Analysis
-
max time kernel
118s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
07-12-2024 23:35
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
6c877082236f4df3b1174a6e3977f0e3f7c345fa517d5daf55018f6cc11049c7.exe
Resource
win7-20240729-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
6c877082236f4df3b1174a6e3977f0e3f7c345fa517d5daf55018f6cc11049c7.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
6c877082236f4df3b1174a6e3977f0e3f7c345fa517d5daf55018f6cc11049c7.exe
-
Size
113KB
-
MD5
89e01431fac78909ed079f6b0f10dea2
-
SHA1
c8a678d0da4ab01e89e7c7c2d7c6b16b4bfce962
-
SHA256
6c877082236f4df3b1174a6e3977f0e3f7c345fa517d5daf55018f6cc11049c7
-
SHA512
4f526074908d15132d3f43a4fe3b3951e6b8bc8254b08385bb57ed1a8acf339f280a84f0e5e0c4dc2efa2eaf5389fe2c168b2ef41bb5e778ec0efb2ef1a9b0d9
-
SSDEEP
1536:mGfAZsUQYxjAWkXAN/3/aOAO617DWkZFfScD7SzCbHWrAW8wTWiliX:1ASYxda7OAOuGkZFfFSebHWrH8wTW0
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pljnkodm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kihpmnbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkgifd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obcffefa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qpniokan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebknblho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkbnap32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfeeff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajjgei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpbkhabp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpgnoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cofofolh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dqfabdaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epcddopf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqeapo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hijhhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpfbegei.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Monhjgkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Koibpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lonlkcho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncipjieo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Empomd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnjnkkbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Occjjnap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eldbkbop.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpogiglp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkjhjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnhefh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdaojbjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eejjnhgc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joblkegc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kihpmnbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cccdjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Genlgnhd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnifaajh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqojhp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhgccbhp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdgkjopd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nccnlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Andjgidl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejdfqogm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkpnjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lofifi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcaafk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glckihcg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kiofnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cngcll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmclmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mehpga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfkjgm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eiciig32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjngbihn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meljbqna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nladco32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojceef32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pefhlcdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Coafko32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcggef32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adiaommc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Befnbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmidlmcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikfdkc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iianmlfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iifghk32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2728 