Analysis
-
max time kernel
57s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
11/11/2024, 12:41
Static task
static1
Behavioral task
behavioral1
Sample
6293c7fb892752996708a86fd05d08be49cb97abd622555923a291e46cec59dbN.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
6293c7fb892752996708a86fd05d08be49cb97abd622555923a291e46cec59dbN.exe
Resource
win10v2004-20241007-en
General
-
Target
6293c7fb892752996708a86fd05d08be49cb97abd622555923a291e46cec59dbN.exe
-
Size
79KB
-
MD5
52a736d833c7ffdf21a350ad1e1c6fd6
-
SHA1
75801dbcd2c153d226c41a9da4ef0e8b79e36a9a
-
SHA256
b1f55dfa09e39e83dafb50a0d1ecd5103d15f52a154c9a540f0271c6aea03907
-
SHA512
1937dedb4332a2131509dfd33ae7be3d78c147380f24322e225f2397b2c840f240a235a4a00d4c4c08b4f779fa826a185c6a0b1121646fd271bf753529cc11f8
-
SSDEEP
1536:8lbCAyKHXycWqVrmdR9+4UEbiFkSIgiItKq9v6Dw:8lbuKHjnuVUEbixtBtKq9vb
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peakkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbhfcf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akjfhdka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcankb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kblooa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nndhpqma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iganmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nodnmb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jaffca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbljfdoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dajlhc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofklpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qakppa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhgaan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcfmfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eabeal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hminbkql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olgehh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aapikqel.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmpobi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olehbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpmeij32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mncfgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oafhmf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agcekn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iigehk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Keodflee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkbdbbop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flbgak32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbdokceo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npfhjifm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofpmegpe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjndca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpdibapb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdajff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Neghdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fqkbkicd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbkdgn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdllci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpagbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkafib32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdnihiad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elcbmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbheif32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcfmfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qchmll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpeonkig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alhaho32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amaiklki.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lndlamke.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlkigbef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iiekkdjo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdpgai32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkpcbecl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qidckjae.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekppjmia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjolpkhj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Giikkehc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlpngd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnbhmlkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Joepjokm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgpmbgai.