Analysis
-
max time kernel
39s -
max time network
21s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
19/11/2024, 17:45
Behavioral task
behavioral1
Sample
73374b2f4fe9d14875e2f9e7a44d2ff3bbf96e2832d6b4bff33d62140c114e58N.exe
Resource
win7-20240729-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
73374b2f4fe9d14875e2f9e7a44d2ff3bbf96e2832d6b4bff33d62140c114e58N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
73374b2f4fe9d14875e2f9e7a44d2ff3bbf96e2832d6b4bff33d62140c114e58N.exe
-
Size
224KB
-
MD5
d63bbe7fa3223fb14b08bf47d0a6d510
-
SHA1
860fa571ad9d506caa3f33f2b64858c5084c3487
-
SHA256
73374b2f4fe9d14875e2f9e7a44d2ff3bbf96e2832d6b4bff33d62140c114e58
-
SHA512
6419152f7f95b273258e9dc1fd351a384b7f4a69806d6bdf74c44cdb9a7945456984fb36492c61da1b29b8a20cac993de670c91034b3a594be5424ff574d64f1
-
SSDEEP
3072:cFDw294NIuYUvIMDrFDHZtOgxBOXXwwfBoD6N3h8N5G2qVUDrFDHZtOgtSU:cGrL4s5tTDUZNSN58VU5tTtf
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkkmln32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnplgl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iljkofkg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmpfgklo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkqbhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pihbbgjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkjdpp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elcpdeam.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcjhig32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iagchmjn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpmlcpdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnbfkccn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkkmln32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpcbhlki.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qeglqpaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgibijkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcfioj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgfqii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epakcm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnbnnm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlejkl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qoopie32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnogmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbhbfmkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjhgdqef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ciebdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndgdpn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajghgd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lppkgi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnpieceq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdolga32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlkqpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbloba32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgmndokg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pljnmkoo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdcebagp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjkcedgp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhmchljg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfppgohb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfphmi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oldooi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omekgakg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjfkbhae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfakbf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgaqohql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nijcgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knaqcabh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cipnng32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekmjanpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elpldp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mojaceln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kegebn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hedllgjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hedllgjk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Denknngk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpfkhbon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjajno32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qdkfic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plheil32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdqfnhpa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gohqhl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Annpaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihlbih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmbkfd32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2372 