Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
07-12-2024 21:22
Behavioral task
behavioral1
Sample
33072e7e4029f749519f5003d03ddc8c699958ae8b6d71e36f6745f8d1fa07da.exe
Resource
win7-20241010-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
33072e7e4029f749519f5003d03ddc8c699958ae8b6d71e36f6745f8d1fa07da.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
33072e7e4029f749519f5003d03ddc8c699958ae8b6d71e36f6745f8d1fa07da.exe
-
Size
395KB
-
MD5
f7b838eb6ed156861f78e28531a766e5
-
SHA1
dd661aaf87cc40de09f70e8cffa14fa642ab4224
-
SHA256
33072e7e4029f749519f5003d03ddc8c699958ae8b6d71e36f6745f8d1fa07da
-
SHA512
b33396cae84bb4ef4d8eedc0ef306072f6d8e22b0e3b4357939fd5789c17f7cddfc047a2b874ede0d131d0ddf5f96ca0c9ab3bc3a37e1bdc97aa601f655b1c54
-
SSDEEP
6144:Ya0Lr/is4y70u4HXs4yr0u490u4Ds4yvW8lM:5wV4O0dHc4i0d90dA4X
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjdfjo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pghfnc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnglnj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oaigib32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alodeacc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldmaijdc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qdaglmcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjcaimgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hinbppna.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Faonom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ioeclg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnflae32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jihdnk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkjdopeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abegfa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Popgboae.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcqlkjae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iakgefqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjfnomde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdphjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ladebd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehkcpc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbdmeoob.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dldkmlhl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fepjea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emoldlmc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nggipg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfnoegaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eepmlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohfcfb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elkofg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnpobefe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebfqfpop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnfhqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbjdjjdn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Depbfhpe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olebgfao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joblkegc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbjpil32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpcpdfhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcdldknm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmcilp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Daipqhdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmojkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjegog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlmnogkl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amgjnepn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdjcjf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Allefimb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opfegp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ainkcf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdjoii32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofobgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfnoegaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njdqka32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgcnghpl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjpceebh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkelpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgpgjepk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qlgkki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkhhhd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfjhbo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjbmelgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gqnbhf32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 