Analysis
-
max time kernel
119s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system -
submitted
24/11/2024, 20:19
Behavioral task
behavioral1
Sample
6081ad013022c1880081e7a917e03d5b80938e62361ff2c72815902a0d45cbd2.exe
Resource
win7-20241023-en
windows7-x64
12 signatures
120 seconds
General
-
Target
6081ad013022c1880081e7a917e03d5b80938e62361ff2c72815902a0d45cbd2.exe
-
Size
93KB
-
MD5
5f5333c539b7a0fe7a4663a1e31daaad
-
SHA1
0318b69b5f0148c613816d33140a6579f16707f3
-
SHA256
6081ad013022c1880081e7a917e03d5b80938e62361ff2c72815902a0d45cbd2
-
SHA512
a10557a39435b5ae076b5acc0aa3ee15841d8284a29371932a38b61956bbc669a21b7490852cd5dd7646591938443e3ccc7ebbe3140af36a2d804d602f118333
-
SSDEEP
1536:YZ/mCTG86HoEo3CkmkrCDFNfHLO1DaYfMZRWuLsV+1x:yO0v6HoTxmvlCgYfc0DV+1x
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpgcip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qdojgmfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmhkmm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhmcmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jondnnbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kglehp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmpkqklh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbbofjnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfpifm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mchoid32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqqpgj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdjccf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfpeeqig.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpopnejo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbcoio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aomnhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kaompi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbflno32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilofhffj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdcmbgkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlphbbbg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieigfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khkbbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pofkha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnkmqkbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idadnd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpadhg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkbaii32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adfqgl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjlmpfhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbhbdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eoajel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdaqmg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfglep32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dogpdg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eelkeeah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggicgopd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epgphcqd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpadhg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpiqmlfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oibmpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkoicb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qcogbdkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adfqgl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbepdhgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlfgcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojomdoof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljghjpfe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnomjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbcoio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnldjekl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eoepnk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Calcpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Deollamj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qnghel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmcnqama.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pljlbf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnkmqkbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdlkcdog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcdfnehp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nenkqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omqlpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bofgii32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijehdl32.exe -