Piemih32.exe 2348 Plffkc32.exe 2808 Pngbcldl.exe 2768 Pdajpf32.exe 2344 Pgdpgqgg.exe 2668 Qdhqpe32.exe 2352 Qmcedg32.exe 2848 Ajgfnk32.exe 1624 Aqanke32.exe 2880 Aofklbnj.exe 2836 Aeccdila.exe 1720 Aokdga32.exe 1912 Aehmoh32.exe 2196 Ablmilgf.exe 292 Bnbnnm32.exe 812 Bfppgohb.exe 2500 Bphdpe32.exe 1544 Bmldji32.exe 1548 Bcfmfc32.exe 1936 Claake32.exe 1976 Cbljgpja.exe 2088 Ciebdj32.exe 2256 Celbik32.exe 1760 Codgbqmc.exe 2076 Ceoooj32.exe 1580 Cddlpg32.exe 2660 Coiqmp32.exe 2940 Cpkmehol.exe 3004 Dpmjjhmi.exe 2664 Diencmcj.exe 1056 Dpofpg32.exe 940 Dihkimag.exe 2284 Denknngk.exe 1780 Deahcneh.exe 2872 Dlkqpg32.exe 2876 Eagiho32.exe 2204 Eokiabjf.exe 2132 Ealbcngg.exe 2164 Ehfkphnd.exe 388 Eopcmb32.exe 552 Ekgcbcke.exe 1644 Epdljjjm.exe 2064 Egndgdai.exe 2432 Fnhlcn32.exe 2448 Fgpalcog.exe 1996 Fjomhonj.exe 844 Flmidkmn.exe 1100 Fokfqflb.exe 2908 Fjajno32.exe 2168 Fmofjj32.exe 2936 Fbloba32.exe 2820 Fhfgokap.exe 1948 Fclkldqe.exe 1144 Ffjghppi.exe 568 Fkgpaf32.exe 3068 Fnelmb32.exe 1168 Gikpjk32.exe 1508 Godhgedg.exe 2356 Gqfeom32.exe 1048 Ggpmkgab.exe 2692 Gbeaip32.exe 2080 Gknfaehi.exe 2884 Gmobin32.exe 1656 Gjccbb32.exe -
Loads dropped DLL 64 IoCs
pid Process 2316 73374b2f4fe9d14875e2f9e7a44d2ff3bbf96e2832d6b4bff33d62140c114e58N.exe 2316 73374b2f4fe9d14875e2f9e7a44d2ff3bbf96e2832d6b4bff33d62140c114e58N.exe 2372 Piemih32.exe 2372 Piemih32.exe 2348 Plffkc32.exe 2348 Plffkc32.exe 2808 Pngbcldl.exe 2808 Pngbcldl.exe 2768 Pdajpf32.exe 2768 Pdajpf32.exe 2344 Pgdpgqgg.exe 2344 Pgdpgqgg.exe 2668 Qdhqpe32.exe 2668 Qdhqpe32.exe 2352 Qmcedg32.exe 2352 Qmcedg32.exe 2848 Ajgfnk32.exe 2848 Ajgfnk32.exe 1624 Aqanke32.exe 1624 Aqanke32.exe 2880 Aofklbnj.exe 2880 Aofklbnj.exe 2836 Aeccdila.exe 2836 Aeccdila.exe 1720 Aokdga32.exe 1720 Aokdga32.exe 1912 Aehmoh32.exe 1912 Aehmoh32.exe 2196 Ablmilgf.exe 2196 Ablmilgf.exe 292 Bnbnnm32.exe 292 Bnbnnm32.exe 812 Bfppgohb.exe 812 Bfppgohb.exe 2500 Bphdpe32.exe 2500 Bphdpe32.exe 1544 Bmldji32.exe 1544 Bmldji32.exe 1548 Bcfmfc32.exe 1548 Bcfmfc32.exe 1936 Claake32.exe 1936 Claake32.exe 1976 Cbljgpja.exe 1976 Cbljgpja.exe 2088 Ciebdj32.exe 2088 Ciebdj32.exe 2256 Celbik32.exe 2256 Celbik32.exe 1760 Codgbqmc.exe 1760 Codgbqmc.exe 2076 Ceoooj32.exe 2076 Ceoooj32.exe 1580 Cddlpg32.exe 1580 Cddlpg32.exe 2660 Coiqmp32.exe 2660 Coiqmp32.exe 2940 Cpkmehol.exe 2940 Cpkmehol.exe 3004 Dpmjjhmi.exe 3004 Dpmjjhmi.exe 2664 Diencmcj.exe 2664 Diencmcj.exe 1056 Dpofpg32.exe 1056 Dpofpg32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Kpkcdn32.exe Knmghb32.exe File created C:\Windows\SysWOW64\Ibbffq32.exe Ihlbih32.exe File opened for modification C:\Windows\SysWOW64\Necqbp32.exe Nbddfe32.exe File created C:\Windows\SysWOW64\Kbjbibli.exe Kaieai32.exe File created C:\Windows\SysWOW64\Npgpnq32.dll Cfmjoe32.exe File created C:\Windows\SysWOW64\Eikngjpo.dll Efifjg32.exe File created C:\Windows\SysWOW64\Abfjga32.dll Hbgjmcba.exe File created C:\Windows\SysWOW64\Magfkkpi.dll Okolfkjg.exe File created C:\Windows\SysWOW64\Ddcadd32.exe Dadehh32.exe File created C:\Windows\SysWOW64\Mfngbq32.exe Lodoefed.exe File created C:\Windows\SysWOW64\Acloba32.dll Ddnaonia.exe File created C:\Windows\SysWOW64\Nghehm32.dll Qomcdf32.exe File created C:\Windows\SysWOW64\Fbdpjgjf.exe Fljhmmci.exe File created C:\Windows\SysWOW64\Hqhiab32.exe Hkkaik32.exe File created C:\Windows\SysWOW64\Kllboe32.dll Dlnjjc32.exe File created C:\Windows\SysWOW64\Gbkdgn32.exe Gkaljdaf.exe File created C:\Windows\SysWOW64\Cdjkhnje.dll Mgdmeh32.exe File created C:\Windows\SysWOW64\Cmolej32.dll Jadlgjjq.exe File created C:\Windows\SysWOW64\Cbekip32.dll Ljhppo32.exe File created C:\Windows\SysWOW64\Bfkakbpp.exe Bcmeogam.exe File created C:\Windows\SysWOW64\Bmhmgbif.exe Bgkeol32.exe File created C:\Windows\SysWOW64\Ajgfnk32.exe Qmcedg32.exe File opened for modification C:\Windows\SysWOW64\Memncbmj.exe Maabcc32.exe File opened for modification C:\Windows\SysWOW64\Bfphmi32.exe Bnhqll32.exe File created C:\Windows\SysWOW64\Gkaljdaf.exe Gdgcnj32.exe File created C:\Windows\SysWOW64\Eigaib32.dll