1288 Pdldnomh.exe 2316 Qjhmfekp.exe 2240 Qqbecp32.exe 2972 Amnocpdk.exe 2996 Abmdafpp.exe 2692 Agjmim32.exe 2552 Bccjdnbi.exe 3044 Bbjdjjdn.exe 2492 Bjallg32.exe 3036 Cbajkiof.exe 2756 Cikbhc32.exe 1084 Cedpbd32.exe 2764 Cffljlpc.exe 536 Dpqnhadq.exe 272 Dkfbfjdf.exe 2008 Dlgnmb32.exe 1488 Dbafjlaa.exe 1712 Depbfhpe.exe 1524 Dljkcb32.exe 1688 Dohgomgf.exe 2612 Dgoopkgh.exe 396 Dhplhc32.exe 1916 Dpgcip32.exe 304 Daipqhdg.exe 2152 Dlndnacm.exe 1572 Domqjm32.exe 2176 Ddiibc32.exe 2400 Elqaca32.exe 2156 Eoompl32.exe 2820 Eamilh32.exe 2784 Ehgbhbgn.exe 2740 Ekfndmfb.exe 2544 Eapfagno.exe 1472 Ehjona32.exe 3048 Ekhkjm32.exe 2196 Eabcggll.exe 3032 Edqocbkp.exe 1696 Egokonjc.exe 1668 Elldgehk.exe 1788 Egahen32.exe 2376 Enkpahon.exe 1780 Eolmip32.exe 564 Fgcejm32.exe 2088 Fheabelm.exe 1768 Foojop32.exe 2636 Ffibkj32.exe 2248 Fkejcq32.exe 2236 Fbpbpkpj.exe 2696 Fhikme32.exe 2680 Foccjood.exe 2620 Fdpkbf32.exe 2224 Fkjdopeh.exe 2276 Fqglggcp.exe 1660 Fgadda32.exe 2648 Gnkmqkbi.exe 1496 Gcheib32.exe 1332 Gjbmelgm.exe 2084 Gegabegc.exe 928 Ggfnopfg.exe 1544 Gqnbhf32.exe 2160 Gcmoda32.exe 2076 Gjfgqk32.exe 2664 Gaqomeke.exe 3064 Gfmgelil.exe -
Loads dropped DLL 64 IoCs
pid Process 2520 33072e7e4029f749519f5003d03ddc8c699958ae8b6d71e36f6745f8d1fa07da.exe 2520 33072e7e4029f749519f5003d03ddc8c699958ae8b6d71e36f6745f8d1fa07da.exe 1288 Pdldnomh.exe 1288 Pdldnomh.exe 2316 Qjhmfekp.exe 2316 Qjhmfekp.exe 2240 Qqbecp32.exe 2240 Qqbecp32.exe 2972 Amnocpdk.exe 2972 Amnocpdk.exe 2996 Abmdafpp.exe 2996 Abmdafpp.exe 2692 Agjmim32.exe 2692 Agjmim32.exe 2552 Bccjdnbi.exe 2552 Bccjdnbi.exe 3044 Bbjdjjdn.exe 3044 Bbjdjjdn.exe 2492 Bjallg32.exe 2492 Bjallg32.exe 3036 Cbajkiof.exe 3036 Cbajkiof.exe 2756 Cikbhc32.exe 2756 Cikbhc32.exe 1084 Cedpbd32.exe 1084 Cedpbd32.exe 2764 Cffljlpc.exe 2764 Cffljlpc.exe 536 Dpqnhadq.exe 536 Dpqnhadq.exe 272 Dkfbfjdf.exe 272 Dkfbfjdf.exe 2008 Dlgnmb32.exe 2008 Dlgnmb32.exe 1488 Dbafjlaa.exe 1488 Dbafjlaa.exe 1712 Depbfhpe.exe 1712 Depbfhpe.exe 1524 Dljkcb32.exe 1524 Dljkcb32.exe 1688 Dohgomgf.exe 1688 Dohgomgf.exe 2612 Dgoopkgh.exe 2612 Dgoopkgh.exe 396 Dhplhc32.exe 396 Dhplhc32.exe 1916 Dpgcip32.exe 1916 Dpgcip32.exe 304 Daipqhdg.exe 304 Daipqhdg.exe 2152 Dlndnacm.exe 2152 Dlndnacm.exe 1572 Domqjm32.exe 1572 Domqjm32.exe 2176 Ddiibc32.exe 2176 Ddiibc32.exe 2400 Elqaca32.exe 2400 Elqaca32.exe 2156 Eoompl32.exe 2156 Eoompl32.exe 2820 Eamilh32.exe 2820 Eamilh32.exe 2784 Ehgbhbgn.exe 2784 Ehgbhbgn.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Gckobc32.dll Gaagcpdl.exe File created C:\Windows\SysWOW64\Knpkmqgb.dll Bjallg32.exe File created C:\Windows\SysWOW64\Dpqnhadq.exe Cffljlpc.exe File created C:\Windows\SysWOW64\Pabgjc32.dll Ilofhffj.exe File created C:\Windows\SysWOW64\Llkcqmgj.dll Nbpeoc32.exe File created C:\Windows\SysWOW64\Fjlmpfhg.exe Fcbecl32.exe File opened for modification C:\Windows\SysWOW64\Gncldi32.exe Gdkgkcpq.exe File created C:\Windows\SysWOW64\Hcgjmo32.exe Hahnac32.exe File created C:\Windows\SysWOW64\Ambnnc32.dll Cbajkiof.exe File opened for modification C:\Windows\SysWOW64\Mbpipp32.exe Mgjebg32.exe File opened for modification C:\Windows\SysWOW64\Aqonbm32.exe Aihfap32.exe File opened for modification C:\Windows\SysWOW64\Eppcmncq.exe Eejopecj.exe File created C:\Windows\SysWOW64\Hclfag32.exe Hifbdnbi.exe File opened for modification C:\Windows\SysWOW64\Diqmcgca.exe Dbgdgm32.exe File created C:\Windows\SysWOW64\Dkjgfien.dll Jfjhbo32.exe File opened for modification C:\Windows\SysWOW64\Jkmeoa32.exe Jdcmbgkj.exe File created C:\Windows\SysWOW64\Aihfap32.exe Afjjed32.exe File opened for modification C:\Windows\SysWOW64\Dhpemm32.exe Dphmloih.exe File opened for modification C:\Windows\SysWOW64\Hmoofdea.exe Hcgjmo32.exe File created C:\Windows\SysWOW64\Hmmdin32.exe Hklhae32.exe File opened for modification C:\Windows\SysWOW64\Mdldeo32.exe Mnblhddb.exe File created C:\Windows\SysWOW64\Gnklmfhi.dll Fbimkpmm.exe File opened for modification C:\Windows\SysWOW64\Joblkegc.exe Jihdnk32.exe File created C:\Windows\SysWOW64\Onkckhkp.dll Loclai32.exe File opened for modification C:\Windows\SysWOW64\Hmjlhfof.exe Hfpdkl32.exe File opened for modification