Llbconkd.exe 2164 Loaokjjg.exe 2752 Lekghdad.exe 2744 Laahme32.exe 2652 Liipnb32.exe 2616 Lofifi32.exe 1808 Ladebd32.exe 2000 Lljipmdl.exe 1416 Lohelidp.exe 2804 Mgcjpkak.exe 408 Mojbaham.exe 1836 Mdgkjopd.exe 484 Mhcfjnhm.exe 1964 Mnpobefe.exe 2404 Mpnkopeh.exe 2516 Mkcplien.exe 1432 Mnblhddb.exe 896 Mdldeo32.exe 2896 Mgjpaj32.exe 2932 Mqbejp32.exe 1880 Mcaafk32.exe 2324 Nqeapo32.exe 1444 Nccnlk32.exe 1952 Nkobpmlo.exe 988 Ncfjajma.exe 2760 Nkaoemjm.exe 2860 Nbkgbg32.exe 2940 Noohlkpc.exe 2576 Nqpdcc32.exe 1620 Ndlpdbnj.exe 904 Ngjlpmnn.exe 3040 Ogliemkk.exe 2120 Ojkeah32.exe 584 Onfabgch.exe 2816 Occjjnap.exe 1084 Omlncc32.exe 2448 Opjkpo32.exe 1780 Ocefpnom.exe 780 Ofdclinq.exe 2368 Oaigib32.exe 2016 Oplgeoea.exe 1544 Olchjp32.exe 1480 Opodknco.exe 1676 Pndalkgf.exe 1600 Pfkimhhi.exe 1656 Penihe32.exe 2148 Ppcmfn32.exe 396 Padjmfdg.exe 2520 Pilbocej.exe 2216 Pljnkodm.exe 2696 Pbdfgilj.exe 2716 Pdecoa32.exe 2800 Pllkpn32.exe 1512 Paiche32.exe 1740 Pdhpdq32.exe 2636 Pnmdbi32.exe 2920 Palpneop.exe 848 Qjddgj32.exe 2440 Qigebglj.exe 2364 Qanmcdlm.exe 1156 Qdlipplq.exe 2460 Qjfalj32.exe 1584 Qiiahgjh.exe 1464 Qmenhe32.exe -
Loads dropped DLL 64 IoCs
pid Process 2412 6c877082236f4df3b1174a6e3977f0e3f7c345fa517d5daf55018f6cc11049c7.exe 2412 6c877082236f4df3b1174a6e3977f0e3f7c345fa517d5daf55018f6cc11049c7.exe 2728 Llbconkd.exe 2728 Llbconkd.exe 2164 Loaokjjg.exe 2164 Loaokjjg.exe 2752 Lekghdad.exe 2752 Lekghdad.exe 2744 Laahme32.exe 2744 Laahme32.exe 2652 Liipnb32.exe 2652 Liipnb32.exe 2616 Lofifi32.exe 2616 Lofifi32.exe 1808 Ladebd32.exe 1808 Ladebd32.exe 2000 Lljipmdl.exe 2000 Lljipmdl.exe 1416 Lohelidp.exe 1416 Lohelidp.exe 2804 Mgcjpkak.exe 2804 Mgcjpkak.exe 408 Mojbaham.exe 408 Mojbaham.exe 1836 Mdgkjopd.exe 1836 Mdgkjopd.exe 484 Mhcfjnhm.exe 484 Mhcfjnhm.exe 1964 Mnpobefe.exe 1964 Mnpobefe.exe 2404 Mpnkopeh.exe 2404 Mpnkopeh.exe 2516 Mkcplien.exe 2516 Mkcplien.exe 1432 Mnblhddb.exe 1432 Mnblhddb.exe 896 Mdldeo32.exe 896 Mdldeo32.exe 2896 Mgjpaj32.exe 2896 Mgjpaj32.exe 2932 Mqbejp32.exe 2932 Mqbejp32.exe 1880 Mcaafk32.exe 1880 Mcaafk32.exe 2324 Nqeapo32.exe 2324 Nqeapo32.exe 1444 Nccnlk32.exe 1444 Nccnlk32.exe 1952 Nkobpmlo.exe 1952 Nkobpmlo.exe 988 Ncfjajma.exe 988 Ncfjajma.exe 2760 Nkaoemjm.exe 2760 Nkaoemjm.exe 2860 Nbkgbg32.exe 2860 Nbkgbg32.exe 2940 Noohlkpc.exe 2940 Noohlkpc.exe 2576 Nqpdcc32.exe 2576 Nqpdcc32.exe 1620 Ndlpdbnj.exe 1620 Ndlpdbnj.exe 904 Ngjlpmnn.exe 904 Ngjlpmnn.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Lgdcgo32.dll Ncnjeh32.exe File created C:\Windows\SysWOW64\Cgqmpkfg.exe Cojeomee.exe File created C:\Windows\SysWOW64\Kllhoh32.dll Noohlkpc.exe File created C:\Windows\SysWOW64\Agmdmp32.dll Ocefpnom.exe File created C:\Windows\SysWOW64\Eaqkcimg.exe Enbogmnc.exe File created C:\Windows\SysWOW64\Faeihnam.dll Hdefnjkj.exe File created C:\Windows\SysWOW64\Ceipknjl.dll Iqapnjli.exe File created C:\Windows\SysWOW64\Cpcpnokb.dll Idohdhbo.exe File created C:\Windows\SysWOW64\Nacgfd32.dll Beadgdli.exe File created C:\Windows\SysWOW64\Cgjgol32.exe Cdkkcp32.exe File created C:\Windows\SysWOW64\Noohlkpc.exe Nbkgbg32.exe File opened for modification C:\Windows\SysWOW64\Pilbocej.exe Padjmfdg.exe File created C:\Windows\SysWOW64\Dkjpdcfj.exe Dmgoif32.exe File created C:\Windows\SysWOW64\Pnenhc32.dll Empomd32.exe File created C:\Windows\SysWOW64\Klfgipmk.dll Iianmlfn.exe File created C:\Windows\SysWOW64\Nklopg32.exe Nhmbdl32.exe File created C:\Windows\SysWOW64\Bflpbe32.dll Pjjkfe32.exe File created C:\Windows\SysWOW64\Ieqili32.dll Qpcjeaad.exe File created C:\Windows\SysWOW64\Cbnlbf32.dll Ebknblho.exe File created C:\Windows\SysWOW64\Nbihoo32.dll Ghaeoe32.exe File opened for modification C:\Windows\SysWOW64\Hqochjnk.exe Halcmn32.exe File created C:\Windows\SysWOW64\Bceeqi32.exe Bknmok32.exe File created C:\Windows\SysWOW64\Mnblhddb.exe Mkcplien.exe File created C:\Windows\SysWOW64\Qigebglj.exe Qjddgj32.exe File created C:\Windows\SysWOW64\Doabjbci.exe Dqobnf32.exe File created C:\Windows\SysWOW64\Lbpbbd32.dll Djdjalea.exe File opened for modification C:\Windows\SysWOW64\Imhqbkbm.exe Inepgn32.exe File