Analysis
-
max time kernel
117s -
max time network
117s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
23-12-2024 21:29
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
53cb355a987ce49bbe851ac38f8a4e2ef05f0f23456947101e3445cd2475b87f.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
53cb355a987ce49bbe851ac38f8a4e2ef05f0f23456947101e3445cd2475b87f.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
53cb355a987ce49bbe851ac38f8a4e2ef05f0f23456947101e3445cd2475b87f.exe
-
Size
84KB
-
MD5
50250663c7ea613f00d1d618e7c75223
-
SHA1
36a858b221619cd32c05544c56f8aa60dfae30c5
-
SHA256
53cb355a987ce49bbe851ac38f8a4e2ef05f0f23456947101e3445cd2475b87f
-
SHA512
9a4f48e03cd21b42266763054d7fd82e217358c494cc0928ad7cbd433fcb07b69feef4401fb679654994f09513b7e435286538b6d3a09dfd6ab3b4ea5760127a
-
SSDEEP
1536:lywfT5ZoWO+xa4cm7caRsK+e6N6U9XSREXHfVPfMVwNKT1iqWUPGc4T7VLd:Uow+xa4cm7d2K+dN6U9CREXdXNKT1nty
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Japciodd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgpdglhn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omckoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pddjlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajhddk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkebafoa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hqiqjlga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikjhki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnapnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfanmogq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejcmmp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gockgdeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Loclai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iogpag32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phklaacg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgdkkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfhdnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfcgbb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpklkgoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgocmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmhkin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcnoejch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khnapkjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aaejojjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmfcop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kidjdpie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fakdcnhh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmdbnnlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fijbco32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjaeba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khjgel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhlqjone.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piabdiep.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qldhkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfckcoen.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbabho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efljhq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kidjdpie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgcnahoo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kekkiq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmhahkdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbabho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebckmaec.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcgmfgfd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcjilgdb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icncgf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iknafhjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkojbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blinefnd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckpckece.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Deondj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ieponofk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmfcop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkjmfjmi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khjgel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djlfma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhbdleol.