Analysis
-
max time kernel
95s -
max time network
98s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09/11/2024, 08:55
Static task
static1
Behavioral task
behavioral1
Sample
356177bd3cec12204966895b3d8172037ff85a71020cf186cb32db41605f4374N.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
356177bd3cec12204966895b3d8172037ff85a71020cf186cb32db41605f4374N.exe
Resource
win10v2004-20241007-en
General
-
Target
356177bd3cec12204966895b3d8172037ff85a71020cf186cb32db41605f4374N.exe
-
Size
1.8MB
-
MD5
c0223afa95c9ce80e3b59576e08a36d0
-
SHA1
c769cbf09118cd8397cbbfad74564ccf5b867e4c
-
SHA256
356177bd3cec12204966895b3d8172037ff85a71020cf186cb32db41605f4374
-
SHA512
a747de1e6872ec5d3a7b1af8edafd3330497b304099b44ea41e940b3853fc9a8fd28e3c56a9094500241007cdc2866b2ee24c5d889da5328c678dac7d34402f5
-
SSDEEP
24576:PpKm2Nys/q1tF1Pm0jdA5uBAdpFZymfDdGsJm1OVmfihT:P12Nys/q1tF1Pm0jdFmyMPT
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmhand32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fngcmcfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpqldc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncofplba.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oeehkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qofcff32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhbcfbjk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bknlbhhe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 356177bd3cec12204966895b3d8172037ff85a71020cf186cb32db41605f4374N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpimlfke.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Palklf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Poliea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blhpqhlh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfcjfk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncabfkqo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjmmepfj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pibdmp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecefqnel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebommi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgdejd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipoopgnf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcelpggq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aleckinj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elpkep32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkpbin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pifnhpmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alcfei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbddfmgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emkndc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chiigadc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlbkap32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhahaiec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phdnngdn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mldhfpib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Papfgbmg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eleepoob.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjjpnlbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgepom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Camddhoi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meiioonj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maeachag.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neoieenp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohkkhhmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emhkdmlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lggejg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbkkgl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hildmn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipoopgnf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qepkbpak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Micoed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dflmlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hblkjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpchib32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpbpbecj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onocomdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbighjdd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmipdk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emmdom32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfgipd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjjkaabc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pagbaglh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Coknoaic.