Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
22-12-2024 20:38
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
249ae06b30939761a05304402a30d9811d255a51d3e50e6f38301a6a7e189276.exe
Resource
win7-20241010-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
249ae06b30939761a05304402a30d9811d255a51d3e50e6f38301a6a7e189276.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
249ae06b30939761a05304402a30d9811d255a51d3e50e6f38301a6a7e189276.exe
-
Size
67KB
-
MD5
1109937d8a4940314becd048e839b075
-
SHA1
6a15cf73a21dac001fa448b73068e87cea7b39ed
-
SHA256
249ae06b30939761a05304402a30d9811d255a51d3e50e6f38301a6a7e189276
-
SHA512
3801175e6c6ab6e4b3d2e0ab47ffbb4187cafa6d5aa874dba5e1f724211703a3825af21f833a827c8151ccb00ca15634f33985379296d972a1a33903bac40514
-
SSDEEP
1536:vf6ZTaBAMjlrlK4mSN9euoMsJifTduD4oTxw:vCZTaBoSNIursJibdMTxw
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghelfg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mponel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohhkjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glgaok32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgcpjmcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kaldcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Migbnb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Beejng32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfnmfn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqpgol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocfigjlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afgkfl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Illgimph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmldme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohcaoajg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdmddc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckjpacfp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckoilb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kilfcpqm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lndohedg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ichllgfb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Leljop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qeohnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijbdha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgfqaiod.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfknbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhhfdo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amqccfed.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpnojioo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdacop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnkpbcjg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afgkfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alhmjbhj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acpdko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acpdko32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmeimhdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbdjbaea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hiknhbcg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iompkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odjbdb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bphbeplm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhfcpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eplkpgnh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nilhhdga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnobnmpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dookgcij.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgcdki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdlkiepd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcjdpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lanaiahq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhjapjmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Faigdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apoooa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fagjnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjdilgpc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcagpl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcfqkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgbafl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apalea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glgaok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmjojo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhdgjb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfmffhde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfpnmj32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2740 