Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
23-11-2024 04:21
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
dc66c34f47367b7366b52f5171fb2c3819c7e69169db760921f8104a02f93233.exe
Resource
win7-20240903-en
windows7-x64
11 signatures
150 seconds
Behavioral task
behavioral2
Sample
dc66c34f47367b7366b52f5171fb2c3819c7e69169db760921f8104a02f93233.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
dc66c34f47367b7366b52f5171fb2c3819c7e69169db760921f8104a02f93233.exe
-
Size
64KB
-
MD5
64f35ce0509a774c32ab6b72c80b5794
-
SHA1
3031d71e5fb7ce44fae3e0cf6abab69e8906ca86
-
SHA256
dc66c34f47367b7366b52f5171fb2c3819c7e69169db760921f8104a02f93233
-
SHA512
e2d775c544bbd25288421f4a824a4bbfe23d58d1dda51742b21614afdacb87aea6c1bad7ce49e309432af8f8035b59f749a4408ee09d20fc19b168a58fefe6a4
-
SSDEEP
1536:5Mql+V8e7sEnqg+2qqEnE07pvy7d4RxUXruCHcpzt/Idn:9YCesEqnE071CopFwn
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljddjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olbfagca.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbagipfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgfjhcge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jeafjiop.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlphbbbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkeecogo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kaajei32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjmnjkjd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjahej32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Locjhqpa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcckcbgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpbalb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkeecogo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkhhhd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bigkel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnkjnb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbcbjlmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bqijljfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndqkleln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kglehp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nplimbka.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqbbagjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oococb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckhdggom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmbcen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inlkik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jeafjiop.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kaompi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcqombic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omnipjni.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aoagccfn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aqbdkk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmdepg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Koaqcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omnipjni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmmeon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdcifi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bffbdadk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cegoqlof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mqnifg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbflno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oeindm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qgjccb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cagienkb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgjnhaco.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjkgjl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjcaimgg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmkeke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kklkcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pofkha32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjklenpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpfmmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpicle32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obmnna32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnjcomcf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbflno32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfioia32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbblda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbblda32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhknaf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aficjnpm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oococb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkjjma32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 