Analysis
-
max time kernel
88s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system -
submitted
25-12-2024 21:07
Behavioral task
behavioral1
Sample
9db65159da1bd8ec8121aa5b313d7742a3aabbef690727b342b46248faefd0a3.exe
Resource
win7-20241023-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
9db65159da1bd8ec8121aa5b313d7742a3aabbef690727b342b46248faefd0a3.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
9db65159da1bd8ec8121aa5b313d7742a3aabbef690727b342b46248faefd0a3.exe
-
Size
512KB
-
MD5
2bd8795c2e1a5e2d977f2c121e53e6e9
-
SHA1
8ab736299e556dcdbf414c103e235fcc47ac1f60
-
SHA256
9db65159da1bd8ec8121aa5b313d7742a3aabbef690727b342b46248faefd0a3
-
SHA512
4c2ed3d7494cac5cfe3a13778076133e0b7090b3a71be71248302805eeea6dc2437432b4eab6d51e1e981d0129e3d17884dcf62e41636d4eed8c04c2649d9e52
-
SSDEEP
6144:zDBYUUZP8VU5tTO/ENURQPTlyl48pArv8kEVS1aHx:zFyUG5t1sI5yl48pArv8o4R
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjpgfbom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khojcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkkfgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjifodii.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgkfal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmegjdad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Immjnj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfpibn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpddgd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmlael32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmeeepjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fppaej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdfahaaa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnqlmq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djlfma32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlahdkjc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhogaamj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfebdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oemhjlha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckjamgmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bacihmoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdhleh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhkkim32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfpmog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opihgfop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjlbdc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqmnjd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bddbjhlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfhiepbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phcilf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehlmljkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhhgpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfanmogq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmckeidj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Padhdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlljaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Monhjgkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flclam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Faonom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcbookpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Caenkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjedmo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Laahme32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfidqb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdgkicek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfkmie32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eimcjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cqjhcfpc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ockinl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbngfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igeddb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqlfhjch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flfkoeoh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmqkml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kodghqop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iadbqlmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Piicpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oniebmda.