Analysis
-
max time kernel
122s -
max time network
128s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
25-12-2024 19:21
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4459fcff5e5829889f5a646b2e7e091ef876fed4cae77ca1b010c790657177ae.exe
Resource
win7-20241010-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
4459fcff5e5829889f5a646b2e7e091ef876fed4cae77ca1b010c790657177ae.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
4459fcff5e5829889f5a646b2e7e091ef876fed4cae77ca1b010c790657177ae.exe
-
Size
67KB
-
MD5
edbc11f0b4f0a9f3964923415573569f
-
SHA1
b55197b342c4b1ad0a66c85d80070c4a02e19b76
-
SHA256
4459fcff5e5829889f5a646b2e7e091ef876fed4cae77ca1b010c790657177ae
-
SHA512
4eeb217f92821bf354e3f343e626f81c0fdcdc55039dea1f9dd6619683bc38f0b8a84247e442704dbcc39fdf380117f5cd950fc52e7771b4f2cfdb9a141d03b9
-
SSDEEP
1536:T5rHFSi7vy7pt2yGWn9pwIdsJifTduD4oTxw:F8i7vyGJWpwEsJibdMTxw
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfhcoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gojhafnb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oplgeoea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Faijggao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcdhgn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lijiaabk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ompefj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opqoge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahbekjcf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfdhmk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkpqlm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mobomnoq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cojeomee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccgnelll.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akdafn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odedge32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igceej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kidjdpie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obmpgjbb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpmjcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikfbbjdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdhpdq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmnahilc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iianmlfn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pefhlcdk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obgnhkkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Loaokjjg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhqjen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebcmfj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkjdndjo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmnahilc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkalhgfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfnmmn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Goddjc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flclam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmkihbho.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkhjamcf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iciopdca.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpkhoj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgnminke.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ompefj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djjjga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijlaloaf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhhhbg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfbfhm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qobdgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndggib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Boeoek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klecfkff.