created C:\Windows\SysWOW64\Aphdkpjd.dll Mobaef32.exe File opened for modification C:\Windows\SysWOW64\Onjgkf32.exe Ooggpiek.exe File created C:\Windows\SysWOW64\Oiahnnji.exe Oqkpmaif.exe File opened for modification C:\Windows\SysWOW64\Coafko32.exe Ckfjjqhd.exe File opened for modification C:\Windows\SysWOW64\Cbbomjnn.exe Cngcll32.exe File opened for modification C:\Windows\SysWOW64\Cqglng32.exe Cofofolh.exe File created C:\Windows\SysWOW64\Ccgnelll.exe Cpiaipmh.exe File created C:\Windows\SysWOW64\Dochelmj.exe Dkgldm32.exe File opened for modification C:\Windows\SysWOW64\Dhgccbhp.exe Dfhgggim.exe File created C:\Windows\SysWOW64\Fbaghgop.dll Bkhjamcf.exe File opened for modification C:\Windows\SysWOW64\Dfkjgm32.exe Dghjkpck.exe File created C:\Windows\SysWOW64\Joppeeif.exe Imacijjb.exe File created C:\Windows\SysWOW64\Apkihofl.exe Ammmlcgi.exe File created C:\Windows\SysWOW64\Allgoa32.exe Afpogk32.exe File created C:\Windows\SysWOW64\Ckfjjqhd.exe Bfiabjjm.exe File created C:\Windows\SysWOW64\Klmbjh32.exe Kiofnm32.exe File created C:\Windows\SysWOW64\Kmclmm32.exe Kihpmnbb.exe File created C:\Windows\SysWOW64\Leegbnan.exe Lbgkfbbj.exe File opened for modification C:\Windows\SysWOW64\Donojm32.exe Dlpbna32.exe File created C:\Windows\SysWOW64\Eccjdobp.dll Efjpkj32.exe File opened for modification C:\Windows\SysWOW64\Omlncc32.exe Occjjnap.exe File created C:\Windows\SysWOW64\Cmnfop32.dll Agkako32.exe File opened for modification C:\Windows\SysWOW64\Bkhjamcf.exe Bhjneadb.exe File created C:\Windows\SysWOW64\Hecebm32.exe Hagianlf.exe File created C:\Windows\SysWOW64\Icfbkded.exe Iokfjf32.exe File created C:\Windows\SysWOW64\Jgdinn32.dll Mhkfnlme.exe File created C:\Windows\SysWOW64\Cdokfc32.dll Obhpad32.exe File created C:\Windows\SysWOW64\Bknmok32.exe Blkmdodf.exe File created C:\Windows\SysWOW64\Djicmk32.exe Dbbklnpj.exe File created C:\Windows\SysWOW64\Dblknlpo.dll Hhoeii32.exe File created C:\Windows\SysWOW64\Hcdifa32.exe Hljaigmo.exe File opened for modification C:\Windows\SysWOW64\Ccqhdmbc.exe Cpbkhabp.exe File opened for modification C:\Windows\SysWOW64\Iblola32.exe Iomcpe32.exe File created C:\Windows\SysWOW64\Cahcle32.dll Khojcj32.exe File opened for modification C:\Windows\SysWOW64\Mhflcm32.exe Mehpga32.exe File opened for modification C:\Windows\SysWOW64\Okbapi32.exe Oggeokoq.exe File created C:\Windows\SysWOW64\Bgnjpcle.dll Baclaf32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5392 5252 WerFault.exe 575 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hofqpc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgfooe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imogcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Appbcn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abnopj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baclaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Padjmfdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akdafn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckhpejbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qpniokan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajldkhjh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnckki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mokkegmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nklopg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joppeeif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcmdjgbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggdekbgb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhoeii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kecjmodq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lofifi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkbnap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhflcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpjaodmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkgifd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhkbmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojceef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhmldfdm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nflfad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbbomjnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hagianlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Halcmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjjkfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocefpnom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Palpneop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Penihe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fipbhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcggef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meecaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlolnllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qldjdlgb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dochelmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkcplien.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckfjjqhd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icfbkded.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpfnckhe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooggpiek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phgannal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amjpgdik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lljipmdl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfebhmbm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgiked32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfeeff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pljnkodm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjnignob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpjmnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obhpad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chbihc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onfabgch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpebidam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofaolcmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdecoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jngilalk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpaehl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eejjnhgc.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Befnbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lohelidp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbkanohh.dll" Andjgidl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpebidam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdemhj32.dll" Ckomqopi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hqochjnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlobbi32.dll" Hhfkihon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qddcbgfn.dll" Maoalb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Befnbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elfkmcdp.dll" Ddbmcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pphjan32.dll" Ldpnoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mdgkjopd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Palpneop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fknbgb32.dll" Allgoa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpcfcddp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjngbihn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbnlaqhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chdccacf.dll" Lmcilp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oekehomj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhndnpnp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkcfjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ecgjdong.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bopffl32.dll" Bhbmip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgjpaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmebcgbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpdepqif.dll" Gigkbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odljflhj.dll" Nladco32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onjgkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpblmaab.dll" Amhcad32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Beogaenl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dqfabdaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Epnkip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oiahnnji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pllkpn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbbomjnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhnginii.dll" Gcppkbia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kimjhnnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kimjhnnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nklopg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nddcimag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpokpklp.dll" Ecgjdong.