Mdahnmck.exe File opened for modification C:\Windows\SysWOW64\Omjeba32.exe Ofpmegpe.exe File opened for modification C:\Windows\SysWOW64\Hbgjmcba.exe Hecjco32.exe File opened for modification C:\Windows\SysWOW64\Llfcik32.exe Lflklaoc.exe File opened for modification C:\Windows\SysWOW64\Gddpndhp.exe Gafcahil.exe File created C:\Windows\SysWOW64\Gaopnk32.dll Kikpgk32.exe File created C:\Windows\SysWOW64\Adcobk32.exe Aadbfp32.exe File created C:\Windows\SysWOW64\Bdpnlo32.exe Bfnnpbnn.exe File created C:\Windows\SysWOW64\Cfocnoae.dll Ndgdpn32.exe File created C:\Windows\SysWOW64\Nilpmo32.exe Nfncad32.exe File created C:\Windows\SysWOW64\Bgfdjfkh.exe Bcjhig32.exe File created C:\Windows\SysWOW64\Gdpene32.dll Dbidof32.exe File opened for modification C:\Windows\SysWOW64\Ealbcngg.exe Eokiabjf.exe File created C:\Windows\SysWOW64\Geplpfnh.exe Gdophn32.exe File opened for modification C:\Windows\SysWOW64\Fnhlcn32.exe Egndgdai.exe File created C:\Windows\SysWOW64\Fnagchpe.dll Njcibgcf.exe File created C:\Windows\SysWOW64\Kbldbo32.dll Nnpofe32.exe File created C:\Windows\SysWOW64\Kaieai32.exe Kkomepon.exe File opened for modification C:\Windows\SysWOW64\Hopgikop.exe Gheola32.exe File created C:\Windows\SysWOW64\Jcdmpg32.dll Cbihpbpl.exe File opened for modification C:\Windows\SysWOW64\Fmpnpe32.exe Fkbadifn.exe File created C:\Windows\SysWOW64\Oiifcdhn.exe Obonfj32.exe File created C:\Windows\SysWOW64\Mkdfpb32.dll Cabldeik.exe File created C:\Windows\SysWOW64\Fqnhcgma.exe Fnplgl32.exe File opened for modification C:\Windows\SysWOW64\Imqdcjkd.exe Hfflfp32.exe File created C:\Windows\SysWOW64\Nfncad32.exe Ncpgeh32.exe File created C:\Windows\SysWOW64\Agakog32.exe Adcobk32.exe File created C:\Windows\SysWOW64\Oicoednb.dll Kcqfahom.exe File created C:\Windows\SysWOW64\Odmbgbpa.dll Qefihg32.exe File created C:\Windows\SysWOW64\Fmgklpjm.dll Lpjiik32.exe File created C:\Windows\SysWOW64\Paemac32.exe Pogaeg32.exe File created C:\Windows\SysWOW64\Cnjbfhqa.exe Cjngej32.exe File opened for modification C:\Windows\SysWOW64\Adcobk32.exe Aadbfp32.exe File opened for modification C:\Windows\SysWOW64\Fhqfie32.exe Fnkblm32.exe File created C:\Windows\SysWOW64\Hccllbjf.dll Kegebn32.exe File created C:\Windows\SysWOW64\Kdlbckee.exe Knbjgq32.exe File created C:\Windows\SysWOW64\Gknhjn32.exe Gddpndhp.exe File opened for modification C:\Windows\SysWOW64\Ggeiooea.exe Gdfmccfm.exe File created C:\Windows\SysWOW64\Jfqjjp32.dll Nmkbfmpf.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7672 7412 WerFault.exe 886 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hedllgjk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnbfkccn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebkndibq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekgcbcke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghqchi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hobjia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddqeodjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emncci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deahcneh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehfkphnd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qefihg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcqfahom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnipgp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jafilj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Haejcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgaoec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfijfdca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elpldp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnmdfi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldgnmhhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfflfp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npieoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgpnjkgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imchcplm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knmghb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccdnipal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lggdfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhdcbjal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olehbh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Degobhjg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plheil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hibebeqb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flmidkmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifniaeqk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mchjjc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hminbkql.