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fliook32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdpgph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gefmcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gonale32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hqnjek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajehnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apppkekc.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2796 Ldjbkb32.exe 2780 Lanbdf32.exe 2576 Lhhkapeh.exe 2552 Lgkkmm32.exe 3008 Lkggmldl.exe 2892 Ljldnhid.exe 2396 Lljpjchg.exe 1356 Lgpdglhn.exe 1580 Ljnqdhga.exe 2844 Llmmpcfe.exe 2896 Mcfemmna.exe 1112 Mqjefamk.exe 3064 Mciabmlo.exe 1444 Mlafkb32.exe 2316 Mkdffoij.exe 1044 Mdmkoepk.exe 936 Mkfclo32.exe 908 Mobomnoq.exe 2248 Mdogedmh.exe 1644 Mkipao32.exe 1512 Modlbmmn.exe 3028 Mimpkcdn.exe 280 Ngpqfp32.exe 992 Nqhepeai.exe 2480 Ncfalqpm.exe 2708 Nnleiipc.exe 2668 Nqjaeeog.exe 888 Nnnbni32.exe 3004 Nqmnjd32.exe 2724 Njeccjcd.exe 2276 Nqokpd32.exe 1152 Njgpij32.exe 340 Nijpdfhm.exe 1704 Ofnpnkgf.exe 1732 Omhhke32.exe 1484 Olkifaen.exe 588 Opfegp32.exe 2172 Olmela32.exe 2068 Onlahm32.exe 2108 Oefjdgjk.exe 1952 Oiafee32.exe 2448 Odkgec32.exe 2528 Olbogqoe.exe 2484 Omckoi32.exe 2164 Oejcpf32.exe 1360 Odmckcmq.exe 2240 Oflpgnld.exe 272 Ojglhm32.exe 2824 Pmehdh32.exe 2744 Pdppqbkn.exe 2564 Phklaacg.exe 3000 Pfnmmn32.exe 2596 Piliii32.exe 2648 Ppfafcpb.exe 308 Pdbmfb32.exe 2868 Pfpibn32.exe 2760 Pjleclph.exe 1708 Pioeoi32.exe 2188 Plmbkd32.exe 2924 Pddjlb32.exe 956 Peefcjlg.exe 2512 Piabdiep.exe 2496 Piabdiep.exe 1824 Pmmneg32.exe -
Loads dropped DLL 64 IoCs
pid Process 2124 53cb355a987ce49bbe851ac38f8a4e2ef05f0f23456947101e3445cd2475b87f.exe 2124 53cb355a987ce49bbe851ac38f8a4e2ef05f0f23456947101e3445cd2475b87f.exe 2796 Ldjbkb32.exe 2796 Ldjbkb32.exe 2780 Lanbdf32.exe 2780 Lanbdf32.exe 2576 Lhhkapeh.exe 2576 Lhhkapeh.exe 2552 Lgkkmm32.exe 2552 Lgkkmm32.exe 3008 Lkggmldl.exe 3008 Lkggmldl.exe 2892 Ljldnhid.exe 2892 Ljldnhid.exe 2396 Lljpjchg.exe 2396 Lljpjchg.exe 1356 Lgpdglhn.exe 1356 Lgpdglhn.exe 1580 Ljnqdhga.exe 1580 Ljnqdhga.exe 2844 Llmmpcfe.exe 2844 Llmmpcfe.exe 2896 Mcfemmna.exe 2896 Mcfemmna.exe 1112 Mqjefamk.exe 1112 Mqjefamk.exe 3064 Mciabmlo.exe 3064 Mciabmlo.exe 1444 Mlafkb32.exe 1444 Mlafkb32.exe 2316 Mkdffoij.exe 2316 Mkdffoij.exe 1044 Mdmkoepk.exe 1044 Mdmkoepk.exe 936 Mkfclo32.exe 936 Mkfclo32.exe 908 Mobomnoq.exe 908 Mobomnoq.exe 2248 Mdogedmh.exe 2248 Mdogedmh.exe 1644 Mkipao32.exe 1644 Mkipao32.exe 1512 Modlbmmn.exe 1512 Modlbmmn.exe 3028 Mimpkcdn.exe 3028 Mimpkcdn.exe 280 Ngpqfp32.exe 280 Ngpqfp32.exe 992 Nqhepeai.exe 992 Nqhepeai.exe 2480 Ncfalqpm.exe 2480 Ncfalqpm.exe 2708 Nnleiipc.exe 2708 Nnleiipc.exe 2668 Nqjaeeog.exe 2668 Nqjaeeog.exe 888 Nnnbni32.exe 888 Nnnbni32.exe 3004 Nqmnjd32.exe 3004 Nqmnjd32.exe 2724 Njeccjcd.exe 2724 Njeccjcd.exe 2276 Nqokpd32.exe 2276 Nqokpd32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Cfanmogq.exe Ccbbachm.exe File created C:\Windows\SysWOW64\Demaoj32.exe Dboeco32.exe File created C:\Windows\SysWOW64\Ejcmmp32.exe Efhqmadd.exe File created C:\Windows\SysWOW64\Ieponofk.exe Ibacbcgg.exe File created C:\Windows\SysWOW64\Kablnadm.exe Kocpbfei.exe File created C:\Windows\SysWOW64\Pgodelnq.dll Kdeaelok.exe File opened for modification C:\Windows\SysWOW64\Omhhke32.exe Ofnpnkgf.exe File created C:\Windows\SysWOW64\Aknngo32.exe Agbbgqhh.exe File created C:\Windows\SysWOW64\Jkbcekmn.dll Kdbepm32.exe File opened for modification C:\Windows\SysWOW64\Blinefnd.exe Bjjaikoa.exe File opened for modification C:\Windows\SysWOW64\Hqkmplen.exe Hmpaom32.exe File created C:\Windows\SysWOW64\Hfjbmb32.exe Hclfag32.exe File created C:\Windows\SysWOW64\Piliii32.exe Pfnmmn32.exe File opened for modification C:\Windows\SysWOW64\Pdbmfb32.exe Ppfafcpb.exe File created C:\Windows\SysWOW64\Qbnphngk.exe Qobdgo32.exe File created C:\Windows\SysWOW64\Hcepqh32.exe Hqgddm32.exe File created C:\Windows\SysWOW64\Klecfkff.exe Khjgel32.exe File created C:\Windows\SysWOW64\Obgmpo32.dll Bnapnm32.exe File opened for modification C:\Windows\SysWOW64\Ghgfekpn.exe Gdkjdl32.exe File opened for modification C:\Windows\SysWOW64\Kjeglh32.exe Khgkpl32.exe File created C:\Windows\SysWOW64\Bkknac32.exe Blinefnd.exe File created C:\Windows\SysWOW64\Faphfl32.dll Iknafhjb.exe File created C:\Windows\SysWOW64\Mebgijei.dll Jcqlkjae.exe File created C:\Windows\SysWOW64\Mcfemmna.exe Llmmpcfe.exe File created C:\Windows\SysWOW64\Plbkfdba.exe Phfoee32.exe File created C:\Windows\SysWOW64\Efjmbaba.exe Edlafebn.exe File opened for modification C:\Windows\SysWOW64\Gcgqgd32.exe Gpidki32.exe File created C:\Windows\SysWOW64\Hnbbcale.dll Gajqbakc.exe File