Biicik32.exe 2600 Ckjpacfp.exe 2900 Coelaaoi.exe 2880 Clilkfnb.exe 1656 Cohigamf.exe 536 Ckoilb32.exe 584 Cojema32.exe 2212 Cnobnmpl.exe 1628 Cpnojioo.exe 2772 Cldooj32.exe 684 Dndlim32.exe 908 Djklnnaj.exe 796 Dpeekh32.exe 2160 Dojald32.exe 316 Dbhnhp32.exe 896 Dookgcij.exe 1332 Eqpgol32.exe 1648 Ecqqpgli.exe 1536 Ekhhadmk.exe 1704 Edpmjj32.exe 888 Eqgnokip.exe 2448 Eplkpgnh.exe 2860 Fidoim32.exe 2792 Fekpnn32.exe 2856 Fpqdkf32.exe 2636 Flgeqgog.exe 2764 Fadminnn.exe 592 Fepiimfg.exe 2232 Fhneehek.exe 2112 Fbdjbaea.exe 2288 Fagjnn32.exe 1856 Fhqbkhch.exe 2832 Fllnlg32.exe 2372 Faigdn32.exe 1100 Gdgcpi32.exe 1636 Ghcoqh32.exe 2396 Gjakmc32.exe 1500 Gakcimgf.exe 1112 Ghelfg32.exe 2388 Ganpomec.exe 1052 Gdllkhdg.exe 2080 Gmdadnkh.exe 2136 Glgaok32.exe 560 Gbaileio.exe 2984 Gfmemc32.exe 2732 Gepehphc.exe 2812 Gikaio32.exe 2596 Gmgninie.exe 2664 Gpejeihi.exe 3064 Gbcfadgl.exe 688 Gfobbc32.exe 2556 Hpgfki32.exe 1632 Hojgfemq.exe 1184 Hedocp32.exe 2892 Hlngpjlj.exe 2500 Homclekn.exe 1892 Hbhomd32.exe 2452 Hakphqja.exe 2104 Heglio32.exe 612 Hhehek32.exe 2336 Hoopae32.exe 1992 Hmbpmapf.exe 836 Heihnoph.exe 1720 Hhgdkjol.exe -
Loads dropped DLL 64 IoCs
pid Process 1700 249ae06b30939761a05304402a30d9811d255a51d3e50e6f38301a6a7e189276.exe 1700 249ae06b30939761a05304402a30d9811d255a51d3e50e6f38301a6a7e189276.exe 2740 Biicik32.exe 2740 Biicik32.exe 2600 Ckjpacfp.exe 2600 Ckjpacfp.exe 2900 Coelaaoi.exe 2900 Coelaaoi.exe 2880 Clilkfnb.exe 2880 Clilkfnb.exe 1656 Cohigamf.exe 1656 Cohigamf.exe 536 Ckoilb32.exe 536 Ckoilb32.exe 584 Cojema32.exe 584 Cojema32.exe 2212 Cnobnmpl.exe 2212 Cnobnmpl.exe 1628 Cpnojioo.exe 1628 Cpnojioo.exe 2772 Cldooj32.exe 2772 Cldooj32.exe 684 Dndlim32.exe 684 Dndlim32.exe 908 Djklnnaj.exe 908 Djklnnaj.exe 796 Dpeekh32.exe 796 Dpeekh32.exe 2160 Dojald32.exe 2160 Dojald32.exe 316 Dbhnhp32.exe 316 Dbhnhp32.exe 896 Dookgcij.exe 896 Dookgcij.exe 1332 Eqpgol32.exe 1332 Eqpgol32.exe 1648 Ecqqpgli.exe 1648 Ecqqpgli.exe 1536 Ekhhadmk.exe 1536 Ekhhadmk.exe 1704 Edpmjj32.exe 1704 Edpmjj32.exe 888 Eqgnokip.exe 888 Eqgnokip.exe 2448 Eplkpgnh.exe 2448 Eplkpgnh.exe 2860 Fidoim32.exe 2860 Fidoim32.exe 2792 Fekpnn32.exe 2792 Fekpnn32.exe 2856 Fpqdkf32.exe 2856 Fpqdkf32.exe 2636 Flgeqgog.exe 2636 Flgeqgog.exe 2764 Fadminnn.exe 2764 Fadminnn.exe 592 Fepiimfg.exe 592 Fepiimfg.exe 2232 Fhneehek.exe 2232 Fhneehek.exe 2112 Fbdjbaea.exe 2112 Fbdjbaea.exe 2288 Fagjnn32.exe 2288 Fagjnn32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Cldooj32.exe Cpnojioo.exe File created C:\Windows\SysWOW64\Nkmdpm32.exe Nhohda32.exe File opened for modification C:\Windows\SysWOW64\Annbhi32.exe Afgkfl32.exe File created C:\Windows\SysWOW64\Plgifc32.dll Apoooa32.exe File opened for modification C:\Windows\SysWOW64\Glgaok32.exe Gmdadnkh.exe File created C:\Windows\SysWOW64\Hpgfki32.exe Gfobbc32.exe File opened for modification C:\Windows\SysWOW64\Hhehek32.exe Heglio32.exe File created C:\Windows\SysWOW64\Hoaebk32.dll Kjdilgpc.exe File opened for modification C:\Windows\SysWOW64\Lmlhnagm.exe Lfbpag32.exe File created C:\Windows\SysWOW64\Nckjkl32.exe Nplmop32.exe File created C:\Windows\SysWOW64\Khknah32.dll Eplkpgnh.exe File created C:\Windows\SysWOW64\Jgcdki32.exe Jnkpbcjg.exe File opened for modification C:\Windows\SysWOW64\Kiijnq32.exe Kjfjbdle.exe File created C:\Windows\SysWOW64\Lfpclh32.exe Lcagpl32.exe File created C:\Windows\SysWOW64\Mmneda32.exe Legmbd32.exe File created C:\Windows\SysWOW64\Mfkbpc32.dll Oaiibg32.exe File opened for modification C:\Windows\SysWOW64\Ichllgfb.exe Iompkh32.exe File created C:\Windows\SysWOW64\Qkhgoi32.dll Jgcdki32.exe File created C:\Windows\SysWOW64\Mpcnkg32.dll Lanaiahq.exe File created C:\Windows\SysWOW64\Cophek32.dll Achojp32.exe File opened for modification C:\Windows\SysWOW64\Bfpnmj32.exe Bpfeppop.exe File opened for modification C:\Windows\SysWOW64\Bonoflae.exe Bhdgjb32.exe File opened for modification C:\Windows\SysWOW64\Afnagk32.exe Acpdko32.exe File opened for modification C:\Windows\SysWOW64\Cilibi32.exe Cfnmfn32.exe File opened for modification C:\Windows\SysWOW64\Jjdmmdnh.exe Jgfqaiod.exe File created C:\Windows\SysWOW64\Ibcidp32.dll Kiijnq32.exe File opened for modification C:\Windows\SysWOW64\Labkdack.exe Lndohedg.exe File created C:\Windows\SysWOW64\Aepjgc32.dll Lndohedg.exe File created C:\Windows\SysWOW64\Kjbgng32.dll Nlcnda32.exe File created C:\Windows\SysWOW64\Oepbgcpb.dll Oappcfmb.exe File opened for modification C:\Windows\SysWOW64\Afiglkle.exe