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llpfjomf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbdkbjkl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgfooe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djocbqpb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlnmel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibejdjln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oabkom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkoobhhg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boifga32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebfqfpop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icbipe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kiecgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Paafmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkqiek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldjbkb32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 768 Fgldnkkf.exe 2976 Fogibnha.exe 1976 Gkpfmnlb.exe 2188 Gonocmbi.exe 2808 Ggicgopd.exe 2952 Gkglnm32.exe 2708 Hmkeke32.exe 2724 Hnjbeh32.exe 2096 Hjacjifm.exe 564 Hfhcoj32.exe 1196 Hboddk32.exe 1952 Inhanl32.exe 3032 Ibejdjln.exe 2748 Ihdpbq32.exe 2256 Iamdkfnc.exe 1496 Jikeeh32.exe 1752 Jimbkh32.exe 1688 Jhbold32.exe 864 Jajcdjca.exe 2288 Jehlkhig.exe 524 Koaqcn32.exe 1732 Kdpfadlm.exe 2564 Klngkfge.exe 1560 Kddomchg.exe 1980 Loqmba32.exe 2532 Lcofio32.exe 2796 Lhknaf32.exe 2776 Lfoojj32.exe 2676 Lnjcomcf.exe 2988 Lddlkg32.exe 2616 Mqklqhpg.exe 2892 Mgedmb32.exe 1152 Mjcaimgg.exe 1704 Mmbmeifk.exe 1932 Mggabaea.exe 3044 Mnaiol32.exe 2956 Mcnbhb32.exe 1860 Mmgfqh32.exe 3036 Mcqombic.exe 2184 Mimgeigj.exe 1744 Nidmfh32.exe 1772 Nbmaon32.exe 1672 Neknki32.exe 544 Nlefhcnc.exe 2116 Nenkqi32.exe 308 Ohncbdbd.exe 1624 Omklkkpl.exe 1576 Odedge32.exe 1328 Oplelf32.exe 2480 Objaha32.exe 2900 Ompefj32.exe 2740 Oekjjl32.exe 3056 Opqoge32.exe 2704 Oabkom32.exe 2636 Plgolf32.exe 624 Pkmlmbcd.exe 1676 Pebpkk32.exe 1948 Pgcmbcih.exe 2872 Pmmeon32.exe 3028 Pidfdofi.exe 916 Pcljmdmj.exe 3016 Qdlggg32.exe 1392 Qiioon32.exe 888 Qgmpibam.exe -
Loads dropped DLL 64 IoCs
pid Process 2044 4459fcff5e5829889f5a646b2e7e091ef876fed4cae77ca1b010c790657177ae.exe 2044 4459fcff5e5829889f5a646b2e7e091ef876fed4cae77ca1b010c790657177ae.exe 768 Fgldnkkf.exe 768 Fgldnkkf.exe 2976 Fogibnha.exe 2976 Fogibnha.exe 1976 Gkpfmnlb.exe 1976 Gkpfmnlb.exe 2188 Gonocmbi.exe 2188 Gonocmbi.exe 2808 Ggicgopd.exe 2808 Ggicgopd.exe 2952 Gkglnm32.exe 2952 Gkglnm32.exe 2708 Hmkeke32.exe 2708 Hmkeke32.exe 2724 Hnjbeh32.exe 2724 Hnjbeh32.exe 2096 Hjacjifm.exe 2096 Hjacjifm.exe 564 Hfhcoj32.exe 564 Hfhcoj32.exe 1196 Hboddk32.exe 1196 Hboddk32.exe 1952 Inhanl32.exe 1952 Inhanl32.exe 3032 Ibejdjln.exe 3032 Ibejdjln.exe 2748 Ihdpbq32.exe 2748 Ihdpbq32.exe 2256 Iamdkfnc.exe 2256 Iamdkfnc.exe 1496 Jikeeh32.exe 1496 Jikeeh32.exe 1752 Jimbkh32.exe 1752 Jimbkh32.exe 1688 Jhbold32.exe 1688 Jhbold32.exe 864 Jajcdjca.exe 864 Jajcdjca.exe 2288 Jehlkhig.exe 2288 Jehlkhig.exe 524 Koaqcn32.exe 524 Koaqcn32.exe 1732 Kdpfadlm.exe 1732 Kdpfadlm.exe 2564 Klngkfge.exe 2564 Klngkfge.exe 1560 Kddomchg.exe 1560 Kddomchg.exe 1980 Loqmba32.exe 1980 Loqmba32.exe 2532 Lcofio32.exe 2532 Lcofio32.exe 2796 Lhknaf32.exe 2796 Lhknaf32.exe 2776 Lfoojj32.exe 2776 Lfoojj32.exe 2676 Lnjcomcf.exe 2676 Lnjcomcf.exe 2988 Lddlkg32.exe 2988 Lddlkg32.exe 2616 Mqklqhpg.exe 2616 Mqklqhpg.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Dkdmfe32.exe Dnqlmq32.exe File created C:\Windows\SysWOW64\Eogolc32.exe Eikfdl32.exe File created C:\Windows\SysWOW64\Akkggpci.dll Bmlael32.exe File opened for modification C:\Windows\SysWOW64\Ceebklai.exe Cjonncab.exe File created C:\Windows\SysWOW64\Kgloog32.dll Cjonncab.exe File created C:\Windows\SysWOW64\Jhjbqo32.exe Ilcalnii.exe File created C:\Windows\SysWOW64\Kindeddf.exe Kgnkci32.exe File opened for modification C:\Windows\SysWOW64\Pfbfhm32.exe Pmjaohol.exe File opened for modification C:\Windows\SysWOW64\Cgadja32.exe Cbdkbjkl.exe File opened for modification C:\Windows\SysWOW64\Gdjcjf32.exe Glckihcg.exe File created C:\Windows\SysWOW64\Pfnoegaf.exe Paafmp32.exe File created C:\Windows\SysWOW64\Heiebkoj.dll Pfeeff32.exe File created C:\Windows\SysWOW64\Fdpojm32.dll Nlilqbgp.exe File created C:\Windows\SysWOW64\Eimcjl32.exe Eogolc32.exe File created C:\Windows\SysWOW64\Doejph32.dll Cdngip32.exe File created C:\Windows\SysWOW64\Pgcmbcih.exe Pebpkk32.exe File created C:\Windows\SysWOW64\Akdafn32.exe Ahchdb32.exe File created C:\Windows\SysWOW64\Hdaqnb32.dll Fodgkp32.exe File created C:\Windows\SysWOW64\Lajkbp32.exe Kjpceebh.exe File opened for modification C:\Windows\SysWOW64\Mpphdpcf.exe Mdigoo32.exe File created C:\Windows\SysWOW64\Egfjdchi.exe Enneln32.exe File created C:\Windows\SysWOW64\Nlefhcnc.exe Neknki32.exe File opened for modification C:\Windows\SysWOW64\Ahpifj32.exe Apedah32.exe File created C:\Windows\SysWOW64\Ibbklamb.dll Aomnhd32.exe File created C:\Windows\SysWOW64\Hmjoqo32.exe Hjlbdc32.exe File created C:\Windows\SysWOW64\Ammhpd32.dll Ljldnhid.exe File created C:\Windows\SysWOW64\Dboeco32.exe