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhmchljg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnacbj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cabldeik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqnhcgma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfekkgla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdlbckee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gohnpcmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifiilp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdahnmck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aofklbnj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmldji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfjibdbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmojfcdk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjjnnbfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pihbbgjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkccob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acplpjpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jadlgjjq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcdmikma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljbmbpkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lccepqdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dabkla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coiqmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibejfffo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahioobed.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgehpk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pinnfonh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hklhca32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nilpmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Adfbbabc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Noieei32.dll" Edidcb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fgibijkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnldnbno.dll" Oafhmf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qdkfic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbkimd32.dll" Abdpngjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkjdpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Opkndldc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qkpnph32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aadbfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqidng32.dll" Cgfqii32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hminbkql.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnlilb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkiooocb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aimkeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcaajfbd.dll" Eokiabjf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adbmjbif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cabldeik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpmcpglh.dll" Lahaqm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kmpfgklo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmpfgklo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adcobk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbdlphnb.dll" Dnpedghl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffofoi32.dll" Cfekkgla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhfihd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Opcaiggo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odefpfcd.dll" Annpaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iiaoip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ificlp32.dll" Baiingae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhemaec.dll" Fofekp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bncpffdn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emilqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kooklaek.dll" Dijjgegh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoakai32.dll" Kaieai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gikpjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahmcbk32.dll" Qamjmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gkaljdaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jhahcjcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Koakpn32.dll" Haohel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppdnf32.dll" Ifiilp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fcgdjmlo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Agakog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ncejcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apeflmjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omdbdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ooeolkff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmghcf32.dll" Gohnpcmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlgeqb32.dll" Mgjpcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nbodpo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efbpihoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alnfeemk.dll" Gcifdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oicoednb.dll" Kcqfahom.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Plneoace.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddqeodjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gojnhfhh.dll" Ipimic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fnelmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfmhfm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jlhjijpe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ikbndqnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqcepk32.dll" Lflklaoc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkpieggc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Haohel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kejpdk32.dll" Klbdiokf.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2316 wrote to memory of 2372 2316 73374b2f4fe9d14875e2f9e7a44d2ff3bbf96e2832d6b4bff33d62140c114e58N.exe 30 PID 2316 wrote to memory of 2372 2316 73374b2f4fe9d14875e2f9e7a44d2ff3bbf96e2832d6b4bff33d62140c114e58N.exe 30 PID 2316 wrote to memory of 2372 2316 73374b2f4fe9d14875e2f9e7a44d2ff3bbf96e2832d6b4bff33d62140c114e58N.exe 30 PID 2316 wrote to memory of 2372 2316 73374b2f4fe9d14875e2f9e7a44d2ff3bbf96e2832d6b4bff33d62140c114e58N.exe 30 PID 2372 wrote to memory of 2348 2372 Piemih32.exe 31 PID 2372 wrote to memory of 2348 2372 Piemih32.exe 31 PID 2372 wrote to memory of 2348 2372 Piemih32.exe 31 PID 2372 wrote to memory of 2348 2372 Piemih32.exe 31 PID 2348 wrote to memory of 2808 2348 Plffkc32.exe 32 PID 2348 wrote to memory of 2808 2348 Plffkc32.exe 32 PID 2348 wrote to memory of 2808 2348 Plffkc32.exe 32 PID 2348 wrote to memory of 2808 2348 Plffkc32.exe 32 PID 2808 wrote to memory of 2768 2808 Pngbcldl.exe 33 PID 2808 wrote to memory of 2768 2808 Pngbcldl.exe 33 PID 2808 wrote to memory of 2768 2808 Pngbcldl.exe 33 PID 2808 wrote to memory of 2768 2808 Pngbcldl.exe 33 PID 2768 wrote to memory of 2344 2768 Pdajpf32.exe 34 PID 2768 wrote to memory of 2344 2768 Pdajpf32.exe 34 PID 2768 wrote to memory of 2344 2768 Pdajpf32.exe 34 PID 2768 wrote to memory of 2344 2768 Pdajpf32.exe 34 PID 2344 wrote to memory of 2668 2344 Pgdpgqgg.exe 35 PID 2344 wrote to memory of 2668 2344 Pgdpgqgg.exe 35 PID 2344 wrote to memory of 2668 2344 Pgdpgqgg.exe 35 PID 2344 wrote to memory of 2668 2344 Pgdpgqgg.exe 35 PID 2668 wrote to memory of 2352 2668 Qdhqpe32.exe 36 PID 2668 wrote to memory of 2352 2668 Qdhqpe32.exe 36 PID 2668 wrote to memory of 2352 2668 Qdhqpe32.exe 36 PID 2668 wrote to memory of 2352 2668 Qdhqpe32.exe 36 PID 2352 wrote to memory of 2848 2352 Qmcedg32.exe 37 PID 2352 wrote to memory of 2848 2352 Qmcedg32.exe 37 PID 2352 wrote to memory of 2848 2352 Qmcedg32.exe 37 PID 2352 wrote to memory of 2848 2352 Qmcedg32.exe 37 PID 2848 wrote to memory of 1624 2848 Ajgfnk32.exe 38 PID 2848 wrote to memory of 1624 2848 Ajgfnk32.exe 38 PID 2848 wrote to memory of 1624 2848 Ajgfnk32.exe 38 PID 2848 wrote to memory of 1624 2848 Ajgfnk32.exe 38 PID 1624 wrote to memory of 2880 1624 Aqanke32.exe 39 PID 1624 wrote to memory of 2880 1624 Aqanke32.exe 39 PID 1624 wrote to memory of 2880 1624 Aqanke32.exe 39 PID 1624 wrote to memory of 2880 1624 Aqanke32.exe 39 PID 2880 wrote to memory of 2836 2880 Aofklbnj.exe 40 PID 2880 wrote to memory of 2836 2880 Aofklbnj.exe 40 PID 2880 wrote to memory of 2836 2880 Aofklbnj.exe 40 PID 2880 wrote to memory of 2836 2880 Aofklbnj.exe 40 PID 2836 wrote to memory of 1720 2836 Aeccdila.exe 41 PID 