Apoooa32.exe File created C:\Windows\SysWOW64\Efhhaddp.dll Djklnnaj.exe File created C:\Windows\SysWOW64\Hlngpjlj.exe Hedocp32.exe File created C:\Windows\SysWOW64\Iianmb32.dll Ijbdha32.exe File created C:\Windows\SysWOW64\Kaldcb32.exe Knmhgf32.exe File created C:\Windows\SysWOW64\Ndjfeo32.exe Nlcnda32.exe File created C:\Windows\SysWOW64\Pkfceo32.exe Pdlkiepd.exe File created C:\Windows\SysWOW64\Afcklihm.dll Ichllgfb.exe File created C:\Windows\SysWOW64\Enlejpga.dll Jfknbe32.exe File opened for modification C:\Windows\SysWOW64\Llcefjgf.exe Lghjel32.exe File opened for modification C:\Windows\SysWOW64\Qbplbi32.exe Pndpajgd.exe File created C:\Windows\SysWOW64\Idlgcclp.dll Aniimjbo.exe File opened for modification C:\Windows\SysWOW64\Bhfcpb32.exe Bonoflae.exe File created C:\Windows\SysWOW64\Ogmhkmki.exe Ocalkn32.exe File created C:\Windows\SysWOW64\Ifbgfk32.dll Ogmhkmki.exe File created C:\Windows\SysWOW64\Higeofeq.dll Ghcoqh32.exe File created C:\Windows\SysWOW64\Lfdmggnm.exe Lcfqkl32.exe File created C:\Windows\SysWOW64\Nlcnda32.exe Niebhf32.exe File created C:\Windows\SysWOW64\Ohhkjp32.exe Oqacic32.exe File opened for modification C:\Windows\SysWOW64\Pkfceo32.exe Pdlkiepd.exe File created C:\Windows\SysWOW64\Afnagk32.exe Acpdko32.exe File opened for modification C:\Windows\SysWOW64\Qodlkm32.exe Qgmdjp32.exe File created C:\Windows\SysWOW64\Nacehmno.dll Qgmdjp32.exe File opened for modification C:\Windows\SysWOW64\Dojald32.exe Dpeekh32.exe File opened for modification C:\Windows\SysWOW64\Ihgainbg.exe Ijdqna32.exe File created C:\Windows\SysWOW64\Onpjghhn.exe Olonpp32.exe File created C:\Windows\SysWOW64\Bqjfjb32.dll Onpjghhn.exe File created C:\Windows\SysWOW64\Lhnnjk32.dll Pjbjhgde.exe File created C:\Windows\SysWOW64\Qeohnd32.exe Qbplbi32.exe File created C:\Windows\SysWOW64\Nmmfff32.dll Boplllob.exe File opened for modification C:\Windows\SysWOW64\Bmeimhdj.exe Bobhal32.exe File opened for modification C:\Windows\SysWOW64\Hoopae32.exe Hhehek32.exe File created C:\Windows\SysWOW64\Kacgbnfl.dll Lphhenhc.exe File opened for modification C:\Windows\SysWOW64\Pndpajgd.exe Pkfceo32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3640 3592 WerFault.exe 289 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgojpjem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mabgcd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Niebhf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oghopm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qbbhgi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpfeppop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpejeihi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Legmbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amnfnfgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieidmbcc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjfjbdle.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qeaedd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbkameaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmgninie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpgfki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kofopj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaldcb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nodgel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onpjghhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Moidahcn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qeohnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knklagmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogmhkmki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aijpnfif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blmfea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eplkpgnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjpcbe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kconkibf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Melfncqb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkklljmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohhkjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfbelipa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgbafl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bonoflae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fidoim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glgaok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhllob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onbgmg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdmddc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpeekh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekhhadmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifkacb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhljdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfdmggnm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amqccfed.