Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
09-12-2024 00:36
Behavioral task
behavioral1
Sample
85bbcc60ce36be5a9f6b6992796f2ce99d2edb69f2d7194a5c11ed75dae2cdd3.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
85bbcc60ce36be5a9f6b6992796f2ce99d2edb69f2d7194a5c11ed75dae2cdd3.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
85bbcc60ce36be5a9f6b6992796f2ce99d2edb69f2d7194a5c11ed75dae2cdd3.exe
-
Size
264KB
-
MD5
c0b619b5d7711ea4bf9ed61392534e6e
-
SHA1
22b7e22dc25fb4deea7ea26000bf0d0ce17f908f
-
SHA256
85bbcc60ce36be5a9f6b6992796f2ce99d2edb69f2d7194a5c11ed75dae2cdd3
-
SHA512
da5d598b2cdaecf428335011a9e0da9d9bed70dd0f675f557fcc319ccbf22d88bd4fdae1f6b24ad61aed2b1385d29d6590f3867f68c27b98c99c98723b5f1c48
-
SSDEEP
3072:I6fgkY5lF24ho1mtye3lFDrFDHZtO8jJkiUi8ChpBhx5Zd424ho1mtye3lFDrFDs:I6Y3jKsFj5tPNki9HZd1sFj5tw
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emgioakg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecfnmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mqjefamk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikqnlh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldgnklmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdogedmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbgjgomc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akpkmo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jplfkjbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klecfkff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhiddoph.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbpfnh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joggci32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cqaiph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cqaiph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iinhdmma.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnkdnqhm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcmdnfad.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iiqldc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jajmjcoe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfigck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhkeohhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lidgcclp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igmbgk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opfegp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppfafcpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phfoee32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jefbnacn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hiqoeplo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jagpdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aahfdihn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nknimnap.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onlahm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdiqpigl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcajhi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Haqnea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgingm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njnmbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcnoejch.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmepkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opfegp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djlfma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbegbacp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lncfcgeb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lncfcgeb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnchhllf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fakdcnhh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcllbhdn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgdgcfmb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gockgdeh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hejmpqop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlhkgm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jieaofmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccpeld32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcnoejch.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gncnmane.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfpaic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llmmpcfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nckkgp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Colpld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efedga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbpfnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adaiee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kambcbhb.