264 Gkbcbn32.exe 2544 Gblkoham.exe 2444 Gdkgkcpq.exe 2868 Ggicgopd.exe 2624 Goplilpf.exe 2976 Ggkqmoma.exe 2616 Gjjmijme.exe 2676 Gbadjg32.exe 2164 Gqdefddb.exe 640 Hkiicmdh.exe 1728 Hmkeke32.exe 1588 Hebnlb32.exe 2960 Hnjbeh32.exe 2716 Hahnac32.exe 1040 Hpkompgg.exe 2596 Hfegij32.exe 1620 Hakkgc32.exe 1048 Hcigco32.exe 956 Hfhcoj32.exe 1556 Hldlga32.exe 2212 Hboddk32.exe 1708 Hemqpf32.exe 544 Hmdhad32.exe 2292 Hneeilgj.exe 2284 Iflmjihl.exe 2724 Iikifegp.exe 2896 Ibcnojnp.exe 2924 Illbhp32.exe 2092 Ijnbcmkk.exe 2660 Iahkpg32.exe 2784 Idgglb32.exe 2500 Ihbcmaje.exe 1428 Inlkik32.exe 1796 Iefcfe32.exe 1996 Ihdpbq32.exe 1712 Ijclol32.exe 2088 Ippdgc32.exe 1484 Idkpganf.exe 352 Ihglhp32.exe 2824 Ijehdl32.exe 564 Iihiphln.exe 2172 Jmdepg32.exe 3020 Jpbalb32.exe 2432 Jbqmhnbo.exe 1300 Jkhejkcq.exe 2304 Jliaac32.exe 1164 Jfofol32.exe 2328 Jeafjiop.exe 2320 Jlkngc32.exe 2404 Jojkco32.exe 2744 Jojkco32.exe 2884 Jgabdlfb.exe 2640 Jedcpi32.exe 2928 Jioopgef.exe 2512 Jlnklcej.exe 2632 Jolghndm.exe 2696 Jbhcim32.exe 1272 Jajcdjca.exe 620 Jhdlad32.exe 2488 Jlphbbbg.exe 2372 Jondnnbk.exe 2600 Jampjian.exe 648 Kdklfe32.exe 1200 Khghgchk.exe -
Loads dropped DLL 64 IoCs
pid Process 2120 dc66c34f47367b7366b52f5171fb2c3819c7e69169db760921f8104a02f93233.exe 2120 dc66c34f47367b7366b52f5171fb2c3819c7e69169db760921f8104a02f93233.exe 264 Gkbcbn32.exe 264 Gkbcbn32.exe 2544 Gblkoham.exe 2544 Gblkoham.exe 2444 Gdkgkcpq.exe 2444 Gdkgkcpq.exe 2868 Ggicgopd.exe 2868 Ggicgopd.exe 2624 Goplilpf.exe 2624 Goplilpf.exe 2976 Ggkqmoma.exe 2976 Ggkqmoma.exe 2616 Gjjmijme.exe 2616 Gjjmijme.exe 2676 Gbadjg32.exe 2676 Gbadjg32.exe 2164 Gqdefddb.exe 2164 Gqdefddb.exe 640 Hkiicmdh.exe 640 Hkiicmdh.exe 1728 Hmkeke32.exe 1728 Hmkeke32.exe 1588 Hebnlb32.exe 1588 Hebnlb32.exe 2960 Hnjbeh32.exe 2960 Hnjbeh32.exe 2716 Hahnac32.exe 2716 Hahnac32.exe 1040 Hpkompgg.exe 1040 Hpkompgg.exe 2596 Hfegij32.exe 2596 Hfegij32.exe 1620 Hakkgc32.exe 1620 Hakkgc32.exe 1048 Hcigco32.exe 1048 Hcigco32.exe 956 Hfhcoj32.exe 956 Hfhcoj32.exe 1556 Hldlga32.exe 1556 Hldlga32.exe 2212 Hboddk32.exe 2212 Hboddk32.exe 1708 Hemqpf32.exe 1708 Hemqpf32.exe 544 Hmdhad32.exe 544 Hmdhad32.exe 2292 Hneeilgj.exe 2292 Hneeilgj.exe 2284 Iflmjihl.exe 2284 Iflmjihl.exe 2724 Iikifegp.exe 2724 Iikifegp.exe 2896 Ibcnojnp.exe 2896 Ibcnojnp.exe 2924 Illbhp32.exe 2924 Illbhp32.exe 2092 Ijnbcmkk.exe 2092 Ijnbcmkk.exe 2660 Iahkpg32.exe 2660 Iahkpg32.exe 2784 Idgglb32.exe 2784 Idgglb32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Lgqkbb32.exe Ldbofgme.exe File opened for modification C:\Windows\SysWOW64\Ibcnojnp.exe Iikifegp.exe File created C:\Windows\SysWOW64\Iocnkj32.dll Mnmpdlac.exe File created C:\Windows\SysWOW64\Mikjpiim.exe Mfmndn32.exe File created C:\Windows\SysWOW64\Knbbpakg.dll Kpicle32.exe File created C:\Windows\SysWOW64\Ihnijmcj.dll Lonpma32.exe File created C:\Windows\SysWOW64\Dimkiekk.dll Llbqfe32.exe File created C:\Windows\SysWOW64\Pmmeon32.exe Pkoicb32.exe File opened for modification C:\Windows\SysWOW64\Idgglb32.exe Iahkpg32.exe File opened for modification C:\Windows\SysWOW64\Jkhejkcq.exe Jbqmhnbo.exe File opened for modification C:\Windows\SysWOW64\Jlkngc32.exe Jeafjiop.exe File opened for modification C:\Windows\SysWOW64\Khkbbc32.exe Kdpfadlm.exe File opened for modification C:\Windows\SysWOW64\Cagienkb.exe Cbdiia32.exe File opened for modification C:\Windows\SysWOW64\Mbhlek32.exe Mnmpdlac.exe File created C:\Windows\SysWOW64\Oidiekdn.exe Oeindm32.exe File created C:\Windows\SysWOW64\Kblikadd.dll Pkaehb32.exe File opened for modification C:\Windows\SysWOW64\Qjklenpa.exe Qeppdo32.exe File opened for modification C:\Windows\SysWOW64\Bffbdadk.exe Bgcbhd32.exe File created C:\Windows\SysWOW64\Pacnfacn.dll Ihglhp32.exe File opened for modification C:\Windows\SysWOW64\Lkjjma32.exe Lhknaf32.exe File created C:\Windows\SysWOW64\Gddgejcp.dll Mqbbagjo.exe File created C:\Windows\SysWOW64\Mgcchb32.dll Nmfbpk32.exe File created C:\Windows\SysWOW64\Jcfnin32.dll Hpkompgg.exe File opened for modification C:\Windows\SysWOW64\Jolghndm.exe Jlnklcej.exe File created C:\Windows\SysWOW64\Pplncj32.dll Kkgahoel.exe File created C:\Windows\SysWOW64\Djdgic32.exe Cfhkhd32.exe File created C:\Windows\SysWOW64\Hcigco32.exe Hakkgc32.exe File opened for modification C:\Windows\SysWOW64\Nbjeinje.exe Nplimbka.exe File opened for modification C:\Windows\SysWOW64\Olbfagca.exe Ompefj32.exe File created C:\Windows\SysWOW64\Nloone32.dll