Berbew family
-
Njrat family
-
Executes dropped EXE 64 IoCs
pid Process 2144 Dcccpl32.exe 1972 Dinklffl.exe 1988 Dpgcip32.exe 2868 Dcfpel32.exe 2136 Daipqhdg.exe 2756 Degiggjm.exe 2784 Eoompl32.exe 2096 Egjbdo32.exe 1496 Eoajel32.exe 796 Ekhkjm32.exe 2796 Eabcggll.exe 2916 Egokonjc.exe 2044 Epgphcqd.exe 2460 Efdhpjok.exe 316 Eqjmncna.exe 2464 Fchijone.exe 408 Foojop32.exe 3016 Fbmfkkbm.exe 1884 Fkejcq32.exe 2164 Fdnolfon.exe 2572 Fkhgip32.exe 1640 Fbbofjnh.exe 2304 Fkjdopeh.exe 548 Fqglggcp.exe 3056 Fkmqdpce.exe 1616 Gnkmqkbi.exe 1264 Gcheib32.exe 2872 Gkomjo32.exe 2008 Ggfnopfg.exe 2960 Gpabcbdb.exe 2904 Gjfgqk32.exe 2468 Gcokiaji.exe 2880 Gfmgelil.exe 3024 Gmgpbf32.exe 1508 Gpelnb32.exe 1084 Gbdhjm32.exe 1952 Hebdfind.exe 1940 Hmjlhfof.exe 2076 Hloiib32.exe 896 Hpjeialg.exe 2316 Hegnahjo.exe 1056 Heikgh32.exe 2084 Hdlkcdog.exe 968 Hhhgcc32.exe 1560 Hapklimq.exe 1796 Hndlem32.exe 2228 Idadnd32.exe 2104 Ijklknbn.exe 1280 Imiigiab.exe 1964 Ibfaopoi.exe 2840 Ijmipn32.exe 2744 Iipiljgf.exe 3060 Ilofhffj.exe 2876 Ibhndp32.exe 2140 Ifdjeoep.exe 1444 Iibfajdc.exe 568 Ioooiack.exe 532 Ifffkncm.exe 2036 Ieigfk32.exe 1140 Ihhcbf32.exe 2384 Ipokcdjn.exe 836 Ibmgpoia.exe 1260 Ielclkhe.exe 992 Jhjphfgi.exe -
Loads dropped DLL 64 IoCs
pid Process 2404 6081ad013022c1880081e7a917e03d5b80938e62361ff2c72815902a0d45cbd2.exe 2404 6081ad013022c1880081e7a917e03d5b80938e62361ff2c72815902a0d45cbd2.exe 2144 Dcccpl32.exe 2144 Dcccpl32.exe 1972 Dinklffl.exe 1972 Dinklffl.exe 1988 Dpgcip32.exe 1988 Dpgcip32.exe 2868 Dcfpel32.exe 2868 Dcfpel32.exe 2136 Daipqhdg.exe 2136 Daipqhdg.exe 2756 Degiggjm.exe 2756 Degiggjm.exe 2784 Eoompl32.exe 2784 Eoompl32.exe 2096 Egjbdo32.exe 2096 Egjbdo32.exe 1496 Eoajel32.exe 1496 Eoajel32.exe 796 Ekhkjm32.exe 796 Ekhkjm32.exe 2796 Eabcggll.exe 2796 Eabcggll.exe 2916 Egokonjc.exe 2916 Egokonjc.exe 2044 Epgphcqd.exe 2044 Epgphcqd.exe 2460 Efdhpjok.exe 2460 Efdhpjok.exe 316 Eqjmncna.exe 316 Eqjmncna.exe 2464 Fchijone.exe 2464 Fchijone.exe 408 Foojop32.exe 408 Foojop32.exe 3016 Fbmfkkbm.exe 3016 Fbmfkkbm.exe 1884 Fkejcq32.exe 1884 Fkejcq32.exe 2164 Fdnolfon.exe 2164 Fdnolfon.exe 2572 Fkhgip32.exe 2572 Fkhgip32.exe 1640 Fbbofjnh.exe 1640 Fbbofjnh.exe 2304 Fkjdopeh.exe 2304 Fkjdopeh.exe 548 Fqglggcp.exe 548 Fqglggcp.exe 3056 Fkmqdpce.exe 3056 Fkmqdpce.exe 1616 Gnkmqkbi.exe 1616 Gnkmqkbi.exe 1264 Gcheib32.exe 1264 Gcheib32.exe 2872 Gkomjo32.exe 2872 Gkomjo32.exe 2008 Ggfnopfg.exe 2008 Ggfnopfg.exe 2960 Gpabcbdb.exe 2960 Gpabcbdb.exe 2904 Gjfgqk32.exe 2904 Gjfgqk32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Fqdiga32.exe Fnflke32.exe File created C:\Windows\SysWOW64\Obecdjcn.dll Oemgplgo.exe File created C:\Windows\SysWOW64\Adifpk32.exe Aomnhd32.exe File created C:\Windows\SysWOW64\Elooehob.dll Kfbfkmeh.exe File created C:\Windows\SysWOW64\Enlidg32.exe Eknmhk32.exe File opened for modification C:\Windows\SysWOW64\Oanefo32.exe Oehdan32.exe File created C:\Windows\SysWOW64\Ihnijmcj.dll Klpdaf32.exe File opened for modification C:\Windows\SysWOW64\Jialfgcc.exe Jolghndm.exe File created C:\Windows\SysWOW64\Mgcchb32.dll Nabopjmj.exe File opened for modification C:\Windows\SysWOW64\Eqjmncna.exe Efdhpjok.exe File opened for modification C:\Windows\SysWOW64\Fdnolfon.exe Fkejcq32.exe File created C:\Windows\SysWOW64\Naejdn32.dll Nncbdomg.exe File opened for modification C:\Windows\SysWOW64\Aebmjo32.exe Aohdmdoh.exe File opened for modification C:\Windows\SysWOW64\Mfihkoal.exe Mpopnejo.exe File created C:\Windows\SysWOW64\Goejbpjh.dll Lclicpkm.exe File opened for modification C:\Windows\SysWOW64\Jkmeoa32.exe Jgaiobjn.exe File created C:\Windows\SysWOW64\Icmongda.dll Ihpfgalh.exe File created C:\Windows\SysWOW64\Bgmaomdn.dll Pcbncfjd.exe File created C:\Windows\SysWOW64\Cgcnghpl.exe Ceebklai.exe File created C:\Windows\SysWOW64\Hloiib32.exe Hmjlhfof.exe File created C:\Windows\SysWOW64\Lomgjb32.exe Lkakicam.exe File created C:\Windows\SysWOW64\Kgbioq32.dll Mbcoio32.exe File created C:\Windows\SysWOW64\Gpajfg32.dll Cgcnghpl.exe File created C:\Windows\SysWOW64\Cfpecqda.dll Meabakda.exe File created C:\Windows\SysWOW64\Fnofjfhk.exe Fgdnnl32.exe File created C:\Windows\SysWOW64\Cicalakk.exe Clpabm32.exe File created C:\Windows\SysWOW64\Deollamj.exe Dlfgcl32.exe File created C:\Windows\SysWOW64\Kcjjof32.dll Ehkhaqpk.exe File created C:\Windows\SysWOW64\Fgokeion.dll Inlkik32.exe File opened for modification C:\Windows\SysWOW64\Nncbdomg.exe