created C:\Windows\SysWOW64\Kjcijlpq.dll Hffibceh.exe File created C:\Windows\SysWOW64\Npepbkgb.dll Ccpeld32.exe File opened for modification C:\Windows\SysWOW64\Cqdfehii.exe Cjjnhnbl.exe File opened for modification C:\Windows\SysWOW64\Lgfjggll.exe Ldgnklmi.exe File created C:\Windows\SysWOW64\Mqjefamk.exe Mcfemmna.exe File created C:\Windows\SysWOW64\Nnleiipc.exe Ncfalqpm.exe File created C:\Windows\SysWOW64\Ijcngenj.exe Igebkiof.exe File created C:\Windows\SysWOW64\Eplpdepa.dll Jnmiag32.exe File created C:\Windows\SysWOW64\Ljnqdhga.exe Lgpdglhn.exe File opened for modification C:\Windows\SysWOW64\Fgocmc32.exe Fdpgph32.exe File created C:\Windows\SysWOW64\Gnlnhm32.dll Gdkjdl32.exe File created C:\Windows\SysWOW64\Pkbnjifp.dll Gockgdeh.exe File created C:\Windows\SysWOW64\Oopqjabc.dll Lkjmfjmi.exe File created C:\Windows\SysWOW64\Lhhkapeh.exe Lanbdf32.exe File created C:\Windows\SysWOW64\Dlfqea32.dll Pioeoi32.exe File created C:\Windows\SysWOW64\Agioom32.dll Kapohbfp.exe File created C:\Windows\SysWOW64\Ahfalc32.dll Qoeamo32.exe File created C:\Windows\SysWOW64\Elibpg32.exe Ehnfpifm.exe File created C:\Windows\SysWOW64\Apjlggne.dll Njeccjcd.exe File created C:\Windows\SysWOW64\Mkkiehdc.dll Pdbmfb32.exe File created C:\Windows\SysWOW64\Qhihii32.dll Cqaiph32.exe File created C:\Windows\SysWOW64\Difqji32.exe Dfhdnn32.exe File created C:\Windows\SysWOW64\Kbjbge32.exe Jplfkjbd.exe File created C:\Windows\SysWOW64\Kocpbfei.exe Klecfkff.exe File created C:\Windows\SysWOW64\Kadica32.exe Koflgf32.exe File created C:\Windows\SysWOW64\Fogalkad.dll Nnleiipc.exe File created C:\Windows\SysWOW64\Odecjfnl.dll Alageg32.exe File created C:\Windows\SysWOW64\Fdgdji32.exe Fahhnn32.exe File created C:\Windows\SysWOW64\Lknocpdc.dll Fahhnn32.exe File opened for modification C:\Windows\SysWOW64\Fglfgd32.exe Fdnjkh32.exe File created C:\Windows\SysWOW64\Gonale32.exe Glpepj32.exe File opened for modification C:\Windows\SysWOW64\Baefnmml.exe Bkknac32.exe File created C:\Windows\SysWOW64\Eckfklnl.dll Dboeco32.exe File created C:\Windows\SysWOW64\Fooembgb.exe Fggmldfp.exe File created C:\Windows\SysWOW64\Kdbepm32.exe Kadica32.exe File created C:\Windows\SysWOW64\Onpeobjf.dll Khnapkjg.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4724 4684 WerFault.exe 388 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpieengb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgcnahoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njeccjcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qobdgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkpglbaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhpgfeao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqhepeai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajhddk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlqjkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjhgbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhiddoph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Loclai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qldhkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdhleh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fliook32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gonale32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lepaccmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alageg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edidqf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghdiokbq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jggoqimd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Modlbmmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnnbni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccbbachm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khjgel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnmiag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfcabd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdbmfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adaiee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnkdnqhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmpaom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ageompfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckeqga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfcgbb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmkmjoec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhhkapeh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcfemmna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