Calcpm32.exe File created C:\Windows\SysWOW64\Qiioon32.exe Qgjccb32.exe File created C:\Windows\SysWOW64\Cgcnghpl.exe Cchbgi32.exe File created C:\Windows\SysWOW64\Jolghndm.exe Jlnklcej.exe File opened for modification C:\Windows\SysWOW64\Kdklfe32.exe Jampjian.exe File opened for modification C:\Windows\SysWOW64\Lhknaf32.exe Ldpbpgoh.exe File created C:\Windows\SysWOW64\Decfggnn.dll Oococb32.exe File opened for modification C:\Windows\SysWOW64\Qeppdo32.exe Qcachc32.exe File created C:\Windows\SysWOW64\Maanne32.dll Afdiondb.exe File opened for modification C:\Windows\SysWOW64\Jliaac32.exe Jkhejkcq.exe File created C:\Windows\SysWOW64\Qppkfhlc.exe Pleofj32.exe File opened for modification C:\Windows\SysWOW64\Qppkfhlc.exe Pleofj32.exe File opened for modification C:\Windows\SysWOW64\Ahbekjcf.exe Afdiondb.exe File opened for modification C:\Windows\SysWOW64\Kaompi32.exe Koaqcn32.exe File created C:\Windows\SysWOW64\Abnhjmjc.dll Lqipkhbj.exe File created C:\Windows\SysWOW64\Gggpgo32.dll Ahgofi32.exe File created C:\Windows\SysWOW64\Kgloog32.dll Cnkjnb32.exe File created C:\Windows\SysWOW64\Nenkqi32.exe Nmfbpk32.exe File opened for modification C:\Windows\SysWOW64\Cocphf32.exe Ckhdggom.exe File opened for modification C:\Windows\SysWOW64\Dmbcen32.exe Djdgic32.exe File opened for modification C:\Windows\SysWOW64\Kcecbq32.exe Kdbbgdjj.exe File created C:\Windows\SysWOW64\Chdndgcj.dll Lcofio32.exe File opened for modification C:\Windows\SysWOW64\Mikjpiim.exe Mfmndn32.exe File created C:\Windows\SysWOW64\Nipdkieg.exe Nfahomfd.exe File created C:\Windows\SysWOW64\Loqmba32.exe Llbqfe32.exe File created C:\Windows\SysWOW64\Pdeqfhjd.exe Pafdjmkq.exe File opened for modification C:\Windows\SysWOW64\Bqijljfd.exe Bnknoogp.exe File created C:\Windows\SysWOW64\Illbhp32.exe Ibcnojnp.exe File opened for modification C:\Windows\SysWOW64\Mgedmb32.exe Mcjhmcok.exe File opened for modification C:\Windows\SysWOW64\Odedge32.exe Opihgfop.exe File opened for modification C:\Windows\SysWOW64\Olebgfao.exe Oiffkkbk.exe File created C:\Windows\SysWOW64\Gigqol32.dll Lclicpkm.exe File created C:\Windows\SysWOW64\Moohhbcf.dll Njfjnpgp.exe File created C:\Windows\SysWOW64\Dcqlnqml.dll Kklkcn32.exe File created C:\Windows\SysWOW64\Qgjccb32.exe Qcogbdkg.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File opened for modification C:\Windows\system32†Dcllbhdn.¿xe Dpapaj32.exe File created C:\Windows\system32†Dcllbhdn.¿xe Dpapaj32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4300 4268 WerFault.exe 333 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqgmfkhg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bieopm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcigco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdklfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nipdkieg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paknelgk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjpaop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gblkoham.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbfook32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neiaeiii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmkeke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mclebc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmpbdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbblda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbdiia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaajei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbbpenco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmlael32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpicle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oemgplgo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdcifi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhjjgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oeindm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijclol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgqkbb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfahomfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkgahoel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Loqmba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mikjpiim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcqombic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odchbe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjjmijme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jliaac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlkngc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