Dkdmfe32.exe File created C:\Windows\SysWOW64\Emgkhj32.exe Ecogodlk.exe File opened for modification C:\Windows\SysWOW64\Ebfqfpop.exe Einlmkhp.exe File opened for modification C:\Windows\SysWOW64\Ggklka32.exe Goddjc32.exe File opened for modification C:\Windows\SysWOW64\Faijggao.exe Eebibf32.exe File opened for modification C:\Windows\SysWOW64\Lhknaf32.exe Lcofio32.exe File created C:\Windows\SysWOW64\Imgnjb32.exe Ikfbbjdj.exe File created C:\Windows\SysWOW64\Bbhmhk32.dll Jhjbqo32.exe File opened for modification C:\Windows\SysWOW64\Apmcefmf.exe Anogijnb.exe File opened for modification C:\Windows\SysWOW64\Ijcngenj.exe Iegeonpc.exe File opened for modification C:\Windows\SysWOW64\Gjifodii.exe Gqaafn32.exe File created C:\Windows\SysWOW64\Dphhka32.exe Dbdham32.exe File created C:\Windows\SysWOW64\Ifcmmf32.dll Fpmned32.exe File created C:\Windows\SysWOW64\Oehicoom.exe Ojceef32.exe File created C:\Windows\SysWOW64\Mdigoo32.exe Mkacfiga.exe File opened for modification C:\Windows\SysWOW64\Fogdap32.exe Facdgl32.exe File created C:\Windows\SysWOW64\Dcdgqq32.dll Hboddk32.exe File created C:\Windows\SysWOW64\Kjkfeo32.dll Mnaiol32.exe File created C:\Windows\SysWOW64\Bceibfgj.exe Bmlael32.exe File opened for modification C:\Windows\SysWOW64\Lncfcgeb.exe Lgingm32.exe File created C:\Windows\SysWOW64\Ghgfmi32.dll Qobdgo32.exe File created C:\Windows\SysWOW64\Llepen32.exe Lekghdad.exe File created C:\Windows\SysWOW64\Obffbh32.dll Kfidqb32.exe File created C:\Windows\SysWOW64\Oipklb32.dll Okkkoj32.exe File created C:\Windows\SysWOW64\Ahpifj32.exe Apedah32.exe File created C:\Windows\SysWOW64\Eblgdl32.dll Mjilmejf.exe File created C:\Windows\SysWOW64\Jlhdnf32.dll Pmjaohol.exe File created C:\Windows\SysWOW64\Aaejojjq.exe Aklabp32.exe File created C:\Windows\SysWOW64\Igceej32.exe Ibfmmb32.exe File created C:\Windows\SysWOW64\Palpneop.exe Pdhpdq32.exe File created C:\Windows\SysWOW64\Fodgkp32.exe Fpokjd32.exe File created C:\Windows\SysWOW64\Ccgnelll.exe Cjoilfek.exe File created C:\Windows\SysWOW64\Ddnpnigl.dll Mhhiiloh.exe File created C:\Windows\SysWOW64\Mfakaoam.dll Bjbndpmd.exe File created C:\Windows\SysWOW64\Jdhifooi.exe Jmnqje32.exe File created C:\Windows\SysWOW64\Ipjkcehe.dll Obeacl32.exe File created C:\Windows\SysWOW64\Gnlnhm32.dll Gkcekfad.exe File created C:\Windows\SysWOW64\Jnagmc32.exe Iclbpj32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1324 796 WerFault.exe 552 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adnpkjde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acnlgajg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qbafalph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhknaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oecmogln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eebibf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhhhbg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mokilo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaejojjq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kddomchg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aomnhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkojbf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akdafn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbpbgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Loaokjjg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqeapo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofdclinq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjcaimgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekkjheja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmkcil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gajqbakc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibcphc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afqhjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nenkqi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlahdkjc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lddlkg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmmeon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfdhmk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goddjc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgingm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifmocb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oepjoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Palpneop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfnnlboi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inepgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmhgba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apnfno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgcmbcih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nppofado.