gecpnp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmfcop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onlahm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aognbnkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkebafoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmpcca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aknngo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajckilei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfcodkcb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cqaiph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piabdiep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phfoee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qoeamo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaejojjq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnagmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmmfnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iediin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkipao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piabdiep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eeojcmfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glpepj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glnhjjml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkfclo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plmbkd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajehnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfhdnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iogpag32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Agpeaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhohnoea.dll" Eppefg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epbbkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcbonpco.dll" Jgjkfi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbfilffm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Henmilod.dll" Ojglhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aclpaali.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjjaikoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojacgdmh.dll" Gpidki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kadica32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qaapcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aknngo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfcodkcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaimld32.dll" Laahme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mlafkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmichb32.dll" Hjohmbpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnleiipc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pddjlb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dboeco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdmnkd32.dll" Emdeok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fgocmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lekghdad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idhdck32.dll" Fdgdji32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gefmcp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdkjdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jpgmpk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpnopm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hcjilgdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdioqoen.dll" Omhhke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooffgmde.dll" Peefcjlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnebcjoe.dll" Pbigmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Plbkfdba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fggmldfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbceme32.dll" Glklejoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnochnpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccpeld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fgjjad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jimdcqom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqahpi32.dll" Dgknkf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmmpolof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikdngobg.dll" Fkefbcmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Feachqgb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hadcipbi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcfemmna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnkpfm32.dll" Phklaacg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbfilffm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oldhgaef.dll" Ladebd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojglhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egmpofck.dll" Demaoj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hgeelf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljphmekn.dll" Lhiddoph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njeccjcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqpkfe32.dll" Hcepqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caefkh32.dll" Dmmpolof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkojbf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njeccjcd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfpibn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Paocnkph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnmbpf32.dll" Bgdkkc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cmfmojcb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmkcil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dlgjldnm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iediin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Modlbmmn.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2124 wrote to memory of 2796 2124 53cb355a987ce49bbe851ac38f8a4e2ef05f0f23456947101e3445cd2475b87f.exe 30 PID 2124 wrote to memory of 2796 2124 53cb355a987ce49bbe851ac38f8a4e2ef05f0f23456947101e3445cd2475b87f.exe 30 PID 2124 wrote to memory of 2796 2124 53cb355a987ce49bbe851ac38f8a4e2ef05f0f23456947101e3445cd2475b87f.exe 30 PID 2124 wrote to memory of 2796 2124 53cb355a987ce49bbe851ac38f8a4e2ef05f0f23456947101e3445cd2475b87f.exe 30 PID 2796 wrote to memory of 2780 2796 Ldjbkb32.exe 31 PID 2796 wrote to memory of 2780 2796 Ldjbkb32.exe 31 PID 2796 wrote to memory of 2780 2796 Ldjbkb32.exe 31 PID 2796 wrote to memory of 2780 2796 Ldjbkb32.exe 31 PID 2780 wrote to memory of 2576 2780 Lanbdf32.exe 32 PID 2780 wrote to memory of 2576 2780 Lanbdf32.exe 32 PID 2780 wrote to memory of 2576 2780 Lanbdf32.exe 32 PID 2780 wrote to memory of 2576 2780 Lanbdf32.exe 32 PID 2576 wrote to memory of 2552 2576 Lhhkapeh.exe 33 PID 2576 wrote to memory of 2552 2576 Lhhkapeh.exe 33 PID 2576 wrote to memory of 2552 2576 Lhhkapeh.exe 33 PID 2576 wrote to memory of 2552 2576 Lhhkapeh.exe 33 PID 2552 wrote to memory of 3008 2552 Lgkkmm32.exe 34 PID 2552 wrote to memory of 3008 2552 Lgkkmm32.exe 34 PID 2552 wrote to memory of 3008 2552 Lgkkmm32.exe 34 PID 2552 wrote to memory of 3008 2552 Lgkkmm32.exe 34 PID 3008 wrote to memory of 2892 3008 Lkggmldl.exe 35 PID 3008 wrote to memory of 2892 3008 Lkggmldl.exe 35 PID 3008 wrote to memory of 2892 3008 Lkggmldl.exe 35 PID 3008 wrote to memory of 2892 3008 Lkggmldl.exe 35 PID 2892 wrote to memory of 2396 2892 Ljldnhid.exe 36 PID 2892 wrote to memory of 2396 2892 Ljldnhid.exe 36 PID 2892 wrote to memory of 2396 2892 Ljldnhid.exe 36 PID 2892 wrote to memory of 2396 2892 Ljldnhid.exe 36 PID 2396 wrote to memory of 1356 2396 Lljpjchg.exe 37 PID 2396 wrote to memory of 1356 2396 Lljpjchg.exe 37 PID 2396 wrote to memory of 1356 2396 Lljpjchg.exe 37 PID 2396 wrote to memory of 1356 2396 Lljpjchg.exe 37 PID 1356 wrote to memory of 1580 1356 Lgpdglhn.exe 38 PID 1356 wrote to memory of 1580 1356 Lgpdglhn.exe 38 PID 1356 wrote to memory of 1580 1356 Lgpdglhn.exe 38 PID 1356 wrote to memory of 1580 1356 Lgpdglhn.exe 38 PID 1580 wrote to memory of 2844 1580 Ljnqdhga.exe 39 PID 1580 wrote to memory of 2844 1580 Ljnqdhga.exe 39 PID 1580 wrote to memory of 2844 1580 Ljnqdhga.exe 39 PID 1580 wrote to memory of 2844 1580 Ljnqdhga.exe 39 PID 2844 wrote to memory of 2896 2844 Llmmpcfe.exe 40 PID 2844 wrote to memory of 2896 2844 Llmmpcfe.exe 40 PID 2844 wrote to memory of 2896 2844 Llmmpcfe.exe 40 PID 2844 wrote to memory of 2896 2844 Llmmpcfe.exe 40 PID 2896 wrote to memory of 1112 2896 Mcfemmna.exe 41 PID 2896 wrote to memory of 1112 2896 Mcfemmna.exe 41 PID 2896 wrote to memory of 1112 2896 Mcfemmna.exe 41 PID 2896 wrote to memory of 1112 2896 Mcfemmna.exe 41 PID 1112 wrote to memory of 3064 1112 Mqjefamk.exe 42 PID 1112 wrote to memory of 3064 1112 Mqjefamk.exe 42 PID 1112 wrote to memory of 3064 1112 Mqjefamk.exe 42 PID 1112 wrote to memory of 3064 1112 Mqjefamk.exe 42 PID 3064 wrote to memory of 1444 3064 Mciabmlo.exe 43 PID 3064 wrote to memory of 1444 3064 Mciabmlo.exe 43 PID 3064 wrote to memory of 1444 3064 Mciabmlo.exe 43 PID 3064 wrote to memory of 1444 3064 Mciabmlo.exe 43 PID 1444 wrote to memory of 2316 1444 Mlafkb32.exe 44 PID 1444 wrote to memory of 2316 1444 Mlafkb32.exe 44 PID 1444 wrote to memory of 2316 1444 Mlafkb32.exe 44 PID 1444 wrote to memory of 2316 1444 Mlafkb32.exe 44 PID 2316 wrote to memory of 1044 2316 Mkdffoij.exe 45 PID 2316 wrote to memory of 1044 2316 Mkdffoij.exe 45 PID 2316 wrote to memory of 1044 2316 Mkdffoij.exe 45 PID 2316 wrote to memory of 1044 2316 Mkdffoij.