes dropped EXE
PID:824 -
C:\Windows\SysWOW64\Dcppmg32.exeC:\Windows\system32\Dcppmg32.exe63⤵
- Executes dropped EXE
PID:1872 -
C:\Windows\SysWOW64\Eimien32.exeC:\Windows\system32\Eimien32.exe64⤵
- Executes dropped EXE
PID:2200 -
C:\Windows\SysWOW64\Ebemnc32.exeC:\Windows\system32\Ebemnc32.exe65⤵
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Egbffj32.exeC:\Windows\system32\Egbffj32.exe66⤵
- System Location Discovery: System Language Discovery
PID:328 -
C:\Windows\SysWOW64\Ebhjdc32.exeC:\Windows\system32\Ebhjdc32.exe67⤵PID:1400
-
C:\Windows\SysWOW64\Eheblj32.exeC:\Windows\system32\Eheblj32.exe68⤵PID:920
-
C:\Windows\SysWOW64\Eamgeo32.exeC:\Windows\system32\Eamgeo32.exe69⤵PID:940
-
C:\Windows\SysWOW64\Ehgoaiml.exeC:\Windows\system32\Ehgoaiml.exe70⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2580 -
C:\Windows\SysWOW64\Enagnc32.exeC:\Windows\system32\Enagnc32.exe71⤵
- Modifies registry class
PID:2228 -
C:\Windows\SysWOW64\Eekpknlf.exeC:\Windows\system32\Eekpknlf.exe72⤵PID:2476
-
C:\Windows\SysWOW64\Efllcf32.exeC:\Windows\system32\Efllcf32.exe73⤵PID:2960
-
C:\Windows\SysWOW64\Fdpmljan.exeC:\Windows\system32\Fdpmljan.exe74⤵PID:2132
-
C:\Windows\SysWOW64\Fmhaep32.exeC:\Windows\system32\Fmhaep32.exe75⤵PID:2680
-
C:\Windows\SysWOW64\Fbeimf32.exeC:\Windows\system32\Fbeimf32.exe76⤵PID:1704
-
C:\Windows\SysWOW64\Fioajqmb.exeC:\Windows\system32\Fioajqmb.exe77⤵PID:1624
-
C:\Windows\SysWOW64\Flnnfllf.exeC:\Windows\system32\Flnnfllf.exe78⤵PID:1976
-
C:\Windows\SysWOW64\Ffcbce32.exeC:\Windows\system32\Ffcbce32.exe79⤵PID:2192
-
C:\Windows\SysWOW64\Flpkll32.exeC:\Windows\system32\Flpkll32.exe80⤵PID:2236
-
C:\Windows\SysWOW64\Ffeoid32.exeC:\Windows\system32\Ffeoid32.exe81⤵
- Drops file in System32 directory
PID:1280 -
C:\Windows\SysWOW64\Fidkep32.exeC:\Windows\system32\Fidkep32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1532 -
C:\Windows\SysWOW64\Faopib32.exeC:\Windows\system32\Faopib32.exe83⤵PID:864
-
C:\Windows\SysWOW64\Gledgkfn.exeC:\Windows\system32\Gledgkfn.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1688 -
C:\Windows\SysWOW64\Gaamobdf.exeC:\Windows\system32\Gaamobdf.exe85⤵PID:2524
-
C:\Windows\SysWOW64\Goemhfco.exeC:\Windows\system32\Goemhfco.exe86⤵
- Drops file in System32 directory
PID:2328 -
C:\Windows\SysWOW64\Ggqamh32.exeC:\Windows\system32\Ggqamh32.exe87⤵PID:880
-
C:\Windows\SysWOW64\Gmkjjbhg.exeC:\Windows\system32\Gmkjjbhg.exe88⤵PID:2300
-
C:\Windows\SysWOW64\Giakoc32.exeC:\Windows\system32\Giakoc32.exe89⤵PID:2104
-
C:\Windows\SysWOW64\Ggekhhle.exeC:\Windows\system32\Ggekhhle.exe90⤵PID:2868
-
C:\Windows\SysWOW64\Hpnpam32.exeC:\Windows\system32\Hpnpam32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2856 -
C:\Windows\SysWOW64\Hifdjcif.exeC:\Windows\system32\Hifdjcif.exe92⤵PID:2620
-
C:\Windows\SysWOW64\Hpplfm32.exeC:\Windows\system32\Hpplfm32.exe93⤵