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ileiplhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcjdpj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afgkfl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cohigamf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nplmop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ollajp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acpdko32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfobbc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hakphqja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikhjki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Labkdack.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Illgimph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pngphgbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmhideol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfnmfn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cilibi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llcefjgf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bphbeplm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghcoqh32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aaolidlk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afkdakjb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hakphqja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iianmb32.dll" Ijbdha32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ihgainbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhohda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ogkkfmml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hakphqja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khqpfa32.dll" Lbfdaigg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blkepk32.dll" Nkmdpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oqacic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iompkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ichllgfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ileiplhn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkhofjoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oehfcmhd.dll" Cpnojioo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpgfki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdghad32.dll" Hpgfki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igakgfpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjkacaml.dll" Mholen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pngphgbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emfmdo32.dll" Aaheie32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afkdakjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmbbdq32.dll" Fepiimfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hojgfemq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Beejng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ocdmaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dookgcij.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Glgaok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ilcmjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djmffb32.dll" Labkdack.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofbhhkda.dll" Pfbelipa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doojhgfa.dll" Qeohnd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Acpdko32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node 249ae06b30939761a05304402a30d9811d255a51d3e50e6f38301a6a7e189276.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckoilb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cldooj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjgheann.dll" Inkccpgk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gepehphc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mofglh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjnolikh.dll" Bejdiffp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjdmohgl.dll" Leljop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hoopae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjapln32.dll" Heihnoph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccfcekqe.dll" Jjpcbe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knmhgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Biicik32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cojema32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpfhnffp.dll" Fidoim32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fadminnn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjbjhgde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdblnn32.dll" Amqccfed.