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\53cb355a987ce49bbe851ac38f8a4e2ef05f0f23456947101e3445cd2475b87f.exe"C:\Users\Admin\AppData\Local\Temp\53cb355a987ce49bbe851ac38f8a4e2ef05f0f23456947101e3445cd2475b87f.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Windows\SysWOW64\Ldjbkb32.exeC:\Windows\system32\Ldjbkb32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\Lanbdf32.exeC:\Windows\system32\Lanbdf32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Lhhkapeh.exeC:\Windows\system32\Lhhkapeh.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\SysWOW64\Lgkkmm32.exeC:\Windows\system32\Lgkkmm32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\SysWOW64\Lkggmldl.exeC:\Windows\system32\Lkggmldl.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Windows\SysWOW64\Ljldnhid.exeC:\Windows\system32\Ljldnhid.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\Lljpjchg.exeC:\Windows\system32\Lljpjchg.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Windows\SysWOW64\Lgpdglhn.exeC:\Windows\system32\Lgpdglhn.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1356 -
C:\Windows\SysWOW64\Ljnqdhga.exeC:\Windows\system32\Ljnqdhga.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1580 -
C:\Windows\SysWOW64\Llmmpcfe.exeC:\Windows\system32\Llmmpcfe.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Mcfemmna.exeC:\Windows\system32\Mcfemmna.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\Mqjefamk.exeC:\Windows\system32\Mqjefamk.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1112 -
C:\Windows\SysWOW64\Mciabmlo.exeC:\Windows\system32\Mciabmlo.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\SysWOW64\Mlafkb32.exeC:\Windows\system32\Mlafkb32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1444 -
C:\Windows\SysWOW64\Mkdffoij.exeC:\Windows\system32\Mkdffoij.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\SysWOW64\Mdmkoepk.exeC:\Windows\system32\Mdmkoepk.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1044 -
C:\Windows\SysWOW64\Mkfclo32.exeC:\Windows\system32\Mkfclo32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:936 -
C:\Windows\SysWOW64\Mobomnoq.exeC:\Windows\system32\Mobomnoq.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:908 -
C:\Windows\SysWOW64\Mdogedmh.exeC:\Windows\system32\Mdogedmh.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2248 -
C:\Windows\SysWOW64\Mkipao32.exeC:\Windows\system32\Mkipao32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1644 -
C:\Windows\SysWOW64\Modlbmmn.exeC:\Windows\system32\Modlbmmn.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1512 -
C:\Windows\SysWOW64\Mimpkcdn.exeC:\Windows\system32\Mimpkcdn.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3028 -
C:\Windows\SysWOW64\Ngpqfp32.exeC:\Windows\system32\Ngpqfp32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:280 -
C:\Windows\SysWOW64\Nqhepeai.exeC:\Windows\system32\Nqhepeai.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:992 -
C:\Windows\SysWOW64\Ncfalqpm.exeC:\Windows\system32\Ncfalqpm.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2480 -
C:\Windows\SysWOW64\Nnleiipc.exeC:\Windows\system32\Nnleiipc.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2708 -
C:\Windows\SysWOW64\Nqjaeeog.exeC:\Windows\system32\Nqjaeeog.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2668 -
C:\Windows\SysWOW64\Nnnbni32.exeC:\Windows\system32\Nnnbni32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:888 -
C:\Windows\SysWOW64\Nqmnjd32.exeC:\Windows\system32\Nqmnjd32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3004 -
C:\Windows\SysWOW64\Njeccjcd.exeC:\Windows\system32\Njeccjcd.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2724 -
C:\Windows\SysWOW64\Nqokpd32.exeC:\Windows\system32\Nqokpd32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2276 -
C:\Windows\SysWOW64\Njgpij32.exeC:\Windows\system32\Njgpij32.exe33⤵
- Executes dropped EXE
PID:1152 -
C:\Windows\SysWOW64\Nijpdfhm.exeC:\Windows\system32\Nijpdfhm.exe34⤵
- Executes dropped EXE
PID:340 -
C:\Windows\SysWOW64\Ofnpnkgf.exeC:\Windows\system32\Ofnpnkgf.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1704 -