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbinad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkgqpjch.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2956 Mddibb32.exe 2976 Mlpngd32.exe 2776 Mejoei32.exe 2124 Mhkhgd32.exe 2992 Ngqeha32.exe 2940 Nianjl32.exe 2868 Nlbgkgcc.exe 1468 Nldcagaq.exe 784 Oklmhcdf.exe 3004 Olkjaflh.exe 1412 Okqgcb32.exe 1800 Odiklh32.exe 1768 Pqplqile.exe 2504 Pncljmko.exe 2236 Pqdelh32.exe 1820 Poibmdmh.exe 2132 Pkpcbecl.exe 720 Qidckjae.exe 2228 Qekdpkgj.exe 1280 Aemafjeg.exe 1536 Akjfhdka.exe 1060 Agqfme32.exe 2012 Aidpjm32.exe 2580 Bleilh32.exe 1580 Bfmjoqoe.exe 2576 Bpengf32.exe 2880 Bhpclica.exe 1612 Blnkbg32.exe 2996 Bakdjn32.exe 1048 Cfhlbe32.exe 2772 Cglfndaa.exe 2820 Clinfk32.exe 2456 Cllkkk32.exe 2352 Ccecheeb.exe 2304 Cipleo32.exe 2832 Dhehfk32.exe 2112 Dekeeonn.exe 1112 Ejadibmh.exe 792 Elpqemll.exe 1524 Eqnillbb.exe 2176 Ekjgbi32.exe 2468 Fkldgi32.exe 1972 Fkambhgf.exe 1624 Fqnfkoen.exe 2460 Fjfjcdln.exe 592 Fcoolj32.exe 1936 Fikgda32.exe 2636 Gbdlnf32.exe 2604 Gindjqnc.exe 2716 Gphlgk32.exe 2928 Geddoa32.exe 1824 Gpjilj32.exe 2888 Gbheif32.exe 2032 Ghenamai.exe 2780 Gnofng32.exe 2508 Glcfgk32.exe 1856 Gbmoceol.exe 1832 Hjhchg32.exe 2212 Habkeacd.exe 1108 Hnflnfbm.exe 1540 Hfaqbh32.exe 2248 Hbhagiem.exe 904 Hjoiiffo.exe 2128 Hplbamdf.exe -
Loads dropped DLL 64 IoCs
pid Process 2496 6293c7fb892752996708a86fd05d08be49cb97abd622555923a291e46cec59dbN.exe 2496 6293c7fb892752996708a86fd05d08be49cb97abd622555923a291e46cec59dbN.exe 2956 Mddibb32.exe 2956 Mddibb32.exe 2976 Mlpngd32.exe 2976 Mlpngd32.exe 2776 Mejoei32.exe 2776 Mejoei32.exe 2124 Mhkhgd32.exe 2124 Mhkhgd32.exe 2992 Ngqeha32.exe 2992 Ngqeha32.exe 2940 Nianjl32.exe 2940 Nianjl32.exe 2868 Nlbgkgcc.exe 2868 Nlbgkgcc.exe 1468 Nldcagaq.exe 1468 Nldcagaq.exe 784 Oklmhcdf.exe 784 Oklmhcdf.exe 3004 Olkjaflh.exe 3004 Olkjaflh.exe 1412 Okqgcb32.exe 1412 Okqgcb32.exe 1800 Odiklh32.exe 1800 Odiklh32.exe 1768 Pqplqile.exe 1768 Pqplqile.exe 2504 Pncljmko.exe 2504 Pncljmko.exe 2236 Pqdelh32.exe 2236 Pqdelh32.exe 1820 Poibmdmh.exe 1820 Poibmdmh.exe 2132 Pkpcbecl.exe 2132 Pkpcbecl.exe 720 Qidckjae.exe 720 Qidckjae.exe 2228 Qekdpkgj.exe 2228 Qekdpkgj.exe 1280 Aemafjeg.exe 1280 Aemafjeg.exe 1536 Akjfhdka.exe 1536 Akjfhdka.exe 1060 Agqfme32.exe 1060 Agqfme32.exe 2012 Aidpjm32.exe 2012 Aidpjm32.exe 2580 Bleilh32.exe 2580 Bleilh32.exe 1580 Bfmjoqoe.exe 1580 Bfmjoqoe.exe 2576 Bpengf32.exe 2576 Bpengf32.exe 2880 Bhpclica.exe 2880 Bhpclica.exe 1612 Blnkbg32.exe 1612 Blnkbg32.exe 2996 Bakdjn32.exe 2996 Bakdjn32.exe 1048 Cfhlbe32.exe 1048 Cfhlbe32.exe 2772 Cglfndaa.exe 2772 Cglfndaa.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Dbcgao32.dll 6293c7fb892752996708a86fd05d08be49cb97abd622555923a291e46cec59dbN.exe File created C:\Windows\SysWOW64\Happkf32.exe Hobcok32.exe File created C:\Windows\SysWOW64\Hamgfm32.dll Mmpmjpba.exe File created C:\Windows\SysWOW64\Memncbmj.exe Mncfgh32.exe File created C:\Windows\SysWOW64\Gppkkikh.exe Gnoocq32.exe File opened for modification C:\Windows\SysWOW64\Mekanbol.exe Mmpmjpba.exe File created C:\Windows\SysWOW64\Pjligacm.dll Hhhkbqea.exe File opened for modification C:\Windows\SysWOW64\Ndhlfh32.exe Nhalag32.exe File created C:\Windows\SysWOW64\Pppihdha.exe Pifakj32.exe File created C:\Windows\SysWOW64\Anhdmh32.exe Agolpnjl.exe File created C:\Windows\SysWOW64\Flbehbqm.exe Fcjqpm32.exe File opened for modification C:\Windows\SysWOW64\Idemkp32.exe Ikmibjkm.exe File created C:\Windows\SysWOW64\Olkobp32.dll Mekanbol.exe File created C:\Windows\SysWOW64\Hmlkhk32.exe Hgobpd32.exe File opened for modification C:\Windows\SysWOW64\Bfqaph32.exe Bdoeipjh.exe File created C:\Windows\SysWOW64\Bcgoolln.exe Bqhbcqmj.exe File opened for modification C:\Windows\SysWOW64\Njaoeq32.exe Ngcbie32.exe File opened for modification C:\Windows\SysWOW64\Onmgeb32.exe Odgchjhl.exe File opened for modification C:\Windows\SysWOW64\Febmfcjj.exe Fkmhij32.exe File created C:\Windows\SysWOW64\Jogneifn.dll Gindjqnc.exe File created C:\Windows\SysWOW64\Npffaq32.exe Nilndfgl.exe File opened for modification C:\Windows\SysWOW64\Gpccgppq.exe Giikkehc.exe File opened for modification C:\Windows\SysWOW64\Pmgnan32.exe Pdnihiad.exe File opened for modification C:\Windows\SysWOW64\Iniglajj.exe Ihooog32.exe File opened for modification C:\Windows\SysWOW64\Afeold32.exe