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aijpnfif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimbjlde.dll" Bobhal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bejdiffp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhhaddp.dll" Djklnnaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ecqqpgli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onbgmg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oqacic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hibeif32.dll" Ohaeia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqjfjb32.dll" Onpjghhn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} 249ae06b30939761a05304402a30d9811d255a51d3e50e6f38301a6a7e189276.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfdlklmn.dll" Gakcimgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khpnecca.dll" Jqlhdo32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1700 wrote to memory of 2740 1700 249ae06b30939761a05304402a30d9811d255a51d3e50e6f38301a6a7e189276.exe 30 PID 1700 wrote to memory of 2740 1700 249ae06b30939761a05304402a30d9811d255a51d3e50e6f38301a6a7e189276.exe 30 PID 1700 wrote to memory of 2740 1700 249ae06b30939761a05304402a30d9811d255a51d3e50e6f38301a6a7e189276.exe 30 PID 1700 wrote to memory of 2740 1700 249ae06b30939761a05304402a30d9811d255a51d3e50e6f38301a6a7e189276.exe 30 PID 2740 wrote to memory of 2600 2740 Biicik32.exe 31 PID 2740 wrote to memory of 2600 2740 Biicik32.exe 31 PID 2740 wrote to memory of 2600 2740 Biicik32.exe 31 PID 2740 wrote to memory of 2600 2740 Biicik32.exe 31 PID 2600 wrote to memory of 2900 2600 Ckjpacfp.exe 32 PID 2600 wrote to memory of 2900 2600 Ckjpacfp.exe 32 PID 2600 wrote to memory of 2900 2600 Ckjpacfp.exe 32 PID 2600 wrote to memory of 2900 2600 Ckjpacfp.exe 32 PID 2900 wrote to memory of 2880 2900 Coelaaoi.exe 33 PID 2900 wrote to memory of 2880 2900 Coelaaoi.exe 33 PID 2900 wrote to memory of 2880 2900 Coelaaoi.exe 33 PID 2900 wrote to memory of 2880 2900 Coelaaoi.exe 33 PID 2880 wrote to memory of 1656 2880 Clilkfnb.exe 34 PID 2880 wrote to memory of 1656 2880 Clilkfnb.exe 34 PID 2880 wrote to memory of 1656 2880 Clilkfnb.exe 34 PID 2880 wrote to memory of 1656 2880 Clilkfnb.exe 34 PID 1656 wrote to memory of 536 1656 Cohigamf.exe 35 PID 1656 wrote to memory of 536 1656 Cohigamf.exe 35 PID 1656 wrote to memory of 536 1656 Cohigamf.exe 35 PID 1656 wrote to memory of 536 1656 Cohigamf.exe 35 PID 536 wrote to memory of 584 536 Ckoilb32.exe 36 PID 536 wrote to memory of 584 536 Ckoilb32.exe 36 PID 536 wrote to memory of 584 536 Ckoilb32.exe 36 PID 536 wrote to memory of 584 536 Ckoilb32.exe 36 PID 584 wrote to memory of 2212 584 Cojema32.exe 37 PID 584 wrote to memory of 2212 584 Cojema32.exe 37 PID 584 wrote to memory of 2212 584 Cojema32.exe 37 PID 584 wrote to memory of 2212 584 Cojema32.exe 37 PID 2212 wrote to memory of 1628 2212 Cnobnmpl.exe 38 PID 2212 wrote to memory of 1628 2212 Cnobnmpl.exe 38 PID 2212 wrote to memory of 1628 2212 Cnobnmpl.exe 38 PID 2212 wrote to memory of 1628 2212 Cnobnmpl.exe 38 PID 1628 wrote to memory of 2772 1628 Cpnojioo.exe 39 PID 1628 wrote to memory of 2772 1628 Cpnojioo.exe 39 PID 1628 wrote to memory of 2772 1628 Cpnojioo.exe 39 PID 1628 wrote to memory of 2772 1628 Cpnojioo.exe 39 PID 2772 wrote to memory of 684 2772 Cldooj32.exe 40 PID 2772 wrote to memory of 684 2772 Cldooj32.exe 40 PID 2772 wrote to memory of 684 2772 Cldooj32.exe 40 PID 2772 wrote to memory of 684 2772 Cldooj32.exe 40 PID 684 wrote to memory of 908 684 Dndlim32.exe 41 PID 684 wrote to memory of 908 684 Dndlim32.exe 41 PID 684 wrote to memory of 908 684 Dndlim32.exe 41 PID 684 wrote to memory of 908 684 Dndlim32.exe 41 PID 908 wrote to memory of 796 908 Djklnnaj.exe 42 PID 908 wrote to memory of 796 908 Djklnnaj.exe 42 PID 908 wrote to memory of 796 908 Djklnnaj.exe 42 PID 908 wrote to memory of 796 908 Djklnnaj.exe 42 PID 796 wrote to memory of 2160 796 Dpeekh32.exe 43 PID 796 wrote to memory of 2160 796 Dpeekh32.exe 43 PID 796 wrote to memory of 2160 796 Dpeekh32.exe 43 PID 796 wrote to memory of 2160 796 Dpeekh32.exe 43 PID 2160 wrote to memory of 316 2160 Dojald32.exe 44 PID 2160 wrote to memory of 316 2160 Dojald32.exe 44 PID 2160 wrote to memory of 316 2160 Dojald32.exe 44 PID 2160 wrote to memory of 316 2160 Dojald32.exe 44 PID 316 wrote to memory of 896 316 Dbhnhp32.exe 45 PID 316 wrote to memory of 896 316 Dbhnhp32.exe 45 PID 316 wrote to memory of 896 316 Dbhnhp32.exe 45 PID 316 wrote to memory of 896 316 Dbhnhp32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\249ae06b30939761a05304402a30d9811d255a51d3e50e6f38301a6a7e189276.exe"C:\Users\Admin\AppData\Local\Temp\249ae06b30939761a05304402a30d9811d255a51d3e50e6f38301a6a7e189276.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1700 -