C:\Windows\SysWOW64\Mgjebg32.exe Melifl32.exe File opened for modification C:\Windows\SysWOW64\Plaimk32.exe Palepb32.exe File opened for modification C:\Windows\SysWOW64\Bkjdndjo.exe Bqeqqk32.exe File created C:\Windows\SysWOW64\Oinhifdq.dll Bfioia32.exe File opened for modification C:\Windows\SysWOW64\Jfgebjnm.exe Jpmmfp32.exe File created C:\Windows\SysWOW64\Ikedjg32.dll Fdnjkh32.exe File created C:\Windows\SysWOW64\Cmnici32.dll Dkjpdcfj.exe File created C:\Windows\SysWOW64\Doiddc32.dll Imnbbi32.exe File opened for modification C:\Windows\SysWOW64\Lhelbh32.exe Lnpgeopa.exe File created C:\Windows\SysWOW64\Djepmm32.dll Egajnfoe.exe File created C:\Windows\SysWOW64\Faonom32.exe Fdkmeiei.exe File opened for modification C:\Windows\SysWOW64\Cagienkb.exe Cgoelh32.exe File created C:\Windows\SysWOW64\Hcgqbmgm.dll Keoabo32.exe File created C:\Windows\SysWOW64\Ogdhik32.exe Oqkpmaif.exe File created C:\Windows\SysWOW64\Ellcac32.dll Gqnbhf32.exe File created C:\Windows\SysWOW64\Lbnpkmfg.exe Lkdhoc32.exe File opened for modification C:\Windows\SysWOW64\Jbqmhnbo.exe Iihiphln.exe File opened for modification C:\Windows\SysWOW64\Amjpgdik.exe Ajldkhjh.exe File created C:\Windows\SysWOW64\Bfjkphjd.exe Appbcn32.exe File created C:\Windows\SysWOW64\Fbfjkj32.exe Fllaopcg.exe File opened for modification C:\Windows\SysWOW64\Hjfcpo32.exe Hhhgcc32.exe File created C:\Windows\SysWOW64\Ofehob32.dll Eijdkcgn.exe File created C:\Windows\SysWOW64\Ibagdh32.dll Figmjq32.exe File opened for modification C:\Windows\SysWOW64\Ichmgl32.exe Iichjc32.exe File opened for modification C:\Windows\SysWOW64\Elgfkhpi.exe Ebnabb32.exe File opened for modification C:\Windows\SysWOW64\Bjpdhifk.exe Bllcnega.exe File created C:\Windows\SysWOW64\Hdaefhgm.dll Diqmcgca.exe File opened for modification C:\Windows\SysWOW64\Dhiphb32.exe Dnckki32.exe File opened for modification C:\Windows\SysWOW64\Dgoopkgh.exe Dohgomgf.exe File created C:\Windows\SysWOW64\Ebmjlg32.dll Ihbcmaje.exe File created C:\Windows\SysWOW64\Elkofg32.exe Eafkhn32.exe File opened for modification C:\Windows\SysWOW64\Hdbpekam.exe Hgnokgcc.exe File opened for modification C:\Windows\SysWOW64\Ehkcpc32.exe Eaqkcimg.exe File created C:\Windows\SysWOW64\Eacghhkd.exe Endklmlq.exe File opened for modification C:\Windows\SysWOW64\Oknhdjko.exe Obecld32.exe File created C:\Windows\SysWOW64\Chfbgn32.exe Cfeepelg.exe File created C:\Windows\SysWOW64\Copjdhib.exe Chfbgn32.exe File opened for modification C:\Windows\SysWOW64\Dfpaic32.exe Dmgmpnhl.exe File created C:\Windows\SysWOW64\Ammbof32.dll Olpbaa32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4468 4240 WerFault.exe 1042 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdmnam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmlkfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Modlbmmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obgkpb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eegkpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldjbkb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhhgpc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onlahm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppcmfn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaflgb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbgjgomc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Faonom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgjkfi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjpdhifk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amoibc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbdagg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efhcej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edqocbkp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmcnqama.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbkgbg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oknhdjko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfeepelg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgclio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkkija32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbqmhnbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jajcdjca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elldgehk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjfkmdlg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bklpjlmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieofkp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnglnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hapklimq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnnnnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmepkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eldiehbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gajqbakc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nldahn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhhgcc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbajbi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eamilh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgadda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkaghg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qnebjc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggkibhjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iichjc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kocpbfei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipeaco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bchhqo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igmepdbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqalaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbnocipg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiilge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlckbh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcaiiejc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dijfch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaqbln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcjilgdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jihdnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmfjmake.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Daipqhdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgmahg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqjdgmgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fleifl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlqjkk32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npneccok.dll" Ijaaae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpaphegf.dll" Mhqjen32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmnclmoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdecea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ichmgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egncgo32.dll" Ohfcfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aehngihn.dll" Qkghgpfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fapgblob.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Npkdnnfk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Loqhnifk.dll" Ihhcbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Niedqnen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akgddhmc.dll" Ggnmbn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Flocfmnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oikbkegk.dll" Hfepod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jefbnacn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfebhmbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbamn32.dll" Jolghndm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjhjdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djiqcmnn.dll" Nfoghakb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hcgjmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjedgmpi.dll" Pbigmn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hnbaif32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ciokijfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keppajog.dll" Imbjcpnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mnpobefe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgfdgq32.dll" Ijqjgo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cedpbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jhafhe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgfjhcge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbqkeioh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nebhgckp.dll" Folfoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ilnomp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhhigm32.dll" Bnnaoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhbccb32.dll" Bhonjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hnmacpfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qaejidpg.dll" Abdbflnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmcilp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dlgnmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aakepajf.dll" Fkejcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbmiil32.dll" Kfbfkmeh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nnodgbed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Egcfdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkdfahce.dll" Ekhkjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Obdojcef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hafimk32.dll" Pljcllqe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmgmpnhl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Foolgh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfckcoen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqahpi32.dll" Dncibp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ladebd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kghpoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dldkmlhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cefhdnca.dll" Kgclio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mainndaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dandbm32.dll" Pjahakgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjkgjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jidmcq32.dll" Cepipm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnmfdb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Godaakic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Koipglep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifoqjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mchoid32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpiqmlfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfgdmjlp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2520 wrote to memory of 1288 2520 33072e7e4029f749519f5003d03ddc8c699958ae8b6d71e36f6745f8d1fa07da.exe 30 PID 2520 wrote to memory of 1288 2520 33072e7e4029f749519f5003d03ddc8c699958ae8b6d71e36f6745f8d1fa07da.exe 30 PID 2520 wrote to memory of 1288 2520 33072e7e4029f749519f5003d03ddc8c699958ae8b6d71e36f6745f8d1fa07da.exe 30 PID 2520 wrote to memory of 1288 2520 33072e7e4029f749519f5003d03ddc8c699958ae8b6d71e36f6745f8d1fa07da.exe 30 PID 1288 wrote to memory of 2316 1288 Pdldnomh.exe 31 PID 1288 wrote to memory of 2316 1288 Pdldnomh.exe 31 PID 1288 wrote to memory of 2316 1288 Pdldnomh.exe 31 PID 1288 wrote to memory of 2316 1288 Pdldnomh.exe 31 PID 2316 wrote to memory of 2240 2316 Qjhmfekp.exe 32 PID 2316 wrote to memory of 2240 2316 Qjhmfekp.exe 32 PID 2316 wrote to memory of 2240 2316 Qjhmfekp.exe 32 PID 2316 wrote to memory of 2240 2316 Qjhmfekp.exe 32 PID 2240 wrote to memory of 2972 2240 Qqbecp32.exe 33 PID 2240 wrote to memory of 2972 2240 Qqbecp32.exe 33 PID 2240 wrote to memory of 2972 2240 Qqbecp32.exe 33 PID 2240 wrote to memory of 2972 2240 Qqbecp32.exe 33 PID 2972 wrote to memory of 2996 2972 Amnocpdk.exe 34 PID 2972 wrote to memory of 2996 2972 Amnocpdk.exe 34 PID 2972 wrote to memory of 2996 2972 Amnocpdk.exe 34 PID 2972 wrote to memory of 2996 2972 Amnocpdk.exe 34 PID 2996 wrote to memory of 2692 2996 Abmdafpp.exe 35 PID 2996 wrote to memory of 2692 2996 Abmdafpp.exe 35 PID 2996 wrote to memory of 2692 2996 Abmdafpp.exe 35 PID 2996 wrote to memory of 2692 2996 Abmdafpp.exe 35 PID 2692 wrote to memory of 2552 2692 Agjmim32.exe 36 PID 2692 wrote to memory of 2552 2692 Agjmim32.exe 36 PID 2692 wrote to memory of 2552 2692 Agjmim32.exe 36 PID 2692 wrote to memory of 2552 2692 Agjmim32.exe 36 PID 2552 wrote to memory of 3044 2552 Bccjdnbi.exe 37 PID 2552 wrote to memory of 3044 2552 Bccjdnbi.exe 37 PID 2552 wrote to memory of 3044 2552 Bccjdnbi.exe 37 PID 2552 wrote to memory of 3044 2552 Bccjdnbi.exe 37 PID 3044 wrote to memory of 2492 3044 Bbjdjjdn.exe 38 PID 3044 wrote to memory of 2492 3044 Bbjdjjdn.exe 38 PID 3044 wrote to memory of 2492 3044 Bbjdjjdn.exe 38 PID 3044 wrote to memory of 2492 3044 Bbjdjjdn.exe 38 PID 2492 wrote to memory of 3036 2492 Bjallg32.exe 39 PID 2492 wrote to memory of 3036 2492 Bjallg32.exe 39 PID 2492 wrote to memory of 3036 2492 Bjallg32.exe 39 PID 2492 wrote to memory of 3036 2492 Bjallg32.exe 39 PID 3036 wrote to memory of 2756 3036 Cbajkiof.exe 40 PID 3036 wrote to memory of 2756 3036 Cbajkiof.exe 40 PID 3036 wrote to memory of 2756 3036 Cbajkiof.exe 40 PID 3036 wrote to memory of 2756 3036 Cbajkiof.exe 40 PID 2756 wrote to memory of 1084 2756 Cikbhc32.exe 41 PID 