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdpcokdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lofifi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hagianlf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pioeoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Boifga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nklopg32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 372 Kjahej32.exe 572 Lcjlnpmo.exe 2920 Lfmbek32.exe 2968 Lbcbjlmb.exe 2732 Mcjhmcok.exe 2700 Mnomjl32.exe 1060 Mjfnomde.exe 2072 Mcnbhb32.exe 1756 Mikjpiim.exe 2144 Mcqombic.exe 1676 Mimgeigj.exe 2016 Mpgobc32.exe 3028 Nedhjj32.exe 2744 Npjlhcmd.exe 3024 Nefdpjkl.exe 2808 Nlqmmd32.exe 1892 Nameek32.exe 1368 Nhgnaehm.exe 1572 Njfjnpgp.exe 1708 Nbmaon32.exe 2408 Neknki32.exe 2556 Nlefhcnc.exe 2600 Nncbdomg.exe 2636 Nenkqi32.exe 2468 Nhlgmd32.exe 2988 Odchbe32.exe 2420 Oippjl32.exe 892 Opihgfop.exe 2760 Obhdcanc.exe 2068 Ojomdoof.exe 1564 Olpilg32.exe 772 Objaha32.exe 2008 Oidiekdn.exe 2256 Opnbbe32.exe 1948 Obmnna32.exe 236 Oiffkkbk.exe 956 Opqoge32.exe 904 Oabkom32.exe 2676 Piicpk32.exe 1408 Pkjphcff.exe 2848 Padhdm32.exe 376 Phnpagdp.exe 1360 Pohhna32.exe 1256 Pafdjmkq.exe 2300 Phqmgg32.exe 3096 Pojecajj.exe 3156 Paiaplin.exe 3224 Phcilf32.exe 3284 Pkaehb32.exe 3348 Paknelgk.exe 3412 Pcljmdmj.exe 3472 Pkcbnanl.exe 3532 Pleofj32.exe 3588 Qcogbdkg.exe 3644 Qiioon32.exe 3696 Qpbglhjq.exe 3748 Qgmpibam.exe 3808 Alihaioe.exe 3860 Agolnbok.exe 3912 Allefimb.exe 3968 Aaimopli.exe 4020 Alnalh32.exe 4072 Aakjdo32.exe 1376 Akcomepg.exe -
Loads dropped DLL 64 IoCs
pid Process 2672 9db65159da1bd8ec8121aa5b313d7742a3aabbef690727b342b46248faefd0a3.exe 2672 9db65159da1bd8ec8121aa5b313d7742a3aabbef690727b342b46248faefd0a3.exe 372 Kjahej32.exe 372 Kjahej32.exe 572 Lcjlnpmo.exe 572 Lcjlnpmo.exe 2920 Lfmbek32.exe 2920 Lfmbek32.exe 2968 Lbcbjlmb.exe 2968 Lbcbjlmb.exe 2732 Mcjhmcok.exe 2732 Mcjhmcok.exe 2700 Mnomjl32.exe 2700 Mnomjl32.exe 1060 Mjfnomde.exe 1060 Mjfnomde.exe 2072 Mcnbhb32.exe 2072 Mcnbhb32.exe 1756 Mikjpiim.exe 1756 Mikjpiim.exe 2144 Mcqombic.exe 2144 Mcqombic.exe 1676 Mimgeigj.exe 1676 Mimgeigj.exe 2016 Mpgobc32.exe 2016 Mpgobc32.exe 3028 Nedhjj32.exe 3028 Nedhjj32.exe 2744 Npjlhcmd.exe 2744 Npjlhcmd.exe 3024 Nefdpjkl.exe 3024 Nefdpjkl.exe 2808 Nlqmmd32.exe 2808 Nlqmmd32.exe 1892 Nameek32.exe 1892 Nameek32.exe 1368 Nhgnaehm.exe 1368 Nhgnaehm.exe 1572 Njfjnpgp.exe 1572 Njfjnpgp.exe 1708 Nbmaon32.exe 1708 Nbmaon32.exe 2408 Neknki32.exe 2408 Neknki32.exe 2556 Nlefhcnc.exe 2556 Nlefhcnc.exe 2600 Nncbdomg.exe 2600 Nncbdomg.exe 2636 Nenkqi32.exe 2636 Nenkqi32.exe 2280 Onfoin32.exe 2280 Onfoin32.exe 2988 Odchbe32.exe 2988 Odchbe32.exe 2420 Oippjl32.exe 2420 Oippjl32.exe 892 Opihgfop.exe 892 Opihgfop.exe 2760 Obhdcanc.exe 2760 Obhdcanc.exe 2068 Ojomdoof.exe 2068 Ojomdoof.exe 1564 Olpilg32.exe 1564 Olpilg32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Dmgmpnhl.exe Djiqdb32.exe File created C:\Windows\SysWOW64\Kjaaeimj.dll Kljdkpfl.exe File created C:\Windows\SysWOW64\Lgingm32.exe Ldjbkb32.exe File created C:\Windows\SysWOW64\Mkibjgli.exe Mobaef32.exe File created C:\Windows\SysWOW64\Hnmcli32.exe Hkogpn32.exe File created C:\Windows\SysWOW64\Afpapcnc.exe Amglgn32.exe File created C:\Windows\SysWOW64\Gdgqdaoh.dll Cbblda32.exe File opened for modification C:\Windows\SysWOW64\Jaecod32.exe Jbbccgmp.exe File opened for modification C:\Windows\SysWOW64\Fnejdiep.exe Fpbihl32.exe File created C:\Windows\SysWOW64\Pmpiei32.dll Lmckeidj.exe File created C:\Windows\SysWOW64\Lloeec32.dll Bcjcme32.exe File created C:\Windows\SysWOW64\Aeqbijmn.dll Nflchkii.exe File created C:\Windows\SysWOW64\Fjnignob.exe Ebfqfpop.exe File opened for modification C:\Windows\SysWOW64\Ekghcq32.exe Eclcon32.exe File created C:\Windows\SysWOW64\Gmkjgfmf.exe Gfabkl32.exe File opened for modification C:\Windows\SysWOW64\Lbkaoalg.exe Lpldcfmd.exe File opened for modification C:\Windows\SysWOW64\Mdogedmh.exe Mbqkiind.exe File created C:\Windows\SysWOW64\Danpemej.exe Dnpciaef.exe File created C:\Windows\SysWOW64\Bnochnpm.exe Bkpglbaj.exe File created C:\Windows\SysWOW64\Bgppdkib.dll Iblola32.exe File created C:\Windows\SysWOW64\Eglghm32.dll Mokdja32.exe File created C:\Windows\SysWOW64\Plcaioco.dll Nedhjj32.exe File created C:\Windows\SysWOW64\Ecfnmh32.exe Eaebeoan.exe File opened for modification C:\Windows\SysWOW64\Njnmbk32.exe Ngpqfp32.exe File created C:\Windows\SysWOW64\Dggajf32.dll Omhhke32.exe File opened for modification