2836 wrote to memory of 1720 2836 Aeccdila.exe 41 PID 2836 wrote to memory of 1720 2836 Aeccdila.exe 41 PID 2836 wrote to memory of 1720 2836 Aeccdila.exe 41 PID 1720 wrote to memory of 1912 1720 Aokdga32.exe 42 PID 1720 wrote to memory of 1912 1720 Aokdga32.exe 42 PID 1720 wrote to memory of 1912 1720 Aokdga32.exe 42 PID 1720 wrote to memory of 1912 1720 Aokdga32.exe 42 PID 1912 wrote to memory of 2196 1912 Aehmoh32.exe 43 PID 1912 wrote to memory of 2196 1912 Aehmoh32.exe 43 PID 1912 wrote to memory of 2196 1912 Aehmoh32.exe 43 PID 1912 wrote to memory of 2196 1912 Aehmoh32.exe 43 PID 2196 wrote to memory of 292 2196 Ablmilgf.exe 44 PID 2196 wrote to memory of 292 2196 Ablmilgf.exe 44 PID 2196 wrote to memory of 292 2196 Ablmilgf.exe 44 PID 2196 wrote to memory of 292 2196 Ablmilgf.exe 44 PID 292 wrote to memory of 812 292 Bnbnnm32.exe 45 PID 292 wrote to memory of 812 292 Bnbnnm32.exe 45 PID 292 wrote to memory of 812 292 Bnbnnm32.exe 45 PID 292 wrote to memory of 812 292 Bnbnnm32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\73374b2f4fe9d14875e2f9e7a44d2ff3bbf96e2832d6b4bff33d62140c114e58N.exe"C:\Users\Admin\AppData\Local\Temp\73374b2f4fe9d14875e2f9e7a44d2ff3bbf96e2832d6b4bff33d62140c114e58N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\SysWOW64\Piemih32.exeC:\Windows\system32\Piemih32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\SysWOW64\Plffkc32.exeC:\Windows\system32\Plffkc32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\Pngbcldl.exeC:\Windows\system32\Pngbcldl.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Pdajpf32.exeC:\Windows\system32\Pdajpf32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\Pgdpgqgg.exeC:\Windows\system32\Pgdpgqgg.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\SysWOW64\Qdhqpe32.exeC:\Windows\system32\Qdhqpe32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Qmcedg32.exeC:\Windows\system32\Qmcedg32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\Ajgfnk32.exeC:\Windows\system32\Ajgfnk32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\Aqanke32.exeC:\Windows\system32\Aqanke32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Windows\SysWOW64\Aofklbnj.exeC:\Windows\system32\Aofklbnj.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\Aeccdila.exeC:\Windows\system32\Aeccdila.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Aokdga32.exeC:\Windows\system32\Aokdga32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1720 -
C:\Windows\SysWOW64\Aehmoh32.exeC:\Windows\system32\Aehmoh32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Windows\SysWOW64\Ablmilgf.exeC:\Windows\system32\Ablmilgf.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Windows\SysWOW64\Bnbnnm32.exeC:\Windows\system32\Bnbnnm32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:292 -
C:\Windows\SysWOW64\Bfppgohb.exeC:\Windows\system32\Bfppgohb.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:812 -
C:\Windows\SysWOW64\Bphdpe32.exeC:\Windows\system32\Bphdpe32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2500 -
C:\Windows\SysWOW64\Bmldji32.exeC:\Windows\system32\Bmldji32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1544 -
C:\Windows\SysWOW64\Bcfmfc32.exeC:\Windows\system32\Bcfmfc32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1548 -
C:\Windows\SysWOW64\Claake32.exeC:\Windows\system32\Claake32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1936 -
C:\Windows\SysWOW64\Cbljgpja.exeC:\Windows\system32\Cbljgpja.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1976 -
C:\Windows\SysWOW64\Ciebdj32.exeC:\Windows\system32\Ciebdj32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2088 -
C:\Windows\SysWOW64\Celbik32.exeC:\Windows\system32\Celbik32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2256 -
C:\Windows\SysWOW64\Codgbqmc.exeC:\Windows\system32\Codgbqmc.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1760 -
C:\Windows\SysWOW64\Ceoooj32.exeC:\Windows\system32\Ceoooj32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2076 -
C:\Windows\SysWOW64\Cddlpg32.exeC:\Windows\system32\Cddlpg32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1580 -
C:\Windows\SysWOW64\Coiqmp32.exeC:\Windows\system32\Coiqmp32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2660 -
C:\Windows\SysWOW64\Cpkmehol.exeC:\Windows\system32\Cpkmehol.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2940 -