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2360 Bjbndpmd.exe 1816 Bbmcibjp.exe 2712 Bigkel32.exe 2664 Cpfmmf32.exe 2660 Cnkjnb32.exe 2596 Cmpgpond.exe 2088 Dcllbhdn.exe 1572 Dmepkn32.exe 2892 Dfpaic32.exe 1980 Dokfme32.exe 580 Eegkpo32.exe 3012 Eeiheo32.exe 2056 Egmabg32.exe 2376 Emgioakg.exe 768 Ephbal32.exe 268 Ecfnmh32.exe 928 Eipgjaoi.exe 1600 Fpjofl32.exe 1776 Fgdgcfmb.exe 2212 Fmnopp32.exe 2944 Foolgh32.exe 2524 Feiddbbj.exe 1632 Flclam32.exe 1200 Fcmdnfad.exe 1584 Figmjq32.exe 2072 Fkhibino.exe 856 Fabaocfl.exe 2796 Fhljkm32.exe 2680 Fofbhgde.exe 2856 Fepjea32.exe 2584 Ggagmjbq.exe 1464 Gnkoid32.exe 1484 Gdegfn32.exe 716 Ggdcbi32.exe 2740 Gnnlocgk.exe 1656 Gdhdkn32.exe 2232 Gkalhgfd.exe 2952 Glchpp32.exe 1624 Gcmamj32.exe 1308 Gjgiidkl.exe 2668 Gqaafn32.exe 1348 Ggkibhjf.exe 2280 Gjifodii.exe 2756 Gqcnln32.exe 896 Hcajhi32.exe 2052 Hinbppna.exe 2340 Hkmollme.exe 1960 Hfbcidmk.exe 2692 Hiqoeplo.exe 2348 Hokhbj32.exe 2076 Hfepod32.exe 1568 Hgflflqg.exe 824 Homdhjai.exe 2840 Hejmpqop.exe 2236 Hghillnd.exe 3064 Hnbaif32.exe 1984 Haqnea32.exe 1756 Hgkfal32.exe 2504 Ijibng32.exe 2624 Iacjjacb.exe 2344 Igmbgk32.exe 1812 Icdcllpc.exe 1752 Igoomk32.exe 376 Iiqldc32.exe -
Loads dropped DLL 64 IoCs
pid Process 276 85bbcc60ce36be5a9f6b6992796f2ce99d2edb69f2d7194a5c11ed75dae2cdd3.exe 276 85bbcc60ce36be5a9f6b6992796f2ce99d2edb69f2d7194a5c11ed75dae2cdd3.exe 2360 Bjbndpmd.exe 2360 Bjbndpmd.exe 1816 Bbmcibjp.exe 1816 Bbmcibjp.exe 2712 Bigkel32.exe 2712 Bigkel32.exe 2664 Cpfmmf32.exe 2664 Cpfmmf32.exe 2660 Cnkjnb32.exe 2660 Cnkjnb32.exe 2596 Cmpgpond.exe 2596 Cmpgpond.exe 2088 Dcllbhdn.exe 2088 Dcllbhdn.exe 1572 Dmepkn32.exe 1572 Dmepkn32.exe 2892 Dfpaic32.exe 2892 Dfpaic32.exe 1980 Dokfme32.exe 1980 Dokfme32.exe 580 Eegkpo32.exe 580 Eegkpo32.exe 3012 Eeiheo32.exe 3012 Eeiheo32.exe 2056 Egmabg32.exe 2056 Egmabg32.exe 2376 Emgioakg.exe 2376 Emgioakg.exe 768 Ephbal32.exe 768 Ephbal32.exe 268 Ecfnmh32.exe 268 Ecfnmh32.exe 928 Eipgjaoi.exe 928 Eipgjaoi.exe 1600 Fpjofl32.exe 1600 Fpjofl32.exe 1776 Fgdgcfmb.exe 1776 Fgdgcfmb.exe 2212 Fmnopp32.exe 2212 Fmnopp32.exe 2944 Foolgh32.exe 2944 Foolgh32.exe 2524 Feiddbbj.exe 2524 Feiddbbj.exe 1632 Flclam32.exe 1632 Flclam32.exe 1200 Fcmdnfad.exe 1200 Fcmdnfad.exe 1584 Figmjq32.exe 1584 Figmjq32.exe 2072 Fkhibino.exe 2072 Fkhibino.exe 856 Fabaocfl.exe 856 Fabaocfl.exe 2796 Fhljkm32.exe 2796 Fhljkm32.exe 2680 Fofbhgde.exe 2680 Fofbhgde.exe 2856 Fepjea32.exe 2856 Fepjea32.exe 2584 Ggagmjbq.exe 2584 Ggagmjbq.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Lepaccmo.exe Ladebd32.exe File created C:\Windows\SysWOW64\Lfpeln32.dll Eipgjaoi.exe File created C:\Windows\SysWOW64\Nhbcdh32.dll Keqkofno.exe File opened for modification C:\Windows\SysWOW64\Hfjbmb32.exe Hqnjek32.exe File created C:\Windows\SysWOW64\Ppkjac32.exe Piabdiep.exe File created C:\Windows\SysWOW64\Bpifad32.dll Piabdiep.exe File opened for modification C:\Windows\SysWOW64\Hqgddm32.exe Hkjkle32.exe File created C:\Windows\SysWOW64\Fejcohho.dll Hokhbj32.exe File created C:\Windows\SysWOW64\Qpjqdl32.dll Kaglcgdc.exe File created C:\Windows\SysWOW64\Fieacp32.dll Opfegp32.exe File opened for modification C:\Windows\SysWOW64\Kmimcbja.exe Khldkllj.exe File created C:\Windows\SysWOW64\Joggci32.exe Jlhkgm32.exe File opened for modification C:\Windows\SysWOW64\Lpabpcdf.exe Lncfcgeb.exe File created C:\Windows\SysWOW64\Mkhngh32.dll Pnchhllf.exe File created C:\Windows\SysWOW64\Mahildbb.dll Qejpoi32.exe File created C:\Windows\SysWOW64\Colpld32.exe Ciagojda.exe File opened for modification C:\Windows\SysWOW64\Dlgjldnm.exe Demaoj32.exe File created C:\Windows\SysWOW64\Fepjea32.exe Fofbhgde.exe File opened for modification C:\Windows\SysWOW64\Hgflflqg.exe Hfepod32.exe File created C:\Windows\SysWOW64\Lffkcfke.dll Omckoi32.exe File created C:\Windows\SysWOW64\Kaglcgdc.exe Koipglep.exe File opened for modification C:\Windows\SysWOW64\Ejcmmp32.exe Eakhdj32.exe File opened for modification C:\Windows\SysWOW64\Gecpnp32.exe Gojhafnb.exe File opened for modification C:\Windows\SysWOW64\Gnnlocgk.exe Ggdcbi32.exe File created C:\Windows\SysWOW64\Qhihii32.dll Cqaiph32.exe File created C:\Windows\SysWOW64\Kpdcfoph.exe Kgkonj32.exe File created C:\Windows\SysWOW64\Gcmamj32.exe Glchpp32.exe File created C:\Windows\SysWOW64\Jaadfcpf.dll Ijibng32.exe File opened for modification C:\Windows\SysWOW64\Cmkfji32.exe Cfanmogq.exe File created C:\Windows\SysWOW64\Bjkeingq.dll Jfieigio.exe