C:\Windows\SysWOW64\Omhhke32.exeC:\Windows\system32\Omhhke32.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:1732 -
C:\Windows\SysWOW64\Olkifaen.exeC:\Windows\system32\Olkifaen.exe37⤵
- Executes dropped EXE
PID:1484 -
C:\Windows\SysWOW64\Opfegp32.exeC:\Windows\system32\Opfegp32.exe38⤵
- Executes dropped EXE
PID:588 -
C:\Windows\SysWOW64\Olmela32.exeC:\Windows\system32\Olmela32.exe39⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Onlahm32.exeC:\Windows\system32\Onlahm32.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2068 -
C:\Windows\SysWOW64\Oefjdgjk.exeC:\Windows\system32\Oefjdgjk.exe41⤵
- Executes dropped EXE
PID:2108 -
C:\Windows\SysWOW64\Oiafee32.exeC:\Windows\system32\Oiafee32.exe42⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Odkgec32.exeC:\Windows\system32\Odkgec32.exe43⤵
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\Olbogqoe.exeC:\Windows\system32\Olbogqoe.exe44⤵
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Omckoi32.exeC:\Windows\system32\Omckoi32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Oejcpf32.exeC:\Windows\system32\Oejcpf32.exe46⤵
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Odmckcmq.exeC:\Windows\system32\Odmckcmq.exe47⤵
- Executes dropped EXE
PID:1360 -
C:\Windows\SysWOW64\Oflpgnld.exeC:\Windows\system32\Oflpgnld.exe48⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Ojglhm32.exeC:\Windows\system32\Ojglhm32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:272 -
C:\Windows\SysWOW64\Pmehdh32.exeC:\Windows\system32\Pmehdh32.exe50⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Pdppqbkn.exeC:\Windows\system32\Pdppqbkn.exe51⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Phklaacg.exeC:\Windows\system32\Phklaacg.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2564 -
C:\Windows\SysWOW64\Pfnmmn32.exeC:\Windows\system32\Pfnmmn32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3000 -
C:\Windows\SysWOW64\Piliii32.exeC:\Windows\system32\Piliii32.exe54⤵
- Executes dropped EXE
PID:2596 -
C:\Windows\SysWOW64\Ppfafcpb.exeC:\Windows\system32\Ppfafcpb.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2648 -
C:\Windows\SysWOW64\Pdbmfb32.exeC:\Windows\system32\Pdbmfb32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:308 -
C:\Windows\SysWOW64\Pfpibn32.exeC:\Windows\system32\Pfpibn32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2868 -
C:\Windows\SysWOW64\Pjleclph.exeC:\Windows\system32\Pjleclph.exe58⤵
- Executes dropped EXE
PID:2760 -
C:\Windows\SysWOW64\Pioeoi32.exeC:\Windows\system32\Pioeoi32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1708 -
C:\Windows\SysWOW64\Plmbkd32.exeC:\Windows\system32\Plmbkd32.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2188 -
C:\Windows\SysWOW64\Pddjlb32.exeC:\Windows\system32\Pddjlb32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2924 -
C:\Windows\SysWOW64\Peefcjlg.exeC:\Windows\system32\Peefcjlg.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:956 -
C:\Windows\SysWOW64\Piabdiep.exeC:\Windows\system32\Piabdiep.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2512 -
C:\Windows\SysWOW64\Piabdiep.exeC:\Windows\system32\Piabdiep.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2496 -
C:\Windows\SysWOW64\Pmmneg32.exeC:\Windows\system32\Pmmneg32.exe65⤵
- Executes dropped EXE
PID:1824 -
C:\Windows\SysWOW64\Ppkjac32.exeC:\Windows\system32\Ppkjac32.exe66⤵PID:3068
-
C:\Windows\SysWOW64\Pbigmn32.exeC:\Windows\system32\Pbigmn32.exe67⤵
- Modifies registry class
PID:2964 -
C:\Windows\SysWOW64\Phfoee32.exeC:\Windows\system32\Phfoee32.exe68⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2500 -
C:\Windows\SysWOW64\Plbkfdba.exeC:\Windows\system32\Plbkfdba.exe69⤵
- Modifies registry class
PID:1940 -
C:\Windows\SysWOW64\Ppmgfb32.exeC:\Windows\system32\Ppmgfb32.exe70⤵PID:2584
-
C:\Windows\SysWOW64\Pblcbn32.exeC:\Windows\system32\Pblcbn32.exe71⤵PID:2672
-
C:\Windows\SysWOW64\Paocnkph.exeC:\Windows\system32\Paocnkph.exe72⤵
- Modifies registry class
PID:2604 -
C:\Windows\SysWOW64\Qejpoi32.exeC:\Windows\system32\Qejpoi32.exe73⤵PID:2988
-
C:\Windows\SysWOW64\Qhilkege.exeC:\Windows\system32\Qhilkege.exe74⤵PID:828
-
C:\Windows\SysWOW64\Qldhkc32.exeC:\Windows\system32\Qldhkc32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2284 -
C:\Windows\SysWOW64\Qobdgo32.exeC:\Windows\system32\Qobdgo32.exe76⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2004 -
C:\Windows\SysWOW64\Qbnphngk.exeC:\Windows\system32\Qbnphngk.exe77⤵PID:1304
-