ompefj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alqnah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgjnhaco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjkgjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdgmlhha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgfjhcge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Illbhp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlnklcej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjmnjkjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofadnq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olbfagca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phlclgfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dc66c34f47367b7366b52f5171fb2c3819c7e69169db760921f8104a02f93233.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hahnac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbcbjlmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjfnomde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcnbhb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cileqlmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcjhmcok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njfjnpgp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pleofj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obokcqhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bigkel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkjdndjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jondnnbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnmpdlac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbmaon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqnifg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oidiekdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppnnai32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpkompgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cceell32.dll" Qeppdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nloone32.dll" Calcpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgoelh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lfmbek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaokcb32.dll" Ndqkleln.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Opqoge32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pafdjmkq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgfjhcge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmdepg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nbmaon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apqcdckf.dll" Pbagipfi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbblda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ippdgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jeafjiop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjoahnho.dll" Jampjian.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbbpenco.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njjcip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgabdlfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cmedlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcofio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmbcen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kcecbq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knkgpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Opqoge32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Anbkipok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aficjnpm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aomnhd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjakccop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kklkcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghmhnp32.dll" Knkgpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgjnhaco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nfdddm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ofhjopbg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iflmjihl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijnbcmkk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ncnngfna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll" Dmbcen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abpcooea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bqgmfkhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kdklfe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lbcbjlmb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onfoin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Incjbkig.dll" Ahpifj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmhnlgkg.dll" Abpcooea.