File opened for modification C:\Windows\SysWOW64\Lgingm32.exe Ldjbkb32.exe File created C:\Windows\SysWOW64\Obgmpo32.dll Bkbdabog.exe File created C:\Windows\SysWOW64\Glnhjjml.exe Gecpnp32.exe File created C:\Windows\SysWOW64\Ccqhkcib.dll Ggagmjbq.exe File opened for modification C:\Windows\SysWOW64\Pioeoi32.exe Pfpibn32.exe File created C:\Windows\SysWOW64\Bjbndpmd.exe 85bbcc60ce36be5a9f6b6992796f2ce99d2edb69f2d7194a5c11ed75dae2cdd3.exe File created C:\Windows\SysWOW64\Nokhie32.dll Nflchkii.exe File created C:\Windows\SysWOW64\Fcmdnfad.exe Flclam32.exe File created C:\Windows\SysWOW64\Cbgobp32.exe Cmkfji32.exe File opened for modification C:\Windows\SysWOW64\Dhpgfeao.exe Deakjjbk.exe File created C:\Windows\SysWOW64\Jigbebhb.exe Jfieigio.exe File created C:\Windows\SysWOW64\Bilfjg32.dll Ohipla32.exe File created C:\Windows\SysWOW64\Gaagcpdl.exe Gockgdeh.exe File created C:\Windows\SysWOW64\Lkjcap32.dll Hqkmplen.exe File created C:\Windows\SysWOW64\Nklcci32.dll Bhonjg32.exe File created C:\Windows\SysWOW64\Qbceme32.dll Glklejoo.exe File created C:\Windows\SysWOW64\Ldgnklmi.exe Llpfjomf.exe File created C:\Windows\SysWOW64\Gnnlocgk.exe Ggdcbi32.exe File opened for modification C:\Windows\SysWOW64\Ijibng32.exe Hgkfal32.exe File opened for modification C:\Windows\SysWOW64\Glklejoo.exe Fgocmc32.exe File created C:\Windows\SysWOW64\Fbieeo32.dll Kpdcfoph.exe File created C:\Windows\SysWOW64\Djihcnji.dll Ccpeld32.exe File created C:\Windows\SysWOW64\Ehnfpifm.exe Epbbkf32.exe File opened for modification C:\Windows\SysWOW64\Fakdcnhh.exe Flnlkgjq.exe File created C:\Windows\SysWOW64\Ggkibhjf.exe Gqaafn32.exe File created C:\Windows\SysWOW64\Ojgidcjn.dll Omhhke32.exe File created C:\Windows\SysWOW64\Pfpibn32.exe Ppfafcpb.exe File created C:\Windows\SysWOW64\Licpomcb.dll Ejcmmp32.exe File opened for modification C:\Windows\SysWOW64\Fhljkm32.exe Fabaocfl.exe File created C:\Windows\SysWOW64\Nqhepeai.exe Njnmbk32.exe File opened for modification C:\Windows\SysWOW64\Akpkmo32.exe Acicla32.exe File created C:\Windows\SysWOW64\Emdeok32.exe Ebnabb32.exe File created C:\Windows\SysWOW64\Hkjkle32.exe Gaagcpdl.exe File opened for modification C:\Windows\SysWOW64\Kdnkdmec.exe Kapohbfp.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4452 4428 WerFault.exe 338 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dokfme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcmamj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppddpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flclam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhahanie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdkelolf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqjefamk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmccqbpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfigck32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nflchkii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhkeohhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhiddoph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fepjea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfepod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkbaci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppfafcpb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhbkpgbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deakjjbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gojhafnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijibng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldahkaij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gncnmane.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ladebd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnkjnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcllbhdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kokmmkcm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcfemmna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfjkdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbchni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jggoqimd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egmabg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glchpp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkmollme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccpeld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbmcibjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifgicg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpdcfoph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onlahm