C:\Windows\SysWOW64\Hjmlhbbg.exe Hdpcokdo.exe File created C:\Windows\SysWOW64\Dabahf32.dll Mhcfjnhm.exe File opened for modification C:\Windows\SysWOW64\Bfdenafn.exe Bdcifi32.exe File created C:\Windows\SysWOW64\Nhnipd32.dll Aaipghcn.exe File created C:\Windows\SysWOW64\Djgaeaao.dll Iomcpe32.exe File created C:\Windows\SysWOW64\Jeaahk32.exe Jijacjnc.exe File created C:\Windows\SysWOW64\Eaakbg32.dll Lkifkdjm.exe File created C:\Windows\SysWOW64\Mnmbme32.exe Mebnic32.exe File created C:\Windows\SysWOW64\Hcajhi32.exe Gmhbkohm.exe File opened for modification C:\Windows\SysWOW64\Dmmpolof.exe Djocbqpb.exe File opened for modification C:\Windows\SysWOW64\Hcjilgdb.exe Hmpaom32.exe File opened for modification C:\Windows\SysWOW64\Oehicoom.exe Okpdjjil.exe File opened for modification C:\Windows\SysWOW64\Knfopnkk.exe Kenjgi32.exe File created C:\Windows\SysWOW64\Pngjcj32.dll Nkfkidmk.exe File created C:\Windows\SysWOW64\Ogmkne32.exe Odnobj32.exe File created C:\Windows\SysWOW64\Npbdcgjh.dll Nhgnaehm.exe File created C:\Windows\SysWOW64\Ekfaij32.exe Ecoihm32.exe File created C:\Windows\SysWOW64\Maflig32.dll Jkfpjf32.exe File created C:\Windows\SysWOW64\Pdlkggmp.dll Laleof32.exe File created C:\Windows\SysWOW64\Mbendkpn.dll Afeaei32.exe File created C:\Windows\SysWOW64\Lnhjhg32.dll Bpbmqe32.exe File created C:\Windows\SysWOW64\Lklikj32.exe Ladebd32.exe File created C:\Windows\SysWOW64\Lolijfnc.dll Pdhpdq32.exe File opened for modification C:\Windows\SysWOW64\Dbadagln.exe Dglpdomh.exe File created C:\Windows\SysWOW64\Bejehklc.dll Lmbabj32.exe File created C:\Windows\SysWOW64\Mncmib32.dll Aeenapck.exe File created C:\Windows\SysWOW64\Nncojg32.dll Igmbgk32.exe File created C:\Windows\SysWOW64\Boandf32.dll Iifghk32.exe File created C:\Windows\SysWOW64\Qaemlqhb.dll Cojeomee.exe File created C:\Windows\SysWOW64\Bpmkbl32.exe Bbikig32.exe File created C:\Windows\SysWOW64\Hjhobagi.dll Ddhaie32.exe File created C:\Windows\SysWOW64\Ijkocg32.exe Igmbgk32.exe File opened for modification C:\Windows\SysWOW64\Bdfahaaa.exe Bojipjcj.exe File opened for modification C:\Windows\SysWOW64\Gekhgh32.exe Goapjnoo.exe File created C:\Windows\SysWOW64\Lccmhojk.dll Lggbmbfc.exe File created C:\Windows\SysWOW64\Allefimb.exe Agolnbok.exe File created C:\Windows\SysWOW64\Hqnapb32.exe Homdhjai.exe File opened for modification C:\Windows\SysWOW64\Epqgopbi.exe Efhcej32.exe File created C:\Windows\SysWOW64\Gbccnjjb.dll Gdhdkn32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4760 4288 WerFault.exe 976 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nflchkii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Daaenlng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcogbdkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnklgkap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkifkdjm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmddgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Occlcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nedhjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adleoc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdobdc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hijhhl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdfahaaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnbmoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibibfa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbchkime.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hiclkp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njnokdaq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inkcem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Addhcn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilgjhena.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfpibn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnejim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djocbqpb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibacbcgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iomcpe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqnapb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjjaikoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhndnpnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddaemh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkmollme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cglalbbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnqlmq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcedad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llmmpcfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hiockd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nndemg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhkghqpb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Laodmoep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkefoc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnbjpqoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hflndjin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikgfdlcb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnpciaef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bodhjdcc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncjbba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdogedmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iebldo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmmfnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ficehj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fikelhib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eabepp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hghillnd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imbjcpnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cagjqbam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpmpnmck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oiffkkbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jeclebja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqmnjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afliclij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhkeohhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmibmhoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpjhnfof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egmabg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eaebeoan.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ladebd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qanmcdlm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfqlkfoc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fiakkcma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qoeamo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eakhdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekhnnojb.dll" Imbjcpnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mpikik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Piohgbng.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Obhdcanc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmpkqklh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ldjbkb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cmfmojcb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cehhdkjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcfgo32.dll" Lklikj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnicbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncgcdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjahej32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnomjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgcbhd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mifkfhpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngeljh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bknfeege.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qooohcdo.dll" Hkbmil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edoblfhf.dll" Gefolhja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfennqnl.dll" Llpaha32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbppnbhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmmbhhfg.dll" Dbfbnddq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgpdglhn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgodcich.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aphehidc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ieeqpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Agolnbok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbjclbek.dll" Alnalh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjpdmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccdhdn32.dll" Goapjnoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdfolo32.dll" Kpjhnfof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpijio32.dll" Bknfeege.