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Idkpganf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iofjqboi.dll" Jbqmhnbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjfnomde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjeeidhg.dll" Objaha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aomnhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndqkleln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ompefj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldpbpgoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codfplej.dll" Jkhejkcq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jlphbbbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifigco32.dll" Hnjbeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmdlck32.dll" Bbbpenco.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bqijljfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajcbch32.dll" Hcigco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pclmghko.dll" Ippdgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nbjeinje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihnijmcj.dll" Lonpma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imafcg32.dll" Alihaioe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Boljgg32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2120 wrote to memory of 264 2120 dc66c34f47367b7366b52f5171fb2c3819c7e69169db760921f8104a02f93233.exe 30 PID 2120 wrote to memory of 264 2120 dc66c34f47367b7366b52f5171fb2c3819c7e69169db760921f8104a02f93233.exe 30 PID 2120 wrote to memory of 264 2120 dc66c34f47367b7366b52f5171fb2c3819c7e69169db760921f8104a02f93233.exe 30 PID 2120 wrote to memory of 264 2120 dc66c34f47367b7366b52f5171fb2c3819c7e69169db760921f8104a02f93233.exe 30 PID 264 wrote to memory of 2544 264 Gkbcbn32.exe 31 PID 264 wrote to memory of 2544 264 Gkbcbn32.exe 31 PID 264 wrote to memory of 2544 264 Gkbcbn32.exe 31 PID 264 wrote to memory of 2544 264 Gkbcbn32.exe 31 PID 2544 wrote to memory of 2444 2544 Gblkoham.exe 32 PID 2544 wrote to memory of 2444 2544 Gblkoham.exe 32 PID 2544 wrote to memory of 2444 2544 Gblkoham.exe 32 PID 2544 wrote to memory of 2444 2544 Gblkoham.exe 32 PID 2444 wrote to memory of 2868 2444 Gdkgkcpq.exe 33 PID 2444 wrote to memory of 2868 2444 Gdkgkcpq.exe 33 PID 2444 wrote to memory of 2868 2444 Gdkgkcpq.exe 33 PID 2444 wrote to memory of 2868 2444 Gdkgkcpq.exe 33 PID 2868 wrote to memory of 2624 2868 Ggicgopd.exe 34 PID 2868 wrote to memory of 2624 2868 Ggicgopd.exe 34 PID 2868 wrote to memory of 2624 2868 Ggicgopd.exe 34 PID 2868 wrote to memory of 2624 2868 Ggicgopd.exe 34 PID 2624 wrote to memory of 2976 2624 Goplilpf.exe 35 PID 2624 wrote to memory of 2976 2624 Goplilpf.exe 35 PID 2624 wrote to memory of 2976 2624 Goplilpf.exe 35 PID 2624 wrote to memory of 2976 2624 Goplilpf.exe 35 PID 2976 wrote to memory of 2616 2976 Ggkqmoma.exe 36 PID 2976 wrote to memory of 2616 2976 Ggkqmoma.exe 36 PID 2976 wrote to memory of 2616 2976 Ggkqmoma.exe 36 PID 2976 wrote to memory of 2616 2976 Ggkqmoma.exe 36 PID 2616 wrote to memory of 2676 2616 Gjjmijme.exe 37 PID 2616 wrote to memory of 2676 2616 Gjjmijme.exe 37 PID 2616 wrote to memory of 2676 2616 Gjjmijme.exe 37 PID 2616 wrote to memory of 2676 2616 Gjjmijme.exe 37 PID 2676 wrote to memory of 2164 2676 Gbadjg32.exe 38 PID 2676 wrote to memory of 2164 2676 Gbadjg32.exe 38 PID 2676 wrote to memory of 2164 2676 Gbadjg32.exe 38 PID 2676 wrote to memory of 2164 2676 Gbadjg32.exe 38 PID 2164 wrote to memory of 640 2164 Gqdefddb.exe 39 PID 2164 wrote to memory of 640 2164 Gqdefddb.exe 39 PID 2164 wrote to memory of 640 2164 Gqdefddb.exe 39 PID 2164 wrote to memory of 640 2164 Gqdefddb.exe 39 PID 640 wrote to memory of 1728 640 Hkiicmdh.exe 40 PID 640 wrote to memory of 1728 640 Hkiicmdh.exe 40 PID 640 wrote to memory of 1728 640 Hkiicmdh.exe 40 PID 640 wrote to memory of 1728 640 Hkiicmdh.exe 40 PID 1728 wrote to memory of 1588 1728 Hmkeke32.exe 41 PID 1728 wrote to memory of 1588 1728 Hmkeke32.exe 41 PID 1728 wrote to memory of 1588 1728 Hmkeke32.exe 41 PID 1728 wrote to memory of 1588 1728 Hmkeke32.exe 41 PID 1588 wrote to memory of 2960 1588 Hebnlb32.exe 42 PID 1588 wrote to memory of 2960 1588 Hebnlb32.exe 42 PID 1588 wrote to memory of 2960 1588 Hebnlb32.exe 42 PID 1588 wrote to memory of 2960 1588 Hebnlb32.exe 42 PID 2960 wrote to memory of 2716 2960 Hnjbeh32.exe 43 PID 2960 wrote to memory of 2716 2960 Hnjbeh32.exe 43 PID 2960 wrote to memory of 2716 2960 Hnjbeh32.exe 43 PID 2960 wrote to memory of 2716 2960 Hnjbeh32.exe 43 PID 2716 wrote to memory of 1040 2716 Hahnac32.exe 44 PID 2716 wrote to memory of 1040 2716 Hahnac32.exe 44 PID 2716 wrote to memory of 1040 2716 Hahnac32.exe 44 PID 2716 wrote to memory of 1040 2716 Hahnac32.exe 44 PID 1040 wrote to memory of 2596 1040 Hpkompgg.exe 45 PID 1040 wrote to memory of 2596 1040 Hpkompgg.exe 45 PID 1040 wrote to memory of 2596 1040 Hpkompgg.exe 45 PID 1040 wrote to memory of 2596 1040 Hpkompgg.