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efmlqigc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebcmfj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Egpena32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Occjjnap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nihkmh32.dll" Aaipghcn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfkjgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fenphjei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hljaigmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipbolili.dll" Pfqlkfoc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dnjalhpp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emgkhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fiebnjbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkbbalfd.dll" Amjpgdik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Albjnplq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdajpkkj.dll" Blkmdodf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Canoml32.dll" Chjjde32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkmefaan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjpgfbom.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhhiiloh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ogdhik32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oekehomj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Baclaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncolmkal.dll" Pljnkodm.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2412 wrote to memory of 2728 2412 6c877082236f4df3b1174a6e3977f0e3f7c345fa517d5daf55018f6cc11049c7.exe 31 PID 2412 wrote to memory of 2728 2412 6c877082236f4df3b1174a6e3977f0e3f7c345fa517d5daf55018f6cc11049c7.exe 31 PID 2412 wrote to memory of 2728 2412 6c877082236f4df3b1174a6e3977f0e3f7c345fa517d5daf55018f6cc11049c7.exe 31 PID 2412 wrote to memory of 2728 2412 6c877082236f4df3b1174a6e3977f0e3f7c345fa517d5daf55018f6cc11049c7.exe 31 PID 2728 wrote to memory of 2164 2728 Llbconkd.exe 32 PID 2728 wrote to memory of 2164 2728 Llbconkd.exe 32 PID 2728 wrote to memory of 2164 2728 Llbconkd.exe 32 PID 2728 wrote to memory of 2164 2728 Llbconkd.exe 32 PID 2164 wrote to memory of 2752 2164 Loaokjjg.exe 33 PID 2164 wrote to memory of 2752 2164 Loaokjjg.exe 33 PID 2164 wrote to memory of 2752 2164 Loaokjjg.exe 33 PID 2164 wrote to memory of 2752 2164 Loaokjjg.exe 33 PID 2752 wrote to memory of 2744 2752 Lekghdad.exe 34 PID 2752 wrote to memory of 2744 2752 Lekghdad.exe 34 PID 2752 wrote to memory of 2744 2752 Lekghdad.exe 34 PID 2752 wrote to memory of 2744 2752 Lekghdad.exe 34 PID 2744 wrote to memory of 2652 2744 Laahme32.exe 35 PID 2744 wrote to memory of 2652 2744 Laahme32.exe 35 PID 2744 wrote to memory of 2652 2744 Laahme32.exe 35 PID 2744 wrote to memory of 2652 2744 Laahme32.exe 35 PID 2652 wrote to memory of 2616 2652 Liipnb32.exe 36 PID 2652 wrote to memory of 2616 2652 Liipnb32.exe 36 PID 2652 wrote to memory of 2616 2652 Liipnb32.exe 36 PID 2652 wrote to memory of 2616 2652 Liipnb32.exe 36 PID 2616 wrote to memory of 1808 2616 Lofifi32.exe 37 PID 2616 wrote to memory of 1808 2616 Lofifi32.exe 37 PID 2616 wrote to memory of 1808 2616 Lofifi32.exe 37 PID 2616 wrote to memory of 1808 2616 Lofifi32.exe 37 PID 1808 wrote to memory of 2000 1808 Ladebd32.exe 38 PID 1808 wrote to memory of 2000 1808 Ladebd32.exe 38 PID 1808 wrote to memory of 2000 1808 Ladebd32.exe 38 PID 1808 wrote to memory of 2000 1808 Ladebd32.exe 38 PID 2000 wrote to memory of 1416 2000 Lljipmdl.exe 39 PID 2000 wrote to memory of 1416 2000 Lljipmdl.exe 39 PID 2000 wrote to memory of 1416 2000 Lljipmdl.exe 39 PID 2000 wrote to memory of 1416 2000 Lljipmdl.exe 39 PID 1416 wrote to memory of 2804 1416 Lohelidp.exe 40 PID 1416 wrote to memory of 2804 1416 Lohelidp.exe 40 PID 1416 wrote to memory of 2804 1416 Lohelidp.exe 40 PID 1416 wrote to memory of 2804 1416 Lohelidp.exe 40 PID 2804 wrote to memory of 408 2804 Mgcjpkak.exe 41 PID 2804 wrote to memory of 408 2804 Mgcjpkak.exe 41 PID 2804 wrote to memory of 408 2804 Mgcjpkak.exe 41 PID 2804 wrote to memory of 408 2804 Mgcjpkak.exe 41 PID 408 wrote to memory of 1836 408 Mojbaham.exe 42 PID 408 wrote to memory of 1836 408 Mojbaham.exe 42 PID 408 wrote to memory of 1836 408 Mojbaham.exe 42 PID 408 wrote to memory of 1836 408 Mojbaham.exe 42 PID 1836 wrote to memory of 484 1836 Mdgkjopd.exe 43 PID 1836 wrote to memory