C:\Windows\SysWOW64\Dpmjjhmi.exeC:\Windows\system32\Dpmjjhmi.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3004 -
C:\Windows\SysWOW64\Diencmcj.exeC:\Windows\system32\Diencmcj.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2664 -
C:\Windows\SysWOW64\Dpofpg32.exeC:\Windows\system32\Dpofpg32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1056 -
C:\Windows\SysWOW64\Dihkimag.exeC:\Windows\system32\Dihkimag.exe33⤵
- Executes dropped EXE
PID:940 -
C:\Windows\SysWOW64\Denknngk.exeC:\Windows\system32\Denknngk.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Deahcneh.exeC:\Windows\system32\Deahcneh.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1780 -
C:\Windows\SysWOW64\Dlkqpg32.exeC:\Windows\system32\Dlkqpg32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Eagiho32.exeC:\Windows\system32\Eagiho32.exe37⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Eokiabjf.exeC:\Windows\system32\Eokiabjf.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2204 -
C:\Windows\SysWOW64\Ealbcngg.exeC:\Windows\system32\Ealbcngg.exe39⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Ehfkphnd.exeC:\Windows\system32\Ehfkphnd.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2164 -
C:\Windows\SysWOW64\Eopcmb32.exeC:\Windows\system32\Eopcmb32.exe41⤵
- Executes dropped EXE
PID:388 -
C:\Windows\SysWOW64\Ekgcbcke.exeC:\Windows\system32\Ekgcbcke.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:552 -
C:\Windows\SysWOW64\Epdljjjm.exeC:\Windows\system32\Epdljjjm.exe43⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Egndgdai.exeC:\Windows\system32\Egndgdai.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2064 -
C:\Windows\SysWOW64\Fnhlcn32.exeC:\Windows\system32\Fnhlcn32.exe45⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Fgpalcog.exeC:\Windows\system32\Fgpalcog.exe46⤵
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\Fjomhonj.exeC:\Windows\system32\Fjomhonj.exe47⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\Flmidkmn.exeC:\Windows\system32\Flmidkmn.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:844 -
C:\Windows\SysWOW64\Fokfqflb.exeC:\Windows\system32\Fokfqflb.exe49⤵
- Executes dropped EXE
PID:1100 -
C:\Windows\SysWOW64\Fjajno32.exeC:\Windows\system32\Fjajno32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Fmofjj32.exeC:\Windows\system32\Fmofjj32.exe51⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Fbloba32.exeC:\Windows\system32\Fbloba32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Fhfgokap.exeC:\Windows\system32\Fhfgokap.exe53⤵
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Fclkldqe.exeC:\Windows\system32\Fclkldqe.exe54⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Ffjghppi.exeC:\Windows\system32\Ffjghppi.exe55⤵
- Executes dropped EXE
PID:1144 -
C:\Windows\SysWOW64\Fkgpaf32.exeC:\Windows\system32\Fkgpaf32.exe56⤵
- Executes dropped EXE
PID:568 -
C:\Windows\SysWOW64\Fnelmb32.exeC:\Windows\system32\Fnelmb32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:3068 -
C:\Windows\SysWOW64\Gikpjk32.exeC:\Windows\system32\Gikpjk32.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:1168 -
C:\Windows\SysWOW64\Godhgedg.exeC:\Windows\system32\Godhgedg.exe59⤵
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Gqfeom32.exeC:\Windows\system32\Gqfeom32.exe60⤵
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Ggpmkgab.exeC:\Windows\system32\Ggpmkgab.exe61⤵
- Executes dropped EXE
PID:1048 -
C:\Windows\SysWOW64\Gbeaip32.exeC:\Windows\system32\Gbeaip32.exe62⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Gknfaehi.exeC:\Windows\system32\Gknfaehi.exe63⤵
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Gmobin32.exeC:\Windows\system32\Gmobin32.exe64⤵
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Gjccbb32.exeC:\Windows\system32\Gjccbb32.exe65⤵
- Executes dropped EXE
PID:1656 -
C:\Windows\SysWOW64\Gckgkg32.exeC:\Windows\system32\Gckgkg32.exe66⤵PID:300
-
C:\Windows\SysWOW64\Gggclfkj.exeC:\Windows\system32\Gggclfkj.exe67⤵PID:2028
-
C:\Windows\SysWOW64\Gihpcn32.exeC:\Windows\system32\Gihpcn32.exe68⤵PID:1696
-
C:\Windows\SysWOW64\Haohel32.exeC:\Windows\system32\Haohel32.exe69⤵
- Modifies registry class
PID:3052 -
C:\Windows\SysWOW64\Hbqdldhi.exeC:\Windows\system32\Hbqdldhi.exe70⤵PID:2688
-
C:\Windows\SysWOW64\Hliieioi.exeC:\Windows\system32\Hliieioi.exe71⤵PID:2772
-
C:\Windows\SysWOW64\Hcpqfgol.exeC:\Windows\system32\Hcpqfgol.exe72⤵PID:2636
-
C:\Windows\SysWOW64\Hfnmbbnp.exeC:\Windows\system32\Hfnmbbnp.exe73⤵PID:2272