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njldhk32.dll" Mhninb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hnbcaome.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ockinl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehfenf32.dll" Ccnifd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkpnjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgnpjkhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kegmaomi.dll" Oqepgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Calcpm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhhhbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iagcpm32.dll" Mfeaiime.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ppcmfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nggipg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inalmqgb.dll" Qpniokan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amhcad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhjjcdeh.dll" Iemalkgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bogjaamh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lepiko32.dll" Deakjjbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ongcaafk.dll" Djocbqpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcaopfhd.dll" Ijopjhfh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akdafn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efhcej32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nikkkn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ecbfmm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Anbkipok.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gajqbakc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lofifi32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2672 wrote to memory of 372 2672 9db65159da1bd8ec8121aa5b313d7742a3aabbef690727b342b46248faefd0a3.exe 31 PID 2672 wrote to memory of 372 2672 9db65159da1bd8ec8121aa5b313d7742a3aabbef690727b342b46248faefd0a3.exe 31 PID 2672 wrote to memory of 372 2672 9db65159da1bd8ec8121aa5b313d7742a3aabbef690727b342b46248faefd0a3.exe 31 PID 2672 wrote to memory of 372 2672 9db65159da1bd8ec8121aa5b313d7742a3aabbef690727b342b46248faefd0a3.exe 31 PID 372 wrote to memory of 572 372 Kjahej32.exe 32 PID 372 wrote to memory of 572 372 Kjahej32.exe 32 PID 372 wrote to memory of 572 372 Kjahej32.exe 32 PID 372 wrote to memory of 572 372 Kjahej32.exe 32 PID 572 wrote to memory of 2920 572 Lcjlnpmo.exe 33 PID 572 wrote to memory of 2920 572 Lcjlnpmo.exe 33 PID 572 wrote to memory of 2920 572 Lcjlnpmo.exe 33 PID 572 wrote to memory of 2920 572 Lcjlnpmo.exe 33 PID 2920 wrote to memory of 2968 2920 Lfmbek32.exe 34 PID 2920 wrote to memory of 2968 2920 Lfmbek32.exe 34 PID 2920 wrote to memory of 2968 2920 Lfmbek32.exe 34 PID 2920 wrote to memory of 2968 2920 Lfmbek32.exe 34 PID 2968 wrote to memory of 2732 2968 Lbcbjlmb.exe 35 PID 2968 wrote to memory of 2732 2968 Lbcbjlmb.exe 35 PID 2968 wrote to memory of 2732 2968 Lbcbjlmb.exe 35 PID 2968 wrote to memory of 2732 2968 Lbcbjlmb.exe 35 PID 2732 wrote to memory of 2700 2732 Mcjhmcok.exe 36 PID 2732 wrote to memory of 2700 2732 Mcjhmcok.exe 36 PID 2732 wrote to memory of 2700 2732 Mcjhmcok.exe 36 PID 2732 wrote to memory of 2700 2732 Mcjhmcok.exe 36 PID 2700 wrote to memory of 1060 2700 Mnomjl32.exe 37 PID 2700 wrote to memory of 1060 2700 Mnomjl32.exe 37 PID 2700 wrote to memory of 1060 2700 Mnomjl32.exe 37 PID 2700 wrote to memory of 1060 2700 Mnomjl32.exe 37 PID 1060 wrote to memory of 2072 1060 Mjfnomde.exe 38 PID 1060 wrote to memory of 2072 1060 Mjfnomde.exe 38 PID 1060 wrote to memory of 2072 1060 Mjfnomde.exe 38 PID 1060 wrote to memory of 2072 1060 Mjfnomde.exe 38 PID 2072 wrote to memory of 1756 2072 Mcnbhb32.exe 39 PID 2072 wrote to memory of 1756 2072 Mcnbhb32.exe 39 PID 2072 wrote to memory of 1756 2072 Mcnbhb32.exe 39 PID 2072 wrote to memory of 1756 2072 Mcnbhb32.exe 39 PID 1756 wrote to memory of 2144 1756 Mikjpiim.exe 40 PID 1756 wrote to memory of 2144 1756 Mikjpiim.exe 40 PID 1756 wrote to memory of 2144 1756 Mikjpiim.exe 40 PID 1756 wrote to memory of 2144 1756 Mikjpiim.exe 40 PID 2144 wrote to memory of 1676 2144 Mcqombic.exe 41 PID 2144 wrote to memory of 1676 2144 Mcqombic.exe 41 PID 2144 wrote to memory of 1676 2144 Mcqombic.exe 41 PID 2144 wrote to memory of 1676 2144 Mcqombic.exe 41 PID 1676 wrote to memory of 2016 1676 Mimgeigj.exe 42 PID 1676 wrote to memory of 2016 1676 Mimgeigj.exe 42 PID 1676 wrote to memory of 2016 