C:\Windows\SysWOW64\Biicik32.exeC:\Windows\system32\Biicik32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\Ckjpacfp.exeC:\Windows\system32\Ckjpacfp.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Coelaaoi.exeC:\Windows\system32\Coelaaoi.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Clilkfnb.exeC:\Windows\system32\Clilkfnb.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\Cohigamf.exeC:\Windows\system32\Cohigamf.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\SysWOW64\Ckoilb32.exeC:\Windows\system32\Ckoilb32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:536 -
C:\Windows\SysWOW64\Cojema32.exeC:\Windows\system32\Cojema32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:584 -
C:\Windows\SysWOW64\Cnobnmpl.exeC:\Windows\system32\Cnobnmpl.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\SysWOW64\Cpnojioo.exeC:\Windows\system32\Cpnojioo.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1628 -
C:\Windows\SysWOW64\Cldooj32.exeC:\Windows\system32\Cldooj32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Dndlim32.exeC:\Windows\system32\Dndlim32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:684 -
C:\Windows\SysWOW64\Djklnnaj.exeC:\Windows\system32\Djklnnaj.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:908 -
C:\Windows\SysWOW64\Dpeekh32.exeC:\Windows\system32\Dpeekh32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:796 -
C:\Windows\SysWOW64\Dojald32.exeC:\Windows\system32\Dojald32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Windows\SysWOW64\Dbhnhp32.exeC:\Windows\system32\Dbhnhp32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:316 -
C:\Windows\SysWOW64\Dookgcij.exeC:\Windows\system32\Dookgcij.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:896 -
C:\Windows\SysWOW64\Eqpgol32.exeC:\Windows\system32\Eqpgol32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1332 -
C:\Windows\SysWOW64\Ecqqpgli.exeC:\Windows\system32\Ecqqpgli.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1648 -
C:\Windows\SysWOW64\Ekhhadmk.exeC:\Windows\system32\Ekhhadmk.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1536 -
C:\Windows\SysWOW64\Edpmjj32.exeC:\Windows\system32\Edpmjj32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1704 -
C:\Windows\SysWOW64\Eqgnokip.exeC:\Windows\system32\Eqgnokip.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:888 -
C:\Windows\SysWOW64\Eplkpgnh.exeC:\Windows\system32\Eplkpgnh.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2448 -
C:\Windows\SysWOW64\Fidoim32.exeC:\Windows\system32\Fidoim32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2860 -
C:\Windows\SysWOW64\Fekpnn32.exeC:\Windows\system32\Fekpnn32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2792 -
C:\Windows\SysWOW64\Fpqdkf32.exeC:\Windows\system32\Fpqdkf32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2856 -
C:\Windows\SysWOW64\Flgeqgog.exeC:\Windows\system32\Flgeqgog.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2636 -
C:\Windows\SysWOW64\Fadminnn.exeC:\Windows\system32\Fadminnn.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2764 -
C:\Windows\SysWOW64\Fepiimfg.exeC:\Windows\system32\Fepiimfg.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:592 -
C:\Windows\SysWOW64\Fhneehek.exeC:\Windows\system32\Fhneehek.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2232 -
C:\Windows\SysWOW64\Fbdjbaea.exeC:\Windows\system32\Fbdjbaea.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2112 -
C:\Windows\SysWOW64\Fagjnn32.exeC:\Windows\system32\Fagjnn32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2288 -
C:\Windows\SysWOW64\Fhqbkhch.exeC:\Windows\system32\Fhqbkhch.exe33⤵
- Executes dropped EXE
PID:1856 -
C:\Windows\SysWOW64\Fllnlg32.exeC:\Windows\system32\Fllnlg32.exe34⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Faigdn32.exeC:\Windows\system32\Faigdn32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Gdgcpi32.exeC:\Windows\system32\Gdgcpi32.exe36⤵
- Executes dropped EXE
PID:1100 -
C:\Windows\SysWOW64\Ghcoqh32.exeC:\Windows\system32\Ghcoqh32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1636 -