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcaafk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlmoilni.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efhcej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aljjjb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bceibfgj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdcmig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nggipg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqngcc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eakooqih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgdkkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqgjdbpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmhbgpia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjjaikoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eldiehbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efffpjmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgnkci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkdmfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhdmph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igceej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpphdpcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aahimb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jimbkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eeldkonl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjgiidkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fccglehn.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jehlkhig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lddlkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdjfphd.dll" Mjcaimgg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jlkglm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfdhmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpkclikh.dll" Kindeddf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fogdap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Goddjc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lajkbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkaohl32.dll" Gkpfmnlb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlefhcnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oabkom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mffbkj32.dll" Gncnmane.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bllcnega.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhoeii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmlecinf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnhheo32.dll" Fmnahilc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qchaehnb.dll" Loqmba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pcljmdmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jndjmifj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eogolc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kidjdpie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbmome32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jkkjeeke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahcbfd32.dll" Lajkbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bafmhm32.dll" Ccgnelll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ofdclinq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ombddbah.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pebpkk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dpeiligo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iejiodbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmqmod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdjiflem.dll" Deondj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igceej32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjbmll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dphhka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njalacon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Endjeihi.dll" Clilmbhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dcjaeamd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndmomfda.dll" Ecogodlk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojcqog32.dll" Lfoojj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gkoobhhg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Anogijnb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbllnlfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaqbpk32.dll" Jmipdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mdigoo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apnfno32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cncolfcl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgedmb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nllbdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncolmkal.dll" Pljnkodm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pljnkodm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qekbgbpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Babbng32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmmeon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opobfpee.dll" Bjkhdacm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ceebklai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nqjaeeog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eblelb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Glnhjjml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eligcnhi.dll" Fogibnha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dipjkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgkkmm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lcdhgn32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2044 wrote to memory of 768 2044 4459fcff5e5829889f5a646b2e7e091ef876fed4cae77ca1b010c790657177ae.exe 30 PID 2044 wrote to memory of 768 2044 4459fcff5e5829889f5a646b2e7e091ef876fed4cae77ca1b010c790657177ae.exe 30 PID 2044 wrote to memory of 768 2044 4459fcff5e5829889f5a646b2e7e091ef876fed4cae77ca1b010c790657177ae.exe 30 PID 2044 wrote to memory of 768 2044 4459fcff5e5829889f5a646b2e7e091ef876fed4cae77ca1b010c790657177ae.exe 30 PID 768 wrote to memory of 2976 768 Fgldnkkf.exe 31 PID 768 wrote to memory of 2976 768 Fgldnkkf.exe 31 PID 768 wrote to memory of 2976 768 Fgldnkkf.exe 31 PID 768 wrote to memory of 2976 768 Fgldnkkf.exe 31 PID 2976 wrote to memory of 1976 2976 Fogibnha.exe 32 PID 2976 wrote to memory of 1976 2976 Fogibnha.exe 32 PID 2976 wrote to memory of 1976 2976 Fogibnha.exe 32 PID 2976 wrote to memory of 1976 2976 Fogibnha.exe 32 PID 1976 wrote to memory of 2188 1976 Gkpfmnlb.exe 33 PID 1976 wrote to memory of 2188 1976 Gkpfmnlb.exe 33 PID 1976 wrote to memory of 2188 1976 Gkpfmnlb.exe 33 PID 1976 wrote to memory of 2188 1976 Gkpfmnlb.exe 33 PID 2188 wrote to memory of 2808 2188 Gonocmbi.exe 34 PID 2188 wrote to memory of 2808 2188 Gonocmbi.exe 34 PID 2188 wrote to memory of 2808 2188 Gonocmbi.exe 34 PID 2188 wrote to memory of 2808 2188 Gonocmbi.exe 34 PID 2808 wrote to memory of 2952 2808 Ggicgopd.exe 35 PID 2808 wrote to memory of 2952 2808 Ggicgopd.exe 35 PID 2808 wrote to memory of 2952 2808 Ggicgopd.exe 35 PID 2808 wrote to memory of 2952 2808 Ggicgopd.exe 35 PID 2952 wrote to memory of 2708 2952 Gkglnm32.exe 36 PID 2952 wrote to memory of 2708 2952 Gkglnm32.exe 36 PID 2952 wrote to memory of 2708 2952 Gkglnm32.exe 36 PID 2952 wrote to memory of 2708 2952 Gkglnm32.exe 36 PID 2708 wrote to memory of 2724 2708 Hmkeke32.exe 37 PID 2708 wrote to memory of 2724 2708 Hmkeke32.exe 37 PID 2708 wrote to memory of 2724 2708 Hmkeke32.exe 37 PID 2708 wrote to memory of 2724 2708 Hmkeke32.exe 37 PID 2724 wrote to memory of 2096 2724 Hnjbeh32.exe 38 PID 2724 wrote to memory of 2096 2724 Hnjbeh32.exe 38 PID 2724 wrote to memory of 2096 2724 Hnjbeh32.exe 38 PID 2724 wrote to memory of 2096 2724 Hnjbeh32.exe 38 PID 2096 wrote to memory of 564 2096 Hjacjifm.exe 39 PID 2096 wrote to memory of 564 2096 Hjacjifm.exe 39 PID 2096 wrote to memory of 564 2096 Hjacjifm.exe 39 PID 2096 wrote to memory of 564 2096 Hjacjifm.exe 39 PID 564 wrote to memory of 1196 564 Hfhcoj32.exe 40 PID 564 wrote to memory of 1196 564 Hfhcoj32.exe 40 PID 564 wrote to memory of 1196 564 Hfhcoj32.exe 40 PID 564 wrote to memory of 1196 564 Hfhcoj32.exe 40 PID 1196 wrote to memory of 1952 1196 Hboddk32.exe 41 PID 1196 wrote to memory of 1952 1196 Hboddk32.exe 41 PID 1196 wrote to memory of 1952 1196 Hboddk32.exe 41 PID 1196 wrote to memory of 1952 1196 Hboddk32.exe 41 PID 1952 wrote to memory of 3032 1952 Inhanl32.exe 42 PID 1952 wrote to memory of 3032 1952 Inhanl32.exe 42 PID 1952 wrote to memory of 3032 1952 Inhanl32.exe 42 PID 1952 wrote to memory of 3032 1952 Inhanl32.exe 42 PID 3032 wrote to memory of 2748 3032 Ibejdjln.exe 43 PID 3032 wrote to memory of 2748 3032 Ibejdjln.exe 43 PID 3032 wrote to memory of 2748 3032 Ibejdjln.exe 43 PID 3032 wrote to memory of 2748 3032 Ibejdjln.exe 43 PID 2748 wrote to memory of 2256 2748 Ihdpbq32.exe 44 PID 2748 wrote to memory of 2256 2748 Ihdpbq32.exe 44 PID 2748 wrote to memory of 2256 2748 Ihdpbq32.exe 44 PID 2748 wrote to memory of 2256 2748 Ihdpbq32.exe 44 PID 2256 wrote to memory of 1496 2256 Iamdkfnc.exe 45 PID 2256 wrote to memory of 1496 2256 Iamdkfnc.exe 45 PID 2256 wrote to memory of 1496 2256 Iamdkfnc.exe 45 PID 2256 wrote to memory of 1496 2256 Iamdkfnc.