2756 wrote to memory of 1084 2756 Cikbhc32.exe 41 PID 2756 wrote to memory of 1084 2756 Cikbhc32.exe 41 PID 2756 wrote to memory of 1084 2756 Cikbhc32.exe 41 PID 1084 wrote to memory of 2764 1084 Cedpbd32.exe 42 PID 1084 wrote to memory of 2764 1084 Cedpbd32.exe 42 PID 1084 wrote to memory of 2764 1084 Cedpbd32.exe 42 PID 1084 wrote to memory of 2764 1084 Cedpbd32.exe 42 PID 2764 wrote to memory of 536 2764 Cffljlpc.exe 43 PID 2764 wrote to memory of 536 2764 Cffljlpc.exe 43 PID 2764 wrote to memory of 536 2764 Cffljlpc.exe 43 PID 2764 wrote to memory of 536 2764 Cffljlpc.exe 43 PID 536 wrote to memory of 272 536 Dpqnhadq.exe 44 PID 536 wrote to memory of 272 536 Dpqnhadq.exe 44 PID 536 wrote to memory of 272 536 Dpqnhadq.exe 44 PID 536 wrote to memory of 272 536 Dpqnhadq.exe 44 PID 272 wrote to memory of 2008 272 Dkfbfjdf.exe 45 PID 272 wrote to memory of 2008 272 Dkfbfjdf.exe 45 PID 272 wrote to memory of 2008 272 Dkfbfjdf.exe 45 PID 272 wrote to memory of 2008 272 Dkfbfjdf.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\33072e7e4029f749519f5003d03ddc8c699958ae8b6d71e36f6745f8d1fa07da.exe"C:\Users\Admin\AppData\Local\Temp\33072e7e4029f749519f5003d03ddc8c699958ae8b6d71e36f6745f8d1fa07da.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\Pdldnomh.exeC:\Windows\system32\Pdldnomh.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1288 -
C:\Windows\SysWOW64\Qjhmfekp.exeC:\Windows\system32\Qjhmfekp.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\SysWOW64\Qqbecp32.exeC:\Windows\system32\Qqbecp32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\Amnocpdk.exeC:\Windows\system32\Amnocpdk.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Abmdafpp.exeC:\Windows\system32\Abmdafpp.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\SysWOW64\Agjmim32.exeC:\Windows\system32\Agjmim32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Bccjdnbi.exeC:\Windows\system32\Bccjdnbi.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\SysWOW64\Bbjdjjdn.exeC:\Windows\system32\Bbjdjjdn.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\SysWOW64\Bjallg32.exeC:\Windows\system32\Bjallg32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\Windows\SysWOW64\Cbajkiof.exeC:\Windows\system32\Cbajkiof.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Windows\SysWOW64\Cikbhc32.exeC:\Windows\system32\Cikbhc32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Cedpbd32.exeC:\Windows\system32\Cedpbd32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1084 -
C:\Windows\SysWOW64\Cffljlpc.exeC:\Windows\system32\Cffljlpc.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Dpqnhadq.exeC:\Windows\system32\Dpqnhadq.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:536 -
C:\Windows\SysWOW64\Dkfbfjdf.exeC:\Windows\system32\Dkfbfjdf.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:272 -
C:\Windows\SysWOW64\Dlgnmb32.exeC:\Windows\system32\Dlgnmb32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2008 -
C:\Windows\SysWOW64\Dbafjlaa.exeC:\Windows\system32\Dbafjlaa.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1488 -
C:\Windows\SysWOW64\Depbfhpe.exeC:\Windows\system32\Depbfhpe.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1712 -
C:\Windows\SysWOW64\Dljkcb32.exeC:\Windows\system32\Dljkcb32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1524 -
C:\Windows\SysWOW64\Dohgomgf.exeC:\Windows\system32\Dohgomgf.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1688 -
C:\Windows\SysWOW64\Dgoopkgh.exeC:\Windows\system32\Dgoopkgh.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2612 -
C:\Windows\SysWOW64\Dhplhc32.exeC:\Windows\system32\Dhplhc32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:396 -
C:\Windows\SysWOW64\Dpgcip32.exeC:\Windows\system32\Dpgcip32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1916 -
C:\Windows\SysWOW64\Daipqhdg.exeC:\Windows\system32\Daipqhdg.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:304 -
C:\Windows\SysWOW64\Dlndnacm.exeC:\Windows\system32\Dlndnacm.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2152 -
C:\Windows\SysWOW64\Domqjm32.exeC:\Windows\system32\Domqjm32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1572 -
C:\Windows\SysWOW64\Ddiibc32.exeC:\Windows\system32\Ddiibc32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2176 -
C:\Windows\SysWOW64\Elqaca32.exeC:\Windows\system32\Elqaca32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2400 -
