Analysis
max time kernel: 93s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-11-2024 08:19
Static task: static1
Behavioral task: behavioral1
  Sample: c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe
  Resource: win10v2004-20241007-en
General
Target: c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe
Size: 245KB
MD5: 945849ea8f8feb995f855f2ae2ac8370
SHA1: 0b9d178b16d9954657ccc973940e3c238b38c498
SHA256: c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9
SHA512: 7d92d91978a1d7145adfab7eeb42621a33faa4e7c9981eff69946ab6c7298e11af1c00343c580ce7512f246c864a0799e062dc081dc51b62d8a60abd252ff165
SSDEEP: 1536:Bz6+rVZyPt8Ul8yiYijKst1kRzARx36xf/4cXeXvubKrFEwMEwKhbArEwKhQL4co:Bz6oVZyeJJRjl1YuKxfwago+bAr+Qka
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Oiojkffd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bpnnakmf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cpljbi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dcaloc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jnfgbc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jdhiej32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pfdppdop.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aloeii32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lcjide32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bjjohe32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bmpadpnc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nfgkilok.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Inoaadih.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iannnphl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pkcenj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Edhoie32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pfijkc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nfgkilok.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dkanob32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Egfkfa32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ejegblid.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jjmhgd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pbikjl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Okcmgmjg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cmagpihd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Llekcj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Llidnjkc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cdeimhkb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hglfol32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fgadgilh.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pfjqei32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cikkeppa.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ejpngm32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Abimfcid.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pamhmb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ejbklm32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Epnidpme.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fpeoeogm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ljkhbnlo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ockkbqne.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mdkhidoj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nollbldc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Acfmjf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Liaelpdj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mcmoab32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ajcigf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aflfag32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dpnpmb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pbikjl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lhaagfik.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aloeii32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Abimfcid.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Amoacl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kecekkjh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lkpncb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nhpgpboi.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cionei32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nhldoifj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ibhqlc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jaljon32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Laalak32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Abkjlb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Longjpoe.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pijbmnhk.exe
Berbew family
Executes dropped EXE (64 IoCs)
pid | Process
4768 | Kbnjig32.exe
688 | Klgoalkh.exe
2716 | Kcqgnfbe.exe
2552 | Keappapf.exe
2740 | Kahpebej.exe
4368 | Lchmoe32.exe
1068 | Liaelpdj.exe
4604 | Llpahkcm.exe
5004 | Lcjide32.exe
844 | Ljfogo32.exe
3528 | Llekcj32.exe
4872 | Lpbcii32.exe
2412 | Ljkhbnlo.exe
4436 | Llidnjkc.exe
1492 | Mjmdgn32.exe
1248 | Mlnnii32.exe
4620 | Mbkfap32.exe
4408 | Mffbbomn.exe
4480 | Mplfog32.exe
4276 | Mqnceg32.exe
708 | Mcmoab32.exe
1144 | Nbblbo32.exe
4104 | Nhldoifj.exe
2976 | Nofmlc32.exe
3920 | Nhnadidg.exe
3304 | Njnnnllj.exe
5000 | Nqhfkf32.exe
3276 | Njpjdkig.exe
4644 | Nfgkilok.exe
212 | Oqlofeoa.exe
4092 | Ockkbqne.exe
1636 | Ooalga32.exe
3876 | Oijqpg32.exe
4320 | Oodimaaf.exe
704 | Obbeimaj.exe
408 | Ojimjjal.exe
1176 | Opfebqpd.exe
2784 | Obdbolog.exe
3384 | Oiojkffd.exe
912 | Oqfblcgf.exe
3984 | Opibhq32.exe
4280 | Ppkonp32.exe
2900 | Pbikjl32.exe
1668 | Piccfe32.exe
2480 | Pfgdpj32.exe
2000 | Pamhmb32.exe
2756 | Pfjqei32.exe
4008 | Pmcibc32.exe
3496 | Pflmkimc.exe
2960 | Ppdbdo32.exe
2760 | Pfnjqikq.exe
2236 | Qpgoinaa.exe
4296 | Qiocbd32.exe
4040 | Qbggkiob.exe
5032 | Ammlhbnh.exe
4164 | Apkhdn32.exe
3408 | Aidlmcdl.exe
3964 | Adiqjlcb.exe
324 | Ajcigf32.exe
4624 | Amaeca32.exe
1716 | Afjjlg32.exe
4764 | Amdbiahp.exe
1060 | Adnjek32.exe
4484 | Aflfag32.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Keqieklj.exe | Khmhlg32.exe
File created | C:\Windows\SysWOW64\Gkbhpocn.dll | Opibhq32.exe
File created | C:\Windows\SysWOW64\Iecamf32.dll | Djnaamol.exe
File created | C:\Windows\SysWOW64\Ggbchm32.exe | Gedgla32.exe
File created | C:\Windows\SysWOW64\Agolnflf.dll | Hekmmqme.exe
File created | C:\Windows\SysWOW64\Bepobppn.dll | Nhpgpboi.exe
File created | C:\Windows\SysWOW64\Bnchjo32.dll | Pbidoe32.exe
File opened for modification | C:\Windows\SysWOW64\Nqhfkf32.exe | Njnnnllj.exe
File opened for modification | C:\Windows\SysWOW64\Dablmkba.exe | Djldlnao.exe
File created | C:\Windows\SysWOW64\Fbebihbl.exe | Fcbefalp.exe
File created | C:\Windows\SysWOW64\Cgjbcebq.exe | Bpqjfk32.exe
File opened for modification | C:\Windows\SysWOW64\Mkepeo32.exe | Mdkhidoj.exe
File created | C:\Windows\SysWOW64\Cionei32.exe | Cmhmqhbl.exe
File created | C:\Windows\SysWOW64\Kbkfiaco.exe | Kjdnhcbl.exe
File created | C:\Windows\SysWOW64\Dlhofd32.dll | Femnbg32.exe
File created | C:\Windows\SysWOW64\Lhkdneaq.exe | Laalak32.exe
File opened for modification | C:\Windows\SysWOW64\Ppdbdo32.exe | Pflmkimc.exe
File opened for modification | C:\Windows\SysWOW64\Epnidpme.exe | Eidqgf32.exe
File created | C:\Windows\SysWOW64\Gjocoi32.exe | Gcekbokj.exe
File created | C:\Windows\SysWOW64\Ajhhlpmm.dll | Mclhfl32.exe
File opened for modification | C:\Windows\SysWOW64\Oqlofeoa.exe | Nfgkilok.exe
File created | C:\Windows\SysWOW64\Jdpklo32.dll | Dcaloc32.exe
File created | C:\Windows\SysWOW64\Fanajimp.dll | Leebqk32.exe
File created | C:\Windows\SysWOW64\Nikpidbp.dll | Bmkhip32.exe
File created | C:\Windows\SysWOW64\Ghblpi32.dll | Mdkhidoj.exe
File created | C:\Windows\SysWOW64\Dlddme32.dll | Pfijkc32.exe
File created | C:\Windows\SysWOW64\Edghoo32.exe | Emnpbepd.exe
File created | C:\Windows\SysWOW64\Fkdpod32.dll | Dappgk32.exe
File opened for modification | C:\Windows\SysWOW64\Pigfgo32.exe | Pfijkc32.exe
File created | C:\Windows\SysWOW64\Gckmqbod.dll | Aflpgq32.exe
File created | C:\Windows\SysWOW64\Fpjhpo32.exe | Fnllcc32.exe
File created | C:\Windows\SysWOW64\Mmgqogpe.dll | c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe
File opened for modification | C:\Windows\SysWOW64\Mcmoab32.exe | Mqnceg32.exe
File opened for modification | C:\Windows\SysWOW64\Oqfblcgf.exe | Oiojkffd.exe
File created | C:\Windows\SysWOW64\Mjcclf32.dll | Gbaaeggo.exe
File opened for modification | C:\Windows\SysWOW64\Gjocoi32.exe | Gcekbokj.exe
File created | C:\Windows\SysWOW64\Pcmjdg32.exe | Pmcbgmcg.exe
File opened for modification | C:\Windows\SysWOW64\Ljfogo32.exe | Lcjide32.exe
File opened for modification | C:\Windows\SysWOW64\Ooalga32.exe | Ockkbqne.exe
File created | C:\Windows\SysWOW64\Jicnaean.dll | Pfjqei32.exe
File created | C:\Windows\SysWOW64\Niacgmml.dll | Ephing32.exe
File created | C:\Windows\SysWOW64\Klgoalkh.exe | Kbnjig32.exe
File opened for modification | C:\Windows\SysWOW64\Gdpnabgb.exe | Gbaaeggo.exe
File created | C:\Windows\SysWOW64\Khoebgkn.exe | Keqieklj.exe
File opened for modification | C:\Windows\SysWOW64\Pcmjdg32.exe | Pmcbgmcg.exe
File opened for modification | C:\Windows\SysWOW64\Adnjek32.exe | Amdbiahp.exe
File created | C:\Windows\SysWOW64\Lcpikn32.exe | Llfqnc32.exe
File created | C:\Windows\SysWOW64\Afjjlg32.exe | Amaeca32.exe
File opened for modification | C:\Windows\SysWOW64\Odpjkalb.exe | Oboaif32.exe
File created | C:\Windows\SysWOW64\Qpgoinaa.exe | Pfnjqikq.exe
File created | C:\Windows\SysWOW64\Bhjnom32.dll | Apmnpg32.exe
File created | C:\Windows\SysWOW64\Epnidpme.exe | Eidqgf32.exe
File created | C:\Windows\SysWOW64\Ldkobgmm.exe | Longjpoe.exe
File created | C:\Windows\SysWOW64\Qohjnfpf.dll | Edekip32.exe
File created | C:\Windows\SysWOW64\Fllpjp32.exe | Fgogai32.exe
File opened for modification | C:\Windows\SysWOW64\Nofmlc32.exe | Nhldoifj.exe
File created | C:\Windows\SysWOW64\Elnplg32.dll | Ecfejc32.exe
File created | C:\Windows\SysWOW64\Kaikfmma.dll | Pccgnibo.exe
File created | C:\Windows\SysWOW64\Dkppekog.dll | Aijlcl32.exe
File created | C:\Windows\SysWOW64\Bncpqm32.dll | Badgdold.exe
File created | C:\Windows\SysWOW64\Pliioanb.dll | Ggbchm32.exe
File opened for modification | C:\Windows\SysWOW64\Hccgcmoj.exe | Hbakld32.exe
File opened for modification | C:\Windows\SysWOW64\Khmhlg32.exe | Koddcagp.exe
File created | C:\Windows\SysWOW64\Gkfbhn32.dll | Edhoie32.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
8348 | 8272 | WerFault.exe | 377
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pigfgo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Njpjdkig.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jjmhgd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pbidoe32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ojimjjal.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fkbpmmdg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jhloeikc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pfbcjdab.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pkcenj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nofmlc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kbdiopkd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Femnbg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Klgoalkh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kcqgnfbe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dfhhjmbe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lhkdneaq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ooalga32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Amdbiahp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Khmhlg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Blmakgeg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mbkfap32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pfgdpj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mdikce32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Omioaokb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pfdppdop.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Abimfcid.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eekalg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Opfebqpd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pamhmb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Egihkqhn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Longjpoe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mdkhidoj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Blhhpg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eghaajdb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lchmoe32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nfgkilok.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Obbeimaj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qpgoinaa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hbjdkepd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aidlmcdl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mamlmi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fpcbop32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jomncb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mecnbhle.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mclhfl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nbblbo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bfhfne32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cgjbcebq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dgkljb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Icljjkgp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aflpgq32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fdcgkn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Keappapf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Obdbolog.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ppdbdo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pfnjqikq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dablmkba.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cbcico32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ppkonp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cpljbi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Keqieklj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pieiao32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Amanik32.exe
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jdhiej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjodin32.dll" Cmagpihd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idelqf32.dll" Liaelpdj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkbpmmdg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjjbkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmcebmaa.dll" Hbjdkepd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djilbf32.dll" Kbnjig32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Baiqpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Acfmjf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eekalg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dappgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cccjfnfq.dll" Mkepeo32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfiqnn32.dll" Clfdaeml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qecpgo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qiocbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddlong32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ephing32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbebihbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kilicb32.dll" Aegibnhg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kahpebej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qbggkiob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Epgbca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nikpidbp.dll" Bmkhip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbdiopkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amoacl32.exe 
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbcico32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fnllcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Milgfoef.dll" Mecnbhle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Edghoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dancal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fnopci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdijlhkm.dll" Lkpncb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apkhdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaikfmma.dll" Pccgnibo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pbidoe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Llekcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gnciohah.exe Set value (str) 
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pieiao32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ienackeo.dll" Dccbjm32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bknkdbpo.dll" Diihfn32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmofnhi.dll" Omioaokb.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Liaelpdj.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhnadidg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Digkqn32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddlong32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eghaag32.dll" Qpgoinaa.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cikkeppa.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhpnid32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aijlcl32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fgogai32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ammlhbnh.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aflfag32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abimfcid.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nknclm32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Keappapf.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emjfdh32.dll" Opfebqpd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Diihfn32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kecekkjh.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Apmnpg32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Adnjek32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpljbi32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcaloc32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Edhoie32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cionei32.exe
-
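Every "Modifies registry class" row above hits one key, the 32-bit (WOW6432Node) view of CLSID {79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32, whose default value is the DLL COM loads in-process for that class. Five different dropped processes point it at five different SysWow64 DLLs and a dozen more re-create the key or reset ThreadingModel. The Python below is an added example, not part of the sandbox report or of the sample: it parses rows in the report's own "<operation> <ioc> <process>" layout (a constructed subset of the rows above is embedded), groups the writes per CLSID, and flags a CLSID whose in-process server is rewritten to more than one DLL or by more than one process. That "one installer writes a COM registration once" rule is my heuristic, not one of the sandbox's signatures.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the "Modifies registry class" rows from the
# report above, one event per line in its "<operation> <ioc> <process>" form.
# REG_SZ data is shown the way the report shows it, with doubled backslashes.
SAMPLE_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pieiao32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ienackeo.dll" Dccbjm32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bknkdbpo.dll" Diihfn32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmofnhi.dll" Omioaokb.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhnadidg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eghaag32.dll" Qpgoinaa.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cikkeppa.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Keappapf.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emjfdh32.dll" Opfebqpd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Diihfn32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cionei32.exe
"""

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# key = everything up to the last backslash, name = value name ("" is the default value)
SET_RE = re.compile(
    r'^Set value \(str\)\s+(?P<key>\S+?)\\(?P<name>[^\\\s]*)\s+=\s+"(?P<data>.*)"\s+(?P<proc>\S+)$')
CREATE_RE = re.compile(r"^Key created\s+(?P<key>\S+)\s+(?P<proc>\S+)$")


def parse_rows(text):
    """One dict per row: op, key (without the value name), name, data with the
    report's doubled backslashes collapsed to a real path, and writer process."""
    events = []
    for line in text.strip().splitlines():
        m = SET_RE.match(line)
        if m:
            events.append({"op": "set", "key": m["key"], "name": m["name"],
                           "data": m["data"].replace("\\\\", "\\"), "proc": m["proc"]})
            continue
        m = CREATE_RE.match(line)
        if m:
            events.append({"op": "create", "key": m["key"], "name": None,
                           "data": None, "proc": m["proc"]})
            continue
        raise ValueError(f"unrecognised row: {line!r}")
    return events


def summarize_inprocserver32(events):
    """Per CLSID: DLL paths written to the InProcServer32 default value (the
    in-process COM server), every process that touched the key, event count."""
    summary = defaultdict(lambda: {"dlls": set(), "writers": set(), "events": 0})
    for ev in events:
        m = CLSID_RE.search(ev["key"])
        if not m or not ev["key"].lower().endswith("\\inprocserver32"):
            continue
        entry = summary[m.group(0)]
        entry["events"] += 1
        entry["writers"].add(ev["proc"])
        if ev["op"] == "set" and ev["name"] == "":
            entry["dlls"].add(ev["data"])
    return dict(summary)


def flag_hijacked_clsids(summary, max_writers=1):
    """Heuristic (mine, not a sandbox signature): an installer registers a COM
    class once.  One CLSID pointed at several DLLs, or written by more than
    max_writers distinct processes, is the re-registration pattern above."""
    return sorted(clsid for clsid, e in summary.items()
                  if len(e["dlls"]) > 1 or len(e["writers"]) > max_writers)


if __name__ == "__main__":
    summary = summarize_inprocserver32(parse_rows(SAMPLE_ROWS))
    for clsid in flag_hijacked_clsids(summary):
        e = summary[clsid]
        print(f"{clsid}: {e['events']} events from {len(e['writers'])} processes")
        for dll in sorted(e["dlls"]):
            print("  InProcServer32 ->", dll)
```

On the embedded subset this reports the single CLSID with five distinct server DLLs written by ten distinct processes. On a live host the same summary can be fed from a registry audit or Sysmon event 13 feed; the threshold is the only thing that should change.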
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 3112 wrote to memory of 4768 3112 c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe 83
PID 3112 wrote to memory of 4768 3112 c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe 83
PID 3112 wrote to memory of 4768 3112 c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe 83
PID 4768 wrote to memory of 688 4768 Kbnjig32.exe 84
PID 4768 wrote to memory of 688 4768 Kbnjig32.exe 84
PID 4768 wrote to memory of 688 4768 Kbnjig32.exe 84
PID 688 wrote to memory of 2716 688 Klgoalkh.exe 85
PID 688 wrote to memory of 2716 688 Klgoalkh.exe 85
PID 688 wrote to memory of 2716 688 Klgoalkh.exe 85
PID 2716 wrote to memory of 2552 2716 Kcqgnfbe.exe 88
PID 2716 wrote to memory of 2552 2716 Kcqgnfbe.exe 88
PID 2716 wrote to memory of 2552 2716 Kcqgnfbe.exe 88
PID 2552 wrote to memory of 2740 2552 Keappapf.exe 89
PID 2552 wrote to memory of 2740 2552 Keappapf.exe 89
PID 2552 wrote to memory of 2740 2552 Keappapf.exe 89
PID 2740 wrote to memory of 4368 2740 Kahpebej.exe 90
PID 2740 wrote to memory of 4368 2740 Kahpebej.exe 90
PID 2740 wrote to memory of 4368 2740 Kahpebej.exe 90
PID 4368 wrote to memory of 1068 4368 Lchmoe32.exe 91
PID 4368 wrote to memory of 1068 4368 Lchmoe32.exe 91
PID 4368 wrote to memory of 1068 4368 Lchmoe32.exe 91
PID 1068 wrote to memory of 4604 1068 Liaelpdj.exe 93
PID 1068 wrote to memory of 4604 1068 Liaelpdj.exe 93
PID 1068 wrote to memory of 4604 1068 Liaelpdj.exe 93
PID 4604 wrote to memory of 5004 4604 Llpahkcm.exe 94
PID 4604 wrote to memory of 5004 4604 Llpahkcm.exe 94
PID 4604 wrote to memory of 5004 4604 Llpahkcm.exe 94
PID 5004 wrote to memory of 844 5004 Lcjide32.exe 95
PID 5004 wrote to memory of 844 5004 Lcjide32.exe 95
PID 5004 wrote to memory of 844 5004 Lcjide32.exe 95
PID 844 wrote to memory of 3528 844 Ljfogo32.exe 96
PID 844 wrote to memory of 3528 844 Ljfogo32.exe 96
PID 844 wrote to memory of 3528 844 Ljfogo32.exe 96
PID 3528 wrote to memory of 4872 3528 Llekcj32.exe 97
PID 3528 wrote to memory of 4872 3528 Llekcj32.exe 97
PID 3528 wrote to memory of 4872 3528 Llekcj32.exe 97
PID 4872 wrote to memory of 2412 4872 Lpbcii32.exe 98
PID 4872 wrote to memory of 2412 4872 Lpbcii32.exe 98
PID 4872 wrote to memory of 2412 4872 Lpbcii32.exe 98
PID 2412 wrote to memory of 4436 2412 Ljkhbnlo.exe 99
PID 2412 wrote to memory of 4436 2412 Ljkhbnlo.exe 99
PID 2412 wrote to memory of 4436 2412 Ljkhbnlo.exe 99
PID 4436 wrote to memory of 1492 4436 Llidnjkc.exe 100
PID 4436 wrote to memory of 1492 4436 Llidnjkc.exe 100
PID 4436 wrote to memory of 1492 4436 Llidnjkc.exe 100
PID 1492 wrote to memory of 1248 1492 Mjmdgn32.exe 101
PID 1492 wrote to memory of 1248 1492 Mjmdgn32.exe 101
PID 1492 wrote to memory of 1248 1492 Mjmdgn32.exe 101
PID 1248 wrote to memory of 4620 1248 Mlnnii32.exe 102
PID 1248 wrote to memory of 4620 1248 Mlnnii32.exe 102
PID 1248 wrote to memory of 4620 1248 Mlnnii32.exe 102
PID 4620 wrote to memory of 4408 4620 Mbkfap32.exe 103
PID 4620 wrote to memory of 4408 4620 Mbkfap32.exe 103
PID 4620 wrote to memory of 4408 4620 Mbkfap32.exe 103
PID 4408 wrote to memory of 4480 4408 Mffbbomn.exe 104
PID 4408 wrote to memory of 4480 4408 Mffbbomn.exe 104
PID 4408 wrote to memory of 4480 4408 Mffbbomn.exe 104
PID 4480 wrote to memory of 4276 4480 Mplfog32.exe 105
PID 4480 wrote to memory of 4276 4480 Mplfog32.exe 105
PID 4480 wrote to memory of 4276 4480 Mplfog32.exe 105
PID 4276 wrote to memory of 708 4276 Mqnceg32.exe 106
PID 4276 wrote to memory of 708 4276 Mqnceg32.exe 106
PID 4276 wrote to memory of 708 4276 Mqnceg32.exe 106
PID 708 wrote to memory of 1144 708 Mcmoab32.exe 107
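The WriteProcessMemory table is a strict relay in the same parent-to-child order as the process tree below: the submitted sample writes into Kbnjig32.exe, Kbnjig32.exe writes into Klgoalkh.exe, and so on, three recorded calls per hop, until the table is cut at 64 IoCs. The Python below is an added example, not part of the report: it parses rows in the table's own "<description> <pid> <process> <procid_target>" layout (the first five hops are embedded as a constructed sample), collapses the repeated calls into one edge per writer and target, and walks the chain from the root, failing loudly if the graph is anything but one linear chain. The procid_target column is carried through unchanged; it is the sandbox's own process identifier and is not interpreted here.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the first five hops of the "Suspicious use of
# WriteProcessMemory" table above, in its "<description> <pid> <process>
# <procid_target>" row layout.  The sandbox logged three calls per child, so
# every hop appears three times, exactly as on the page.
WPM_ROWS = """\
PID 3112 wrote to memory of 4768 3112 c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe 83
PID 3112 wrote to memory of 4768 3112 c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe 83
PID 3112 wrote to memory of 4768 3112 c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe 83
PID 4768 wrote to memory of 688 4768 Kbnjig32.exe 84
PID 4768 wrote to memory of 688 4768 Kbnjig32.exe 84
PID 4768 wrote to memory of 688 4768 Kbnjig32.exe 84
PID 688 wrote to memory of 2716 688 Klgoalkh.exe 85
PID 688 wrote to memory of 2716 688 Klgoalkh.exe 85
PID 688 wrote to memory of 2716 688 Klgoalkh.exe 85
PID 2716 wrote to memory of 2552 2716 Kcqgnfbe.exe 88
PID 2716 wrote to memory of 2552 2716 Kcqgnfbe.exe 88
PID 2716 wrote to memory of 2552 2716 Kcqgnfbe.exe 88
PID 2552 wrote to memory of 2740 2552 Keappapf.exe 89
PID 2552 wrote to memory of 2740 2552 Keappapf.exe 89
PID 2552 wrote to memory of 2740 2552 Keappapf.exe 89
"""

ROW_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)\s+"
                    r"(?P<pid>\d+)\s+(?P<proc>\S+)\s+(?P<target>\d+)$")


def parse_wpm_rows(text):
    """(writer pid, target pid, writer image, procid_target) per row.  The
    procid_target column is the sandbox's own process id and is kept opaque."""
    events = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        if m["src"] != m["pid"]:
            raise ValueError(f"pid column disagrees with description: {line!r}")
        events.append((int(m["src"]), int(m["dst"]), m["proc"], int(m["target"])))
    return events


def build_graph(events):
    """Collapse repeated rows into writer -> {targets} edges; also keep the
    call count per edge and the image name each writer pid was seen with."""
    edges, calls, names = defaultdict(set), Counter(), {}
    for src, dst, proc, _target in events:
        edges[src].add(dst)
        calls[(src, dst)] += 1
        names[src] = proc
    return dict(edges), calls, names


def relay_chain(edges):
    """Walk from the root (a writer nobody wrote into) to the leaf.  Raises if
    the graph is not one linear chain, which is the shape this report shows:
    each dropped EXE writes into exactly one child, which writes into the next."""
    targets = {d for ds in edges.values() for d in ds}
    roots = [s for s in edges if s not in targets]
    if len(roots) != 1:
        raise ValueError(f"expected exactly one root writer, found {roots}")
    chain = [roots[0]]
    while chain[-1] in edges:
        children = edges[chain[-1]]
        if len(children) != 1:
            raise ValueError(f"pid {chain[-1]} wrote into {len(children)} children")
        (nxt,) = children
        if nxt in chain:
            raise ValueError("cycle in WriteProcessMemory graph")
        chain.append(nxt)
    return chain


def relay_processes(edges):
    """Pids that were written into and then wrote into another process: the
    hand-off nodes a dropper-spawns-dropper chain is made of."""
    targets = {d for ds in edges.values() for d in ds}
    return sorted(p for p in edges if p in targets)


if __name__ == "__main__":
    edges, calls, names = build_graph(parse_wpm_rows(WPM_ROWS))
    chain = relay_chain(edges)
    for parent, child in zip(chain, chain[1:]):
        print(f"{names[parent]} ({parent}) -> pid {child}: "
              f"{calls[(parent, child)]} WriteProcessMemory calls")
    print("relay nodes:", relay_processes(edges))
```

The leaf of the chain (pid 2740 in the sample) has no image name in the WriteProcessMemory rows themselves; the process tree below supplies it (Kahpebej.exe). Running the same code over the full 64-row table yields a 23-process chain ending at pid 1144.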
Processes
-
Each entry gives the nesting depth in the process tree, the PID, the image path and, in parentheses, the command line as recorded; the bullets under an entry are the signatures that fired for that process.
[1] PID 3112  C:\Users\Admin\AppData\Local\Temp\c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe  (command line: "C:\Users\Admin\AppData\Local\Temp\c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe")
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
[2] PID 4768  C:\Windows\SysWOW64\Kbnjig32.exe  (command line: C:\Windows\system32\Kbnjig32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
[3] PID 688  C:\Windows\SysWOW64\Klgoalkh.exe  (command line: C:\Windows\system32\Klgoalkh.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
[4] PID 2716  C:\Windows\SysWOW64\Kcqgnfbe.exe  (command line: C:\Windows\system32\Kcqgnfbe.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
[5] PID 2552  C:\Windows\SysWOW64\Keappapf.exe  (command line: C:\Windows\system32\Keappapf.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
[6] PID 2740  C:\Windows\SysWOW64\Kahpebej.exe  (command line: C:\Windows\system32\Kahpebej.exe)
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
[7] PID 4368  C:\Windows\SysWOW64\Lchmoe32.exe  (command line: C:\Windows\system32\Lchmoe32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
[8] PID 1068  C:\Windows\SysWOW64\Liaelpdj.exe  (command line: C:\Windows\system32\Liaelpdj.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
[9] PID 4604  C:\Windows\SysWOW64\Llpahkcm.exe  (command line: C:\Windows\system32\Llpahkcm.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[10] PID 5004  C:\Windows\SysWOW64\Lcjide32.exe  (command line: C:\Windows\system32\Lcjide32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
[11] PID 844  C:\Windows\SysWOW64\Ljfogo32.exe  (command line: C:\Windows\system32\Ljfogo32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[12] PID 3528  C:\Windows\SysWOW64\Llekcj32.exe  (command line: C:\Windows\system32\Llekcj32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
[13] PID 4872  C:\Windows\SysWOW64\Lpbcii32.exe  (command line: C:\Windows\system32\Lpbcii32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[14] PID 2412  C:\Windows\SysWOW64\Ljkhbnlo.exe  (command line: C:\Windows\system32\Ljkhbnlo.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[15] PID 4436  C:\Windows\SysWOW64\Llidnjkc.exe  (command line: C:\Windows\system32\Llidnjkc.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[16] PID 1492  C:\Windows\SysWOW64\Mjmdgn32.exe  (command line: C:\Windows\system32\Mjmdgn32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[17] PID 1248  C:\Windows\SysWOW64\Mlnnii32.exe  (command line: C:\Windows\system32\Mlnnii32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[18] PID 4620  C:\Windows\SysWOW64\Mbkfap32.exe  (command line: C:\Windows\system32\Mbkfap32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
[19] PID 4408  C:\Windows\SysWOW64\Mffbbomn.exe  (command line: C:\Windows\system32\Mffbbomn.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[20] PID 4480  C:\Windows\SysWOW64\Mplfog32.exe  (command line: C:\Windows\system32\Mplfog32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[21] PID 4276  C:\Windows\SysWOW64\Mqnceg32.exe  (command line: C:\Windows\system32\Mqnceg32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
[22] PID 708  C:\Windows\SysWOW64\Mcmoab32.exe  (command line: C:\Windows\system32\Mcmoab32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[23] PID 1144  C:\Windows\SysWOW64\Nbblbo32.exe  (command line: C:\Windows\system32\Nbblbo32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
[24] PID 4104  C:\Windows\SysWOW64\Nhldoifj.exe  (command line: C:\Windows\system32\Nhldoifj.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
[25] PID 2976  C:\Windows\SysWOW64\Nofmlc32.exe  (command line: C:\Windows\system32\Nofmlc32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
[26] PID 3920  C:\Windows\SysWOW64\Nhnadidg.exe  (command line: C:\Windows\system32\Nhnadidg.exe)
- Executes dropped EXE
- Modifies registry class
[27] PID 3304  C:\Windows\SysWOW64\Njnnnllj.exe  (command line: C:\Windows\system32\Njnnnllj.exe)
- Executes dropped EXE
- Drops file in System32 directory
[28] PID 5000  C:\Windows\SysWOW64\Nqhfkf32.exe  (command line: C:\Windows\system32\Nqhfkf32.exe)
- Executes dropped EXE
[29] PID 3276  C:\Windows\SysWOW64\Njpjdkig.exe  (command line: C:\Windows\system32\Njpjdkig.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
[30] PID 4644  C:\Windows\SysWOW64\Nfgkilok.exe  (command line: C:\Windows\system32\Nfgkilok.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
[31] PID 212  C:\Windows\SysWOW64\Oqlofeoa.exe  (command line: C:\Windows\system32\Oqlofeoa.exe)
- Executes dropped EXE
[32] PID 4092  C:\Windows\SysWOW64\Ockkbqne.exe  (command line: C:\Windows\system32\Ockkbqne.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
[33] PID 1636  C:\Windows\SysWOW64\Ooalga32.exe  (command line: C:\Windows\system32\Ooalga32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
[34] PID 3876  C:\Windows\SysWOW64\Oijqpg32.exe  (command line: C:\Windows\system32\Oijqpg32.exe)
- Executes dropped EXE
[35] PID 4320  C:\Windows\SysWOW64\Oodimaaf.exe  (command line: C:\Windows\system32\Oodimaaf.exe)
- Executes dropped EXE
[36] PID 704  C:\Windows\SysWOW64\Obbeimaj.exe  (command line: C:\Windows\system32\Obbeimaj.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
[37] PID 408  C:\Windows\SysWOW64\Ojimjjal.exe  (command line: C:\Windows\system32\Ojimjjal.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
[38] PID 1176  C:\Windows\SysWOW64\Opfebqpd.exe  (command line: C:\Windows\system32\Opfebqpd.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
[39] PID 2784  C:\Windows\SysWOW64\Obdbolog.exe  (command line: C:\Windows\system32\Obdbolog.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
[40] PID 3384  C:\Windows\SysWOW64\Oiojkffd.exe  (command line: C:\Windows\system32\Oiojkffd.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
[41] PID 912  C:\Windows\SysWOW64\Oqfblcgf.exe  (command line: C:\Windows\system32\Oqfblcgf.exe)
- Executes dropped EXE
[42] PID 3984  C:\Windows\SysWOW64\Opibhq32.exe  (command line: C:\Windows\system32\Opibhq32.exe)
- Executes dropped EXE
- Drops file in System32 directory
[43] PID 4280  C:\Windows\SysWOW64\Ppkonp32.exe  (command line: C:\Windows\system32\Ppkonp32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
[44] PID 2900  C:\Windows\SysWOW64\Pbikjl32.exe  (command line: C:\Windows\system32\Pbikjl32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
[45] PID 1668  C:\Windows\SysWOW64\Piccfe32.exe  (command line: C:\Windows\system32\Piccfe32.exe)
- Executes dropped EXE
[46] PID 2480  C:\Windows\SysWOW64\Pfgdpj32.exe  (command line: C:\Windows\system32\Pfgdpj32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
[47] PID 2000  C:\Windows\SysWOW64\Pamhmb32.exe  (command line: C:\Windows\system32\Pamhmb32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
[48] PID 2756  C:\Windows\SysWOW64\Pfjqei32.exe  (command line: C:\Windows\system32\Pfjqei32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
[49] PID 4008  C:\Windows\SysWOW64\Pmcibc32.exe  (command line: C:\Windows\system32\Pmcibc32.exe)
- Executes dropped EXE
[50] PID 3496  C:\Windows\SysWOW64\Pflmkimc.exe  (command line: C:\Windows\system32\Pflmkimc.exe)
- Executes dropped EXE
- Drops file in System32 directory
[51] PID 2960  C:\Windows\SysWOW64\Ppdbdo32.exe  (command line: C:\Windows\system32\Ppdbdo32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
[52] PID 2760  C:\Windows\SysWOW64\Pfnjqikq.exe  (command line: C:\Windows\system32\Pfnjqikq.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
[53] PID 2236  C:\Windows\SysWOW64\Qpgoinaa.exe  (command line: C:\Windows\system32\Qpgoinaa.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
[54] PID 4296  C:\Windows\SysWOW64\Qiocbd32.exe  (command line: C:\Windows\system32\Qiocbd32.exe)
- Executes dropped EXE
- Modifies registry class
[55] PID 4040  C:\Windows\SysWOW64\Qbggkiob.exe  (command line: C:\Windows\system32\Qbggkiob.exe)
- Executes dropped EXE
- Modifies registry class
[56] PID 5032  C:\Windows\SysWOW64\Ammlhbnh.exe  (command line: C:\Windows\system32\Ammlhbnh.exe)
- Executes dropped EXE
- Modifies registry class
[57] PID 4164  C:\Windows\SysWOW64\Apkhdn32.exe  (command line: C:\Windows\system32\Apkhdn32.exe)
- Executes dropped EXE
- Modifies registry class
[58] PID 3408  C:\Windows\SysWOW64\Aidlmcdl.exe  (command line: C:\Windows\system32\Aidlmcdl.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
[59] PID 3964  C:\Windows\SysWOW64\Adiqjlcb.exe  (command line: C:\Windows\system32\Adiqjlcb.exe)
- Executes dropped EXE
[60] PID 324  C:\Windows\SysWOW64\Ajcigf32.exe  (command line: C:\Windows\system32\Ajcigf32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
[61] PID 4624  C:\Windows\SysWOW64\Amaeca32.exe  (command line: C:\Windows\system32\Amaeca32.exe)
- Executes dropped EXE
- Drops file in System32 directory
[62] PID 1716  C:\Windows\SysWOW64\Afjjlg32.exe  (command line: C:\Windows\system32\Afjjlg32.exe)
- Executes dropped EXE
[63] PID 4764  C:\Windows\SysWOW64\Amdbiahp.exe  (command line: C:\Windows\system32\Amdbiahp.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
[64] PID 1060  C:\Windows\SysWOW64\Adnjek32.exe  (command line: C:\Windows\system32\Adnjek32.exe)
- Executes dropped EXE
- Modifies registry class
[65] PID 4484  C:\Windows\SysWOW64\Aflfag32.exe  (command line: C:\Windows\system32\Aflfag32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
[66] PID 2816  C:\Windows\SysWOW64\Abcgghde.exe  (command line: C:\Windows\system32\Abcgghde.exe)
[67] PID 3936  C:\Windows\SysWOW64\Bjjohe32.exe  (command line: C:\Windows\system32\Bjjohe32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
[68] PID 1644  C:\Windows\SysWOW64\Badgdold.exe  (command line: C:\Windows\system32\Badgdold.exe)
- Drops file in System32 directory
[69] PID 3812  C:\Windows\SysWOW64\Bfapmfkk.exe  (command line: C:\Windows\system32\Bfapmfkk.exe)
[70] PID 3208  C:\Windows\SysWOW64\Bmkhip32.exe  (command line: C:\Windows\system32\Bmkhip32.exe)
- Drops file in System32 directory
- Modifies registry class
[71] PID 744  C:\Windows\SysWOW64\Bjohcdab.exe  (command line: C:\Windows\system32\Bjohcdab.exe)
[72] PID 2244  C:\Windows\SysWOW64\Baiqpo32.exe  (command line: C:\Windows\system32\Baiqpo32.exe)
- Modifies registry class
[73] PID 396  C:\Windows\SysWOW64\Bbjmggnm.exe  (command line: C:\Windows\system32\Bbjmggnm.exe)
[74] PID 3340  C:\Windows\SysWOW64\Bmpadpnc.exe  (command line: C:\Windows\system32\Bmpadpnc.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
[75] PID 4648  C:\Windows\SysWOW64\Bpnnakmf.exe  (command line: C:\Windows\system32\Bpnnakmf.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
[76] PID 2472  C:\Windows\SysWOW64\Bfhfne32.exe  (command line: C:\Windows\system32\Bfhfne32.exe)
- System Location Discovery: System Language Discovery
[77] PID 1748  C:\Windows\SysWOW64\Bpqjfk32.exe  (command line: C:\Windows\system32\Bpqjfk32.exe)
- Drops file in System32 directory
[78] PID 2848  C:\Windows\SysWOW64\Cgjbcebq.exe  (command line: C:\Windows\system32\Cgjbcebq.exe)
- System Location Discovery: System Language Discovery
[79] PID 4168  C:\Windows\SysWOW64\Ciioopad.exe  (command line: C:\Windows\system32\Ciioopad.exe)
[80] PID 1620  C:\Windows\SysWOW64\Cikkeppa.exe  (command line: C:\Windows\system32\Cikkeppa.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
[81] PID 1312  C:\Windows\SysWOW64\Ckkhocgd.exe  (command line: C:\Windows\system32\Ckkhocgd.exe)
[82] PID 4360  C:\Windows\SysWOW64\Cdclgh32.exe  (command line: C:\Windows\system32\Cdclgh32.exe)
[83] PID 3444  C:\Windows\SysWOW64\Cagmamlo.exe  (command line: C:\Windows\system32\Cagmamlo.exe)
[84] PID 3840  C:\Windows\SysWOW64\Cdeimhkb.exe  (command line: C:\Windows\system32\Cdeimhkb.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
[85] PID 980  C:\Windows\SysWOW64\Cpljbi32.exe  (command line: C:\Windows\system32\Cpljbi32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
[86] PID 5036  C:\Windows\SysWOW64\Dkanob32.exe  (command line: C:\Windows\system32\Dkanob32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
[87] PID 4540  C:\Windows\SysWOW64\Dghodc32.exe  (command line: C:\Windows\system32\Dghodc32.exe)
[88] PID 936  C:\Windows\SysWOW64\Digkqn32.exe  (command line: C:\Windows\system32\Digkqn32.exe)
- Modifies registry class
[89] PID 2588  C:\Windows\SysWOW64\Dancal32.exe  (command line: C:\Windows\system32\Dancal32.exe)
- Modifies registry class
[90] PID 2468  C:\Windows\SysWOW64\Ddlong32.exe  (command line: C:\Windows\system32\Ddlong32.exe)
- Modifies registry class
[91] PID 3140  C:\Windows\SysWOW64\Dgkljb32.exe  (command line: C:\Windows\system32\Dgkljb32.exe)
- System Location Discovery: System Language Discovery
[92] PID 4380  C:\Windows\SysWOW64\Diihfn32.exe  (command line: C:\Windows\system32\Diihfn32.exe)
- Modifies registry class
[93] PID 4428  C:\Windows\SysWOW64\Dappgk32.exe  (command line: C:\Windows\system32\Dappgk32.exe)
- Drops file in System32 directory
- Modifies registry class
[94] PID 5172  C:\Windows\SysWOW64\Dcaloc32.exe  (command line: C:\Windows\system32\Dcaloc32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
[95] PID 5216  C:\Windows\SysWOW64\Djldlnao.exe  (command line: C:\Windows\system32\Djldlnao.exe)
- Drops file in System32 directory
[96] PID 5260  C:\Windows\SysWOW64\Dablmkba.exe  (command line: C:\Windows\system32\Dablmkba.exe)
- System Location Discovery: System Language Discovery
[97] PID 5300  C:\Windows\SysWOW64\Ddaiifae.exe  (command line: C:\Windows\system32\Ddaiifae.exe)
[98] PID 5344  C:\Windows\SysWOW64\Djnaamol.exe  (command line: C:\Windows\system32\Djnaamol.exe)
- Drops file in System32 directory
[99] PID 5384  C:\Windows\SysWOW64\Ephing32.exe  (command line: C:\Windows\system32\Ephing32.exe)
- Drops file in System32 directory
- Modifies registry class
[100] PID 5428  C:\Windows\SysWOW64\Ecfejc32.exe  (command line: C:\Windows\system32\Ecfejc32.exe)
- Drops file in System32 directory
[101] PID 5472  C:\Windows\SysWOW64\Ejpngm32.exe  (command line: C:\Windows\system32\Ejpngm32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
[102] PID 5516  C:\Windows\SysWOW64\Epjfcgef.exe  (command line: C:\Windows\system32\Epjfcgef.exe)
[103] PID 5560  C:\Windows\SysWOW64\Ecibpbdj.exe  (command line: C:\Windows\system32\Ecibpbdj.exe)
[104] PID 5604  C:\Windows\SysWOW64\Ejbklm32.exe  (command line: C:\Windows\system32\Ejbklm32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
[105] PID 5648  C:\Windows\SysWOW64\Edhoie32.exe  (command line: C:\Windows\system32\Edhoie32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
[106] PID 5692  C:\Windows\SysWOW64\Egfkfa32.exe  (command line: C:\Windows\system32\Egfkfa32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
[107] PID 5736  C:\Windows\SysWOW64\Ejegblid.exe  (command line: C:\Windows\system32\Ejegblid.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
[108] PID 5780  C:\Windows\SysWOW64\Egihkqhn.exe  (command line: C:\Windows\system32\Egihkqhn.exe)
- System Location Discovery: System Language Discovery
[109] PID 5824  C:\Windows\SysWOW64\Eanlhihd.exe  (command line: C:\Windows\system32\Eanlhihd.exe)
[110] PID 5868  C:\Windows\SysWOW64\Egkdapfk.exe  (command line: C:\Windows\system32\Egkdapfk.exe)
[111] PID 5912  C:\Windows\SysWOW64\Fcbefalp.exe  (command line: C:\Windows\system32\Fcbefalp.exe)
- Drops file in System32 directory
[112] PID 5960  C:\Windows\SysWOW64\Fbebihbl.exe  (command line: C:\Windows\system32\Fbebihbl.exe)
- Modifies registry class
[113] PID 6004  C:\Windows\SysWOW64\Fdfkkcom.exe  (command line: C:\Windows\system32\Fdfkkcom.exe)
[114] PID 6048  C:\Windows\SysWOW64\Fnopci32.exe  (command line: C:\Windows\system32\Fnopci32.exe)
- Modifies registry class
[115] PID 6112  C:\Windows\SysWOW64\Fdhhqc32.exe  (command line: C:\Windows\system32\Fdhhqc32.exe)
[116] PID 3492  C:\Windows\SysWOW64\Fkbpmmdg.exe  (command line: C:\Windows\system32\Fkbpmmdg.exe)
- System Location Discovery: System Language Discovery
- Modifies registry class
[117] PID 5180  C:\Windows\SysWOW64\Gnciohah.exe  (command line: C:\Windows\system32\Gnciohah.exe)
- Modifies registry class
[118] PID 5256  C:\Windows\SysWOW64\Gcpago32.exe  (command line: C:\Windows\system32\Gcpago32.exe)
[119] PID 5312  C:\Windows\SysWOW64\Gbaaeggo.exe  (command line: C:\Windows\system32\Gbaaeggo.exe)
- Drops file in System32 directory
[120] PID 5372  C:\Windows\SysWOW64\Gdpnabgb.exe  (command line: C:\Windows\system32\Gdpnabgb.exe)
[121] PID 5440  C:\Windows\SysWOW64\Gcekbokj.exe  (command line: C:\Windows\system32\Gcekbokj.exe)
- Drops file in System32 directory
[122] PID 5524  C:\Windows\SysWOW64\Gjocoi32.exe  (command line: C:\Windows\system32\Gjocoi32.exe)