1676 Mimgeigj.exe 42 PID 1676 wrote to memory of 2016 1676 Mimgeigj.exe 42 PID 2016 wrote to memory of 3028 2016 Mpgobc32.exe 43 PID 2016 wrote to memory of 3028 2016 Mpgobc32.exe 43 PID 2016 wrote to memory of 3028 2016 Mpgobc32.exe 43 PID 2016 wrote to memory of 3028 2016 Mpgobc32.exe 43 PID 3028 wrote to memory of 2744 3028 Nedhjj32.exe 44 PID 3028 wrote to memory of 2744 3028 Nedhjj32.exe 44 PID 3028 wrote to memory of 2744 3028 Nedhjj32.exe 44 PID 3028 wrote to memory of 2744 3028 Nedhjj32.exe 44 PID 2744 wrote to memory of 3024 2744 Npjlhcmd.exe 45 PID 2744 wrote to memory of 3024 2744 Npjlhcmd.exe 45 PID 2744 wrote to memory of 3024 2744 Npjlhcmd.exe 45 PID 2744 wrote to memory of 3024 2744 Npjlhcmd.exe 45 PID 3024 wrote to memory of 2808 3024 Nefdpjkl.exe 46 PID 3024 wrote to memory of 2808 3024 Nefdpjkl.exe 46 PID 3024 wrote to memory of 2808 3024 Nefdpjkl.exe 46 PID 3024 wrote to memory of 2808 3024 Nefdpjkl.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\9db65159da1bd8ec8121aa5b313d7742a3aabbef690727b342b46248faefd0a3.exe"C:\Users\Admin\AppData\Local\Temp\9db65159da1bd8ec8121aa5b313d7742a3aabbef690727b342b46248faefd0a3.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Kjahej32.exeC:\Windows\system32\Kjahej32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:372 -
C:\Windows\SysWOW64\Lcjlnpmo.exeC:\Windows\system32\Lcjlnpmo.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:572 -
C:\Windows\SysWOW64\Lfmbek32.exeC:\Windows\system32\Lfmbek32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Lbcbjlmb.exeC:\Windows\system32\Lbcbjlmb.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Mcjhmcok.exeC:\Windows\system32\Mcjhmcok.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Mnomjl32.exeC:\Windows\system32\Mnomjl32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Mjfnomde.exeC:\Windows\system32\Mjfnomde.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1060 -
C:\Windows\SysWOW64\Mcnbhb32.exeC:\Windows\system32\Mcnbhb32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\Windows\SysWOW64\Mikjpiim.exeC:\Windows\system32\Mikjpiim.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1756 -
C:\Windows\SysWOW64\Mcqombic.exeC:\Windows\system32\Mcqombic.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\SysWOW64\Mimgeigj.exeC:\Windows\system32\Mimgeigj.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Windows\SysWOW64\Mpgobc32.exeC:\Windows\system32\Mpgobc32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\SysWOW64\Nedhjj32.exeC:\Windows\system32\Nedhjj32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Windows\SysWOW64\Npjlhcmd.exeC:\Windows\system32\Npjlhcmd.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\Nefdpjkl.exeC:\Windows\system32\Nefdpjkl.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Windows\SysWOW64\Nlqmmd32.exeC:\Windows\system32\Nlqmmd32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2808 -
C:\Windows\SysWOW64\Nameek32.exeC:\Windows\system32\Nameek32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1892 -
C:\Windows\SysWOW64\Nhgnaehm.exeC:\Windows\system32\Nhgnaehm.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1368 -
C:\Windows\SysWOW64\Njfjnpgp.exeC:\Windows\system32\Njfjnpgp.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1572 -
C:\Windows\SysWOW64\Nbmaon32.exeC:\Windows\system32\Nbmaon32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1708 -
C:\Windows\SysWOW64\Neknki32.exeC:\Windows\system32\Neknki32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2408 -
C:\Windows\SysWOW64\Nlefhcnc.exeC:\Windows\system32\Nlefhcnc.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2556 -
C:\Windows\SysWOW64\Nncbdomg.exeC:\Windows\system32\Nncbdomg.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2600 -
C:\Windows\SysWOW64\Nenkqi32.exeC:\Windows\system32\Nenkqi32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2636 -
C:\Windows\SysWOW64\Nhlgmd32.exeC:\Windows\system32\Nhlgmd32.exe26⤵
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Onfoin32.exeC:\Windows\system32\Onfoin32.exe27⤵
- Loads dropped DLL
PID:2280 -
C:\Windows\SysWOW64\Odchbe32.exeC:\Windows\system32\Odchbe32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2988 -
C:\Windows\SysWOW64\Oippjl32.exeC:\Windows\system32\Oippjl32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2420 -
C:\Windows\SysWOW64\Opihgfop.exeC:\Windows\system32\Opihgfop.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:892 -