C:\Windows\SysWOW64\Eoompl32.exeC:\Windows\system32\Eoompl32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2156 -
C:\Windows\SysWOW64\Eamilh32.exeC:\Windows\system32\Eamilh32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2820 -
C:\Windows\SysWOW64\Ehgbhbgn.exeC:\Windows\system32\Ehgbhbgn.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2784 -
C:\Windows\SysWOW64\Ekfndmfb.exeC:\Windows\system32\Ekfndmfb.exe33⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Eapfagno.exeC:\Windows\system32\Eapfagno.exe34⤵
- Executes dropped EXE
PID:2544 -
C:\Windows\SysWOW64\Ehjona32.exeC:\Windows\system32\Ehjona32.exe35⤵
- Executes dropped EXE
PID:1472 -
C:\Windows\SysWOW64\Ekhkjm32.exeC:\Windows\system32\Ekhkjm32.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:3048 -
C:\Windows\SysWOW64\Eabcggll.exeC:\Windows\system32\Eabcggll.exe37⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Edqocbkp.exeC:\Windows\system32\Edqocbkp.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3032 -
C:\Windows\SysWOW64\Egokonjc.exeC:\Windows\system32\Egokonjc.exe39⤵
- Executes dropped EXE
PID:1696 -
C:\Windows\SysWOW64\Elldgehk.exeC:\Windows\system32\Elldgehk.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1668 -
C:\Windows\SysWOW64\Egahen32.exeC:\Windows\system32\Egahen32.exe41⤵
- Executes dropped EXE
PID:1788 -
C:\Windows\SysWOW64\Enkpahon.exeC:\Windows\system32\Enkpahon.exe42⤵
- Executes dropped EXE
PID:2376 -
C:\Windows\SysWOW64\Eolmip32.exeC:\Windows\system32\Eolmip32.exe43⤵
- Executes dropped EXE
PID:1780 -
C:\Windows\SysWOW64\Fgcejm32.exeC:\Windows\system32\Fgcejm32.exe44⤵
- Executes dropped EXE
PID:564 -
C:\Windows\SysWOW64\Fheabelm.exeC:\Windows\system32\Fheabelm.exe45⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Foojop32.exeC:\Windows\system32\Foojop32.exe46⤵
- Executes dropped EXE
PID:1768 -
C:\Windows\SysWOW64\Ffibkj32.exeC:\Windows\system32\Ffibkj32.exe47⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Fkejcq32.exeC:\Windows\system32\Fkejcq32.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:2248 -
C:\Windows\SysWOW64\Fbpbpkpj.exeC:\Windows\system32\Fbpbpkpj.exe49⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Fhikme32.exeC:\Windows\system32\Fhikme32.exe50⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Foccjood.exeC:\Windows\system32\Foccjood.exe51⤵
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\Fdpkbf32.exeC:\Windows\system32\Fdpkbf32.exe52⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Fkjdopeh.exeC:\Windows\system32\Fkjdopeh.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Fqglggcp.exeC:\Windows\system32\Fqglggcp.exe54⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Fgadda32.exeC:\Windows\system32\Fgadda32.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1660 -
C:\Windows\SysWOW64\Gnkmqkbi.exeC:\Windows\system32\Gnkmqkbi.exe56⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Gcheib32.exeC:\Windows\system32\Gcheib32.exe57⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Gjbmelgm.exeC:\Windows\system32\Gjbmelgm.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1332 -
C:\Windows\SysWOW64\Gegabegc.exeC:\Windows\system32\Gegabegc.exe59⤵
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Ggfnopfg.exeC:\Windows\system32\Ggfnopfg.exe60⤵
- Executes dropped EXE
PID:928 -
C:\Windows\SysWOW64\Gqnbhf32.exeC:\Windows\system32\Gqnbhf32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1544 -
C:\Windows\SysWOW64\Gcmoda32.exeC:\Windows\system32\Gcmoda32.exe62⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Gjfgqk32.exeC:\Windows\system32\Gjfgqk32.exe63⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Gaqomeke.exeC:\Windows\system32\Gaqomeke.exe64⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Gfmgelil.exeC:\Windows\system32\Gfmgelil.exe65⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Gmgpbf32.exeC:\Windows\system32\Gmgpbf32.exe66⤵PID:3068
-
C:\Windows\SysWOW64\Gcahoqhf.exeC:\Windows\system32\Gcahoqhf.exe67⤵PID:3120
-
C:\Windows\SysWOW64\Hfpdkl32.exeC:\Windows\system32\Hfpdkl32.exe68⤵
- Drops file in System32 directory
PID:3172 -
C:\Windows\SysWOW64\Hmjlhfof.exeC:\Windows\system32\Hmjlhfof.exe69⤵PID:3212
-
C:\Windows\SysWOW64\Hphidanj.exeC:\Windows\system32\Hphidanj.exe70⤵PID:3252
-
C:\Windows\SysWOW64\Hbfepmmn.exeC:\Windows\system32\Hbfepmmn.exe71⤵PID:3292
-
C:\Windows\SysWOW64\Heealhla.exeC:\Windows\system32\Heealhla.exe72⤵PID:3332
-