C:\Windows\SysWOW64\Gjakmc32.exeC:\Windows\system32\Gjakmc32.exe38⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Gakcimgf.exeC:\Windows\system32\Gakcimgf.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:1500 -
C:\Windows\SysWOW64\Ghelfg32.exeC:\Windows\system32\Ghelfg32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1112 -
C:\Windows\SysWOW64\Ganpomec.exeC:\Windows\system32\Ganpomec.exe41⤵
- Executes dropped EXE
PID:2388 -
C:\Windows\SysWOW64\Gdllkhdg.exeC:\Windows\system32\Gdllkhdg.exe42⤵
- Executes dropped EXE
PID:1052 -
C:\Windows\SysWOW64\Gmdadnkh.exeC:\Windows\system32\Gmdadnkh.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2080 -
C:\Windows\SysWOW64\Glgaok32.exeC:\Windows\system32\Glgaok32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2136 -
C:\Windows\SysWOW64\Gbaileio.exeC:\Windows\system32\Gbaileio.exe45⤵
- Executes dropped EXE
PID:560 -
C:\Windows\SysWOW64\Gfmemc32.exeC:\Windows\system32\Gfmemc32.exe46⤵
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Gepehphc.exeC:\Windows\system32\Gepehphc.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:2732 -
C:\Windows\SysWOW64\Gikaio32.exeC:\Windows\system32\Gikaio32.exe48⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Gmgninie.exeC:\Windows\system32\Gmgninie.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2596 -
C:\Windows\SysWOW64\Gpejeihi.exeC:\Windows\system32\Gpejeihi.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2664 -
C:\Windows\SysWOW64\Gbcfadgl.exeC:\Windows\system32\Gbcfadgl.exe51⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Gfobbc32.exeC:\Windows\system32\Gfobbc32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:688 -
C:\Windows\SysWOW64\Hpgfki32.exeC:\Windows\system32\Hpgfki32.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2556 -
C:\Windows\SysWOW64\Hojgfemq.exeC:\Windows\system32\Hojgfemq.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:1632 -
C:\Windows\SysWOW64\Hedocp32.exeC:\Windows\system32\Hedocp32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1184 -
C:\Windows\SysWOW64\Hlngpjlj.exeC:\Windows\system32\Hlngpjlj.exe56⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Homclekn.exeC:\Windows\system32\Homclekn.exe57⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Hbhomd32.exeC:\Windows\system32\Hbhomd32.exe58⤵
- Executes dropped EXE
PID:1892 -
C:\Windows\SysWOW64\Hakphqja.exeC:\Windows\system32\Hakphqja.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2452 -
C:\Windows\SysWOW64\Heglio32.exeC:\Windows\system32\Heglio32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2104 -
C:\Windows\SysWOW64\Hhehek32.exeC:\Windows\system32\Hhehek32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:612 -
C:\Windows\SysWOW64\Hoopae32.exeC:\Windows\system32\Hoopae32.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:2336 -
C:\Windows\SysWOW64\Hmbpmapf.exeC:\Windows\system32\Hmbpmapf.exe63⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Heihnoph.exeC:\Windows\system32\Heihnoph.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:836 -
C:\Windows\SysWOW64\Hhgdkjol.exeC:\Windows\system32\Hhgdkjol.exe65⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Hkfagfop.exeC:\Windows\system32\Hkfagfop.exe66⤵PID:3004
-
C:\Windows\SysWOW64\Hhjapjmi.exeC:\Windows\system32\Hhjapjmi.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2380 -
C:\Windows\SysWOW64\Hkhnle32.exeC:\Windows\system32\Hkhnle32.exe68⤵PID:1740
-
C:\Windows\SysWOW64\Hiknhbcg.exeC:\Windows\system32\Hiknhbcg.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2784 -
C:\Windows\SysWOW64\Habfipdj.exeC:\Windows\system32\Habfipdj.exe70⤵PID:2392
-
C:\Windows\SysWOW64\Hpefdl32.exeC:\Windows\system32\Hpefdl32.exe71⤵PID:2852
-
C:\Windows\SysWOW64\Iccbqh32.exeC:\Windows\system32\Iccbqh32.exe72⤵PID:1952
-
C:\Windows\SysWOW64\Illgimph.exeC:\Windows\system32\Illgimph.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1924 -
C:\Windows\SysWOW64\Ipgbjl32.exeC:\Windows\system32\Ipgbjl32.exe74⤵PID:2544
-
C:\Windows\SysWOW64\Igakgfpn.exeC:\Windows\system32\Igakgfpn.exe75⤵
- Modifies registry class
PID:2824 -
C:\Windows\SysWOW64\Inkccpgk.exeC:\Windows\system32\Inkccpgk.exe76⤵
- Modifies registry class
PID:1776 -
C:\Windows\SysWOW64\Iompkh32.exeC:\Windows\system32\Iompkh32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2352 -
C:\Windows\SysWOW64\Ichllgfb.exeC:\Windows\system32\Ichllgfb.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2296 -
C:\Windows\SysWOW64\Igchlf32.exeC:\Windows\system32\Igchlf32.exe79⤵PID:2200
-
C:\Windows\SysWOW64\Ijbdha32.exeC:\Windows\system32\Ijbdha32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1612 -