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idahjg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmpjmn32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2504 Kbmoen32.exe 4716 Kiggbhda.exe 3016 Kkfcndce.exe 4260 Kndojobi.exe 636 Kenggi32.exe 4428 Kgmcce32.exe 2420 Knflpoqf.exe 1132 Kaehljpj.exe 5056 Kilpmh32.exe 4980 Kjmmepfj.exe 212 Kbddfmgl.exe 32 Kinmcg32.exe 3680 Kjpijpdg.exe 2288 Lbgalmej.exe 2892 Liqihglg.exe 4720 Lkofdbkj.exe 5104 Lalnmiia.exe 1328 Lgffic32.exe 2216 Lbkkgl32.exe 1464 Lejgch32.exe 4808 Lldopb32.exe 3980 Lnbklm32.exe 2608 Lelchgne.exe 1852 Lgkpdcmi.exe 1868 Lndham32.exe 1576 Lacdmh32.exe 1144 Lijlof32.exe 4064 Llhikacp.exe 1864 Mngegmbc.exe 732 Maeachag.exe 3972 Milidebi.exe 3960 Mahnhhod.exe 1184 Miofjepg.exe 912 Mjpbam32.exe 3904 Mbgjbkfg.exe 876 Miaboe32.exe 2324 Mjbogmdb.exe 2340 Mbighjdd.exe 392 Micoed32.exe 2944 Mlbkap32.exe 2416 Mblcnj32.exe 4788 Mifljdjo.exe 4336 Mldhfpib.exe 1748 Nbnpcj32.exe 244 Nemmoe32.exe 3920 Nlfelogp.exe 2908 Noeahkfc.exe 4456 Neoieenp.exe 2748 Nliaao32.exe 2020 Nbcjnilj.exe 4244 Neafjdkn.exe 5108 Nlkngo32.exe 1704 Nojjcj32.exe 4100 Neccpd32.exe 3568 Nlnkmnah.exe 3024 Nolgijpk.exe 3092 Niakfbpa.exe 1968 Nlphbnoe.exe 4600 Objpoh32.exe 3124 Oehlkc32.exe 4376 Olbdhn32.exe 4276 Oblmdhdo.exe 5072 Oifeab32.exe 1948 Okgaijaj.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bjlpjm32.exe Bcahmb32.exe File opened for modification C:\Windows\SysWOW64\Gpbpbecj.exe Gmdcfidg.exe File opened for modification C:\Windows\SysWOW64\Pdhkcb32.exe Pjpfjl32.exe File created C:\Windows\SysWOW64\Glfdiedd.dll Dafppp32.exe File created C:\Windows\SysWOW64\Bhocin32.dll Qebhhp32.exe File created C:\Windows\SysWOW64\Jhidngmn.dll Eblpgjha.exe File opened for modification C:\Windows\SysWOW64\Fbcfhibj.exe Fpejlmcf.exe File created C:\Windows\SysWOW64\Higjaoci.exe Hdjbiheb.exe File opened for modification C:\Windows\SysWOW64\Ojdnid32.exe Oalipoiq.exe File created C:\Windows\SysWOW64\Pjpfjl32.exe Pagbaglh.exe File created C:\Windows\SysWOW64\Knflpoqf.exe Kgmcce32.exe File created C:\Windows\SysWOW64\Elcfgpga.dll Kjpijpdg.exe File created C:\Windows\SysWOW64\Efjikc32.dll Mbgjbkfg.exe File created C:\Windows\SysWOW64\Okgaijaj.exe Oifeab32.exe File created C:\Windows\SysWOW64\Fpbmfn32.exe Eiieicml.exe File opened for modification C:\Windows\SysWOW64\Pecellgl.exe Pmlmkn32.exe File created C:\Windows\SysWOW64\Obgbikfp.dll Bedgjgkg.exe File opened for modification C:\Windows\SysWOW64\Mmpmnl32.exe Mgbefe32.exe File created C:\Windows\SysWOW64\Iaejbl32.dll Kjmmepfj.exe File opened for modification C:\Windows\SysWOW64\Maeachag.exe Mngegmbc.exe File created C:\Windows\SysWOW64\Mbighjdd.exe Mjbogmdb.exe File created C:\Windows\SysWOW64\Gphphj32.exe Gkkgpc32.exe File opened for modification C:\Windows\SysWOW64\Gojiiafp.exe Gbchdp32.exe File created C:\Windows\SysWOW64\Pdhkcb32.exe Pjpfjl32.exe File opened for modification C:\Windows\SysWOW64\Dfjpfj32.exe Dpphjp32.exe File created C:\Windows\SysWOW64\Lfojjf32.dll Jdodkebj.exe File created C:\Windows\SysWOW64\Baadiiif.exe Bochmn32.exe File created C:\Windows\SysWOW64\Hhhdjbno.dll Bddjpd32.exe File created C:\Windows\SysWOW64\Akkeajoj.dll Mnjqmpgg.exe File created C:\Windows\SysWOW64\Njmqnobn.exe Nmipdk32.exe File created C:\Windows\SysWOW64\Akpoaj32.exe Aoioli32.exe File opened for modification C:\Windows\SysWOW64\Bmjkic32.exe Bhmbqm32.exe File created C:\Windows\SysWOW64\Cpfoag32.dll Ckebcg32.exe File created C:\Windows\SysWOW64\Jdigjdia.dll Kilpmh32.exe File created C:\Windows\SysWOW64\Dbmiag32.dll Oifeab32.exe File created C:\Windows\SysWOW64\Bblnindg.exe Bkafmd32.exe File opened for modification C:\Windows\SysWOW64\Difpmfna.exe Dfgcakon.exe File created C:\Windows\SysWOW64\Qlejfm32.dll Dpbdopck.exe File opened for modification C:\Windows\SysWOW64\Ejchhgid.exe Eblpgjha.exe File created C:\Windows\SysWOW64\Hildmn32.exe Hdokdg32.exe File opened for modification C:\Windows\SysWOW64\Idahjg32.exe Hildmn32.exe File opened for