Nhjjgd32.exe File created C:\Windows\SysWOW64\Bfomkg32.dll Hndlem32.exe File created C:\Windows\SysWOW64\Meoell32.exe Mbpipp32.exe File created C:\Windows\SysWOW64\Jpogbgmi.exe Jnpkflne.exe File opened for modification C:\Windows\SysWOW64\Pdmnam32.exe Panaeb32.exe File opened for modification C:\Windows\SysWOW64\Bckjhl32.exe Bjbeofpp.exe File created C:\Windows\SysWOW64\Fqdiga32.exe Fnflke32.exe File opened for modification C:\Windows\SysWOW64\Fcbecl32.exe Fqdiga32.exe File created C:\Windows\SysWOW64\Lhgccebd.dll Kocmim32.exe File opened for modification C:\Windows\SysWOW64\Efdhpjok.exe Epgphcqd.exe File opened for modification C:\Windows\SysWOW64\Hhhgcc32.exe Hdlkcdog.exe File created C:\Windows\SysWOW64\Enemcbio.dll Opqoge32.exe File created C:\Windows\SysWOW64\Ocaeoe32.dll Ijklknbn.exe File opened for modification C:\Windows\SysWOW64\Iipiljgf.exe Ijmipn32.exe File opened for modification C:\Windows\SysWOW64\Opfbngfb.exe Ohojmjep.exe File opened for modification C:\Windows\SysWOW64\Hqfaldbo.exe Hjlioj32.exe File opened for modification C:\Windows\SysWOW64\Ifjlcmmj.exe Iamdkfnc.exe File created C:\Windows\SysWOW64\Pipnmn32.dll Jedcpi32.exe File created C:\Windows\SysWOW64\Mdcagkgd.dll Hpjeialg.exe File created C:\Windows\SysWOW64\Hdlkcdog.exe Heikgh32.exe File created C:\Windows\SysWOW64\Bffbdadk.exe Boljgg32.exe File created C:\Windows\SysWOW64\Ojomdoof.exe Odedge32.exe File created C:\Windows\SysWOW64\Phlclgfc.exe Oemgplgo.exe File created C:\Windows\SysWOW64\Jinafidh.dll Nbbbdcgi.exe File created C:\Windows\SysWOW64\Opfbngfb.exe Ohojmjep.exe File created C:\Windows\SysWOW64\Akgddhmc.dll Ggnmbn32.exe File created C:\Windows\SysWOW64\Fkejcq32.exe Fbmfkkbm.exe File opened for modification C:\Windows\SysWOW64\Kohnoc32.exe Kljabgnh.exe File created C:\Windows\SysWOW64\Qqggnndf.dll Nfdkoc32.exe File opened for modification C:\Windows\SysWOW64\Bkpeci32.exe Biaign32.exe File opened for modification C:\Windows\SysWOW64\Lhpglecl.exe Lqipkhbj.exe File created C:\Windows\SysWOW64\Omakjj32.dll Ceebklai.exe File created C:\Windows\SysWOW64\Eiahmmdf.dll Kcamjb32.exe File created C:\Windows\SysWOW64\Accpqnab.dll Necogkbo.exe File opened for modification C:\Windows\SysWOW64\Lneaqn32.exe Lgkhdddo.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5260 5200 WerFault.exe 519 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmgpbf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpelnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iipiljgf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggkqmoma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lldmleam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oagoep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihpfgalh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odedge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opqoge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acfdnihk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjaddn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgaaah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnpciaef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Daipqhdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihhcbf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jplkmgol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljghjpfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhakcfab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Becpap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pleofj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfdkoc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aopahjll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpiqmlfm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deollamj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbigpn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdbdqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckhdggom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amcbankf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmjdaqgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbmfkkbm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meabakda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmejllia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Beackp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnldjekl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alnalh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpapaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