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\4459fcff5e5829889f5a646b2e7e091ef876fed4cae77ca1b010c790657177ae.exe"C:\Users\Admin\AppData\Local\Temp\4459fcff5e5829889f5a646b2e7e091ef876fed4cae77ca1b010c790657177ae.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Windows\SysWOW64\Fgldnkkf.exeC:\Windows\system32\Fgldnkkf.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:768 -
C:\Windows\SysWOW64\Fogibnha.exeC:\Windows\system32\Fogibnha.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\Gkpfmnlb.exeC:\Windows\system32\Gkpfmnlb.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\SysWOW64\Gonocmbi.exeC:\Windows\system32\Gonocmbi.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\Ggicgopd.exeC:\Windows\system32\Ggicgopd.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Gkglnm32.exeC:\Windows\system32\Gkglnm32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\SysWOW64\Hmkeke32.exeC:\Windows\system32\Hmkeke32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Hnjbeh32.exeC:\Windows\system32\Hnjbeh32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Hjacjifm.exeC:\Windows\system32\Hjacjifm.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Windows\SysWOW64\Hfhcoj32.exeC:\Windows\system32\Hfhcoj32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:564 -
C:\Windows\SysWOW64\Hboddk32.exeC:\Windows\system32\Hboddk32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1196 -
C:\Windows\SysWOW64\Inhanl32.exeC:\Windows\system32\Inhanl32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1952 -
C:\Windows\SysWOW64\Ibejdjln.exeC:\Windows\system32\Ibejdjln.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\SysWOW64\Ihdpbq32.exeC:\Windows\system32\Ihdpbq32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Iamdkfnc.exeC:\Windows\system32\Iamdkfnc.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2256 -
C:\Windows\SysWOW64\Jikeeh32.exeC:\Windows\system32\Jikeeh32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1496 -
C:\Windows\SysWOW64\Jimbkh32.exeC:\Windows\system32\Jimbkh32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1752 -
C:\Windows\SysWOW64\Jhbold32.exeC:\Windows\system32\Jhbold32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1688 -
C:\Windows\SysWOW64\Jajcdjca.exeC:\Windows\system32\Jajcdjca.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:864 -
C:\Windows\SysWOW64\Jehlkhig.exeC:\Windows\system32\Jehlkhig.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2288 -
C:\Windows\SysWOW64\Koaqcn32.exeC:\Windows\system32\Koaqcn32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:524 -
C:\Windows\SysWOW64\Kdpfadlm.exeC:\Windows\system32\Kdpfadlm.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1732 -
C:\Windows\SysWOW64\Klngkfge.exeC:\Windows\system32\Klngkfge.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2564 -
C:\Windows\SysWOW64\Kddomchg.exeC:\Windows\system32\Kddomchg.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1560 -
C:\Windows\SysWOW64\Loqmba32.exeC:\Windows\system32\Loqmba32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1980 -
C:\Windows\SysWOW64\Lcofio32.exeC:\Windows\system32\Lcofio32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2532 -
C:\Windows\SysWOW64\Lhknaf32.exeC:\Windows\system32\Lhknaf32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2796 -
C:\Windows\SysWOW64\Lfoojj32.exeC:\Windows\system32\Lfoojj32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2776 -
C:\Windows\SysWOW64\Lnjcomcf.exeC:\Windows\system32\Lnjcomcf.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2676 -
C:\Windows\SysWOW64\Lddlkg32.exeC:\Windows\system32\Lddlkg32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2988 -
C:\Windows\SysWOW64\Mqklqhpg.exeC:\Windows\system32\Mqklqhpg.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2616 -