Akpkok32.exe File opened for modification C:\Windows\SysWOW64\Jnlfjjpl.exe Iganmp32.exe File created C:\Windows\SysWOW64\Gllmbj32.dll Kbikokin.exe File created C:\Windows\SysWOW64\Lcignoki.exe Kkglim32.exe File created C:\Windows\SysWOW64\Ekppjmia.exe Eiocbd32.exe File opened for modification C:\Windows\SysWOW64\Hqjfgb32.exe Hjpnjheg.exe File created C:\Windows\SysWOW64\Lbkdpgdb.dll Ofpmegpe.exe File created C:\Windows\SysWOW64\Fpmcpglh.dll Lkoidcaj.exe File opened for modification C:\Windows\SysWOW64\Gaiijgbi.exe Gllabp32.exe File created C:\Windows\SysWOW64\Hjoiiffo.exe Hbhagiem.exe File created C:\Windows\SysWOW64\Egghdk32.dll Cmimif32.exe File opened for modification C:\Windows\SysWOW64\Cicggcke.exe Bcgoolln.exe File created C:\Windows\SysWOW64\Hkidclbb.exe Hhjhgpcn.exe File created C:\Windows\SysWOW64\Bqqclmpe.dll Aeahjn32.exe File opened for modification C:\Windows\SysWOW64\Liekddkh.exe Lchclmla.exe File created C:\Windows\SysWOW64\Bnhjae32.exe Bfqaph32.exe File opened for modification C:\Windows\SysWOW64\Conpdm32.exe Cicggcke.exe File created C:\Windows\SysWOW64\Acloba32.dll Dflnkjhe.exe File created C:\Windows\SysWOW64\Opqjjalh.dll Oafjfokk.exe File created C:\Windows\SysWOW64\Fqehcpaf.dll Fpcghl32.exe File created C:\Windows\SysWOW64\Fhlhmi32.exe Fmfdppia.exe File opened for modification C:\Windows\SysWOW64\Fkldgi32.exe Ekjgbi32.exe File created C:\Windows\SysWOW64\Fdcncg32.exe Fofekp32.exe File opened for modification C:\Windows\SysWOW64\Jlpmndba.exe Ilnqhddd.exe File created C:\Windows\SysWOW64\Lndlamke.exe Lkepdbkb.exe File created C:\Windows\SysWOW64\Pdllci32.exe Pjchjcmf.exe File created C:\Windows\SysWOW64\Cjcfdm32.dll Dcojbm32.exe File created C:\Windows\SysWOW64\Blbfiq32.dll Licpki32.exe File opened for modification C:\Windows\SysWOW64\Ommdqi32.exe Ofcldoef.exe File created C:\Windows\SysWOW64\Pncljmko.exe Pqplqile.exe File opened for modification C:\Windows\SysWOW64\Hminbkql.exe Hcajjf32.exe File opened for modification C:\Windows\SysWOW64\Gjolpkhj.exe Ggppdpif.exe File created C:\Windows\SysWOW64\Bngnoa32.dll Mmpobi32.exe File created C:\Windows\SysWOW64\Ifabli32.dll Cincaq32.exe File opened for modification C:\Windows\SysWOW64\Pnefiq32.exe Plfjme32.exe File created C:\Windows\SysWOW64\Jlfhkenj.dll Apbblg32.exe File opened for modification C:\Windows\SysWOW64\Efaiobkc.exe Dpedmhfi.exe File created C:\Windows\SysWOW64\Ffkicc32.dll Bcfmfc32.exe File created C:\Windows\SysWOW64\Agcekn32.exe Aklefm32.exe File created C:\Windows\SysWOW64\Nolbcaeh.dll Nbegonmd.exe -
Program crash 1 IoCs
pid pid_target Process 3940 5648 WerFault.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcankb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojgokflc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfljmmjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibpjaagi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acbieing.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joepjokm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjqfmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgpjin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkglim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlfaag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdcncg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiocbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggbljogc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onmgeb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdllci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emqaaabg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjlgaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfmahkhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkhhie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elcbmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idgjqook.