modification C:\Windows\SysWOW64\Mcpcdg32.exe Lcnfohmi.exe File opened for modification C:\Windows\SysWOW64\Mngegmbc.exe Llhikacp.exe File created C:\Windows\SysWOW64\Neoieenp.exe Noeahkfc.exe File created C:\Windows\SysWOW64\Nlkngo32.exe Neafjdkn.exe File opened for modification C:\Windows\SysWOW64\Nhahaiec.exe Neclenfo.exe File created C:\Windows\SysWOW64\Ekpped32.dll Qlimed32.exe File created C:\Windows\SysWOW64\Impliekg.exe Ilqoobdd.exe File opened for modification C:\Windows\SysWOW64\Kbddfmgl.exe Kjmmepfj.exe File created C:\Windows\SysWOW64\Neccpd32.exe Nojjcj32.exe File opened for modification C:\Windows\SysWOW64\Dfgcakon.exe Dpnkdq32.exe File created C:\Windows\SysWOW64\Gkbofaoj.dll Ejoomhmi.exe File created C:\Windows\SysWOW64\Kclgmq32.exe Kmaopfjm.exe File created C:\Windows\SysWOW64\Lqbncb32.exe Ljhefhha.exe File created C:\Windows\SysWOW64\Popbpqjh.exe Pmaffnce.exe File created C:\Windows\SysWOW64\Fbpcnkaj.dll Gpnfge32.exe File created C:\Windows\SysWOW64\Mcpcdg32.exe Lcnfohmi.exe File created C:\Windows\SysWOW64\Figmglee.dll Opnbae32.exe File created C:\Windows\SysWOW64\Ggmgbckd.dll Nojjcj32.exe File opened for modification C:\Windows\SysWOW64\Dpgnjo32.exe Dmhand32.exe File created C:\Windows\SysWOW64\Lnmkfh32.exe Lgccinoe.exe File created C:\Windows\SysWOW64\Gaakdpkj.dll Oalipoiq.exe File opened for modification C:\Windows\SysWOW64\Phigif32.exe Pejkmk32.exe File created C:\Windows\SysWOW64\Nmipdk32.exe Nncccnol.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 10600 8960 WerFault.exe 522 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lldopb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lndham32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnjnqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oblmdhdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdkdgchl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jleijb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Maeachag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibfnqmpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjlopc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncnofeof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjpijpdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lalnmiia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neccpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Objpoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gojiiafp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nliaao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnkggfkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Camddhoi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgpfbjlo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oifeab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bblnindg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhahaiec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfiildio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoabad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nojjcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gphphj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgbjbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohpkmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dflmlj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffqhcq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Komhll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnbklm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbnpcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpfepf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkohaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oanfen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahbjoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcpcdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbmoen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lejgch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfjpfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fllkqn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmpdhboj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncofplba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pahpfc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhkdof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdickcpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mifljdjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgepom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilqoobdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pibdmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gipdap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coknoaic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcbnnpka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Impliekg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pifnhpmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akpoaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mngegmbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmgjia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oacoqnci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmjemflb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coiaiakf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kclgmq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlnkmnah.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjpijpdg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jlfpdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Blqllqqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkfcndce.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mbgjbkfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jdodkebj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpfepf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Meiioonj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgnqimah.dll" Onnmdcjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gofdmmgd.dll" Bojomm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dndnpf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgkpdcmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlfelogp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Alcfei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpnkdq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Idahjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncdmbe32.dll" Megljppl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohkkhhmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Heeeiopa.dll" Cfnjpfcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jleijb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkpbin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oklfllgp.dll" Oogpjbbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebgpad32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Glipgf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcelpggq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Palklf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nliaao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Neccpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpgfkbgm.dll" Oiknlagg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckilmcgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Noomkkpc.dll" Dfefkkqp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Elpkep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgaokl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekoglqie.dll" Kflide32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkenjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkenjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gakiqbgc.dll" Diccgfpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kolkod32.dll" Fikbocki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbjnik32.dll" Fpejlmcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jpfepf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdhkcb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aoioli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cklhcfle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knflpoqf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Flngfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgplk32.dll" Aoioli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knhcpa32.dll" Okgaijaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gphphj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onocomdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plikcm32.dll" Bkgeainn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmihfl32.dll" Cpmapodj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mblcnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgccinoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Liqihglg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpchnbbb.dll" Llhikacp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phahglpk.dll" Bcddcbab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fppcajgd.dll" Ckilmcgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qabjcina.dll" Gkkgpc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lnmkfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpaagldf.dll" Fngcmcfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njmqnobn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lbkkgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbnnbmfj.dll" Oblmdhdo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkdcbd32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3188 wrote to memory of 2504 3188 356177bd3cec12204966895b3d8172037ff85a71020cf186cb32db41605f4374N.exe 83 PID 3188 wrote to memory of 2504 3188 356177bd3cec12204966895b3d8172037ff85a71020cf186cb32db41605f4374N.exe 83 PID 3188 wrote to memory of 2504 3188 356177bd3cec12204966895b3d8172037ff85a71020cf186cb32db41605f4374N.exe 83 PID 2504 wrote to memory of 4716 2504 Kbmoen32.exe 84 PID 2504 wrote to memory of 4716 2504 Kbmoen32.exe 84 PID 2504 wrote to memory of 4716 2504 Kbmoen32.exe 84 PID 4716 wrote to memory of 3016 4716 Kiggbhda.exe 85 PID 4716 wrote to memory of 3016 4716 Kiggbhda.exe 85 PID 4716 wrote to memory of 3016 4716 Kiggbhda.exe 85 PID 3016 wrote to memory of 4260 3016 Kkfcndce.exe 86 PID 3016 wrote to memory of 4260 3016 Kkfcndce.exe 86 PID 3016 wrote to memory of 4260 3016 Kkfcndce.exe 86 PID 4260 wrote to memory of 636 4260 Kndojobi.exe 87 PID 4260 wrote to memory of 636 4260 Kndojobi.exe 87 PID 4260 wrote to memory of 636 4260 Kndojobi.exe 87 PID 636 wrote to memory of 4428 636 Kenggi32.exe 88 PID 636 wrote to memory of 4428 636 Kenggi32.exe 88 PID 636 wrote to memory of 4428 636 Kenggi32.exe 88 PID 4428 wrote to memory of 2420 4428 Kgmcce32.exe 89 PID 4428 wrote to memory of 2420 4428 Kgmcce32.exe 89 PID 4428 wrote to memory of 2420 4428 Kgmcce32.exe 89 PID 2420 wrote to memory of 1132 2420 Knflpoqf.exe 90 PID 2420 wrote to memory of 1132 2420 Knflpoqf.exe 90 PID 2420 wrote to memory of 1132 2420 Knflpoqf.exe 90 PID 1132 wrote to memory of 5056 1132 Kaehljpj.exe 91 PID 1132 wrote to memory of 5056 1132 Kaehljpj.exe 91 PID 1132 wrote to memory of 5056 1132 Kaehljpj.exe 91 PID 5056 wrote to memory of 4980 5056 Kilpmh32.exe 92 PID 5056 wrote to memory of 4980 5056 Kilpmh32.exe 92 PID 5056 wrote to memory of 4980 5056 Kilpmh32.exe 92 PID 4980 wrote to memory of 212 4980 Kjmmepfj.exe 93 PID 4980 wrote to memory of 212 4980 Kjmmepfj.exe 93 PID 4980 wrote to memory of 212 4980 Kjmmepfj.exe 93 PID 212 wrote to memory of 32 212 Kbddfmgl.exe 94 PID 212 wrote to memory of 32 212 Kbddfmgl.exe 94 PID 212 wrote to memory of 32 212 Kbddfmgl.exe 94 PID 32 wrote to memory of 3680 32 Kinmcg32.exe 95 PID 32 wrote to memory of 3680 32 Kinmcg32.exe 95 PID 32 wrote to memory of 3680 32 Kinmcg32.exe 95 PID 3680 wrote to memory of 2288 3680 Kjpijpdg.exe 96 PID 3680 wrote to memory of 2288 3680 Kjpijpdg.exe 96 PID 3680 wrote to memory of 2288 3680 Kjpijpdg.exe 96 PID 2288 wrote to memory of 2892 2288 Lbgalmej.exe 97 PID 2288 wrote to memory of 2892 2288 Lbgalmej.exe 97 PID 2288 wrote to memory of 2892 2288 Lbgalmej.exe 97 PID 2892 wrote to memory of 4720 2892 Liqihglg.exe 98 PID 2892 wrote to memory of 4720 2892 Liqihglg.exe 98 PID 2892 wrote to memory of 4720 2892 Liqihglg.exe 98 PID 4720 wrote to memory of 5104 4720 Lkofdbkj.exe 99 PID 4720 wrote to memory of 5104 4720 Lkofdbkj.exe 99 PID 4720 wrote to memory of 5104 4720 Lkofdbkj.exe 99 PID 5104 wrote to memory of 1328 5104 Lalnmiia.exe 100 PID 5104 wrote to memory of 1328 5104 Lalnmiia.exe 100 PID 5104 wrote to memory of 1328 5104 Lalnmiia.exe 100 PID 1328 wrote to memory of 2216 1328 Lgffic32.exe 101 PID 1328 wrote to memory of 2216 1328 Lgffic32.exe 101 PID 1328 wrote to memory of 2216 1328 Lgffic32.exe 101 PID 2216 wrote to memory of 1464 2216 Lbkkgl32.exe 102 PID 2216 wrote to memory of 1464 2216 Lbkkgl32.exe 102 PID 2216 wrote to memory of 1464 2216 Lbkkgl32.exe 102 PID 1464 wrote to memory of 4808 1464 Lejgch32.exe 103 PID 1464 wrote to memory of 4808 1464 Lejgch32.exe 103 PID 1464 wrote to memory of 4808 1464 Lejgch32.exe 103 PID 4808 wrote to memory of 3980 4808 Lldopb32.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\356177bd3cec12204966895b3d8172037ff85a71020cf186cb32db41605f4374N.exe"C:\Users\Admin\AppData\Local\Temp\356177bd3cec12204966895b3d8172037ff85a71020cf186cb32db41605f4374N.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:3188 -