eobchk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkeecogo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nedhjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijmipn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khoebi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cenljmgq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnkjnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilofhffj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnpkflne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boidnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eelkeeah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhjjgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijklknbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpogbgmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omqlpp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afjjed32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cicalakk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhknaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqipkhbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbifnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjcppidk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlfacfpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooicid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klpdaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khcomhbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aggiigmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbmcibjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adfqgl32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kcamjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohojmjep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfocegkg.dll" Eejopecj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phkckneq.dll" Mcjhmcok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pofkha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iedfqeka.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oemgplgo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kljabgnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedohngn.dll" Khabghdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjjeanhe.dll" Ceeieced.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhpemm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iedfqeka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimeai32.dll" Djgkii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kklkcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdpeiada.dll" Lhknaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlemad32.dll" Mqnifg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phlclgfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Imiigiab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbigpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epphbb32.dll" Khcomhbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjmagfog.dll" Qobbofgn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jlphbbbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmpbdm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hldlga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdnolfon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkepinpk.dll" Jgaiobjn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Meabakda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgkocj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfphcj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qkfocaki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mchoid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Popeif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fnofjfhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idejihgk.dll" Fjlmpfhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmoloenf.dll" Pebpkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kaajei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ofadnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gcokiaji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iijbfecp.dll" Jjbbpmgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lqqpgj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkbaii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cpiqmlfm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjcppidk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enemcbio.dll" Opqoge32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aomnhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hegnahjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckoelflc.dll" Jgdfdbhk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdjccf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lqncaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nplbqgdb.dll" Mlfacfpc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bceibfgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibanaibn.dll" Ggfnopfg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mqnifg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmcef32.dll" Qndkpmkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nbniid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnbnfb32.dll" Qhmcmk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijnbcmkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlqmmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icblnd32.dll" Nidmfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddfebnoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkqqnq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngealejo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfmacf32.dll" Hegnahjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjghm32.dll" Iipiljgf.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2404 wrote to memory of 2144 2404 6081ad013022c1880081e7a917e03d5b80938e62361ff2c72815902a0d45cbd2.exe 30 PID 2404 wrote to memory of 2144 2404 6081ad013022c1880081e7a917e03d5b80938e62361ff2c72815902a0d45cbd2.exe 30 PID 2404 wrote to memory of 2144 2404 6081ad013022c1880081e7a917e03d5b80938e62361ff2c72815902a0d45cbd2.exe 30 PID 2404 wrote to memory of 2144 2404 6081ad013022c1880081e7a917e03d5b80938e62361ff2c72815902a0d45cbd2.exe 30 PID 2144 wrote to memory of 1972 2144 Dcccpl32.exe 31 PID 2144 wrote to memory of 1972 2144 Dcccpl32.exe 31 PID 2144 wrote to memory of 1972 2144 Dcccpl32.exe 31 PID 2144 wrote to memory of 1972 2144 Dcccpl32.exe 31 PID 1972 wrote to memory of 1988 1972 Dinklffl.exe 32 PID 1972 wrote to memory of 1988 1972 Dinklffl.exe 32 PID 1972 wrote to memory of 1988 1972 Dinklffl.exe 32 PID 1972 wrote to memory of 1988 1972 Dinklffl.exe 32 PID 1988 wrote to memory of 2868 1988 Dpgcip32.exe 33 PID 1988 wrote to memory of 2868 1988 Dpgcip32.exe 33 PID 1988 wrote to memory of 2868 1988 Dpgcip32.exe 33 PID 1988 wrote to memory of 2868 1988 Dpgcip32.exe 33 PID 2868 wrote to memory of 2136 2868 Dcfpel32.exe 34 PID 2868 wrote to memory of 2136 2868 Dcfpel32.exe 34 PID 2868 wrote to memory of 2136 2868 Dcfpel32.exe 34 PID 2868 wrote to memory of 2136 2868 Dcfpel32.exe 34 PID 2136 wrote to memory of 2756 2136 Daipqhdg.exe 35 PID 2136 wrote to memory of 2756 2136 Daipqhdg.exe 35 PID 2136 wrote to memory of 2756 2136 Daipqhdg.exe 35 PID 2136 wrote to memory of 2756 2136 Daipqhdg.exe 35 PID 2756 wrote to memory of 2784 2756 Degiggjm.exe 36 PID 2756 wrote to memory of 2784 2756 Degiggjm.exe 36 PID 2756 wrote to memory of 2784 2756 Degiggjm.exe 36 PID 2756 wrote to memory of 2784 2756 Degiggjm.exe 36 PID 2784 wrote to memory of 2096 2784 Eoompl32.exe 37 PID 2784 wrote to memory of 2096 2784 Eoompl32.exe 37 PID 2784 wrote to memory of 2096 2784 Eoompl32.exe 37 PID 2784 wrote to memory of 2096 2784 Eoompl32.exe 37 PID 2096 wrote to memory of 1496 2096 Egjbdo32.exe 38 PID 2096 wrote to memory of 1496 2096 Egjbdo32.exe 38 PID 2096 wrote to memory of 1496 2096 Egjbdo32.exe 38 PID 2096 wrote to memory of 1496 2096 Egjbdo32.exe 38 PID 1496 wrote to memory of 796 1496 Eoajel32.exe 39 PID 1496 wrote to memory of 796 1496 Eoajel32.exe 39 PID 1496 wrote to memory of 796 1496 Eoajel32.exe 39 PID 1496 wrote to memory of 796 1496 Eoajel32.exe 39 PID 796 wrote to memory of 2796 796 Ekhkjm32.exe 40 PID 796 wrote to memory of 2796 796 Ekhkjm32.exe 40 PID 796 wrote to memory of 2796 796 Ekhkjm32.exe 40 PID 796 wrote to memory of 2796 796 Ekhkjm32.exe 40 PID 2796 wrote to memory of 2916 2796 Eabcggll.exe 41 PID 2796 wrote to memory of 2916 2796 Eabcggll.exe 41 PID 2796 wrote to memory of 2916 2796 Eabcggll.exe 41 PID 2796 wrote to memory of 2916 2796 Eabcggll.exe 41 PID 2916 wrote to memory of 2044 2916 Egokonjc.exe 42 PID 2916 wrote to memory of 2044 2916 Egokonjc.exe 42 PID 2916 wrote to memory of 2044 2916 Egokonjc.exe 42 PID 2916 wrote to memory of 2044 2916 Egokonjc.exe 42 PID 2044 wrote to memory of 2460 2044 Epgphcqd.exe 43 PID 2044 wrote to memory of 2460 2044 Epgphcqd.exe 43 PID 2044 wrote to memory of 2460 2044 Epgphcqd.exe 43 PID 2044 wrote to memory of 2460 2044 Epgphcqd.exe 43 PID 2460 wrote to memory of 316 2460 Efdhpjok.exe 44 PID 2460 wrote to memory of 316 2460 Efdhpjok.exe 44 PID 2460 wrote to memory of 316 2460 Efdhpjok.exe 44 PID 2460 wrote to memory of 316 2460 Efdhpjok.exe 44 PID 316 wrote to memory of 2464 316 Eqjmncna.exe 45 PID 316 wrote to memory of 2464 316 Eqjmncna.exe 45 PID 316 wrote to memory of 2464 316 Eqjmncna.exe 45 PID 316 wrote to memory of 2464 316 Eqjmncna.