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpjilj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkljfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdhcinme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgjgepqm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjchjcmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Danaqbgp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlcfnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pqdelh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpjgag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afkccffq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjiibm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbljfdoh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cincaq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnmada32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkdbab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Empphi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejmljg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghcbga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddnhidmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkambhgf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbcbag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dckdio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkccob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pncljmko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbmlal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eghdanac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qpmiahlp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnflnfbm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elpldp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebmjihqn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhenmm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omonmpcm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Appfggjm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdpgai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geddoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijelgemi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmdocf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fokofpif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcahjqfa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mojaceln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckamihfm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gljdlq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfaqbh32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Foohqdql.dll" Ffjghppi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nijcgp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cneiki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlmhggb.dll" Ggppdpif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jommmbhn.dll" Ogkbmcba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedqakci.dll" Abiqcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcpkli32.dll" Akpkok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mookod32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jkjaaglp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbfilc32.dll" Pnefiq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nfnfjmgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ilhlan32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nfmahkhh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chkoef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dlhdjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Logcad32.dll" Mffdmfjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kidjfl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lafekm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkjldmnf.dll" Ccecheeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omjgkjof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibmkbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkdaeb32.dll" Mgigpgkd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omonmpcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eampgb32.dll" Omjgkjof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pomagi32.dll" Aemafjeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmbnhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Edmnnakm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fcjqpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjenbk32.dll" Hklhca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mnfhfmhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oabdgo32.dll" Jcaahofh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffemlf32.dll" Nodnmb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipcjje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fjlaod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eghdanac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igoagpja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmogcdag.dll" Pjqdjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