of 484 1836 Mdgkjopd.exe 43 PID 1836 wrote to memory of 484 1836 Mdgkjopd.exe 43 PID 1836 wrote to memory of 484 1836 Mdgkjopd.exe 43 PID 484 wrote to memory of 1964 484 Mhcfjnhm.exe 44 PID 484 wrote to memory of 1964 484 Mhcfjnhm.exe 44 PID 484 wrote to memory of 1964 484 Mhcfjnhm.exe 44 PID 484 wrote to memory of 1964 484 Mhcfjnhm.exe 44 PID 1964 wrote to memory of 2404 1964 Mnpobefe.exe 45 PID 1964 wrote to memory of 2404 1964 Mnpobefe.exe 45 PID 1964 wrote to memory of 2404 1964 Mnpobefe.exe 45 PID 1964 wrote to memory of 2404 1964 Mnpobefe.exe 45 PID 2404 wrote to memory of 2516 2404 Mpnkopeh.exe 46 PID 2404 wrote to memory of 2516 2404 Mpnkopeh.exe 46 PID 2404 wrote to memory of 2516 2404 Mpnkopeh.exe 46 PID 2404 wrote to memory of 2516 2404 Mpnkopeh.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\6c877082236f4df3b1174a6e3977f0e3f7c345fa517d5daf55018f6cc11049c7.exe"C:\Users\Admin\AppData\Local\Temp\6c877082236f4df3b1174a6e3977f0e3f7c345fa517d5daf55018f6cc11049c7.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\Llbconkd.exeC:\Windows\system32\Llbconkd.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Loaokjjg.exeC:\Windows\system32\Loaokjjg.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SysWOW64\Lekghdad.exeC:\Windows\system32\Lekghdad.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Laahme32.exeC:\Windows\system32\Laahme32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\Liipnb32.exeC:\Windows\system32\Liipnb32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Lofifi32.exeC:\Windows\system32\Lofifi32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Ladebd32.exeC:\Windows\system32\Ladebd32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1808 -
C:\Windows\SysWOW64\Lljipmdl.exeC:\Windows\system32\Lljipmdl.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Windows\SysWOW64\Lohelidp.exeC:\Windows\system32\Lohelidp.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1416 -
C:\Windows\SysWOW64\Mgcjpkak.exeC:\Windows\system32\Mgcjpkak.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Mojbaham.exeC:\Windows\system32\Mojbaham.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:408 -
C:\Windows\SysWOW64\Mdgkjopd.exeC:\Windows\system32\Mdgkjopd.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1836 -
C:\Windows\SysWOW64\Mhcfjnhm.exeC:\Windows\system32\Mhcfjnhm.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:484 -
C:\Windows\SysWOW64\Mnpobefe.exeC:\Windows\system32\Mnpobefe.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Windows\SysWOW64\Mpnkopeh.exeC:\Windows\system32\Mpnkopeh.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Windows\SysWOW64\Mkcplien.exeC:\Windows\system32\Mkcplien.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2516 -
C:\Windows\SysWOW64\Mnblhddb.exeC:\Windows\system32\Mnblhddb.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1432 -
C:\Windows\SysWOW64\Mdldeo32.exeC:\Windows\system32\Mdldeo32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:896 -
C:\Windows\SysWOW64\Mgjpaj32.exeC:\Windows\system32\Mgjpaj32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2896 -
C:\Windows\SysWOW64\Mqbejp32.exeC:\Windows\system32\Mqbejp32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2932 -
C:\Windows\SysWOW64\Mcaafk32.exeC:\Windows\system32\Mcaafk32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1880 -
C:\Windows\SysWOW64\Nqeapo32.exeC:\Windows\system32\Nqeapo32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2324 -
C:\Windows\SysWOW64\Nccnlk32.exeC:\Windows\system32\Nccnlk32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1444 -
C:\Windows\SysWOW64\Nkobpmlo.exeC:\Windows\system32\Nkobpmlo.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1952 -
C:\Windows\SysWOW64\Ncfjajma.exeC:\Windows\system32\Ncfjajma.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:988 -
C:\Windows\SysWOW64\Nkaoemjm.exeC:\Windows\system32\Nkaoemjm.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2760 -
C:\Windows\SysWOW64\Nbkgbg32.exeC:\Windows\system32\Nbkgbg32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2860 -
C:\Windows\SysWOW64\Noohlkpc.exeC:\Windows\system32\Noohlkpc.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2940 -
C:\Windows\SysWOW64\Nqpdcc32.exeC:\Windows\system32\Nqpdcc32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2576 -
C:\Windows\SysWOW64\Ndlpdbnj.exeC:\Windows\system32\Ndlpdbnj.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1620 -