C:\Windows\SysWOW64\Hhcmhdke.exeC:\Windows\system32\Hhcmhdke.exe73⤵PID:3372
-
C:\Windows\SysWOW64\Hpjeialg.exeC:\Windows\system32\Hpjeialg.exe74⤵PID:3412
-
C:\Windows\SysWOW64\Hegnahjo.exeC:\Windows\system32\Hegnahjo.exe75⤵PID:3452
-
C:\Windows\SysWOW64\Hjdfjo32.exeC:\Windows\system32\Hjdfjo32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3492 -
C:\Windows\SysWOW64\Hanogipc.exeC:\Windows\system32\Hanogipc.exe77⤵PID:3532
-
C:\Windows\SysWOW64\Hhhgcc32.exeC:\Windows\system32\Hhhgcc32.exe78⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3572 -
C:\Windows\SysWOW64\Hjfcpo32.exeC:\Windows\system32\Hjfcpo32.exe79⤵PID:3612
-
C:\Windows\SysWOW64\Hapklimq.exeC:\Windows\system32\Hapklimq.exe80⤵
- System Location Discovery: System Language Discovery
PID:3652 -
C:\Windows\SysWOW64\Hdoghdmd.exeC:\Windows\system32\Hdoghdmd.exe81⤵PID:3692
-
C:\Windows\SysWOW64\Hjipenda.exeC:\Windows\system32\Hjipenda.exe82⤵PID:3732
-
C:\Windows\SysWOW64\Hmglajcd.exeC:\Windows\system32\Hmglajcd.exe83⤵PID:3772
-
C:\Windows\SysWOW64\Ipehmebh.exeC:\Windows\system32\Ipehmebh.exe84⤵PID:3812
-
C:\Windows\SysWOW64\Ifoqjo32.exeC:\Windows\system32\Ifoqjo32.exe85⤵
- Modifies registry class
PID:3852 -
C:\Windows\SysWOW64\Iinmfk32.exeC:\Windows\system32\Iinmfk32.exe86⤵PID:3892
-
C:\Windows\SysWOW64\Iaeegh32.exeC:\Windows\system32\Iaeegh32.exe87⤵PID:3932
-
C:\Windows\SysWOW64\Ibfaopoi.exeC:\Windows\system32\Ibfaopoi.exe88⤵PID:3972
-
C:\Windows\SysWOW64\Ijmipn32.exeC:\Windows\system32\Ijmipn32.exe89⤵PID:4012
-
C:\Windows\SysWOW64\Ilofhffj.exeC:\Windows\system32\Ilofhffj.exe90⤵
- Drops file in System32 directory
PID:4052 -
C:\Windows\SysWOW64\Idfnicfl.exeC:\Windows\system32\Idfnicfl.exe91⤵PID:4092
-
C:\Windows\SysWOW64\Iegjqk32.exeC:\Windows\system32\Iegjqk32.exe92⤵PID:1152
-
C:\Windows\SysWOW64\Imnbbi32.exeC:\Windows\system32\Imnbbi32.exe93⤵
- Drops file in System32 directory
PID:772 -
C:\Windows\SysWOW64\Ioooiack.exeC:\Windows\system32\Ioooiack.exe94⤵PID:1220
-
C:\Windows\SysWOW64\Ieigfk32.exeC:\Windows\system32\Ieigfk32.exe95⤵PID:640
-
C:\Windows\SysWOW64\Ihhcbf32.exeC:\Windows\system32\Ihhcbf32.exe96⤵
- Modifies registry class
PID:2508 -
C:\Windows\SysWOW64\Ibmgpoia.exeC:\Windows\system32\Ibmgpoia.exe97⤵PID:1520
-
C:\Windows\SysWOW64\Iigpli32.exeC:\Windows\system32\Iigpli32.exe98⤵PID:2304
-
C:\Windows\SysWOW64\Jlelhe32.exeC:\Windows\system32\Jlelhe32.exe99⤵PID:884
-
C:\Windows\SysWOW64\Jabdql32.exeC:\Windows\system32\Jabdql32.exe100⤵PID:2992
-
C:\Windows\SysWOW64\Jhlmmfef.exeC:\Windows\system32\Jhlmmfef.exe101⤵PID:2168
-
C:\Windows\SysWOW64\Jkkija32.exeC:\Windows\system32\Jkkija32.exe102⤵
- System Location Discovery: System Language Discovery
PID:2676 -
C:\Windows\SysWOW64\Jniefm32.exeC:\Windows\system32\Jniefm32.exe103⤵PID:2532
-
C:\Windows\SysWOW64\Jdcmbgkj.exeC:\Windows\system32\Jdcmbgkj.exe104⤵
- Drops file in System32 directory
PID:2312 -
C:\Windows\SysWOW64\Jkmeoa32.exeC:\Windows\system32\Jkmeoa32.exe105⤵PID:3040
-
C:\Windows\SysWOW64\Jpjngh32.exeC:\Windows\system32\Jpjngh32.exe106⤵PID:836
-
C:\Windows\SysWOW64\Jhafhe32.exeC:\Windows\system32\Jhafhe32.exe107⤵
- Modifies registry class
PID:3144 -
C:\Windows\SysWOW64\Jnnnalph.exeC:\Windows\system32\Jnnnalph.exe108⤵PID:3164
-
C:\Windows\SysWOW64\Jplkmgol.exeC:\Windows\system32\Jplkmgol.exe109⤵PID:3220
-
C:\Windows\SysWOW64\Jkbojpna.exeC:\Windows\system32\Jkbojpna.exe110⤵PID:3260
-
C:\Windows\SysWOW64\Jlckbh32.exeC:\Windows\system32\Jlckbh32.exe111⤵
- System Location Discovery: System Language Discovery
PID:3308 -
C:\Windows\SysWOW64\Kghpoa32.exeC:\Windows\system32\Kghpoa32.exe112⤵
- Modifies registry class
PID:3364 -
C:\Windows\SysWOW64\Knbhlkkc.exeC:\Windows\system32\Knbhlkkc.exe113⤵PID:3420
-
C:\Windows\SysWOW64\Kpadhg32.exeC:\Windows\system32\Kpadhg32.exe114⤵PID:3484
-
C:\Windows\SysWOW64\Kfnmpn32.exeC:\Windows\system32\Kfnmpn32.exe115⤵PID:2344
-
C:\Windows\SysWOW64\Khlili32.exeC:\Windows\system32\Khlili32.exe116⤵PID:3564
-
C:\Windows\SysWOW64\Kofaicon.exeC:\Windows\system32\Kofaicon.exe117⤵PID:3620
-
C:\Windows\SysWOW64\Kbdmeoob.exeC:\Windows\system32\Kbdmeoob.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3660 -
C:\Windows\SysWOW64\Khoebi32.exeC:\Windows\system32\Khoebi32.exe119⤵PID:3716
-
C:\Windows\SysWOW64\Kohnoc32.exeC:\Windows\system32\Kohnoc32.exe120⤵PID:3756
-
C:\Windows\SysWOW64\Kfbfkmeh.exeC:\Windows\system32\Kfbfkmeh.exe121⤵
- Modifies registry class
PID:3832
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-