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ciagojda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glklejoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hffibceh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adaiee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggdcbi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqaafn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iladfn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbpfnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oeaqig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opfegp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppinkcnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jefbnacn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klecfkff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpnopm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaglcgdc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omhhke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqnjek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkmmlgik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Feiddbbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akpkmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eeiheo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnbaif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cqaiph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnejim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fijbco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hejmpqop.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gnnlocgk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njpihk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahpbkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikaihg32.dll" Ifolhann.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fofbhgde.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Icdcllpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jenbjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiggco32.dll" Nqhepeai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdecfn32.dll" Acicla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhljkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hfbcidmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jalcdhla.dll" Aahfdihn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Glklejoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdnkdmec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Egmabg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpdcfoph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lnecigcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bocndipc.dll" Iegeonpc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhkeohhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Demaoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbhebfck.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cmpgpond.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibkmchbh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kenhopmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igmbgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iiqldc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oijoclhk.dll" Mcknhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qejpoi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qobdgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aphjjf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hklhae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pccohd32.dll" Jcnoejch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khljoh32.dll" Jfohgepi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohipla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbjmif32.dll" Aognbnkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgidfcdk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djlfma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egjnpn32.dll" Ldjbkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oejcpf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cncmcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhpgfeao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkjcap32.dll" Hqkmplen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlfnje32.dll" Glchpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epbahp32.dll" Ipjdameg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Joggci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qlfdac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmnpam32.dll" Blinefnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mbqkiind.