iijlqlam.dll" Fdbibjok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiphhoij.dll" Immkiodb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeedad32.dll" Ddnhidmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onejjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjlgna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idlfno32.dll" Ggcnbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hidnidah.dll" Onlooh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Plfjme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffmicb32.dll" Ldokhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkhalo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnmkpadn.dll" Hcajjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acloba32.dll" Dflnkjhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odiklh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Habkeacd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmhaikja.dll" Mgoaap32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oheieo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnnnoaop.dll" Jbooen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmmdfgc.dll" Mccaodgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dnbbjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Baakem32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ejadibmh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aodnfbpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbffjdpp.dll" Fokofpif.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndmeecmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbmoceol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Npffaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhldob32.dll" Jbdokceo.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2496 wrote to memory of 2956 2496 6293c7fb892752996708a86fd05d08be49cb97abd622555923a291e46cec59dbN.exe 30 PID 2496 wrote to memory of 2956 2496 6293c7fb892752996708a86fd05d08be49cb97abd622555923a291e46cec59dbN.exe 30 PID 2496 wrote to memory of 2956 2496 6293c7fb892752996708a86fd05d08be49cb97abd622555923a291e46cec59dbN.exe 30 PID 2496 wrote to memory of 2956 2496 6293c7fb892752996708a86fd05d08be49cb97abd622555923a291e46cec59dbN.exe 30 PID 2956 wrote to memory of 2976 2956 Mddibb32.exe 31 PID 2956 wrote to memory of 2976 2956 Mddibb32.exe 31 PID 2956 wrote to memory of 2976 2956 Mddibb32.exe 31 PID 2956 wrote to memory of 2976 2956 Mddibb32.exe 31 PID 2976 wrote to memory of 2776 2976 Mlpngd32.exe 32 PID 2976 wrote to memory of 2776 2976 Mlpngd32.exe 32 PID 2976 wrote to memory of 2776 2976 Mlpngd32.exe 32 PID 2976 wrote to memory of 2776 2976 Mlpngd32.exe 32 PID 2776 wrote to memory of 2124 2776 Mejoei32.exe 33 PID 2776 wrote to memory of 2124 2776 Mejoei32.exe 33 PID 2776 wrote to memory of 2124 2776 Mejoei32.exe 33 PID 2776 wrote to memory of 2124 2776 Mejoei32.exe 33 PID 2124 wrote to memory of 2992 2124 Mhkhgd32.exe 34 PID 2124 wrote to memory of 2992 2124 Mhkhgd32.exe 34 PID 2124 wrote to memory of 2992 2124 Mhkhgd32.exe 34 PID 2124 wrote to memory of 2992 2124 Mhkhgd32.exe 34 PID 2992 wrote to memory of 2940 2992 Ngqeha32.exe 35 PID 2992 wrote to memory of 2940 2992 Ngqeha32.exe 35 PID 2992 wrote to memory of 2940 2992 Ngqeha32.exe 35 PID 2992 wrote to memory of 2940 2992 Ngqeha32.exe 35 PID 2940 wrote to memory of 2868 2940 Nianjl32.exe 36 PID 2940 wrote to memory of 2868 2940 Nianjl32.exe 36 PID 2940 wrote to memory of 2868 2940 Nianjl32.exe 36 PID 2940 wrote to memory of 2868 2940 Nianjl32.exe 36 PID 2868 wrote to memory of 1468 2868 Nlbgkgcc.exe 37 PID 2868 wrote to memory of 1468 2868 Nlbgkgcc.exe 37 PID 2868 wrote to memory of 1468 2868 Nlbgkgcc.exe 37 PID 2868 wrote to memory of 1468 2868 Nlbgkgcc.exe 37 PID 1468 wrote to memory of 784 1468 Nldcagaq.exe 38 PID 1468 wrote to memory of 784 1468 Nldcagaq.exe 38 PID 1468 wrote to memory of 784 1468 Nldcagaq.exe 38 PID 1468 wrote to memory of 784 1468 Nldcagaq.exe 38 PID 784 wrote to memory of 3004 784 Oklmhcdf.exe 39 PID 784 wrote to memory of 3004 784 Oklmhcdf.exe 39 PID 784 wrote to memory of 3004 784 Oklmhcdf.exe 39 PID 784 wrote to memory of 3004 784 Oklmhcdf.exe 39 PID 3004 wrote to memory of 1412 3004 Olkjaflh.exe 40 PID 3004 wrote to memory of 1412 3004 Olkjaflh.exe 40 PID 3004 wrote to memory of 1412 3004 Olkjaflh.exe 40 PID 3004 wrote to memory of 1412 3004 Olkjaflh.exe 40 PID 1412 wrote to memory of 1800 1412 Okqgcb32.exe 41 PID 