C:\Windows\SysWOW64\Ilqpdm32.exeC:\Windows\system32\Ilqpdm32.exe81⤵PID:2224
-
C:\Windows\SysWOW64\Ieidmbcc.exeC:\Windows\system32\Ieidmbcc.exe82⤵
- System Location Discovery: System Language Discovery
PID:1060 -
C:\Windows\SysWOW64\Ijdqna32.exeC:\Windows\system32\Ijdqna32.exe83⤵
- Drops file in System32 directory
PID:2520 -
C:\Windows\SysWOW64\Ihgainbg.exeC:\Windows\system32\Ihgainbg.exe84⤵
- Modifies registry class
PID:1732 -
C:\Windows\SysWOW64\Ilcmjl32.exeC:\Windows\system32\Ilcmjl32.exe85⤵
- Modifies registry class
PID:468 -
C:\Windows\SysWOW64\Ifkacb32.exeC:\Windows\system32\Ifkacb32.exe86⤵
- System Location Discovery: System Language Discovery
PID:2820 -
C:\Windows\SysWOW64\Ihjnom32.exeC:\Windows\system32\Ihjnom32.exe87⤵PID:2588
-
C:\Windows\SysWOW64\Ileiplhn.exeC:\Windows\system32\Ileiplhn.exe88⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3016 -
C:\Windows\SysWOW64\Ikhjki32.exeC:\Windows\system32\Ikhjki32.exe89⤵
- System Location Discovery: System Language Discovery
PID:768 -
C:\Windows\SysWOW64\Jnffgd32.exeC:\Windows\system32\Jnffgd32.exe90⤵PID:2280
-
C:\Windows\SysWOW64\Jdpndnei.exeC:\Windows\system32\Jdpndnei.exe91⤵PID:1724
-
C:\Windows\SysWOW64\Jhljdm32.exeC:\Windows\system32\Jhljdm32.exe92⤵
- System Location Discovery: System Language Discovery
PID:2144 -
C:\Windows\SysWOW64\Jgojpjem.exeC:\Windows\system32\Jgojpjem.exe93⤵
- System Location Discovery: System Language Discovery
PID:1820 -
C:\Windows\SysWOW64\Jnicmdli.exeC:\Windows\system32\Jnicmdli.exe94⤵PID:1056
-
C:\Windows\SysWOW64\Jbdonb32.exeC:\Windows\system32\Jbdonb32.exe95⤵PID:2376
-
C:\Windows\SysWOW64\Jqgoiokm.exeC:\Windows\system32\Jqgoiokm.exe96⤵PID:1484
-
C:\Windows\SysWOW64\Jjpcbe32.exeC:\Windows\system32\Jjpcbe32.exe97⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:840 -
C:\Windows\SysWOW64\Jnkpbcjg.exeC:\Windows\system32\Jnkpbcjg.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1556 -
C:\Windows\SysWOW64\Jgcdki32.exeC:\Windows\system32\Jgcdki32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2340 -
C:\Windows\SysWOW64\Jjbpgd32.exeC:\Windows\system32\Jjbpgd32.exe100⤵PID:2628
-
C:\Windows\SysWOW64\Jqlhdo32.exeC:\Windows\system32\Jqlhdo32.exe101⤵
- Modifies registry class
PID:1572 -
C:\Windows\SysWOW64\Jcjdpj32.exeC:\Windows\system32\Jcjdpj32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2844 -
C:\Windows\SysWOW64\Jgfqaiod.exeC:\Windows\system32\Jgfqaiod.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2864 -
C:\Windows\SysWOW64\Jjdmmdnh.exeC:\Windows\system32\Jjdmmdnh.exe104⤵PID:2064
-
C:\Windows\SysWOW64\Jfknbe32.exeC:\Windows\system32\Jfknbe32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2068 -
C:\Windows\SysWOW64\Kjfjbdle.exeC:\Windows\system32\Kjfjbdle.exe106⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2924 -
C:\Windows\SysWOW64\Kiijnq32.exeC:\Windows\system32\Kiijnq32.exe107⤵
- Drops file in System32 directory
PID:1320 -
C:\Windows\SysWOW64\Kconkibf.exeC:\Windows\system32\Kconkibf.exe108⤵
- System Location Discovery: System Language Discovery
PID:2964 -
C:\Windows\SysWOW64\Kfmjgeaj.exeC:\Windows\system32\Kfmjgeaj.exe109⤵PID:2804
-
C:\Windows\SysWOW64\Kilfcpqm.exeC:\Windows\system32\Kilfcpqm.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2188 -
C:\Windows\SysWOW64\Kofopj32.exeC:\Windows\system32\Kofopj32.exe111⤵
- System Location Discovery: System Language Discovery
PID:1012 -
C:\Windows\SysWOW64\Kfpgmdog.exeC:\Windows\system32\Kfpgmdog.exe112⤵PID:1276
-
C:\Windows\SysWOW64\Kmjojo32.exeC:\Windows\system32\Kmjojo32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2504 -
C:\Windows\SysWOW64\Knklagmb.exeC:\Windows\system32\Knklagmb.exe114⤵
- System Location Discovery: System Language Discovery
PID:2748 -
C:\Windows\SysWOW64\Keednado.exeC:\Windows\system32\Keednado.exe115⤵PID:2344
-
C:\Windows\SysWOW64\Kgcpjmcb.exeC:\Windows\system32\Kgcpjmcb.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2428 -
C:\Windows\SysWOW64\Knmhgf32.exeC:\Windows\system32\Knmhgf32.exe117⤵
- Drops file in System32 directory
- Modifies registry class
PID:2076 -
C:\Windows\SysWOW64\Kaldcb32.exeC:\Windows\system32\Kaldcb32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:3044 -
C:\Windows\SysWOW64\Kgemplap.exeC:\Windows\system32\Kgemplap.exe119⤵PID:3028
-
C:\Windows\SysWOW64\Kjdilgpc.exeC:\Windows\system32\Kjdilgpc.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2204 -
C:\Windows\SysWOW64\Kbkameaf.exeC:\Windows\system32\Kbkameaf.exe121⤵
- System Location Discovery: System Language Discovery
PID:1228
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-