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olmela32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ppmgfb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Blinefnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gehiioaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hqnjek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfglkheo.dll" Homdhjai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iiqldc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipjdameg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpafapbk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omhhke32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fgdgcfmb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gqcnln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbobli32.dll" Oioipf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkmmlgik.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nckkgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogalkad.dll" Njpihk32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 276 wrote to memory of 2360 276 85bbcc60ce36be5a9f6b6992796f2ce99d2edb69f2d7194a5c11ed75dae2cdd3.exe 31 PID 276 wrote to memory of 2360 276 85bbcc60ce36be5a9f6b6992796f2ce99d2edb69f2d7194a5c11ed75dae2cdd3.exe 31 PID 276 wrote to memory of 2360 276 85bbcc60ce36be5a9f6b6992796f2ce99d2edb69f2d7194a5c11ed75dae2cdd3.exe 31 PID 276 wrote to memory of 2360 276 85bbcc60ce36be5a9f6b6992796f2ce99d2edb69f2d7194a5c11ed75dae2cdd3.exe 31 PID 2360 wrote to memory of 1816 2360 Bjbndpmd.exe 32 PID 2360 wrote to memory of 1816 2360 Bjbndpmd.exe 32 PID 2360 wrote to memory of 1816 2360 Bjbndpmd.exe 32 PID 2360 wrote to memory of 1816 2360 Bjbndpmd.exe 32 PID 1816 wrote to memory of 2712 1816 Bbmcibjp.exe 33 PID 1816 wrote to memory of 2712 1816 Bbmcibjp.exe 33 PID 1816 wrote to memory of 2712 1816 Bbmcibjp.exe 33 PID 1816 wrote to memory of 2712 1816 Bbmcibjp.exe 33 PID 2712 wrote to memory of 2664 2712 Bigkel32.exe 34 PID 2712 wrote to memory of 2664 2712 Bigkel32.exe 34 PID 2712 wrote to memory of 2664 2712 Bigkel32.exe 34 PID 2712 wrote to memory of 2664 2712 Bigkel32.exe 34 PID 2664 wrote to memory of 2660 2664 Cpfmmf32.exe 35 PID 2664 wrote to memory of 2660 2664 Cpfmmf32.exe 35 PID 2664 wrote to memory of 2660 2664 Cpfmmf32.exe 35 PID 2664 wrote to memory of 2660 2664 Cpfmmf32.exe 35 PID 2660 wrote to memory of 2596 2660 Cnkjnb32.exe 36 PID 2660 wrote to memory of 2596 2660 Cnkjnb32.exe 36 PID 2660 wrote to memory of 2596 2660 Cnkjnb32.exe 36 PID 2660 wrote to memory of 2596 2660 Cnkjnb32.exe 36 PID 2596 wrote to memory of 2088 2596 Cmpgpond.exe 37 PID 2596 wrote to memory of 2088 2596 Cmpgpond.exe 37 PID 2596 wrote to memory of 2088 2596 Cmpgpond.exe 37 PID 2596 wrote to memory of 2088 2596 Cmpgpond.exe 37 PID 2088 wrote to memory of 1572 2088 Dcllbhdn.exe 38 PID 2088 wrote to memory of 1572 2088 Dcllbhdn.exe 38 PID 2088 wrote to memory of 1572 2088 Dcllbhdn.exe 38 PID 2088 wrote to memory of 1572 2088 Dcllbhdn.exe 38 PID 1572 wrote to memory of 2892 1572 Dmepkn32.exe 39 PID 1572 wrote to memory of 2892 1572 Dmepkn32.exe 39 PID 1572 wrote to memory of 2892 1572 Dmepkn32.exe 39 PID 1572 wrote to memory of 2892 1572 Dmepkn32.exe 39 PID 2892 wrote to memory of 1980 2892 Dfpaic32.exe 40 PID 2892 wrote to memory of 1980 2892 Dfpaic32.exe 40 PID 2892 wrote to memory of 1980 2892 Dfpaic32.exe 40 PID 2892 wrote to memory of 1980 2892 Dfpaic32.exe 40 PID 1980 wrote to memory of 580 1980 Dokfme32.exe 41 PID 1980 wrote to memory of 580 1980 Dokfme32.exe 41 PID 1980 wrote to memory of 580 1980 Dokfme32.exe 41 PID 1980 wrote to memory of 580 1980 Dokfme32.exe 41 PID 580 wrote to memory of 3012 580 Eegkpo32.exe 42 PID 580 wrote to memory of 3012 580 Eegkpo32.exe 42 PID 580 wrote to memory of 3012 580 Eegkpo32.exe 42 PID 580 wrote to memory of 3012 580 Eegkpo32.exe 42 PID 3012 wrote to memory of 2056 3012 Eeiheo32.exe 43 PID 3012 wrote to memory of 2056 3012 Eeiheo32.exe 43 PID 3012 wrote to memory of 2056 3012 Eeiheo32.exe 43 PID 3012 wrote to memory of 2056 3012 Eeiheo32.exe 43 PID 2056 wrote to memory of 2376 2056 Egmabg32.exe 44 PID 2056 wrote to memory of 2376 2056 Egmabg32.exe 44 PID 2056 wrote to memory of 2376 2056 Egmabg32.exe 44 PID 2056 wrote to memory of 2376 2056 Egmabg32.exe 44 PID 2376 wrote to memory of 768 2376 Emgioakg.exe 45 PID 2376 wrote to memory of 768 2376 Emgioakg.exe 45 PID 2376 wrote to memory of 768 2376 Emgioakg.exe 45 PID 2376 wrote to memory of 768 2376 Emgioakg.exe 45 PID 768 wrote to memory of 268 768 Ephbal32.exe 46 PID 768 wrote to memory of 268 768 Ephbal32.exe 46 PID 768 wrote to memory of 268 768 Ephbal32.exe 46 PID 768 wrote to memory of 268 768 Ephbal32.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\85bbcc60ce36be5a9f6b6992796f2ce99d2edb69f2d7194a5c11ed75dae2cdd3.exe"C:\Users\Admin\AppData\Local\Temp\85bbcc60ce36be5a9f6b6992796f2ce99d2edb69f2d7194a5c11ed75dae2cdd3.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:276 -