C:\Windows\SysWOW64\Kbmoen32.exeC:\Windows\system32\Kbmoen32.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\SysWOW64\Kiggbhda.exeC:\Windows\system32\Kiggbhda.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4716 -
C:\Windows\SysWOW64\Kkfcndce.exeC:\Windows\system32\Kkfcndce.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\SysWOW64\Kndojobi.exeC:\Windows\system32\Kndojobi.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4260 -
C:\Windows\SysWOW64\Kenggi32.exeC:\Windows\system32\Kenggi32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:636 -
C:\Windows\SysWOW64\Kgmcce32.exeC:\Windows\system32\Kgmcce32.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4428 -
C:\Windows\SysWOW64\Knflpoqf.exeC:\Windows\system32\Knflpoqf.exe8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\Kaehljpj.exeC:\Windows\system32\Kaehljpj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1132 -
C:\Windows\SysWOW64\Kilpmh32.exeC:\Windows\system32\Kilpmh32.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5056 -
C:\Windows\SysWOW64\Kjmmepfj.exeC:\Windows\system32\Kjmmepfj.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4980 -
C:\Windows\SysWOW64\Kbddfmgl.exeC:\Windows\system32\Kbddfmgl.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:212 -
C:\Windows\SysWOW64\Kinmcg32.exeC:\Windows\system32\Kinmcg32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:32 -
C:\Windows\SysWOW64\Kjpijpdg.exeC:\Windows\system32\Kjpijpdg.exe14⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3680 -
C:\Windows\SysWOW64\Lbgalmej.exeC:\Windows\system32\Lbgalmej.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\Liqihglg.exeC:\Windows\system32\Liqihglg.exe16⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\Lkofdbkj.exeC:\Windows\system32\Lkofdbkj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4720 -
C:\Windows\SysWOW64\Lalnmiia.exeC:\Windows\system32\Lalnmiia.exe18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5104 -
C:\Windows\SysWOW64\Lgffic32.exeC:\Windows\system32\Lgffic32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1328 -
C:\Windows\SysWOW64\Lbkkgl32.exeC:\Windows\system32\Lbkkgl32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\Lejgch32.exeC:\Windows\system32\Lejgch32.exe21⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1464 -
C:\Windows\SysWOW64\Lldopb32.exeC:\Windows\system32\Lldopb32.exe22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4808 -
C:\Windows\SysWOW64\Lnbklm32.exeC:\Windows\system32\Lnbklm32.exe23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3980 -
C:\Windows\SysWOW64\Lelchgne.exeC:\Windows\system32\Lelchgne.exe24⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Lgkpdcmi.exeC:\Windows\system32\Lgkpdcmi.exe25⤵
- Executes dropped EXE
- Modifies registry class
PID:1852 -
C:\Windows\SysWOW64\Lndham32.exeC:\Windows\system32\Lndham32.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1868 -
C:\Windows\SysWOW64\Lacdmh32.exeC:\Windows\system32\Lacdmh32.exe27⤵
- Executes dropped EXE
PID:1576 -
C:\Windows\SysWOW64\Lijlof32.exeC:\Windows\system32\Lijlof32.exe28⤵
- Executes dropped EXE
PID:1144 -
C:\Windows\SysWOW64\Llhikacp.exeC:\Windows\system32\Llhikacp.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4064 -
C:\Windows\SysWOW64\Mngegmbc.exeC:\Windows\system32\Mngegmbc.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1864 -
C:\Windows\SysWOW64\Maeachag.exeC:\Windows\system32\Maeachag.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:732 -
C:\Windows\SysWOW64\Milidebi.exeC:\Windows\system32\Milidebi.exe32⤵
- Executes dropped EXE
PID:3972 -
C:\Windows\SysWOW64\Mahnhhod.exeC:\Windows\system32\Mahnhhod.exe33⤵
- Executes dropped EXE
PID:3960 -
C:\Windows\SysWOW64\Miofjepg.exeC:\Windows\system32\Miofjepg.exe34⤵
- Executes dropped EXE
PID:1184 -
C:\Windows\SysWOW64\Mjpbam32.exeC:\Windows\system32\Mjpbam32.exe35⤵
- Executes dropped EXE
PID:912 -