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\6081ad013022c1880081e7a917e03d5b80938e62361ff2c72815902a0d45cbd2.exe"C:\Users\Admin\AppData\Local\Temp\6081ad013022c1880081e7a917e03d5b80938e62361ff2c72815902a0d45cbd2.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Windows\SysWOW64\Dcccpl32.exeC:\Windows\system32\Dcccpl32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\SysWOW64\Dinklffl.exeC:\Windows\system32\Dinklffl.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1972 -
C:\Windows\SysWOW64\Dpgcip32.exeC:\Windows\system32\Dpgcip32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1988 -
C:\Windows\SysWOW64\Dcfpel32.exeC:\Windows\system32\Dcfpel32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Daipqhdg.exeC:\Windows\system32\Daipqhdg.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\SysWOW64\Degiggjm.exeC:\Windows\system32\Degiggjm.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Eoompl32.exeC:\Windows\system32\Eoompl32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Egjbdo32.exeC:\Windows\system32\Egjbdo32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Windows\SysWOW64\Eoajel32.exeC:\Windows\system32\Eoajel32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1496 -
C:\Windows\SysWOW64\Ekhkjm32.exeC:\Windows\system32\Ekhkjm32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:796 -
C:\Windows\SysWOW64\Eabcggll.exeC:\Windows\system32\Eabcggll.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\Egokonjc.exeC:\Windows\system32\Egokonjc.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\SysWOW64\Epgphcqd.exeC:\Windows\system32\Epgphcqd.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Windows\SysWOW64\Efdhpjok.exeC:\Windows\system32\Efdhpjok.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Windows\SysWOW64\Eqjmncna.exeC:\Windows\system32\Eqjmncna.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:316 -
C:\Windows\SysWOW64\Fchijone.exeC:\Windows\system32\Fchijone.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2464 -
C:\Windows\SysWOW64\Foojop32.exeC:\Windows\system32\Foojop32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:408 -
C:\Windows\SysWOW64\Fbmfkkbm.exeC:\Windows\system32\Fbmfkkbm.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3016 -
C:\Windows\SysWOW64\Fkejcq32.exeC:\Windows\system32\Fkejcq32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1884 -
C:\Windows\SysWOW64\Fdnolfon.exeC:\Windows\system32\Fdnolfon.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2164 -
C:\Windows\SysWOW64\Fkhgip32.exeC:\Windows\system32\Fkhgip32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2572 -
C:\Windows\SysWOW64\Fbbofjnh.exeC:\Windows\system32\Fbbofjnh.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1640 -
C:\Windows\SysWOW64\Fkjdopeh.exeC:\Windows\system32\Fkjdopeh.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2304 -
C:\Windows\SysWOW64\Fqglggcp.exeC:\Windows\system32\Fqglggcp.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:548 -
C:\Windows\SysWOW64\Fkmqdpce.exeC:\Windows\system32\Fkmqdpce.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3056 -
C:\Windows\SysWOW64\Gnkmqkbi.exeC:\Windows\system32\Gnkmqkbi.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1616 -
C:\Windows\SysWOW64\Gcheib32.exeC:\Windows\system32\Gcheib32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1264 -
C:\Windows\SysWOW64\Gkomjo32.exeC:\Windows\system32\Gkomjo32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2872 -
C:\Windows\SysWOW64\Ggfnopfg.exeC:\Windows\system32\Ggfnopfg.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2008 -
C:\Windows\SysWOW64\Gpabcbdb.exeC:\Windows\system32\Gpabcbdb.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2960 -
C:\Windows\SysWOW64\Gjfgqk32.exeC:\Windows\system32\Gjfgqk32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2904 -
C:\Windows\SysWOW64\Gcokiaji.exeC:\Windows\system32\Gcokiaji.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:2468 -