C:\Windows\SysWOW64\Bjbndpmd.exeC:\Windows\system32\Bjbndpmd.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Windows\SysWOW64\Bbmcibjp.exeC:\Windows\system32\Bbmcibjp.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1816 -
C:\Windows\SysWOW64\Bigkel32.exeC:\Windows\system32\Bigkel32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Cpfmmf32.exeC:\Windows\system32\Cpfmmf32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Cnkjnb32.exeC:\Windows\system32\Cnkjnb32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Cmpgpond.exeC:\Windows\system32\Cmpgpond.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Dcllbhdn.exeC:\Windows\system32\Dcllbhdn.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Dmepkn32.exeC:\Windows\system32\Dmepkn32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1572 -
C:\Windows\SysWOW64\Dfpaic32.exeC:\Windows\system32\Dfpaic32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\Dokfme32.exeC:\Windows\system32\Dokfme32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\SysWOW64\Eegkpo32.exeC:\Windows\system32\Eegkpo32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:580 -
C:\Windows\SysWOW64\Eeiheo32.exeC:\Windows\system32\Eeiheo32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Windows\SysWOW64\Egmabg32.exeC:\Windows\system32\Egmabg32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Windows\SysWOW64\Emgioakg.exeC:\Windows\system32\Emgioakg.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Windows\SysWOW64\Ephbal32.exeC:\Windows\system32\Ephbal32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:768 -
C:\Windows\SysWOW64\Ecfnmh32.exeC:\Windows\system32\Ecfnmh32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:268 -
C:\Windows\SysWOW64\Eipgjaoi.exeC:\Windows\system32\Eipgjaoi.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:928 -
C:\Windows\SysWOW64\Fpjofl32.exeC:\Windows\system32\Fpjofl32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1600 -
C:\Windows\SysWOW64\Fgdgcfmb.exeC:\Windows\system32\Fgdgcfmb.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1776 -
C:\Windows\SysWOW64\Fmnopp32.exeC:\Windows\system32\Fmnopp32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2212 -
C:\Windows\SysWOW64\Foolgh32.exeC:\Windows\system32\Foolgh32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2944 -
C:\Windows\SysWOW64\Feiddbbj.exeC:\Windows\system32\Feiddbbj.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2524 -
C:\Windows\SysWOW64\Flclam32.exeC:\Windows\system32\Flclam32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1632 -
C:\Windows\SysWOW64\Fcmdnfad.exeC:\Windows\system32\Fcmdnfad.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1200 -
C:\Windows\SysWOW64\Figmjq32.exeC:\Windows\system32\Figmjq32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1584 -
C:\Windows\SysWOW64\Fkhibino.exeC:\Windows\system32\Fkhibino.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2072 -
C:\Windows\SysWOW64\Fabaocfl.exeC:\Windows\system32\Fabaocfl.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:856 -
C:\Windows\SysWOW64\Fhljkm32.exeC:\Windows\system32\Fhljkm32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2796 -
C:\Windows\SysWOW64\Fofbhgde.exeC:\Windows\system32\Fofbhgde.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2680 -
C:\Windows\SysWOW64\Fepjea32.exeC:\Windows\system32\Fepjea32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2856 -
C:\Windows\SysWOW64\Ggagmjbq.exeC:\Windows\system32\Ggagmjbq.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2584 -
C:\Windows\SysWOW64\Gnkoid32.exeC:\Windows\system32\Gnkoid32.exe33⤵
- Executes dropped EXE
PID:1464 -
C:\Windows\SysWOW64\Gdegfn32.exeC:\Windows\system32\Gdegfn32.exe34⤵
- Executes dropped EXE
PID:1484 -
C:\Windows\SysWOW64\Ggdcbi32.exeC:\Windows\system32\Ggdcbi32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:716 -
C:\Windows\SysWOW64\Gnnlocgk.exeC:\Windows\system32\Gnnlocgk.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:2740 -
C:\Windows\SysWOW64\Gdhdkn32.exeC:\Windows\system32\Gdhdkn32.exe37⤵
- Executes dropped EXE
PID:1656 -