C:\Windows\SysWOW64\Mgedmb32.exeC:\Windows\system32\Mgedmb32.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:2892 -
C:\Windows\SysWOW64\Mjcaimgg.exeC:\Windows\system32\Mjcaimgg.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1152 -
C:\Windows\SysWOW64\Mmbmeifk.exeC:\Windows\system32\Mmbmeifk.exe35⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Mggabaea.exeC:\Windows\system32\Mggabaea.exe36⤵
- Executes dropped EXE
PID:1932 -
C:\Windows\SysWOW64\Mnaiol32.exeC:\Windows\system32\Mnaiol32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3044 -
C:\Windows\SysWOW64\Mcnbhb32.exeC:\Windows\system32\Mcnbhb32.exe38⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Mmgfqh32.exeC:\Windows\system32\Mmgfqh32.exe39⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Mcqombic.exeC:\Windows\system32\Mcqombic.exe40⤵
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Mimgeigj.exeC:\Windows\system32\Mimgeigj.exe41⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Nidmfh32.exeC:\Windows\system32\Nidmfh32.exe42⤵
- Executes dropped EXE
PID:1744 -
C:\Windows\SysWOW64\Nbmaon32.exeC:\Windows\system32\Nbmaon32.exe43⤵
- Executes dropped EXE
PID:1772 -
C:\Windows\SysWOW64\Neknki32.exeC:\Windows\system32\Neknki32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1672 -
C:\Windows\SysWOW64\Nlefhcnc.exeC:\Windows\system32\Nlefhcnc.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:544 -
C:\Windows\SysWOW64\Nenkqi32.exeC:\Windows\system32\Nenkqi32.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2116 -
C:\Windows\SysWOW64\Ohncbdbd.exeC:\Windows\system32\Ohncbdbd.exe47⤵
- Executes dropped EXE
PID:308 -
C:\Windows\SysWOW64\Omklkkpl.exeC:\Windows\system32\Omklkkpl.exe48⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Odedge32.exeC:\Windows\system32\Odedge32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1576 -
C:\Windows\SysWOW64\Oplelf32.exeC:\Windows\system32\Oplelf32.exe50⤵
- Executes dropped EXE
PID:1328 -
C:\Windows\SysWOW64\Objaha32.exeC:\Windows\system32\Objaha32.exe51⤵
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Ompefj32.exeC:\Windows\system32\Ompefj32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Oekjjl32.exeC:\Windows\system32\Oekjjl32.exe53⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Opqoge32.exeC:\Windows\system32\Opqoge32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Oabkom32.exeC:\Windows\system32\Oabkom32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2704 -
C:\Windows\SysWOW64\Plgolf32.exeC:\Windows\system32\Plgolf32.exe56⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Pkmlmbcd.exeC:\Windows\system32\Pkmlmbcd.exe57⤵
- Executes dropped EXE
PID:624 -
C:\Windows\SysWOW64\Pebpkk32.exeC:\Windows\system32\Pebpkk32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1676 -
C:\Windows\SysWOW64\Pgcmbcih.exeC:\Windows\system32\Pgcmbcih.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1948 -
C:\Windows\SysWOW64\Pmmeon32.exeC:\Windows\system32\Pmmeon32.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2872 -
C:\Windows\SysWOW64\Pidfdofi.exeC:\Windows\system32\Pidfdofi.exe61⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Pcljmdmj.exeC:\Windows\system32\Pcljmdmj.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:916 -
C:\Windows\SysWOW64\Qdlggg32.exeC:\Windows\system32\Qdlggg32.exe63⤵
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Qiioon32.exeC:\Windows\system32\Qiioon32.exe64⤵
- Executes dropped EXE
PID:1392 -
C:\Windows\SysWOW64\Qgmpibam.exeC:\Windows\system32\Qgmpibam.exe65⤵
- Executes dropped EXE
PID:888 -
C:\Windows\SysWOW64\Apedah32.exeC:\Windows\system32\Apedah32.exe66⤵
- Drops file in System32 directory
PID:1364 -
C:\Windows\SysWOW64\Ahpifj32.exeC:\Windows\system32\Ahpifj32.exe67⤵PID:2524
-
C:\Windows\SysWOW64\Aojabdlf.exeC:\Windows\system32\Aojabdlf.exe68⤵PID:2228
-
C:\Windows\SysWOW64\Ahbekjcf.exeC:\Windows\system32\Ahbekjcf.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1876 -
C:\Windows\SysWOW64\Aomnhd32.exeC:\Windows\system32\Aomnhd32.exe70⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2620 -
C:\Windows\SysWOW64\Aoojnc32.exeC:\Windows\system32\Aoojnc32.exe71⤵PID:2016
-
C:\Windows\SysWOW64\Ahgofi32.exeC:\Windows\system32\Ahgofi32.exe72⤵PID:2076
-
C:\Windows\SysWOW64\Adnpkjde.exeC:\Windows\system32\Adnpkjde.exe73⤵
- System Location Discovery: System Language Discovery
PID:2844 -
C:\Windows\SysWOW64\Bjkhdacm.exeC:\Windows\system32\Bjkhdacm.exe74⤵
- Modifies registry class
PID:2664 -