1412 wrote to memory of 1800 1412 Okqgcb32.exe 41 PID 1412 wrote to memory of 1800 1412 Okqgcb32.exe 41 PID 1412 wrote to memory of 1800 1412 Okqgcb32.exe 41 PID 1800 wrote to memory of 1768 1800 Odiklh32.exe 42 PID 1800 wrote to memory of 1768 1800 Odiklh32.exe 42 PID 1800 wrote to memory of 1768 1800 Odiklh32.exe 42 PID 1800 wrote to memory of 1768 1800 Odiklh32.exe 42 PID 1768 wrote to memory of 2504 1768 Pqplqile.exe 43 PID 1768 wrote to memory of 2504 1768 Pqplqile.exe 43 PID 1768 wrote to memory of 2504 1768 Pqplqile.exe 43 PID 1768 wrote to memory of 2504 1768 Pqplqile.exe 43 PID 2504 wrote to memory of 2236 2504 Pncljmko.exe 44 PID 2504 wrote to memory of 2236 2504 Pncljmko.exe 44 PID 2504 wrote to memory of 2236 2504 Pncljmko.exe 44 PID 2504 wrote to memory of 2236 2504 Pncljmko.exe 44 PID 2236 wrote to memory of 1820 2236 Pqdelh32.exe 45 PID 2236 wrote to memory of 1820 2236 Pqdelh32.exe 45 PID 2236 wrote to memory of 1820 2236 Pqdelh32.exe 45 PID 2236 wrote to memory of 1820 2236 Pqdelh32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\6293c7fb892752996708a86fd05d08be49cb97abd622555923a291e46cec59dbN.exe"C:\Users\Admin\AppData\Local\Temp\6293c7fb892752996708a86fd05d08be49cb97abd622555923a291e46cec59dbN.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\SysWOW64\Mddibb32.exeC:\Windows\system32\Mddibb32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\Mlpngd32.exeC:\Windows\system32\Mlpngd32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\Mejoei32.exeC:\Windows\system32\Mejoei32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\Mhkhgd32.exeC:\Windows\system32\Mhkhgd32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Windows\SysWOW64\Ngqeha32.exeC:\Windows\system32\Ngqeha32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\SysWOW64\Nianjl32.exeC:\Windows\system32\Nianjl32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\Nlbgkgcc.exeC:\Windows\system32\Nlbgkgcc.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Nldcagaq.exeC:\Windows\system32\Nldcagaq.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1468 -
C:\Windows\SysWOW64\Oklmhcdf.exeC:\Windows\system32\Oklmhcdf.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:784 -
C:\Windows\SysWOW64\Olkjaflh.exeC:\Windows\system32\Olkjaflh.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\SysWOW64\Okqgcb32.exeC:\Windows\system32\Okqgcb32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1412 -
C:\Windows\SysWOW64\Odiklh32.exeC:\Windows\system32\Odiklh32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1800 -
C:\Windows\SysWOW64\Pqplqile.exeC:\Windows\system32\Pqplqile.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1768 -
C:\Windows\SysWOW64\Pncljmko.exeC:\Windows\system32\Pncljmko.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\SysWOW64\Pqdelh32.exeC:\Windows\system32\Pqdelh32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\Poibmdmh.exeC:\Windows\system32\Poibmdmh.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1820 -
C:\Windows\SysWOW64\Pkpcbecl.exeC:\Windows\system32\Pkpcbecl.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2132 -
C:\Windows\SysWOW64\Qidckjae.exeC:\Windows\system32\Qidckjae.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:720 -
C:\Windows\SysWOW64\Qekdpkgj.exeC:\Windows\system32\Qekdpkgj.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2228 -
C:\Windows\SysWOW64\Aemafjeg.exeC:\Windows\system32\Aemafjeg.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1280 -
C:\Windows\SysWOW64\Akjfhdka.exeC:\Windows\system32\Akjfhdka.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1536 -
C:\Windows\SysWOW64\Agqfme32.exeC:\Windows\system32\Agqfme32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1060 -
C:\Windows\SysWOW64\Aidpjm32.exeC:\Windows\system32\Aidpjm32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2012 -
C:\Windows\SysWOW64\Bleilh32.exeC:\Windows\system32\Bleilh32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2580 -
C:\Windows\SysWOW64\Bfmjoqoe.exeC:\Windows\system32\Bfmjoqoe.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1580 -
C:\Windows\SysWOW64\Bpengf32.exeC:\Windows\system32\Bpengf32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2576 -
C:\Windows\SysWOW64\Bhpclica.exeC:\Windows\system32\Bhpclica.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2880 -
C:\Windows\SysWOW64\Blnkbg32.exeC:\Windows\system32\Blnkbg32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1612 -