C:\Windows\SysWOW64\Ngjlpmnn.exeC:\Windows\system32\Ngjlpmnn.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:904 -
C:\Windows\SysWOW64\Ogliemkk.exeC:\Windows\system32\Ogliemkk.exe33⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Ojkeah32.exeC:\Windows\system32\Ojkeah32.exe34⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Onfabgch.exeC:\Windows\system32\Onfabgch.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:584 -
C:\Windows\SysWOW64\Occjjnap.exeC:\Windows\system32\Occjjnap.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2816 -
C:\Windows\SysWOW64\Omlncc32.exeC:\Windows\system32\Omlncc32.exe37⤵
- Executes dropped EXE
PID:1084 -
C:\Windows\SysWOW64\Opjkpo32.exeC:\Windows\system32\Opjkpo32.exe38⤵
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\Ocefpnom.exeC:\Windows\system32\Ocefpnom.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1780 -
C:\Windows\SysWOW64\Ofdclinq.exeC:\Windows\system32\Ofdclinq.exe40⤵
- Executes dropped EXE
PID:780 -
C:\Windows\SysWOW64\Oaigib32.exeC:\Windows\system32\Oaigib32.exe41⤵
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Oplgeoea.exeC:\Windows\system32\Oplgeoea.exe42⤵
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\Olchjp32.exeC:\Windows\system32\Olchjp32.exe43⤵
- Executes dropped EXE
PID:1544 -
C:\Windows\SysWOW64\Opodknco.exeC:\Windows\system32\Opodknco.exe44⤵
- Executes dropped EXE
PID:1480 -
C:\Windows\SysWOW64\Pndalkgf.exeC:\Windows\system32\Pndalkgf.exe45⤵
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Pfkimhhi.exeC:\Windows\system32\Pfkimhhi.exe46⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Penihe32.exeC:\Windows\system32\Penihe32.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1656 -
C:\Windows\SysWOW64\Ppcmfn32.exeC:\Windows\system32\Ppcmfn32.exe48⤵
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Padjmfdg.exeC:\Windows\system32\Padjmfdg.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:396 -
C:\Windows\SysWOW64\Pilbocej.exeC:\Windows\system32\Pilbocej.exe50⤵
- Executes dropped EXE
PID:2520 -
C:\Windows\SysWOW64\Pljnkodm.exeC:\Windows\system32\Pljnkodm.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2216 -
C:\Windows\SysWOW64\Pbdfgilj.exeC:\Windows\system32\Pbdfgilj.exe52⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Pdecoa32.exeC:\Windows\system32\Pdecoa32.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2716 -
C:\Windows\SysWOW64\Pllkpn32.exeC:\Windows\system32\Pllkpn32.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2800 -
C:\Windows\SysWOW64\Paiche32.exeC:\Windows\system32\Paiche32.exe55⤵
- Executes dropped EXE
PID:1512 -
C:\Windows\SysWOW64\Pdhpdq32.exeC:\Windows\system32\Pdhpdq32.exe56⤵
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Pnmdbi32.exeC:\Windows\system32\Pnmdbi32.exe57⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Palpneop.exeC:\Windows\system32\Palpneop.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2920 -
C:\Windows\SysWOW64\Qjddgj32.exeC:\Windows\system32\Qjddgj32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:848 -
C:\Windows\SysWOW64\Qigebglj.exeC:\Windows\system32\Qigebglj.exe60⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Qanmcdlm.exeC:\Windows\system32\Qanmcdlm.exe61⤵
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Qdlipplq.exeC:\Windows\system32\Qdlipplq.exe62⤵
- Executes dropped EXE
PID:1156 -
C:\Windows\SysWOW64\Qjfalj32.exeC:\Windows\system32\Qjfalj32.exe63⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Qiiahgjh.exeC:\Windows\system32\Qiiahgjh.exe64⤵
- Executes dropped EXE
PID:1584 -
C:\Windows\SysWOW64\Qmenhe32.exeC:\Windows\system32\Qmenhe32.exe65⤵
- Executes dropped EXE
PID:1464 -
C:\Windows\SysWOW64\Qpcjeaad.exeC:\Windows\system32\Qpcjeaad.exe66⤵
- Drops file in System32 directory
PID:2316 -
C:\Windows\SysWOW64\Aepbmhpl.exeC:\Windows\system32\Aepbmhpl.exe67⤵PID:2492
-
C:\Windows\SysWOW64\Aiknnf32.exeC:\Windows\system32\Aiknnf32.exe68⤵PID:2072
-
C:\Windows\SysWOW64\Amgjnepn.exeC:\Windows\system32\Amgjnepn.exe69⤵PID:2580
-
C:\Windows\SysWOW64\Aljjjb32.exeC:\Windows\system32\Aljjjb32.exe70⤵PID:2976
-
C:\Windows\SysWOW64\Aohgfm32.exeC:\Windows\system32\Aohgfm32.exe71⤵PID:2908
-
C:\Windows\SysWOW64\Afpogk32.exeC:\Windows\system32\Afpogk32.exe72⤵
- Drops file in System32 directory
PID:2640 -
C:\Windows\SysWOW64\Allgoa32.exeC:\Windows\system32\Allgoa32.exe73⤵
- Modifies registry class
PID:3020 -
C:\Windows\SysWOW64\Aokckm32.exeC:\Windows\system32\Aokckm32.exe74⤵PID:2756