C:\Windows\SysWOW64\Qaapcj32.exeC:\Windows\system32\Qaapcj32.exe78⤵
- Modifies registry class
PID:2280 -
C:\Windows\SysWOW64\Qdompf32.exeC:\Windows\system32\Qdompf32.exe79⤵PID:2328
-
C:\Windows\SysWOW64\Qhkipdeb.exeC:\Windows\system32\Qhkipdeb.exe80⤵PID:2152
-
C:\Windows\SysWOW64\Qlfdac32.exeC:\Windows\system32\Qlfdac32.exe81⤵PID:1292
-
C:\Windows\SysWOW64\Qoeamo32.exeC:\Windows\system32\Qoeamo32.exe82⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:640 -
C:\Windows\SysWOW64\Qmhahkdj.exeC:\Windows\system32\Qmhahkdj.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2536 -
C:\Windows\SysWOW64\Aacmij32.exeC:\Windows\system32\Aacmij32.exe84⤵PID:2092
-
C:\Windows\SysWOW64\Adaiee32.exeC:\Windows\system32\Adaiee32.exe85⤵
- System Location Discovery: System Language Discovery
PID:2072 -
C:\Windows\SysWOW64\Agpeaa32.exeC:\Windows\system32\Agpeaa32.exe86⤵
- Modifies registry class
PID:2920 -
C:\Windows\SysWOW64\Aognbnkm.exeC:\Windows\system32\Aognbnkm.exe87⤵
- System Location Discovery: System Language Discovery
PID:2828 -
C:\Windows\SysWOW64\Aaejojjq.exeC:\Windows\system32\Aaejojjq.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2568 -
C:\Windows\SysWOW64\Addfkeid.exeC:\Windows\system32\Addfkeid.exe89⤵PID:3052
-
C:\Windows\SysWOW64\Agbbgqhh.exeC:\Windows\system32\Agbbgqhh.exe90⤵
- Drops file in System32 directory
PID:2292 -
C:\Windows\SysWOW64\Aknngo32.exeC:\Windows\system32\Aknngo32.exe91⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1676 -
C:\Windows\SysWOW64\Aiaoclgl.exeC:\Windows\system32\Aiaoclgl.exe92⤵PID:596
-
C:\Windows\SysWOW64\Anljck32.exeC:\Windows\system32\Anljck32.exe93⤵PID:1768
-
C:\Windows\SysWOW64\Apkgpf32.exeC:\Windows\system32\Apkgpf32.exe94⤵PID:2116
-
C:\Windows\SysWOW64\Adfbpega.exeC:\Windows\system32\Adfbpega.exe95⤵PID:2432
-
C:\Windows\SysWOW64\Ageompfe.exeC:\Windows\system32\Ageompfe.exe96⤵
- System Location Discovery: System Language Discovery
PID:1776 -
C:\Windows\SysWOW64\Ajckilei.exeC:\Windows\system32\Ajckilei.exe97⤵
- System Location Discovery: System Language Discovery
PID:1440 -
C:\Windows\SysWOW64\Alageg32.exeC:\Windows\system32\Alageg32.exe98⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2660 -
C:\Windows\SysWOW64\Aclpaali.exeC:\Windows\system32\Aclpaali.exe99⤵
- Modifies registry class
PID:1320 -
C:\Windows\SysWOW64\Ajehnk32.exeC:\Windows\system32\Ajehnk32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2872 -
C:\Windows\SysWOW64\Anadojlo.exeC:\Windows\system32\Anadojlo.exe101⤵PID:3016
-
C:\Windows\SysWOW64\Apppkekc.exeC:\Windows\system32\Apppkekc.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2772 -
C:\Windows\SysWOW64\Acnlgajg.exeC:\Windows\system32\Acnlgajg.exe103⤵PID:380
-
C:\Windows\SysWOW64\Afliclij.exeC:\Windows\system32\Afliclij.exe104⤵PID:1700
-
C:\Windows\SysWOW64\Ajhddk32.exeC:\Windows\system32\Ajhddk32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2344 -
C:\Windows\SysWOW64\Bpbmqe32.exeC:\Windows\system32\Bpbmqe32.exe106⤵PID:2460
-
C:\Windows\SysWOW64\Boemlbpk.exeC:\Windows\system32\Boemlbpk.exe107⤵PID:1372
-
C:\Windows\SysWOW64\Bacihmoo.exeC:\Windows\system32\Bacihmoo.exe108⤵PID:1740
-
C:\Windows\SysWOW64\Bjjaikoa.exeC:\Windows\system32\Bjjaikoa.exe109⤵
- Drops file in System32 directory
- Modifies registry class
PID:1008 -
C:\Windows\SysWOW64\Blinefnd.exeC:\Windows\system32\Blinefnd.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2408 -
C:\Windows\SysWOW64\Bkknac32.exeC:\Windows\system32\Bkknac32.exe111⤵
- Drops file in System32 directory
PID:2712 -
C:\Windows\SysWOW64\Baefnmml.exeC:\Windows\system32\Baefnmml.exe112⤵PID:1280
-
C:\Windows\SysWOW64\Bfabnl32.exeC:\Windows\system32\Bfabnl32.exe113⤵PID:3012
-
C:\Windows\SysWOW64\Bhonjg32.exeC:\Windows\system32\Bhonjg32.exe114⤵PID:1684
-
C:\Windows\SysWOW64\Bknjfb32.exeC:\Windows\system32\Bknjfb32.exe115⤵PID:540
-
C:\Windows\SysWOW64\Bnlgbnbp.exeC:\Windows\system32\Bnlgbnbp.exe116⤵PID:2312
-
C:\Windows\SysWOW64\Bfcodkcb.exeC:\Windows\system32\Bfcodkcb.exe117⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1028 -
C:\Windows\SysWOW64\Bgdkkc32.exeC:\Windows\system32\Bgdkkc32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1604 -
C:\Windows\SysWOW64\Bkpglbaj.exeC:\Windows\system32\Bkpglbaj.exe119⤵
- System Location Discovery: System Language Discovery
PID:2944 -
C:\Windows\SysWOW64\Bnochnpm.exeC:\Windows\system32\Bnochnpm.exe120⤵
- Modifies registry class
PID:1036 -
C:\Windows\SysWOW64\Bbjpil32.exeC:\Windows\system32\Bbjpil32.exe121⤵PID:2384
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-