C:\Windows\SysWOW64\Gkalhgfd.exeC:\Windows\system32\Gkalhgfd.exe38⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Glchpp32.exeC:\Windows\system32\Glchpp32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2952 -
C:\Windows\SysWOW64\Gcmamj32.exeC:\Windows\system32\Gcmamj32.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1624 -
C:\Windows\SysWOW64\Gjgiidkl.exeC:\Windows\system32\Gjgiidkl.exe41⤵
- Executes dropped EXE
PID:1308 -
C:\Windows\SysWOW64\Gqaafn32.exeC:\Windows\system32\Gqaafn32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2668 -
C:\Windows\SysWOW64\Ggkibhjf.exeC:\Windows\system32\Ggkibhjf.exe43⤵
- Executes dropped EXE
PID:1348 -
C:\Windows\SysWOW64\Gjifodii.exeC:\Windows\system32\Gjifodii.exe44⤵
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Gqcnln32.exeC:\Windows\system32\Gqcnln32.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:2756 -
C:\Windows\SysWOW64\Hcajhi32.exeC:\Windows\system32\Hcajhi32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:896 -
C:\Windows\SysWOW64\Hinbppna.exeC:\Windows\system32\Hinbppna.exe47⤵
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\Hkmollme.exeC:\Windows\system32\Hkmollme.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2340 -
C:\Windows\SysWOW64\Hfbcidmk.exeC:\Windows\system32\Hfbcidmk.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:1960 -
C:\Windows\SysWOW64\Hiqoeplo.exeC:\Windows\system32\Hiqoeplo.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Hokhbj32.exeC:\Windows\system32\Hokhbj32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2348 -
C:\Windows\SysWOW64\Hfepod32.exeC:\Windows\system32\Hfepod32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2076 -
C:\Windows\SysWOW64\Hgflflqg.exeC:\Windows\system32\Hgflflqg.exe53⤵
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\Homdhjai.exeC:\Windows\system32\Homdhjai.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:824 -
C:\Windows\SysWOW64\Hejmpqop.exeC:\Windows\system32\Hejmpqop.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2840 -
C:\Windows\SysWOW64\Hghillnd.exeC:\Windows\system32\Hghillnd.exe56⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Hnbaif32.exeC:\Windows\system32\Hnbaif32.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3064 -
C:\Windows\SysWOW64\Haqnea32.exeC:\Windows\system32\Haqnea32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Hgkfal32.exeC:\Windows\system32\Hgkfal32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1756 -
C:\Windows\SysWOW64\Ijibng32.exeC:\Windows\system32\Ijibng32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2504 -
C:\Windows\SysWOW64\Iacjjacb.exeC:\Windows\system32\Iacjjacb.exe61⤵
- Executes dropped EXE
PID:2624 -
C:\Windows\SysWOW64\Igmbgk32.exeC:\Windows\system32\Igmbgk32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2344 -
C:\Windows\SysWOW64\Icdcllpc.exeC:\Windows\system32\Icdcllpc.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:1812 -
C:\Windows\SysWOW64\Igoomk32.exeC:\Windows\system32\Igoomk32.exe64⤵
- Executes dropped EXE
PID:1752 -
C:\Windows\SysWOW64\Iiqldc32.exeC:\Windows\system32\Iiqldc32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:376 -
C:\Windows\SysWOW64\Ipjdameg.exeC:\Windows\system32\Ipjdameg.exe66⤵
- Modifies registry class
PID:2008 -
C:\Windows\SysWOW64\Ifdlng32.exeC:\Windows\system32\Ifdlng32.exe67⤵PID:2724
-
C:\Windows\SysWOW64\Iladfn32.exeC:\Windows\system32\Iladfn32.exe68⤵
- System Location Discovery: System Language Discovery
PID:1236 -
C:\Windows\SysWOW64\Ibkmchbh.exeC:\Windows\system32\Ibkmchbh.exe69⤵
- Modifies registry class
PID:592 -
C:\Windows\SysWOW64\Ifgicg32.exeC:\Windows\system32\Ifgicg32.exe70⤵
- System Location Discovery: System Language Discovery
PID:2864 -
C:\Windows\SysWOW64\Imaapa32.exeC:\Windows\system32\Imaapa32.exe71⤵PID:1284
-
C:\Windows\SysWOW64\Jfieigio.exeC:\Windows\system32\Jfieigio.exe72⤵
- Drops file in System32 directory
PID:2636 -
C:\Windows\SysWOW64\Jigbebhb.exeC:\Windows\system32\Jigbebhb.exe73⤵PID:868
-
C:\Windows\SysWOW64\Jbpfnh32.exeC:\Windows\system32\Jbpfnh32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:3032 -
C:\Windows\SysWOW64\Jenbjc32.exeC:\Windows\system32\Jenbjc32.exe75⤵
- Modifies registry class
PID:1596 -
C:\Windows\SysWOW64\Jlhkgm32.exeC:\Windows\system32\Jlhkgm32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2488 -
C:\Windows\SysWOW64\Joggci32.exeC:\Windows\system32\Joggci32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1744 -
C:\Windows\SysWOW64\Jeqopcld.exeC:\Windows\system32\Jeqopcld.exe78⤵PID:1592
-
C:\Windows\SysWOW64\Jhoklnkg.exeC:\Windows\system32\Jhoklnkg.exe79⤵PID:1316