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\dc66c34f47367b7366b52f5171fb2c3819c7e69169db760921f8104a02f93233.exe"C:\Users\Admin\AppData\Local\Temp\dc66c34f47367b7366b52f5171fb2c3819c7e69169db760921f8104a02f93233.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Windows\SysWOW64\Gkbcbn32.exeC:\Windows\system32\Gkbcbn32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:264 -
C:\Windows\SysWOW64\Gblkoham.exeC:\Windows\system32\Gblkoham.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\Gdkgkcpq.exeC:\Windows\system32\Gdkgkcpq.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Windows\SysWOW64\Ggicgopd.exeC:\Windows\system32\Ggicgopd.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Goplilpf.exeC:\Windows\system32\Goplilpf.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Ggkqmoma.exeC:\Windows\system32\Ggkqmoma.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\Gjjmijme.exeC:\Windows\system32\Gjjmijme.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Gbadjg32.exeC:\Windows\system32\Gbadjg32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Gqdefddb.exeC:\Windows\system32\Gqdefddb.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SysWOW64\Hkiicmdh.exeC:\Windows\system32\Hkiicmdh.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:640 -
C:\Windows\SysWOW64\Hmkeke32.exeC:\Windows\system32\Hmkeke32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Windows\SysWOW64\Hebnlb32.exeC:\Windows\system32\Hebnlb32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1588 -
C:\Windows\SysWOW64\Hnjbeh32.exeC:\Windows\system32\Hnjbeh32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\Hahnac32.exeC:\Windows\system32\Hahnac32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Hpkompgg.exeC:\Windows\system32\Hpkompgg.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1040 -
C:\Windows\SysWOW64\Hfegij32.exeC:\Windows\system32\Hfegij32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2596 -
C:\Windows\SysWOW64\Hakkgc32.exeC:\Windows\system32\Hakkgc32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1620 -
C:\Windows\SysWOW64\Hcigco32.exeC:\Windows\system32\Hcigco32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1048 -
C:\Windows\SysWOW64\Hfhcoj32.exeC:\Windows\system32\Hfhcoj32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:956 -
C:\Windows\SysWOW64\Hldlga32.exeC:\Windows\system32\Hldlga32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1556 -
C:\Windows\SysWOW64\Hboddk32.exeC:\Windows\system32\Hboddk32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2212 -
C:\Windows\SysWOW64\Hemqpf32.exeC:\Windows\system32\Hemqpf32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1708 -
C:\Windows\SysWOW64\Hmdhad32.exeC:\Windows\system32\Hmdhad32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:544 -
C:\Windows\SysWOW64\Hneeilgj.exeC:\Windows\system32\Hneeilgj.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2292 -
C:\Windows\SysWOW64\Iflmjihl.exeC:\Windows\system32\Iflmjihl.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2284 -
C:\Windows\SysWOW64\Iikifegp.exeC:\Windows\system32\Iikifegp.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2724 -
C:\Windows\SysWOW64\Ibcnojnp.exeC:\Windows\system32\Ibcnojnp.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2896 -
C:\Windows\SysWOW64\Illbhp32.exeC:\Windows\system32\Illbhp32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2924 -
C:\Windows\SysWOW64\Ijnbcmkk.exeC:\Windows\system32\Ijnbcmkk.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2092 -
C:\Windows\SysWOW64\Iahkpg32.exeC:\Windows\system32\Iahkpg32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2660 -
C:\Windows\SysWOW64\Idgglb32.exeC:\Windows\system32\Idgglb32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2784 -
C:\Windows\SysWOW64\Ihbcmaje.exeC:\Windows\system32\Ihbcmaje.exe33⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Inlkik32.exeC:\Windows\system32\Inlkik32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1428 -
C:\Windows\SysWOW64\Iefcfe32.exeC:\Windows\system32\Iefcfe32.exe35⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Ihdpbq32.exeC:\Windows\system32\Ihdpbq32.exe36⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\Ijclol32.exeC:\Windows\system32\Ijclol32.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1712 -