C:\Windows\SysWOW64\Gfmgelil.exeC:\Windows\system32\Gfmgelil.exe34⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Gmgpbf32.exeC:\Windows\system32\Gmgpbf32.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3024 -
C:\Windows\SysWOW64\Gpelnb32.exeC:\Windows\system32\Gpelnb32.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1508 -
C:\Windows\SysWOW64\Gbdhjm32.exeC:\Windows\system32\Gbdhjm32.exe37⤵
- Executes dropped EXE
PID:1084 -
C:\Windows\SysWOW64\Hebdfind.exeC:\Windows\system32\Hebdfind.exe38⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Hmjlhfof.exeC:\Windows\system32\Hmjlhfof.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1940 -
C:\Windows\SysWOW64\Hloiib32.exeC:\Windows\system32\Hloiib32.exe40⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Hpjeialg.exeC:\Windows\system32\Hpjeialg.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:896 -
C:\Windows\SysWOW64\Hegnahjo.exeC:\Windows\system32\Hegnahjo.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:2316 -
C:\Windows\SysWOW64\Heikgh32.exeC:\Windows\system32\Heikgh32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1056 -
C:\Windows\SysWOW64\Hdlkcdog.exeC:\Windows\system32\Hdlkcdog.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2084 -
C:\Windows\SysWOW64\Hhhgcc32.exeC:\Windows\system32\Hhhgcc32.exe45⤵
- Executes dropped EXE
PID:968 -
C:\Windows\SysWOW64\Hapklimq.exeC:\Windows\system32\Hapklimq.exe46⤵
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\Hndlem32.exeC:\Windows\system32\Hndlem32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1796 -
C:\Windows\SysWOW64\Idadnd32.exeC:\Windows\system32\Idadnd32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Ijklknbn.exeC:\Windows\system32\Ijklknbn.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2104 -
C:\Windows\SysWOW64\Imiigiab.exeC:\Windows\system32\Imiigiab.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:1280 -
C:\Windows\SysWOW64\Iphecepe.exeC:\Windows\system32\Iphecepe.exe51⤵PID:1736
-
C:\Windows\SysWOW64\Ibfaopoi.exeC:\Windows\system32\Ibfaopoi.exe52⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Ijmipn32.exeC:\Windows\system32\Ijmipn32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2840 -
C:\Windows\SysWOW64\Iipiljgf.exeC:\Windows\system32\Iipiljgf.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2744 -
C:\Windows\SysWOW64\Ilofhffj.exeC:\Windows\system32\Ilofhffj.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3060 -
C:\Windows\SysWOW64\Ibhndp32.exeC:\Windows\system32\Ibhndp32.exe56⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Ifdjeoep.exeC:\Windows\system32\Ifdjeoep.exe57⤵
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\Iibfajdc.exeC:\Windows\system32\Iibfajdc.exe58⤵
- Executes dropped EXE
PID:1444 -
C:\Windows\SysWOW64\Ioooiack.exeC:\Windows\system32\Ioooiack.exe59⤵
- Executes dropped EXE
PID:568 -
C:\Windows\SysWOW64\Ifffkncm.exeC:\Windows\system32\Ifffkncm.exe60⤵
- Executes dropped EXE
PID:532 -
C:\Windows\SysWOW64\Ieigfk32.exeC:\Windows\system32\Ieigfk32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\Ihhcbf32.exeC:\Windows\system32\Ihhcbf32.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1140 -
C:\Windows\SysWOW64\Ipokcdjn.exeC:\Windows\system32\Ipokcdjn.exe63⤵
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Ibmgpoia.exeC:\Windows\system32\Ibmgpoia.exe64⤵
- Executes dropped EXE
PID:836 -
C:\Windows\SysWOW64\Ielclkhe.exeC:\Windows\system32\Ielclkhe.exe65⤵
- Executes dropped EXE
PID:1260 -
C:\Windows\SysWOW64\Jhjphfgi.exeC:\Windows\system32\Jhjphfgi.exe66⤵
- Executes dropped EXE
PID:992 -
C:\Windows\SysWOW64\Jkhldafl.exeC:\Windows\system32\Jkhldafl.exe67⤵PID:864
-
C:\Windows\SysWOW64\Jodhdp32.exeC:\Windows\system32\Jodhdp32.exe68⤵PID:2320
-
C:\Windows\SysWOW64\Jabdql32.exeC:\Windows\system32\Jabdql32.exe69⤵PID:2444
-
C:\Windows\SysWOW64\Jdaqmg32.exeC:\Windows\system32\Jdaqmg32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2148 -
C:\Windows\SysWOW64\Jlhhndno.exeC:\Windows\system32\Jlhhndno.exe71⤵PID:2976
-
C:\Windows\SysWOW64\Jniefm32.exeC:\Windows\system32\Jniefm32.exe72⤵PID:2920
-
C:\Windows\SysWOW64\Jdcmbgkj.exeC:\Windows\system32\Jdcmbgkj.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2364 -
C:\Windows\SysWOW64\Jgaiobjn.exeC:\Windows\system32\Jgaiobjn.exe74⤵
- Drops file in System32 directory
- Modifies registry class
PID:2772 -
C:\Windows\SysWOW64\Jkmeoa32.exeC:\Windows\system32\Jkmeoa32.exe75⤵PID:2776
-
C:\Windows\SysWOW64\Jnkakl32.exeC:\Windows\system32\Jnkakl32.exe76⤵PID:1824
-
C:\Windows\SysWOW64\Jpjngh32.exeC:\Windows\system32\Jpjngh32.exe77⤵PID:1780