C:\Windows\SysWOW64\Mbgjbkfg.exeC:\Windows\system32\Mbgjbkfg.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3904 -
C:\Windows\SysWOW64\Miaboe32.exeC:\Windows\system32\Miaboe32.exe37⤵
- Executes dropped EXE
PID:876 -
C:\Windows\SysWOW64\Mjbogmdb.exeC:\Windows\system32\Mjbogmdb.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2324 -
C:\Windows\SysWOW64\Mbighjdd.exeC:\Windows\system32\Mbighjdd.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Micoed32.exeC:\Windows\system32\Micoed32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:392 -
C:\Windows\SysWOW64\Mlbkap32.exeC:\Windows\system32\Mlbkap32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Mblcnj32.exeC:\Windows\system32\Mblcnj32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:2416 -
C:\Windows\SysWOW64\Mifljdjo.exeC:\Windows\system32\Mifljdjo.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4788 -
C:\Windows\SysWOW64\Mldhfpib.exeC:\Windows\system32\Mldhfpib.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4336 -
C:\Windows\SysWOW64\Nbnpcj32.exeC:\Windows\system32\Nbnpcj32.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1748 -
C:\Windows\SysWOW64\Nemmoe32.exeC:\Windows\system32\Nemmoe32.exe46⤵
- Executes dropped EXE
PID:244 -
C:\Windows\SysWOW64\Nlfelogp.exeC:\Windows\system32\Nlfelogp.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:3920 -
C:\Windows\SysWOW64\Noeahkfc.exeC:\Windows\system32\Noeahkfc.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2908 -
C:\Windows\SysWOW64\Neoieenp.exeC:\Windows\system32\Neoieenp.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4456 -
C:\Windows\SysWOW64\Nliaao32.exeC:\Windows\system32\Nliaao32.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2748 -
C:\Windows\SysWOW64\Nbcjnilj.exeC:\Windows\system32\Nbcjnilj.exe51⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Neafjdkn.exeC:\Windows\system32\Neafjdkn.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4244 -
C:\Windows\SysWOW64\Nlkngo32.exeC:\Windows\system32\Nlkngo32.exe53⤵
- Executes dropped EXE
PID:5108 -
C:\Windows\SysWOW64\Nojjcj32.exeC:\Windows\system32\Nojjcj32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1704 -
C:\Windows\SysWOW64\Neccpd32.exeC:\Windows\system32\Neccpd32.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4100 -
C:\Windows\SysWOW64\Nlnkmnah.exeC:\Windows\system32\Nlnkmnah.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3568 -
C:\Windows\SysWOW64\Nolgijpk.exeC:\Windows\system32\Nolgijpk.exe57⤵
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\Niakfbpa.exeC:\Windows\system32\Niakfbpa.exe58⤵
- Executes dropped EXE
PID:3092 -
C:\Windows\SysWOW64\Nlphbnoe.exeC:\Windows\system32\Nlphbnoe.exe59⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Objpoh32.exeC:\Windows\system32\Objpoh32.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4600 -
C:\Windows\SysWOW64\Oehlkc32.exeC:\Windows\system32\Oehlkc32.exe61⤵
- Executes dropped EXE
PID:3124 -
C:\Windows\SysWOW64\Olbdhn32.exeC:\Windows\system32\Olbdhn32.exe62⤵
- Executes dropped EXE
PID:4376 -
C:\Windows\SysWOW64\Oblmdhdo.exeC:\Windows\system32\Oblmdhdo.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4276 -
C:\Windows\SysWOW64\Oifeab32.exeC:\Windows\system32\Oifeab32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5072 -
C:\Windows\SysWOW64\Okgaijaj.exeC:\Windows\system32\Okgaijaj.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:1948 -
C:\Windows\SysWOW64\Oboijgbl.exeC:\Windows\system32\Oboijgbl.exe66⤵PID:4660
-
C:\Windows\SysWOW64\Oihagaji.exeC:\Windows\system32\Oihagaji.exe67⤵PID:2036
-
C:\Windows\SysWOW64\Okjnnj32.exeC:\Windows\system32\Okjnnj32.exe68⤵PID:1836
-
C:\Windows\SysWOW64\Obafpg32.exeC:\Windows\system32\Obafpg32.exe69⤵PID:4704
-
C:\Windows\SysWOW64\Oiknlagg.exeC:\Windows\system32\Oiknlagg.exe70⤵
- Modifies registry class
PID:1268 -
C:\Windows\SysWOW64\Oklkdi32.exeC:\Windows\system32\Oklkdi32.exe71⤵PID:2268
-
C:\Windows\SysWOW64\Obcceg32.exeC:\Windows\system32\Obcceg32.exe72⤵PID:5000
-
C:\Windows\SysWOW64\Ohpkmn32.exeC:\Windows\system32\Ohpkmn32.exe73⤵
- System Location Discovery: System Language Discovery
PID:5124 -
C:\Windows\SysWOW64\Pahpfc32.exeC:\Windows\system32\Pahpfc32.exe74⤵
- System Location Discovery: System Language Discovery
PID:5164 -
C:\Windows\SysWOW64\Pkadoiip.exeC:\Windows\system32\Pkadoiip.exe75⤵PID:5204
-
C:\Windows\SysWOW64\Pibdmp32.exeC:\Windows\system32\Pibdmp32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5244 -