C:\Windows\SysWOW64\Bqeqqk32.exeC:\Windows\system32\Bqeqqk32.exe75⤵PID:1804
-
C:\Windows\SysWOW64\Bkjdndjo.exeC:\Windows\system32\Bkjdndjo.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1920 -
C:\Windows\SysWOW64\Bmlael32.exeC:\Windows\system32\Bmlael32.exe77⤵
- Drops file in System32 directory
PID:796 -
C:\Windows\SysWOW64\Bceibfgj.exeC:\Windows\system32\Bceibfgj.exe78⤵
- System Location Discovery: System Language Discovery
PID:1376 -
C:\Windows\SysWOW64\Bjbndpmd.exeC:\Windows\system32\Bjbndpmd.exe79⤵
- Drops file in System32 directory
PID:2856 -
C:\Windows\SysWOW64\Bbmcibjp.exeC:\Windows\system32\Bbmcibjp.exe80⤵PID:2324
-
C:\Windows\SysWOW64\Bkegah32.exeC:\Windows\system32\Bkegah32.exe81⤵PID:2172
-
C:\Windows\SysWOW64\Cfkloq32.exeC:\Windows\system32\Cfkloq32.exe82⤵PID:616
-
C:\Windows\SysWOW64\Cbblda32.exeC:\Windows\system32\Cbblda32.exe83⤵PID:1756
-
C:\Windows\SysWOW64\Cgoelh32.exeC:\Windows\system32\Cgoelh32.exe84⤵PID:1556
-
C:\Windows\SysWOW64\Cpfmmf32.exeC:\Windows\system32\Cpfmmf32.exe85⤵PID:2276
-
C:\Windows\SysWOW64\Cagienkb.exeC:\Windows\system32\Cagienkb.exe86⤵PID:2488
-
C:\Windows\SysWOW64\Cinafkkd.exeC:\Windows\system32\Cinafkkd.exe87⤵PID:1800
-
C:\Windows\SysWOW64\Cjonncab.exeC:\Windows\system32\Cjonncab.exe88⤵
- Drops file in System32 directory
PID:2164 -
C:\Windows\SysWOW64\Ceebklai.exeC:\Windows\system32\Ceebklai.exe89⤵
- Modifies registry class
PID:2220 -
C:\Windows\SysWOW64\Calcpm32.exeC:\Windows\system32\Calcpm32.exe90⤵PID:2800
-
C:\Windows\SysWOW64\Cfhkhd32.exeC:\Windows\system32\Cfhkhd32.exe91⤵PID:2932
-
C:\Windows\SysWOW64\Dhhhbg32.exeC:\Windows\system32\Dhhhbg32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2312 -
C:\Windows\SysWOW64\Diidjpbe.exeC:\Windows\system32\Diidjpbe.exe93⤵PID:1352
-
C:\Windows\SysWOW64\Djiqdb32.exeC:\Windows\system32\Djiqdb32.exe94⤵PID:1784
-
C:\Windows\SysWOW64\Dpeiligo.exeC:\Windows\system32\Dpeiligo.exe95⤵
- Modifies registry class
PID:2960 -
C:\Windows\SysWOW64\Dphfbiem.exeC:\Windows\system32\Dphfbiem.exe96⤵PID:772
-
C:\Windows\SysWOW64\Dipjkn32.exeC:\Windows\system32\Dipjkn32.exe97⤵
- Modifies registry class
PID:2180 -
C:\Windows\SysWOW64\Eakooqih.exeC:\Windows\system32\Eakooqih.exe98⤵
- System Location Discovery: System Language Discovery
PID:2624 -
C:\Windows\SysWOW64\Elacliin.exeC:\Windows\system32\Elacliin.exe99⤵PID:1324
-
C:\Windows\SysWOW64\Eanldqgf.exeC:\Windows\system32\Eanldqgf.exe100⤵PID:2204
-
C:\Windows\SysWOW64\Ehhdaj32.exeC:\Windows\system32\Ehhdaj32.exe101⤵PID:1540
-
C:\Windows\SysWOW64\Eeldkonl.exeC:\Windows\system32\Eeldkonl.exe102⤵
- System Location Discovery: System Language Discovery
PID:2092 -
C:\Windows\SysWOW64\Egmabg32.exeC:\Windows\system32\Egmabg32.exe103⤵PID:2928
-
C:\Windows\SysWOW64\Epeekmjk.exeC:\Windows\system32\Epeekmjk.exe104⤵PID:2004
-
C:\Windows\SysWOW64\Ekkjheja.exeC:\Windows\system32\Ekkjheja.exe105⤵
- System Location Discovery: System Language Discovery
PID:2992 -
C:\Windows\SysWOW64\Egajnfoe.exeC:\Windows\system32\Egajnfoe.exe106⤵PID:1488
-
C:\Windows\SysWOW64\Flocfmnl.exeC:\Windows\system32\Flocfmnl.exe107⤵PID:1808
-
C:\Windows\SysWOW64\Fgdgcfmb.exeC:\Windows\system32\Fgdgcfmb.exe108⤵PID:3052
-
C:\Windows\SysWOW64\Fmnopp32.exeC:\Windows\system32\Fmnopp32.exe109⤵PID:1696
-
C:\Windows\SysWOW64\Feiddbbj.exeC:\Windows\system32\Feiddbbj.exe110⤵PID:1004
-
C:\Windows\SysWOW64\Flclam32.exeC:\Windows\system32\Flclam32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1520 -
C:\Windows\SysWOW64\Fadndbci.exeC:\Windows\system32\Fadndbci.exe112⤵PID:680
-
C:\Windows\SysWOW64\Ggagmjbq.exeC:\Windows\system32\Ggagmjbq.exe113⤵PID:2536
-
C:\Windows\SysWOW64\Gdegfn32.exeC:\Windows\system32\Gdegfn32.exe114⤵PID:2464
-
C:\Windows\SysWOW64\Gkoobhhg.exeC:\Windows\system32\Gkoobhhg.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2788 -
C:\Windows\SysWOW64\Gkalhgfd.exeC:\Windows\system32\Gkalhgfd.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2668 -
C:\Windows\SysWOW64\Glchpp32.exeC:\Windows\system32\Glchpp32.exe117⤵PID:1648
-
C:\Windows\SysWOW64\Gjgiidkl.exeC:\Windows\system32\Gjgiidkl.exe118⤵
- System Location Discovery: System Language Discovery
PID:2848 -
C:\Windows\SysWOW64\Gqaafn32.exeC:\Windows\system32\Gqaafn32.exe119⤵
- Drops file in System32 directory
PID:1016 -
C:\Windows\SysWOW64\Gjifodii.exeC:\Windows\system32\Gjifodii.exe120⤵PID:1816
-
C:\Windows\SysWOW64\Gqcnln32.exeC:\Windows\system32\Gqcnln32.exe121⤵PID:1164
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-