-
C:\Windows\SysWOW64\Jjnhhjjk.exeC:\Windows\system32\Jjnhhjjk.exe80⤵PID:1684
-
C:\Windows\SysWOW64\Jagpdd32.exeC:\Windows\system32\Jagpdd32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2904 -
C:\Windows\SysWOW64\Jhahanie.exeC:\Windows\system32\Jhahanie.exe82⤵
- System Location Discovery: System Language Discovery
PID:2816 -
C:\Windows\SysWOW64\Jajmjcoe.exeC:\Windows\system32\Jajmjcoe.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:648 -
C:\Windows\SysWOW64\Jpmmfp32.exeC:\Windows\system32\Jpmmfp32.exe84⤵PID:1508
-
C:\Windows\SysWOW64\Jkbaci32.exeC:\Windows\system32\Jkbaci32.exe85⤵
- System Location Discovery: System Language Discovery
PID:2648 -
C:\Windows\SysWOW64\Jieaofmp.exeC:\Windows\system32\Jieaofmp.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2508 -
C:\Windows\SysWOW64\Kdkelolf.exeC:\Windows\system32\Kdkelolf.exe87⤵
- System Location Discovery: System Language Discovery
PID:572 -
C:\Windows\SysWOW64\Kpafapbk.exeC:\Windows\system32\Kpafapbk.exe88⤵
- Modifies registry class
PID:2392 -
C:\Windows\SysWOW64\Kgkonj32.exeC:\Windows\system32\Kgkonj32.exe89⤵
- Drops file in System32 directory
PID:1384 -
C:\Windows\SysWOW64\Kpdcfoph.exeC:\Windows\system32\Kpdcfoph.exe90⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1492 -
C:\Windows\SysWOW64\Keqkofno.exeC:\Windows\system32\Keqkofno.exe91⤵
- Drops file in System32 directory
PID:1520 -
C:\Windows\SysWOW64\Kljdkpfl.exeC:\Windows\system32\Kljdkpfl.exe92⤵PID:3000
-
C:\Windows\SysWOW64\Koipglep.exeC:\Windows\system32\Koipglep.exe93⤵
- Drops file in System32 directory
PID:1820 -
C:\Windows\SysWOW64\Kaglcgdc.exeC:\Windows\system32\Kaglcgdc.exe94⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2268 -
C:\Windows\SysWOW64\Kindeddf.exeC:\Windows\system32\Kindeddf.exe95⤵PID:1328
-
C:\Windows\SysWOW64\Klmqapci.exeC:\Windows\system32\Klmqapci.exe96⤵PID:484
-
C:\Windows\SysWOW64\Kokmmkcm.exeC:\Windows\system32\Kokmmkcm.exe97⤵
- System Location Discovery: System Language Discovery
PID:2808 -
C:\Windows\SysWOW64\Ldheebad.exeC:\Windows\system32\Ldheebad.exe98⤵PID:3052
-
C:\Windows\SysWOW64\Lkbmbl32.exeC:\Windows\system32\Lkbmbl32.exe99⤵PID:2540
-
C:\Windows\SysWOW64\Ldjbkb32.exeC:\Windows\system32\Ldjbkb32.exe100⤵
- Drops file in System32 directory
- Modifies registry class
PID:2224 -
C:\Windows\SysWOW64\Lgingm32.exeC:\Windows\system32\Lgingm32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:916 -
C:\Windows\SysWOW64\Lncfcgeb.exeC:\Windows\system32\Lncfcgeb.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:848 -
C:\Windows\SysWOW64\Lpabpcdf.exeC:\Windows\system32\Lpabpcdf.exe103⤵PID:2428
-
C:\Windows\SysWOW64\Lgkkmm32.exeC:\Windows\system32\Lgkkmm32.exe104⤵PID:2732
-
C:\Windows\SysWOW64\Lnecigcp.exeC:\Windows\system32\Lnecigcp.exe105⤵
- Modifies registry class
PID:1964 -
C:\Windows\SysWOW64\Lkicbk32.exeC:\Windows\system32\Lkicbk32.exe106⤵PID:2400
-
C:\Windows\SysWOW64\Lljpjchg.exeC:\Windows\system32\Lljpjchg.exe107⤵PID:2820
-
C:\Windows\SysWOW64\Ldahkaij.exeC:\Windows\system32\Ldahkaij.exe108⤵
- System Location Discovery: System Language Discovery
PID:1356 -
C:\Windows\SysWOW64\Lfbdci32.exeC:\Windows\system32\Lfbdci32.exe109⤵PID:2568
-
C:\Windows\SysWOW64\Llmmpcfe.exeC:\Windows\system32\Llmmpcfe.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2860 -
C:\Windows\SysWOW64\Mcfemmna.exeC:\Windows\system32\Mcfemmna.exe111⤵
- System Location Discovery: System Language Discovery
PID:1876 -
C:\Windows\SysWOW64\Mgbaml32.exeC:\Windows\system32\Mgbaml32.exe112⤵PID:1104
-
C:\Windows\SysWOW64\Mqjefamk.exeC:\Windows\system32\Mqjefamk.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1560 -
C:\Windows\SysWOW64\Mblbnj32.exeC:\Windows\system32\Mblbnj32.exe114⤵PID:1312
-
C:\Windows\SysWOW64\Mhfjjdjf.exeC:\Windows\system32\Mhfjjdjf.exe115⤵PID:1868
-
C:\Windows\SysWOW64\Mcknhm32.exeC:\Windows\system32\Mcknhm32.exe116⤵
- Modifies registry class
PID:1720 -
C:\Windows\SysWOW64\Mfjkdh32.exeC:\Windows\system32\Mfjkdh32.exe117⤵
- System Location Discovery: System Language Discovery
PID:2228 -
C:\Windows\SysWOW64\Mmccqbpm.exeC:\Windows\system32\Mmccqbpm.exe118⤵
- System Location Discovery: System Language Discovery
PID:2600 -
C:\Windows\SysWOW64\Mobomnoq.exeC:\Windows\system32\Mobomnoq.exe119⤵PID:2804
-
C:\Windows\SysWOW64\Mbqkiind.exeC:\Windows\system32\Mbqkiind.exe120⤵
- Modifies registry class
PID:1992 -
C:\Windows\SysWOW64\Mdogedmh.exeC:\Windows\system32\Mdogedmh.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2200
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-