C:\Windows\SysWOW64\Bakdjn32.exeC:\Windows\system32\Bakdjn32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2996 -
C:\Windows\SysWOW64\Cfhlbe32.exeC:\Windows\system32\Cfhlbe32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1048 -
C:\Windows\SysWOW64\Cglfndaa.exeC:\Windows\system32\Cglfndaa.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2772 -
C:\Windows\SysWOW64\Clinfk32.exeC:\Windows\system32\Clinfk32.exe33⤵
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Cllkkk32.exeC:\Windows\system32\Cllkkk32.exe34⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Ccecheeb.exeC:\Windows\system32\Ccecheeb.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:2352 -
C:\Windows\SysWOW64\Cipleo32.exeC:\Windows\system32\Cipleo32.exe36⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Dhehfk32.exeC:\Windows\system32\Dhehfk32.exe37⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Dekeeonn.exeC:\Windows\system32\Dekeeonn.exe38⤵
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Ejadibmh.exeC:\Windows\system32\Ejadibmh.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:1112 -
C:\Windows\SysWOW64\Elpqemll.exeC:\Windows\system32\Elpqemll.exe40⤵
- Executes dropped EXE
PID:792 -
C:\Windows\SysWOW64\Eqnillbb.exeC:\Windows\system32\Eqnillbb.exe41⤵
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\Ekjgbi32.exeC:\Windows\system32\Ekjgbi32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2176 -
C:\Windows\SysWOW64\Fkldgi32.exeC:\Windows\system32\Fkldgi32.exe43⤵
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Fkambhgf.exeC:\Windows\system32\Fkambhgf.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1972 -
C:\Windows\SysWOW64\Fqnfkoen.exeC:\Windows\system32\Fqnfkoen.exe45⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Fjfjcdln.exeC:\Windows\system32\Fjfjcdln.exe46⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Fcoolj32.exeC:\Windows\system32\Fcoolj32.exe47⤵
- Executes dropped EXE
PID:592 -
C:\Windows\SysWOW64\Fikgda32.exeC:\Windows\system32\Fikgda32.exe48⤵
- Executes dropped EXE
PID:1936 -
C:\Windows\SysWOW64\Gbdlnf32.exeC:\Windows\system32\Gbdlnf32.exe49⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Gindjqnc.exeC:\Windows\system32\Gindjqnc.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2604 -
C:\Windows\SysWOW64\Gphlgk32.exeC:\Windows\system32\Gphlgk32.exe51⤵
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Geddoa32.exeC:\Windows\system32\Geddoa32.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2928 -
C:\Windows\SysWOW64\Gpjilj32.exeC:\Windows\system32\Gpjilj32.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1824 -
C:\Windows\SysWOW64\Gbheif32.exeC:\Windows\system32\Gbheif32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Ghenamai.exeC:\Windows\system32\Ghenamai.exe55⤵
- Executes dropped EXE
PID:2032 -
C:\Windows\SysWOW64\Gnofng32.exeC:\Windows\system32\Gnofng32.exe56⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Glcfgk32.exeC:\Windows\system32\Glcfgk32.exe57⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Gbmoceol.exeC:\Windows\system32\Gbmoceol.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:1856 -
C:\Windows\SysWOW64\Hjhchg32.exeC:\Windows\system32\Hjhchg32.exe59⤵
- Executes dropped EXE
PID:1832 -
C:\Windows\SysWOW64\Habkeacd.exeC:\Windows\system32\Habkeacd.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:2212 -
C:\Windows\SysWOW64\Hnflnfbm.exeC:\Windows\system32\Hnflnfbm.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1108 -
C:\Windows\SysWOW64\Hfaqbh32.exeC:\Windows\system32\Hfaqbh32.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1540 -
C:\Windows\SysWOW64\Hbhagiem.exeC:\Windows\system32\Hbhagiem.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2248 -
C:\Windows\SysWOW64\Hjoiiffo.exeC:\Windows\system32\Hjoiiffo.exe64⤵
- Executes dropped EXE
PID:904 -
C:\Windows\SysWOW64\Hplbamdf.exeC:\Windows\system32\Hplbamdf.exe65⤵
- Executes dropped EXE
PID:2128 -
C:\Windows\SysWOW64\Hffjng32.exeC:\Windows\system32\Hffjng32.exe66⤵PID:2572
-
C:\Windows\SysWOW64\Ibmkbh32.exeC:\Windows\system32\Ibmkbh32.exe67⤵
- Modifies registry class
PID:2060 -
C:\Windows\SysWOW64\Ileoknhh.exeC:\Windows\system32\Ileoknhh.exe68⤵PID:1676
-
C:\Windows\SysWOW64\Iencdc32.exeC:\Windows\system32\Iencdc32.exe69⤵PID:1960
-
C:\Windows\SysWOW64\Ilhlan32.exeC:\Windows\system32\Ilhlan32.exe70⤵
- Modifies registry class
PID:1688 -
C:\Windows\SysWOW64\Ikmibjkm.exeC:\Windows\system32\Ikmibjkm.exe71⤵