-
C:\Windows\SysWOW64\Jgdfdbhk.exeC:\Windows\system32\Jgdfdbhk.exe78⤵
- Modifies registry class
PID:2428 -
C:\Windows\SysWOW64\Jjbbpmgo.exeC:\Windows\system32\Jjbbpmgo.exe79⤵
- Modifies registry class
PID:2200 -
C:\Windows\SysWOW64\Jplkmgol.exeC:\Windows\system32\Jplkmgol.exe80⤵
- System Location Discovery: System Language Discovery
PID:2232 -
C:\Windows\SysWOW64\Jdhgnf32.exeC:\Windows\system32\Jdhgnf32.exe81⤵PID:1876
-
C:\Windows\SysWOW64\Jkbojpna.exeC:\Windows\system32\Jkbojpna.exe82⤵PID:2248
-
C:\Windows\SysWOW64\Jnpkflne.exeC:\Windows\system32\Jnpkflne.exe83⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2312 -
C:\Windows\SysWOW64\Jpogbgmi.exeC:\Windows\system32\Jpogbgmi.exe84⤵
- System Location Discovery: System Language Discovery
PID:2240 -
C:\Windows\SysWOW64\Kdjccf32.exeC:\Windows\system32\Kdjccf32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1996 -
C:\Windows\SysWOW64\Kcmcoblm.exeC:\Windows\system32\Kcmcoblm.exe86⤵PID:1704
-
C:\Windows\SysWOW64\Kjglkm32.exeC:\Windows\system32\Kjglkm32.exe87⤵PID:2216
-
C:\Windows\SysWOW64\Kpadhg32.exeC:\Windows\system32\Kpadhg32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2492 -
C:\Windows\SysWOW64\Kcopdb32.exeC:\Windows\system32\Kcopdb32.exe89⤵PID:2844
-
C:\Windows\SysWOW64\Kfnmpn32.exeC:\Windows\system32\Kfnmpn32.exe90⤵PID:3032
-
C:\Windows\SysWOW64\Khlili32.exeC:\Windows\system32\Khlili32.exe91⤵PID:2348
-
C:\Windows\SysWOW64\Kpcqnf32.exeC:\Windows\system32\Kpcqnf32.exe92⤵PID:2612
-
C:\Windows\SysWOW64\Kcamjb32.exeC:\Windows\system32\Kcamjb32.exe93⤵
- Drops file in System32 directory
- Modifies registry class
PID:2288 -
C:\Windows\SysWOW64\Kfpifm32.exeC:\Windows\system32\Kfpifm32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1368 -
C:\Windows\SysWOW64\Khoebi32.exeC:\Windows\system32\Khoebi32.exe95⤵
- System Location Discovery: System Language Discovery
PID:1788 -
C:\Windows\SysWOW64\Kljabgnh.exeC:\Windows\system32\Kljabgnh.exe96⤵
- Drops file in System32 directory
- Modifies registry class
PID:904 -
C:\Windows\SysWOW64\Kohnoc32.exeC:\Windows\system32\Kohnoc32.exe97⤵PID:2196
-
C:\Windows\SysWOW64\Kbgjkn32.exeC:\Windows\system32\Kbgjkn32.exe98⤵PID:2432
-
C:\Windows\SysWOW64\Kfbfkmeh.exeC:\Windows\system32\Kfbfkmeh.exe99⤵
- Drops file in System32 directory
PID:2624 -
C:\Windows\SysWOW64\Khabghdl.exeC:\Windows\system32\Khabghdl.exe100⤵
- Modifies registry class
PID:2340 -
C:\Windows\SysWOW64\Kkoncdcp.exeC:\Windows\system32\Kkoncdcp.exe101⤵PID:3028
-
C:\Windows\SysWOW64\Knnkpobc.exeC:\Windows\system32\Knnkpobc.exe102⤵PID:600
-
C:\Windows\SysWOW64\Kbigpn32.exeC:\Windows\system32\Kbigpn32.exe103⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1500 -
C:\Windows\SysWOW64\Khcomhbi.exeC:\Windows\system32\Khcomhbi.exe104⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2276 -
C:\Windows\SysWOW64\Lkakicam.exeC:\Windows\system32\Lkakicam.exe105⤵
- Drops file in System32 directory
PID:2336 -
C:\Windows\SysWOW64\Lomgjb32.exeC:\Windows\system32\Lomgjb32.exe106⤵PID:356
-
C:\Windows\SysWOW64\Lqncaj32.exeC:\Windows\system32\Lqncaj32.exe107⤵
- Modifies registry class
PID:768 -
C:\Windows\SysWOW64\Lhelbh32.exeC:\Windows\system32\Lhelbh32.exe108⤵PID:2668
-
C:\Windows\SysWOW64\Ljghjpfe.exeC:\Windows\system32\Ljghjpfe.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2688 -
C:\Windows\SysWOW64\Lqqpgj32.exeC:\Windows\system32\Lqqpgj32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2892 -
C:\Windows\SysWOW64\Lgkhdddo.exeC:\Windows\system32\Lgkhdddo.exe111⤵
- Drops file in System32 directory
PID:2988 -
C:\Windows\SysWOW64\Lneaqn32.exeC:\Windows\system32\Lneaqn32.exe112⤵PID:2532
-
C:\Windows\SysWOW64\Lmgalkcf.exeC:\Windows\system32\Lmgalkcf.exe113⤵PID:2764
-
C:\Windows\SysWOW64\Lqcmmjko.exeC:\Windows\system32\Lqcmmjko.exe114⤵PID:2480
-
C:\Windows\SysWOW64\Lfpeeqig.exeC:\Windows\system32\Lfpeeqig.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:840 -
C:\Windows\SysWOW64\Lngnfnji.exeC:\Windows\system32\Lngnfnji.exe116⤵PID:2472
-
C:\Windows\SysWOW64\Lqejbiim.exeC:\Windows\system32\Lqejbiim.exe117⤵PID:1448
-
C:\Windows\SysWOW64\Lcdfnehp.exeC:\Windows\system32\Lcdfnehp.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1576 -
C:\Windows\SysWOW64\Ljnnko32.exeC:\Windows\system32\Ljnnko32.exe119⤵PID:1352
-
C:\Windows\SysWOW64\Lqhfhigj.exeC:\Windows\system32\Lqhfhigj.exe120⤵PID:1792
-
C:\Windows\SysWOW64\Lokgcf32.exeC:\Windows\system32\Lokgcf32.exe121⤵PID:1708
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-