C:\Windows\SysWOW64\Obhdcanc.exeC:\Windows\system32\Obhdcanc.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2760 -
C:\Windows\SysWOW64\Ojomdoof.exeC:\Windows\system32\Ojomdoof.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2068 -
C:\Windows\SysWOW64\Olpilg32.exeC:\Windows\system32\Olpilg32.exe33⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1564 -
C:\Windows\SysWOW64\Objaha32.exeC:\Windows\system32\Objaha32.exe34⤵
- Executes dropped EXE
PID:772 -
C:\Windows\SysWOW64\Oidiekdn.exeC:\Windows\system32\Oidiekdn.exe35⤵
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Opnbbe32.exeC:\Windows\system32\Opnbbe32.exe36⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Obmnna32.exeC:\Windows\system32\Obmnna32.exe37⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Oiffkkbk.exeC:\Windows\system32\Oiffkkbk.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:236 -
C:\Windows\SysWOW64\Opqoge32.exeC:\Windows\system32\Opqoge32.exe39⤵
- Executes dropped EXE
PID:956 -
C:\Windows\SysWOW64\Oabkom32.exeC:\Windows\system32\Oabkom32.exe40⤵
- Executes dropped EXE
PID:904 -
C:\Windows\SysWOW64\Piicpk32.exeC:\Windows\system32\Piicpk32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Pkjphcff.exeC:\Windows\system32\Pkjphcff.exe42⤵
- Executes dropped EXE
PID:1408 -
C:\Windows\SysWOW64\Padhdm32.exeC:\Windows\system32\Padhdm32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Phnpagdp.exeC:\Windows\system32\Phnpagdp.exe44⤵
- Executes dropped EXE
PID:376 -
C:\Windows\SysWOW64\Pohhna32.exeC:\Windows\system32\Pohhna32.exe45⤵
- Executes dropped EXE
PID:1360 -
C:\Windows\SysWOW64\Pafdjmkq.exeC:\Windows\system32\Pafdjmkq.exe46⤵
- Executes dropped EXE
PID:1256 -
C:\Windows\SysWOW64\Phqmgg32.exeC:\Windows\system32\Phqmgg32.exe47⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Pojecajj.exeC:\Windows\system32\Pojecajj.exe48⤵
- Executes dropped EXE
PID:3096 -
C:\Windows\SysWOW64\Paiaplin.exeC:\Windows\system32\Paiaplin.exe49⤵
- Executes dropped EXE
PID:3156 -
C:\Windows\SysWOW64\Phcilf32.exeC:\Windows\system32\Phcilf32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3224 -
C:\Windows\SysWOW64\Pkaehb32.exeC:\Windows\system32\Pkaehb32.exe51⤵
- Executes dropped EXE
PID:3284 -
C:\Windows\SysWOW64\Paknelgk.exeC:\Windows\system32\Paknelgk.exe52⤵
- Executes dropped EXE
PID:3348 -
C:\Windows\SysWOW64\Pcljmdmj.exeC:\Windows\system32\Pcljmdmj.exe53⤵
- Executes dropped EXE
PID:3412 -
C:\Windows\SysWOW64\Pkcbnanl.exeC:\Windows\system32\Pkcbnanl.exe54⤵
- Executes dropped EXE
PID:3472 -
C:\Windows\SysWOW64\Pleofj32.exeC:\Windows\system32\Pleofj32.exe55⤵
- Executes dropped EXE
PID:3532 -
C:\Windows\SysWOW64\Qcogbdkg.exeC:\Windows\system32\Qcogbdkg.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3588 -
C:\Windows\SysWOW64\Qiioon32.exeC:\Windows\system32\Qiioon32.exe57⤵
- Executes dropped EXE
PID:3644 -
C:\Windows\SysWOW64\Qpbglhjq.exeC:\Windows\system32\Qpbglhjq.exe58⤵
- Executes dropped EXE
PID:3696 -
C:\Windows\SysWOW64\Qgmpibam.exeC:\Windows\system32\Qgmpibam.exe59⤵
- Executes dropped EXE
PID:3748 -
C:\Windows\SysWOW64\Alihaioe.exeC:\Windows\system32\Alihaioe.exe60⤵
- Executes dropped EXE
PID:3808 -
C:\Windows\SysWOW64\Agolnbok.exeC:\Windows\system32\Agolnbok.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3860 -
C:\Windows\SysWOW64\Allefimb.exeC:\Windows\system32\Allefimb.exe62⤵
- Executes dropped EXE
PID:3912 -
C:\Windows\SysWOW64\Aaimopli.exeC:\Windows\system32\Aaimopli.exe63⤵
- Executes dropped EXE
PID:3968 -
C:\Windows\SysWOW64\Alnalh32.exeC:\Windows\system32\Alnalh32.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:4020 -
C:\Windows\SysWOW64\Aakjdo32.exeC:\Windows\system32\Aakjdo32.exe65⤵
- Executes dropped EXE
PID:4072 -
C:\Windows\SysWOW64\Akcomepg.exeC:\Windows\system32\Akcomepg.exe66⤵
- Executes dropped EXE
PID:1376 -
C:\Windows\SysWOW64\Anbkipok.exeC:\Windows\system32\Anbkipok.exe67⤵
- Modifies registry class
PID:1672 -
C:\Windows\SysWOW64\Adlcfjgh.exeC:\Windows\system32\Adlcfjgh.exe68⤵PID:1976
-
C:\Windows\SysWOW64\Akfkbd32.exeC:\Windows\system32\Akfkbd32.exe69⤵PID:2844
-
C:\Windows\SysWOW64\Andgop32.exeC:\Windows\system32\Andgop32.exe70⤵PID:3008
-
C:\Windows\SysWOW64\Adnpkjde.exeC:\Windows\system32\Adnpkjde.exe71⤵PID:2100
-
C:\Windows\SysWOW64\Bgllgedi.exeC:\Windows\system32\Bgllgedi.exe72⤵PID:2444
-
C:\Windows\SysWOW64\Bnfddp32.exeC:\Windows\system32\Bnfddp32.exe73⤵PID:1028