- Drops file in System32 directory
PID:2920 -
C:\Windows\SysWOW64\Idemkp32.exeC:\Windows\system32\Idemkp32.exe72⤵PID:2616
-
C:\Windows\SysWOW64\Iokahhac.exeC:\Windows\system32\Iokahhac.exe73⤵PID:1616
-
C:\Windows\SysWOW64\Idgjqook.exeC:\Windows\system32\Idgjqook.exe74⤵
- System Location Discovery: System Language Discovery
PID:2288 -
C:\Windows\SysWOW64\Jakjjcnd.exeC:\Windows\system32\Jakjjcnd.exe75⤵PID:636
-
C:\Windows\SysWOW64\Jcmgal32.exeC:\Windows\system32\Jcmgal32.exe76⤵PID:1472
-
C:\Windows\SysWOW64\Jnbkodci.exeC:\Windows\system32\Jnbkodci.exe77⤵PID:2252
-
C:\Windows\SysWOW64\Jcocgkbp.exeC:\Windows\system32\Jcocgkbp.exe78⤵PID:944
-
C:\Windows\SysWOW64\Jlghpa32.exeC:\Windows\system32\Jlghpa32.exe79⤵PID:1984
-
C:\Windows\SysWOW64\Jgmlmj32.exeC:\Windows\system32\Jgmlmj32.exe80⤵PID:760
-
C:\Windows\SysWOW64\Jpeafo32.exeC:\Windows\system32\Jpeafo32.exe81⤵PID:368
-
C:\Windows\SysWOW64\Jfbinf32.exeC:\Windows\system32\Jfbinf32.exe82⤵PID:2360
-
C:\Windows\SysWOW64\Jllakpdk.exeC:\Windows\system32\Jllakpdk.exe83⤵PID:1104
-
C:\Windows\SysWOW64\Kkaolm32.exeC:\Windows\system32\Kkaolm32.exe84⤵PID:2204
-
C:\Windows\SysWOW64\Kghoan32.exeC:\Windows\system32\Kghoan32.exe85⤵PID:2640
-
C:\Windows\SysWOW64\Knbgnhfd.exeC:\Windows\system32\Knbgnhfd.exe86⤵PID:108
-
C:\Windows\SysWOW64\Kkfhglen.exeC:\Windows\system32\Kkfhglen.exe87⤵PID:1076
-
C:\Windows\SysWOW64\Kdnlpaln.exeC:\Windows\system32\Kdnlpaln.exe88⤵PID:1992
-
C:\Windows\SysWOW64\Kmjaddii.exeC:\Windows\system32\Kmjaddii.exe89⤵PID:1576
-
C:\Windows\SysWOW64\Kjnanhhc.exeC:\Windows\system32\Kjnanhhc.exe90⤵PID:2804
-
C:\Windows\SysWOW64\Lqgjkbop.exeC:\Windows\system32\Lqgjkbop.exe91⤵PID:2828
-
C:\Windows\SysWOW64\Lgabgl32.exeC:\Windows\system32\Lgabgl32.exe92⤵PID:2552
-
C:\Windows\SysWOW64\Lqjfpbmm.exeC:\Windows\system32\Lqjfpbmm.exe93⤵PID:2136
-
C:\Windows\SysWOW64\Lchclmla.exeC:\Windows\system32\Lchclmla.exe94⤵
- Drops file in System32 directory
PID:2300 -
C:\Windows\SysWOW64\Liekddkh.exeC:\Windows\system32\Liekddkh.exe95⤵PID:2164
-
C:\Windows\SysWOW64\Lckpbm32.exeC:\Windows\system32\Lckpbm32.exe96⤵PID:2412
-
C:\Windows\SysWOW64\Lelljepm.exeC:\Windows\system32\Lelljepm.exe97⤵PID:976
-
C:\Windows\SysWOW64\Lfkhch32.exeC:\Windows\system32\Lfkhch32.exe98⤵PID:1508
-
C:\Windows\SysWOW64\Lkhalo32.exeC:\Windows\system32\Lkhalo32.exe99⤵
- Modifies registry class
PID:456 -
C:\Windows\SysWOW64\Lbbiii32.exeC:\Windows\system32\Lbbiii32.exe100⤵PID:2736
-
C:\Windows\SysWOW64\Mgoaap32.exeC:\Windows\system32\Mgoaap32.exe101⤵
- Modifies registry class
PID:2764 -
C:\Windows\SysWOW64\Mbdfni32.exeC:\Windows\system32\Mbdfni32.exe102⤵PID:1692
-
C:\Windows\SysWOW64\Mganfp32.exeC:\Windows\system32\Mganfp32.exe103⤵PID:2908
-
C:\Windows\SysWOW64\Mmngof32.exeC:\Windows\system32\Mmngof32.exe104⤵PID:2800
-
C:\Windows\SysWOW64\Nfmahkhh.exeC:\Windows\system32\Nfmahkhh.exe105⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2424 -
C:\Windows\SysWOW64\Nilndfgl.exeC:\Windows\system32\Nilndfgl.exe106⤵
- Drops file in System32 directory
PID:320 -
C:\Windows\SysWOW64\Npffaq32.exeC:\Windows\system32\Npffaq32.exe107⤵
- Modifies registry class
PID:980 -
C:\Windows\SysWOW64\Nhakecld.exeC:\Windows\system32\Nhakecld.exe108⤵PID:2436
-
C:\Windows\SysWOW64\Nbfobllj.exeC:\Windows\system32\Nbfobllj.exe109⤵PID:2152
-
C:\Windows\SysWOW64\Nkbcgnie.exeC:\Windows\system32\Nkbcgnie.exe110⤵PID:1876
-
C:\Windows\SysWOW64\Neghdg32.exeC:\Windows\system32\Neghdg32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1868 -
C:\Windows\SysWOW64\Nhfdqb32.exeC:\Windows\system32\Nhfdqb32.exe112⤵PID:1512
-
C:\Windows\SysWOW64\Noplmlok.exeC:\Windows\system32\Noplmlok.exe113⤵PID:2516
-
C:\Windows\SysWOW64\Ndmeecmb.exeC:\Windows\system32\Ndmeecmb.exe114⤵
- Modifies registry class
PID:2560 -
C:\Windows\SysWOW64\Okfmbm32.exeC:\Windows\system32\Okfmbm32.exe115⤵PID:2488
-
C:\Windows\SysWOW64\Odoakckp.exeC:\Windows\system32\Odoakckp.exe116⤵PID:2968
-
C:\Windows\SysWOW64\Ohjmlaci.exeC:\Windows\system32\Ohjmlaci.exe117⤵PID:3028
-
C:\Windows\SysWOW64\Oiljcj32.exeC:\Windows\system32\Oiljcj32.exe118⤵PID:2816
-
C:\Windows\SysWOW64\Opebpdad.exeC:\Windows\system32\Opebpdad.exe119⤵PID:2336
-
C:\Windows\SysWOW64\Ogpjmn32.exeC:\Windows\system32\Ogpjmn32.exe120⤵PID:2184
-
C:\Windows\SysWOW64\Ophoecoa.exeC:\Windows\system32\Ophoecoa.exe121⤵PID:2260
-
C:\Windows\SysWOW64\Ogbgbn32.exeC:\Windows\system32\Ogbgbn32.exe122⤵PID:2140
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-