C:\Windows\SysWOW64\Ippdgc32.exeC:\Windows\system32\Ippdgc32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:2088 -
C:\Windows\SysWOW64\Idkpganf.exeC:\Windows\system32\Idkpganf.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:1484 -
C:\Windows\SysWOW64\Ihglhp32.exeC:\Windows\system32\Ihglhp32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:352 -
C:\Windows\SysWOW64\Ijehdl32.exeC:\Windows\system32\Ijehdl32.exe41⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Iihiphln.exeC:\Windows\system32\Iihiphln.exe42⤵
- Executes dropped EXE
PID:564 -
C:\Windows\SysWOW64\Jmdepg32.exeC:\Windows\system32\Jmdepg32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2172 -
C:\Windows\SysWOW64\Jpbalb32.exeC:\Windows\system32\Jpbalb32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3020 -
C:\Windows\SysWOW64\Jbqmhnbo.exeC:\Windows\system32\Jbqmhnbo.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2432 -
C:\Windows\SysWOW64\Jkhejkcq.exeC:\Windows\system32\Jkhejkcq.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1300 -
C:\Windows\SysWOW64\Jliaac32.exeC:\Windows\system32\Jliaac32.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2304 -
C:\Windows\SysWOW64\Jfofol32.exeC:\Windows\system32\Jfofol32.exe48⤵
- Executes dropped EXE
PID:1164 -
C:\Windows\SysWOW64\Jeafjiop.exeC:\Windows\system32\Jeafjiop.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2328 -
C:\Windows\SysWOW64\Jlkngc32.exeC:\Windows\system32\Jlkngc32.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2320 -
C:\Windows\SysWOW64\Jojkco32.exeC:\Windows\system32\Jojkco32.exe51⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Jojkco32.exeC:\Windows\system32\Jojkco32.exe52⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Jgabdlfb.exeC:\Windows\system32\Jgabdlfb.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:2884 -
C:\Windows\SysWOW64\Jedcpi32.exeC:\Windows\system32\Jedcpi32.exe54⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Jioopgef.exeC:\Windows\system32\Jioopgef.exe55⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Jlnklcej.exeC:\Windows\system32\Jlnklcej.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2512 -
C:\Windows\SysWOW64\Jolghndm.exeC:\Windows\system32\Jolghndm.exe57⤵
- Executes dropped EXE
PID:2632 -
C:\Windows\SysWOW64\Jbhcim32.exeC:\Windows\system32\Jbhcim32.exe58⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Jajcdjca.exeC:\Windows\system32\Jajcdjca.exe59⤵
- Executes dropped EXE
PID:1272 -
C:\Windows\SysWOW64\Jhdlad32.exeC:\Windows\system32\Jhdlad32.exe60⤵
- Executes dropped EXE
PID:620 -
C:\Windows\SysWOW64\Jlphbbbg.exeC:\Windows\system32\Jlphbbbg.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2488 -
C:\Windows\SysWOW64\Jondnnbk.exeC:\Windows\system32\Jondnnbk.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2372 -
C:\Windows\SysWOW64\Jampjian.exeC:\Windows\system32\Jampjian.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2600 -
C:\Windows\SysWOW64\Kdklfe32.exeC:\Windows\system32\Kdklfe32.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:648 -
C:\Windows\SysWOW64\Khghgchk.exeC:\Windows\system32\Khghgchk.exe65⤵
- Executes dropped EXE
PID:1200 -
C:\Windows\SysWOW64\Kkeecogo.exeC:\Windows\system32\Kkeecogo.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2584 -
C:\Windows\SysWOW64\Koaqcn32.exeC:\Windows\system32\Koaqcn32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1656 -
C:\Windows\SysWOW64\Kaompi32.exeC:\Windows\system32\Kaompi32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:996 -
C:\Windows\SysWOW64\Kekiphge.exeC:\Windows\system32\Kekiphge.exe69⤵PID:1872
-
C:\Windows\SysWOW64\Kglehp32.exeC:\Windows\system32\Kglehp32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1308 -
C:\Windows\SysWOW64\Kkgahoel.exeC:\Windows\system32\Kkgahoel.exe71⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1932 -
C:\Windows\SysWOW64\Knfndjdp.exeC:\Windows\system32\Knfndjdp.exe72⤵PID:2152
-
C:\Windows\SysWOW64\Kaajei32.exeC:\Windows\system32\Kaajei32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2736 -
C:\Windows\SysWOW64\Kdpfadlm.exeC:\Windows\system32\Kdpfadlm.exe74⤵
- Drops file in System32 directory
PID:2628 -
C:\Windows\SysWOW64\Khkbbc32.exeC:\Windows\system32\Khkbbc32.exe75⤵PID:2996
-
C:\Windows\SysWOW64\Kgnbnpkp.exeC:\Windows\system32\Kgnbnpkp.exe76⤵PID:2200
-
C:\Windows\SysWOW64\Kjmnjkjd.exeC:\Windows\system32\Kjmnjkjd.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2004 -
C:\Windows\SysWOW64\Knhjjj32.exeC:\Windows\system32\Knhjjj32.exe78⤵PID:1596