-
C:\Windows\SysWOW64\Bqeqqk32.exeC:\Windows\system32\Bqeqqk32.exe74⤵PID:2208
-
C:\Windows\SysWOW64\Bgoime32.exeC:\Windows\system32\Bgoime32.exe75⤵PID:3108
-
C:\Windows\SysWOW64\Bjmeiq32.exeC:\Windows\system32\Bjmeiq32.exe76⤵PID:3168
-
C:\Windows\SysWOW64\Bmlael32.exeC:\Windows\system32\Bmlael32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3264 -
C:\Windows\SysWOW64\Bdcifi32.exeC:\Windows\system32\Bdcifi32.exe78⤵
- Drops file in System32 directory
PID:3316 -
C:\Windows\SysWOW64\Bfdenafn.exeC:\Windows\system32\Bfdenafn.exe79⤵PID:3336
-
C:\Windows\SysWOW64\Bnknoogp.exeC:\Windows\system32\Bnknoogp.exe80⤵PID:3488
-
C:\Windows\SysWOW64\Bqijljfd.exeC:\Windows\system32\Bqijljfd.exe81⤵PID:3504
-
C:\Windows\SysWOW64\Bgcbhd32.exeC:\Windows\system32\Bgcbhd32.exe82⤵
- Modifies registry class
PID:3564 -
C:\Windows\SysWOW64\Bjbndpmd.exeC:\Windows\system32\Bjbndpmd.exe83⤵PID:3624
-
C:\Windows\SysWOW64\Bmpkqklh.exeC:\Windows\system32\Bmpkqklh.exe84⤵
- Modifies registry class
PID:3672 -
C:\Windows\SysWOW64\Bcjcme32.exeC:\Windows\system32\Bcjcme32.exe85⤵
- Drops file in System32 directory
PID:3732 -
C:\Windows\SysWOW64\Bfioia32.exeC:\Windows\system32\Bfioia32.exe86⤵PID:3828
-
C:\Windows\SysWOW64\Bigkel32.exeC:\Windows\system32\Bigkel32.exe87⤵PID:3800
-
C:\Windows\SysWOW64\Bkegah32.exeC:\Windows\system32\Bkegah32.exe88⤵PID:3880
-
C:\Windows\SysWOW64\Cbppnbhm.exeC:\Windows\system32\Cbppnbhm.exe89⤵
- Modifies registry class
PID:3948 -
C:\Windows\SysWOW64\Ciihklpj.exeC:\Windows\system32\Ciihklpj.exe90⤵PID:4016
-
C:\Windows\SysWOW64\Ckhdggom.exeC:\Windows\system32\Ckhdggom.exe91⤵PID:2228
-
C:\Windows\SysWOW64\Cbblda32.exeC:\Windows\system32\Cbblda32.exe92⤵
- Drops file in System32 directory
PID:1788 -
C:\Windows\SysWOW64\Cepipm32.exeC:\Windows\system32\Cepipm32.exe93⤵PID:2368
-
C:\Windows\SysWOW64\Ckjamgmk.exeC:\Windows\system32\Ckjamgmk.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2332 -
C:\Windows\SysWOW64\Cagienkb.exeC:\Windows\system32\Cagienkb.exe95⤵PID:2164
-
C:\Windows\SysWOW64\Ckmnbg32.exeC:\Windows\system32\Ckmnbg32.exe96⤵PID:1284
-
C:\Windows\SysWOW64\Cchbgi32.exeC:\Windows\system32\Cchbgi32.exe97⤵PID:1212
-
C:\Windows\SysWOW64\Calcpm32.exeC:\Windows\system32\Calcpm32.exe98⤵
- Modifies registry class
PID:1824 -
C:\Windows\SysWOW64\Cgfkmgnj.exeC:\Windows\system32\Cgfkmgnj.exe99⤵PID:2388
-
C:\Windows\SysWOW64\Dnpciaef.exeC:\Windows\system32\Dnpciaef.exe100⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2216 -
C:\Windows\SysWOW64\Danpemej.exeC:\Windows\system32\Danpemej.exe101⤵PID:1556
-
C:\Windows\SysWOW64\Dhhhbg32.exeC:\Windows\system32\Dhhhbg32.exe102⤵
- Modifies registry class
PID:2052 -
C:\Windows\SysWOW64\Djfdob32.exeC:\Windows\system32\Djfdob32.exe103⤵PID:3148
-
C:\Windows\SysWOW64\Daplkmbg.exeC:\Windows\system32\Daplkmbg.exe104⤵PID:3208
-
C:\Windows\SysWOW64\Dcohghbk.exeC:\Windows\system32\Dcohghbk.exe105⤵PID:3364
-
C:\Windows\SysWOW64\Djiqdb32.exeC:\Windows\system32\Djiqdb32.exe106⤵
- Drops file in System32 directory
PID:3396 -
C:\Windows\SysWOW64\Dmgmpnhl.exeC:\Windows\system32\Dmgmpnhl.exe107⤵PID:3496
-
C:\Windows\SysWOW64\Ddaemh32.exeC:\Windows\system32\Ddaemh32.exe108⤵
- System Location Discovery: System Language Discovery
PID:1260 -
C:\Windows\SysWOW64\Debadpeg.exeC:\Windows\system32\Debadpeg.exe109⤵PID:3684
-
C:\Windows\SysWOW64\Dlljaj32.exeC:\Windows\system32\Dlljaj32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3716 -
C:\Windows\SysWOW64\Dbfbnddq.exeC:\Windows\system32\Dbfbnddq.exe111⤵
- Modifies registry class
PID:3816 -
C:\Windows\SysWOW64\Dipjkn32.exeC:\Windows\system32\Dipjkn32.exe112⤵PID:3796
-
C:\Windows\SysWOW64\Dpjbgh32.exeC:\Windows\system32\Dpjbgh32.exe113⤵PID:3920
-
C:\Windows\SysWOW64\Dbiocd32.exeC:\Windows\system32\Dbiocd32.exe114⤵PID:4004
-
C:\Windows\SysWOW64\Eibgpnjk.exeC:\Windows\system32\Eibgpnjk.exe115⤵PID:328
-
C:\Windows\SysWOW64\Ekdchf32.exeC:\Windows\system32\Ekdchf32.exe116⤵PID:284
-
C:\Windows\SysWOW64\Eanldqgf.exeC:\Windows\system32\Eanldqgf.exe117⤵PID:2232
-
C:\Windows\SysWOW64\Edlhqlfi.exeC:\Windows\system32\Edlhqlfi.exe118⤵PID:2584
-
C:\Windows\SysWOW64\Elcpbigl.exeC:\Windows\system32\Elcpbigl.exe119⤵PID:2400
-
C:\Windows\SysWOW64\Emdmjamj.exeC:\Windows\system32\Emdmjamj.exe120⤵PID:1464
-
C:\Windows\SysWOW64\Eeldkonl.exeC:\Windows\system32\Eeldkonl.exe121⤵PID:1956
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-