C:\Windows\SysWOW64\Pcjiff32.exeC:\Windows\system32\Pcjiff32.exe77⤵PID:5284
-
C:\Windows\SysWOW64\Pidabppl.exeC:\Windows\system32\Pidabppl.exe78⤵PID:5324
-
C:\Windows\SysWOW64\Pkenjh32.exeC:\Windows\system32\Pkenjh32.exe79⤵
- Modifies registry class
PID:5364 -
C:\Windows\SysWOW64\Papfgbmg.exeC:\Windows\system32\Papfgbmg.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5404 -
C:\Windows\SysWOW64\Pifnhpmi.exeC:\Windows\system32\Pifnhpmi.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5444 -
C:\Windows\SysWOW64\Pkhjph32.exeC:\Windows\system32\Pkhjph32.exe82⤵PID:5488
-
C:\Windows\SysWOW64\Pabblb32.exeC:\Windows\system32\Pabblb32.exe83⤵PID:5528
-
C:\Windows\SysWOW64\Qhlkilba.exeC:\Windows\system32\Qhlkilba.exe84⤵PID:5572
-
C:\Windows\SysWOW64\Qofcff32.exeC:\Windows\system32\Qofcff32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5612 -
C:\Windows\SysWOW64\Qepkbpak.exeC:\Windows\system32\Qepkbpak.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5652 -
C:\Windows\SysWOW64\Qljcoj32.exeC:\Windows\system32\Qljcoj32.exe87⤵PID:5692
-
C:\Windows\SysWOW64\Qohpkf32.exeC:\Windows\system32\Qohpkf32.exe88⤵PID:5732
-
C:\Windows\SysWOW64\Qebhhp32.exeC:\Windows\system32\Qebhhp32.exe89⤵
- Drops file in System32 directory
PID:5772 -
C:\Windows\SysWOW64\Allpejfe.exeC:\Windows\system32\Allpejfe.exe90⤵PID:5812
-
C:\Windows\SysWOW64\Aojlaeei.exeC:\Windows\system32\Aojlaeei.exe91⤵PID:5852
-
C:\Windows\SysWOW64\Aeddnp32.exeC:\Windows\system32\Aeddnp32.exe92⤵PID:5892
-
C:\Windows\SysWOW64\Alnmjjdb.exeC:\Windows\system32\Alnmjjdb.exe93⤵PID:5932
-
C:\Windows\SysWOW64\Aomifecf.exeC:\Windows\system32\Aomifecf.exe94⤵PID:5972
-
C:\Windows\SysWOW64\Afgacokc.exeC:\Windows\system32\Afgacokc.exe95⤵PID:6012
-
C:\Windows\SysWOW64\Alqjpi32.exeC:\Windows\system32\Alqjpi32.exe96⤵PID:6052
-
C:\Windows\SysWOW64\Aoofle32.exeC:\Windows\system32\Aoofle32.exe97⤵PID:6092
-
C:\Windows\SysWOW64\Afinioip.exeC:\Windows\system32\Afinioip.exe98⤵PID:6132
-
C:\Windows\SysWOW64\Alcfei32.exeC:\Windows\system32\Alcfei32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2932 -
C:\Windows\SysWOW64\Aoabad32.exeC:\Windows\system32\Aoabad32.exe100⤵
- System Location Discovery: System Language Discovery
PID:3452 -
C:\Windows\SysWOW64\Ajggomog.exeC:\Windows\system32\Ajggomog.exe101⤵PID:4316
-
C:\Windows\SysWOW64\Aleckinj.exeC:\Windows\system32\Aleckinj.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4784 -
C:\Windows\SysWOW64\Acokhc32.exeC:\Windows\system32\Acokhc32.exe103⤵PID:4556
-
C:\Windows\SysWOW64\Bjicdmmd.exeC:\Windows\system32\Bjicdmmd.exe104⤵PID:3844
-
C:\Windows\SysWOW64\Blhpqhlh.exeC:\Windows\system32\Blhpqhlh.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5116 -
C:\Windows\SysWOW64\Bcahmb32.exeC:\Windows\system32\Bcahmb32.exe106⤵
- Drops file in System32 directory
PID:5140 -
C:\Windows\SysWOW64\Bjlpjm32.exeC:\Windows\system32\Bjlpjm32.exe107⤵PID:5196
-
C:\Windows\SysWOW64\Bkmmaeap.exeC:\Windows\system32\Bkmmaeap.exe108⤵PID:5280
-
C:\Windows\SysWOW64\Bcddcbab.exeC:\Windows\system32\Bcddcbab.exe109⤵
- Modifies registry class
PID:5360 -
C:\Windows\SysWOW64\Bjnmpl32.exeC:\Windows\system32\Bjnmpl32.exe110⤵PID:5436
-
C:\Windows\SysWOW64\Bkoigdom.exeC:\Windows\system32\Bkoigdom.exe111⤵PID:4904
-
C:\Windows\SysWOW64\Bbiado32.exeC:\Windows\system32\Bbiado32.exe112⤵PID:5568
-
C:\Windows\SysWOW64\Bjpjel32.exeC:\Windows\system32\Bjpjel32.exe113⤵PID:5640
-
C:\Windows\SysWOW64\Bkafmd32.exeC:\Windows\system32\Bkafmd32.exe114⤵
- Drops file in System32 directory
PID:1928 -
C:\Windows\SysWOW64\Bblnindg.exeC:\Windows\system32\Bblnindg.exe115⤵
- System Location Discovery: System Language Discovery
PID:5768 -
C:\Windows\SysWOW64\Bjbfklei.exeC:\Windows\system32\Bjbfklei.exe116⤵PID:5836
-
C:\Windows\SysWOW64\Bkdcbd32.exeC:\Windows\system32\Bkdcbd32.exe117⤵
- Modifies registry class
PID:5908 -
C:\Windows\SysWOW64\Bbnkonbd.exeC:\Windows\system32\Bbnkonbd.exe118⤵PID:5964
-
C:\Windows\SysWOW64\Cjecpkcg.exeC:\Windows\system32\Cjecpkcg.exe119⤵PID:6020
-
C:\Windows\SysWOW64\Ckfphc32.exeC:\Windows\system32\Ckfphc32.exe120⤵PID:6076
-
C:\Windows\SysWOW64\Cbphdn32.exeC:\Windows\system32\Cbphdn32.exe121⤵PID:6140
-
C:\Windows\SysWOW64\Cijpahho.exeC:\Windows\system32\Cijpahho.exe122⤵PID:4832
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-