-
C:\Windows\SysWOW64\Kadfkhkf.exeC:\Windows\system32\Kadfkhkf.exe79⤵PID:2000
-
C:\Windows\SysWOW64\Kdbbgdjj.exeC:\Windows\system32\Kdbbgdjj.exe80⤵
- Drops file in System32 directory
PID:2956 -
C:\Windows\SysWOW64\Kcecbq32.exeC:\Windows\system32\Kcecbq32.exe81⤵
- Modifies registry class
PID:2852 -
C:\Windows\SysWOW64\Kklkcn32.exeC:\Windows\system32\Kklkcn32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1052 -
C:\Windows\SysWOW64\Knkgpi32.exeC:\Windows\system32\Knkgpi32.exe83⤵
- Modifies registry class
PID:1760 -
C:\Windows\SysWOW64\Kpicle32.exeC:\Windows\system32\Kpicle32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2136 -
C:\Windows\SysWOW64\Kddomchg.exeC:\Windows\system32\Kddomchg.exe85⤵PID:1672
-
C:\Windows\SysWOW64\Kgclio32.exeC:\Windows\system32\Kgclio32.exe86⤵PID:628
-
C:\Windows\SysWOW64\Kffldlne.exeC:\Windows\system32\Kffldlne.exe87⤵PID:756
-
C:\Windows\SysWOW64\Kjahej32.exeC:\Windows\system32\Kjahej32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2988 -
C:\Windows\SysWOW64\Klpdaf32.exeC:\Windows\system32\Klpdaf32.exe89⤵PID:2052
-
C:\Windows\SysWOW64\Lonpma32.exeC:\Windows\system32\Lonpma32.exe90⤵
- Drops file in System32 directory
- Modifies registry class
PID:2636 -
C:\Windows\SysWOW64\Lgehno32.exeC:\Windows\system32\Lgehno32.exe91⤵PID:2160
-
C:\Windows\SysWOW64\Lfhhjklc.exeC:\Windows\system32\Lfhhjklc.exe92⤵PID:1400
-
C:\Windows\SysWOW64\Ljddjj32.exeC:\Windows\system32\Ljddjj32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2756 -
C:\Windows\SysWOW64\Llbqfe32.exeC:\Windows\system32\Llbqfe32.exe94⤵
- Drops file in System32 directory
PID:792 -
C:\Windows\SysWOW64\Loqmba32.exeC:\Windows\system32\Loqmba32.exe95⤵
- System Location Discovery: System Language Discovery
PID:2932 -
C:\Windows\SysWOW64\Lclicpkm.exeC:\Windows\system32\Lclicpkm.exe96⤵
- Drops file in System32 directory
PID:2424 -
C:\Windows\SysWOW64\Lfkeokjp.exeC:\Windows\system32\Lfkeokjp.exe97⤵PID:1384
-
C:\Windows\SysWOW64\Lhiakf32.exeC:\Windows\system32\Lhiakf32.exe98⤵PID:1252
-
C:\Windows\SysWOW64\Locjhqpa.exeC:\Windows\system32\Locjhqpa.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1804 -
C:\Windows\SysWOW64\Lcofio32.exeC:\Windows\system32\Lcofio32.exe100⤵
- Drops file in System32 directory
- Modifies registry class
PID:2072 -
C:\Windows\SysWOW64\Lfmbek32.exeC:\Windows\system32\Lfmbek32.exe101⤵
- Modifies registry class
PID:1172 -
C:\Windows\SysWOW64\Ldpbpgoh.exeC:\Windows\system32\Ldpbpgoh.exe102⤵
- Drops file in System32 directory
- Modifies registry class
PID:3064 -
C:\Windows\SysWOW64\Lhknaf32.exeC:\Windows\system32\Lhknaf32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2760 -
C:\Windows\SysWOW64\Lkjjma32.exeC:\Windows\system32\Lkjjma32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2752 -
C:\Windows\SysWOW64\Lnhgim32.exeC:\Windows\system32\Lnhgim32.exe105⤵PID:2732
-
C:\Windows\SysWOW64\Lbcbjlmb.exeC:\Windows\system32\Lbcbjlmb.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1960 -
C:\Windows\SysWOW64\Ldbofgme.exeC:\Windows\system32\Ldbofgme.exe107⤵
- Drops file in System32 directory
PID:832 -
C:\Windows\SysWOW64\Lgqkbb32.exeC:\Windows\system32\Lgqkbb32.exe108⤵
- System Location Discovery: System Language Discovery
PID:1160 -
C:\Windows\SysWOW64\Lklgbadb.exeC:\Windows\system32\Lklgbadb.exe109⤵PID:2272
-
C:\Windows\SysWOW64\Lnjcomcf.exeC:\Windows\system32\Lnjcomcf.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1368 -
C:\Windows\SysWOW64\Lbfook32.exeC:\Windows\system32\Lbfook32.exe111⤵
- System Location Discovery: System Language Discovery
PID:1100 -
C:\Windows\SysWOW64\Lqipkhbj.exeC:\Windows\system32\Lqipkhbj.exe112⤵
- Drops file in System32 directory
PID:2400 -
C:\Windows\SysWOW64\Lhpglecl.exeC:\Windows\system32\Lhpglecl.exe113⤵PID:2552
-
C:\Windows\SysWOW64\Mkndhabp.exeC:\Windows\system32\Mkndhabp.exe114⤵PID:600
-
C:\Windows\SysWOW64\Mjaddn32.exeC:\Windows\system32\Mjaddn32.exe115⤵PID:2908
-
C:\Windows\SysWOW64\Mnmpdlac.exeC:\Windows\system32\Mnmpdlac.exe116⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2344 -
C:\Windows\SysWOW64\Mbhlek32.exeC:\Windows\system32\Mbhlek32.exe117⤵PID:2352
-
C:\Windows\SysWOW64\Mqklqhpg.exeC:\Windows\system32\Mqklqhpg.exe118⤵PID:1832
-
C:\Windows\SysWOW64\Mcjhmcok.exeC:\Windows\system32\Mcjhmcok.exe119⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2848 -
C:\Windows\SysWOW64\Mgedmb32.exeC:\Windows\system32\Mgedmb32.exe120⤵PID:2840
-
C:\Windows\SysWOW64\Mjcaimgg.exeC:\Windows\system32\Mjcaimgg.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1000
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-