-
C:\Windows\SysWOW64\Hmheol32.exeC:\Windows\system32\Hmheol32.exe74⤵PID:1588
-
C:\Windows\SysWOW64\Hbengc32.exeC:\Windows\system32\Hbengc32.exe75⤵PID:1560
-
C:\Windows\SysWOW64\Hecjco32.exeC:\Windows\system32\Hecjco32.exe76⤵
- Drops file in System32 directory
PID:348 -
C:\Windows\SysWOW64\Hbgjmcba.exeC:\Windows\system32\Hbgjmcba.exe77⤵
- Drops file in System32 directory
PID:2336 -
C:\Windows\SysWOW64\Hiabjm32.exeC:\Windows\system32\Hiabjm32.exe78⤵PID:1924
-
C:\Windows\SysWOW64\Hlpofh32.exeC:\Windows\system32\Hlpofh32.exe79⤵PID:2012
-
C:\Windows\SysWOW64\Hamgno32.exeC:\Windows\system32\Hamgno32.exe80⤵PID:1812
-
C:\Windows\SysWOW64\Idkcjk32.exeC:\Windows\system32\Idkcjk32.exe81⤵PID:1984
-
C:\Windows\SysWOW64\Imchcplm.exeC:\Windows\system32\Imchcplm.exe82⤵
- System Location Discovery: System Language Discovery
PID:1736 -
C:\Windows\SysWOW64\Imfeip32.exeC:\Windows\system32\Imfeip32.exe83⤵PID:380
-
C:\Windows\SysWOW64\Ipdaek32.exeC:\Windows\system32\Ipdaek32.exe84⤵PID:2796
-
C:\Windows\SysWOW64\Ifniaeqk.exeC:\Windows\system32\Ifniaeqk.exe85⤵
- System Location Discovery: System Language Discovery
PID:2988 -
C:\Windows\SysWOW64\Ipfnjkgk.exeC:\Windows\system32\Ipfnjkgk.exe86⤵PID:2916
-
C:\Windows\SysWOW64\Ibejfffo.exeC:\Windows\system32\Ibejfffo.exe87⤵
- System Location Discovery: System Language Discovery
PID:2728 -
C:\Windows\SysWOW64\Iiobcq32.exeC:\Windows\system32\Iiobcq32.exe88⤵PID:2052
-
C:\Windows\SysWOW64\Ibgglfdl.exeC:\Windows\system32\Ibgglfdl.exe89⤵PID:2320
-
C:\Windows\SysWOW64\Iiaoip32.exeC:\Windows\system32\Iiaoip32.exe90⤵
- Modifies registry class
PID:1124 -
C:\Windows\SysWOW64\Ilpkel32.exeC:\Windows\system32\Ilpkel32.exe91⤵PID:2188
-
C:\Windows\SysWOW64\Jgeobdkc.exeC:\Windows\system32\Jgeobdkc.exe92⤵PID:1864
-
C:\Windows\SysWOW64\Jiclnpjg.exeC:\Windows\system32\Jiclnpjg.exe93⤵PID:1052
-
C:\Windows\SysWOW64\Jpndkj32.exeC:\Windows\system32\Jpndkj32.exe94⤵PID:2244
-
C:\Windows\SysWOW64\Jejlca32.exeC:\Windows\system32\Jejlca32.exe95⤵PID:2096
-
C:\Windows\SysWOW64\Jkgelh32.exeC:\Windows\system32\Jkgelh32.exe96⤵PID:2124
-
C:\Windows\SysWOW64\Jemiiqmh.exeC:\Windows\system32\Jemiiqmh.exe97⤵PID:680
-
C:\Windows\SysWOW64\Jkjaaglp.exeC:\Windows\system32\Jkjaaglp.exe98⤵PID:2740
-
C:\Windows\SysWOW64\Jnhnmckc.exeC:\Windows\system32\Jnhnmckc.exe99⤵PID:2240
-
C:\Windows\SysWOW64\Jdbfjm32.exeC:\Windows\system32\Jdbfjm32.exe100⤵PID:2428
-
C:\Windows\SysWOW64\Jnjjcbiq.exeC:\Windows\system32\Jnjjcbiq.exe101⤵PID:1276
-
C:\Windows\SysWOW64\Jpigonhd.exeC:\Windows\system32\Jpigonhd.exe102⤵PID:2720
-
C:\Windows\SysWOW64\Jhpopk32.exeC:\Windows\system32\Jhpopk32.exe103⤵PID:2184
-
C:\Windows\SysWOW64\Knmghb32.exeC:\Windows\system32\Knmghb32.exe104⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1300 -
C:\Windows\SysWOW64\Kpkcdn32.exeC:\Windows\system32\Kpkcdn32.exe105⤵PID:2276
-
C:\Windows\SysWOW64\Kcipqi32.exeC:\Windows\system32\Kcipqi32.exe106⤵PID:2580
-
C:\Windows\SysWOW64\Knodnb32.exeC:\Windows\system32\Knodnb32.exe107⤵PID:2292
-
C:\Windows\SysWOW64\Klbdiokf.exeC:\Windows\system32\Klbdiokf.exe108⤵
- Modifies registry class
PID:2736 -
C:\Windows\SysWOW64\Kcllfi32.exeC:\Windows\system32\Kcllfi32.exe109⤵PID:2804
-
C:\Windows\SysWOW64\Kfjibdbf.exeC:\Windows\system32\Kfjibdbf.exe110⤵
- System Location Discovery: System Language Discovery
PID:2680 -
C:\Windows\SysWOW64\Knaqcabh.exeC:\Windows\system32\Knaqcabh.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2972 -
C:\Windows\SysWOW64\Kobmkj32.exeC:\Windows\system32\Kobmkj32.exe112⤵PID:1428
-
C:\Windows\SysWOW64\Kgjelg32.exeC:\Windows\system32\Kgjelg32.exe113⤵PID:436
-
C:\Windows\SysWOW64\Khkadoog.exeC:\Windows\system32\Khkadoog.exe114⤵PID:1772
-
C:\Windows\SysWOW64\Kpbiempj.exeC:\Windows\system32\Kpbiempj.exe115⤵PID:2004
-
C:\Windows\SysWOW64\Kcqfahom.exeC:\Windows\system32\Kcqfahom.exe116⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:304 -
C:\Windows\SysWOW64\Kjjnnbfj.exeC:\Windows\system32\Kjjnnbfj.exe117⤵
- System Location Discovery: System Language Discovery
PID:2084 -
C:\Windows\SysWOW64\Kkljfj32.exeC:\Windows\system32\Kkljfj32.exe118⤵PID:2596
-
C:\Windows\SysWOW64\Lbfcbdce.exeC:\Windows\system32\Lbfcbdce.exe119⤵PID:2228
-
C:\Windows\SysWOW64\Lhpkoo32.exeC:\Windows\system32\Lhpkoo32.exe120⤵PID:3032
-
C:\Windows\SysWOW64\Lkngkj32.exeC:\Windows\system32\Lkngkj32.exe121⤵PID:1088
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-