-
C:\Windows\SysWOW64\Aaipghcn.exeC:\Windows\system32\Aaipghcn.exe75⤵
- Modifies registry class
PID:2892 -
C:\Windows\SysWOW64\Aipgifcp.exeC:\Windows\system32\Aipgifcp.exe76⤵PID:2076
-
C:\Windows\SysWOW64\Alodeacc.exeC:\Windows\system32\Alodeacc.exe77⤵PID:1244
-
C:\Windows\SysWOW64\Aompambg.exeC:\Windows\system32\Aompambg.exe78⤵PID:2468
-
C:\Windows\SysWOW64\Aaklmhak.exeC:\Windows\system32\Aaklmhak.exe79⤵PID:2252
-
C:\Windows\SysWOW64\Aeghng32.exeC:\Windows\system32\Aeghng32.exe80⤵PID:1268
-
C:\Windows\SysWOW64\Adjhicpo.exeC:\Windows\system32\Adjhicpo.exe81⤵PID:292
-
C:\Windows\SysWOW64\Akdafn32.exeC:\Windows\system32\Akdafn32.exe82⤵
- System Location Discovery: System Language Discovery
PID:2540 -
C:\Windows\SysWOW64\Anbmbi32.exeC:\Windows\system32\Anbmbi32.exe83⤵PID:2484
-
C:\Windows\SysWOW64\Aeiecfga.exeC:\Windows\system32\Aeiecfga.exe84⤵PID:2840
-
C:\Windows\SysWOW64\Ahhaobfe.exeC:\Windows\system32\Ahhaobfe.exe85⤵PID:3008
-
C:\Windows\SysWOW64\Agkako32.exeC:\Windows\system32\Agkako32.exe86⤵
- Drops file in System32 directory
PID:2588 -
C:\Windows\SysWOW64\Andjgidl.exeC:\Windows\system32\Andjgidl.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2240 -
C:\Windows\SysWOW64\Bpcfcddp.exeC:\Windows\system32\Bpcfcddp.exe88⤵
- Modifies registry class
PID:1984 -
C:\Windows\SysWOW64\Bhjneadb.exeC:\Windows\system32\Bhjneadb.exe89⤵
- Drops file in System32 directory
PID:2796 -
C:\Windows\SysWOW64\Bkhjamcf.exeC:\Windows\system32\Bkhjamcf.exe90⤵
- Drops file in System32 directory
PID:624 -
C:\Windows\SysWOW64\Bngfmhbj.exeC:\Windows\system32\Bngfmhbj.exe91⤵PID:1804
-
C:\Windows\SysWOW64\Bpebidam.exeC:\Windows\system32\Bpebidam.exe92⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3056 -
C:\Windows\SysWOW64\Bdaojbjf.exeC:\Windows\system32\Bdaojbjf.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1280 -
C:\Windows\SysWOW64\Bccoeo32.exeC:\Windows\system32\Bccoeo32.exe94⤵PID:560
-
C:\Windows\SysWOW64\Bjngbihn.exeC:\Windows\system32\Bjngbihn.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2084 -
C:\Windows\SysWOW64\Bnicbh32.exeC:\Windows\system32\Bnicbh32.exe96⤵PID:2320
-
C:\Windows\SysWOW64\Bdckobhd.exeC:\Windows\system32\Bdckobhd.exe97⤵PID:1448
-
C:\Windows\SysWOW64\Bgahkngh.exeC:\Windows\system32\Bgahkngh.exe98⤵PID:2884
-
C:\Windows\SysWOW64\Bedhgj32.exeC:\Windows\system32\Bedhgj32.exe99⤵PID:2888
-
C:\Windows\SysWOW64\Bnlphh32.exeC:\Windows\system32\Bnlphh32.exe100⤵PID:2568
-
C:\Windows\SysWOW64\Bchhqo32.exeC:\Windows\system32\Bchhqo32.exe101⤵PID:2500
-
C:\Windows\SysWOW64\Bgddam32.exeC:\Windows\system32\Bgddam32.exe102⤵PID:852
-
C:\Windows\SysWOW64\Bheaiekc.exeC:\Windows\system32\Bheaiekc.exe103⤵PID:552
-
C:\Windows\SysWOW64\Blqmid32.exeC:\Windows\system32\Blqmid32.exe104⤵PID:2344
-
C:\Windows\SysWOW64\Bplijcle.exeC:\Windows\system32\Bplijcle.exe105⤵PID:320
-
C:\Windows\SysWOW64\Bckefnki.exeC:\Windows\system32\Bckefnki.exe106⤵PID:2136
-
C:\Windows\SysWOW64\Baneak32.exeC:\Windows\system32\Baneak32.exe107⤵PID:2872
-
C:\Windows\SysWOW64\Bfiabjjm.exeC:\Windows\system32\Bfiabjjm.exe108⤵
- Drops file in System32 directory
PID:2992 -
C:\Windows\SysWOW64\Ckfjjqhd.exeC:\Windows\system32\Ckfjjqhd.exe109⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2672 -
C:\Windows\SysWOW64\Coafko32.exeC:\Windows\system32\Coafko32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1500 -
C:\Windows\SysWOW64\Cdnncfoe.exeC:\Windows\system32\Cdnncfoe.exe111⤵PID:2820
-
C:\Windows\SysWOW64\Chjjde32.exeC:\Windows\system32\Chjjde32.exe112⤵
- Modifies registry class
PID:2100 -
C:\Windows\SysWOW64\Codbqonk.exeC:\Windows\system32\Codbqonk.exe113⤵PID:2168
-
C:\Windows\SysWOW64\Cngcll32.exeC:\Windows\system32\Cngcll32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2784 -
C:\Windows\SysWOW64\Cbbomjnn.exeC:\Windows\system32\Cbbomjnn.exe115⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1020 -
C:\Windows\SysWOW64\Cdqkifmb.exeC:\Windows\system32\Cdqkifmb.exe116⤵PID:3064
-
C:\Windows\SysWOW64\Chlgid32.exeC:\Windows\system32\Chlgid32.exe117⤵PID:1472
-
C:\Windows\SysWOW64\Cofofolh.exeC:\Windows\system32\Cofofolh.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1764 -
C:\Windows\SysWOW64\Cqglng32.exeC:\Windows\system32\Cqglng32.exe119⤵PID:1320
-
C:\Windows\SysWOW64\Cdchneko.exeC:\Windows\system32\Cdchneko.exe120⤵PID:2608
-
C:\Windows\SysWOW64\Cgadja32.exeC:\Windows\system32\Cgadja32.exe121⤵PID:2200
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-