- System Location Discovery: System Language Discovery
PID:2760 -
C:\Windows\SysWOW64\Hemeod32.exeC:\Windows\system32\Hemeod32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2444 -
C:\Windows\SysWOW64\Hlgmkn32.exeC:\Windows\system32\Hlgmkn32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2108 -
C:\Windows\SysWOW64\Hoeigi32.exeC:\Windows\system32\Hoeigi32.exe96⤵PID:1876
-
C:\Windows\SysWOW64\Hlijan32.exeC:\Windows\system32\Hlijan32.exe97⤵PID:2216
-
C:\Windows\SysWOW64\Hddoep32.exeC:\Windows\system32\Hddoep32.exe98⤵PID:2172
-
C:\Windows\SysWOW64\Hahoodqi.exeC:\Windows\system32\Hahoodqi.exe99⤵PID:440
-
C:\Windows\SysWOW64\Hdgkkppm.exeC:\Windows\system32\Hdgkkppm.exe100⤵PID:2000
-
C:\Windows\SysWOW64\Inopce32.exeC:\Windows\system32\Inopce32.exe101⤵
- System Location Discovery: System Language Discovery
PID:2436 -
C:\Windows\SysWOW64\Ikcpmieg.exeC:\Windows\system32\Ikcpmieg.exe102⤵PID:1720
-
C:\Windows\SysWOW64\Iqpiepcn.exeC:\Windows\system32\Iqpiepcn.exe103⤵PID:1604
-
C:\Windows\SysWOW64\Icnealbb.exeC:\Windows\system32\Icnealbb.exe104⤵PID:2664
-
C:\Windows\SysWOW64\Iglngj32.exeC:\Windows\system32\Iglngj32.exe105⤵PID:1628
-
C:\Windows\SysWOW64\Iccnmk32.exeC:\Windows\system32\Iccnmk32.exe106⤵PID:1744
-
C:\Windows\SysWOW64\Imkbeqem.exeC:\Windows\system32\Imkbeqem.exe107⤵
- System Location Discovery: System Language Discovery
PID:2652 -
C:\Windows\SysWOW64\Jcekbk32.exeC:\Windows\system32\Jcekbk32.exe108⤵PID:1644
-
C:\Windows\SysWOW64\Jmnpkp32.exeC:\Windows\system32\Jmnpkp32.exe109⤵PID:2344
-
C:\Windows\SysWOW64\Jffddfjk.exeC:\Windows\system32\Jffddfjk.exe110⤵
- Drops file in System32 directory
PID:1952 -
C:\Windows\SysWOW64\Jkcllmhb.exeC:\Windows\system32\Jkcllmhb.exe111⤵PID:1796
-
C:\Windows\SysWOW64\Jfhqiegh.exeC:\Windows\system32\Jfhqiegh.exe112⤵
- Modifies registry class
PID:1064 -
C:\Windows\SysWOW64\Joaebkni.exeC:\Windows\system32\Joaebkni.exe113⤵
- Drops file in System32 directory
PID:1152 -
C:\Windows\SysWOW64\Jennjblp.exeC:\Windows\system32\Jennjblp.exe114⤵PID:548
-
C:\Windows\SysWOW64\Jkgfgl32.exeC:\Windows\system32\Jkgfgl32.exe115⤵
- System Location Discovery: System Language Discovery
PID:3044 -
C:\Windows\SysWOW64\Jadnoc32.exeC:\Windows\system32\Jadnoc32.exe116⤵PID:2688
-
C:\Windows\SysWOW64\Knkkngol.exeC:\Windows\system32\Knkkngol.exe117⤵PID:1260
-
C:\Windows\SysWOW64\Kplhfo32.exeC:\Windows\system32\Kplhfo32.exe118⤵PID:2764
-
C:\Windows\SysWOW64\Kleeqp32.exeC:\Windows\system32\Kleeqp32.exe119⤵
- Drops file in System32 directory
PID:1016 -
C:\Windows\SysWOW64\Kofnbk32.exeC:\Windows\system32\Kofnbk32.exe120⤵PID:2376
-
C:\Windows\SysWOW64\Lepfoe32.exeC:\Windows\system32\Lepfoe32.exe121⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:340 -
C:\Windows\SysWOW64\Lhnckp32.exeC:\Windows\system32\Lhnckp32.exe122⤵PID:1800
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-