Analysis
-
max time kernel
21s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
13-01-2025 10:06
Behavioral task
behavioral1
Sample
fe1782e7e012dcae066e03cabc14da8fd4069b6d3db337334fdf6c3d871a9859N.exe
Resource
win7-20240729-en
windows7-x64
12 signatures
120 seconds
General
-
Target
fe1782e7e012dcae066e03cabc14da8fd4069b6d3db337334fdf6c3d871a9859N.exe
-
Size
93KB
-
MD5
e6983829f12ec737f737e0a931e5bec0
-
SHA1
2b525905233750ec70252438009bad3a516cbae2
-
SHA256
fe1782e7e012dcae066e03cabc14da8fd4069b6d3db337334fdf6c3d871a9859
-
SHA512
e899b0e72706cc7571f1f766a3200d1bd12aa51145ac35ed19a3c20629711c8841b7eaef1ce5c0a7bf1a3a03cd179186f8a07635cd016eac8eae264cc565f36c
-
SSDEEP
1536:0jSn58K1IPfYnE32qk+oyqrP1DaYfMZRWuLsV+1B:0GnOK10fYES+oPgYfc0DV+1B
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjkfglom.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqciha32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cncmei32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbqekhmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kaieai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipameehe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iokdaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdeaim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbgakd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnlqemal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imidgh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkdlaplh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Biakbc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Niilmi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqkgbkdj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpomnilc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Moflkfca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njdbefnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eolljk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fondonbc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfcadq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jonqfq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kloqiijm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccileljk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifahpnfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnmfpnqn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbgakd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofbikf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aodqok32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkgqpjch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdoeipjh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmapna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dedkbb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imidgh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilnqhddd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lednal32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onfadc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phabdmgq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaeiqf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbodpo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oiniaboi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cemebcnf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dflnkjhe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eolljk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjolpkhj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gqendf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkpieggc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjgclcjh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Popkeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qiekadkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhfhnofg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjolpkhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcqdidim.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llcfck32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cacegd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpjgdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odmgnl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Poddphee.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qiekadkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfnjqifb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbpmbndm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eaangfjf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpihnbmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjkmfn32.exe -
Berbew family
-
Njrat family
-
Executes dropped EXE 64 IoCs
pid Process 2616 Eiimci32.exe 2892 Ehlmnfeo.exe 2904 Fadagl32.exe 2836 Fljfdd32.exe 2660 Fnkblm32.exe 3052 Fdekigip.exe 2728 Fgcgebhd.exe 2520 Fplknh32.exe 2024 Fhccoe32.exe 1360 Fjdpgnee.exe 1260 Fqnhcgma.exe 2720 Fcmdpcle.exe 1800 Fkdlaplh.exe 2640 Fleihi32.exe 2236 Fdlqjf32.exe 1604 Fgjmfa32.exe 1796 Gmgenh32.exe 1896 Ggmjkapi.exe 1960 Gjkfglom.exe 1312 Gqendf32.exe 1772 Gohnpcmd.exe 1740 Gfbfln32.exe 924 Ghqchi32.exe 2116 Gmloigln.exe 976 Gcfgfack.exe 1588 Gbigao32.exe 2868 Gkaljdaf.exe 2784 Gfgpgmql.exe 2848 Gdjpcj32.exe 2828 Gkchpcoc.exe 2724 Gnbelong.exe 568 Hqpahkmj.exe 636 Hkfeec32.exe 780 Hndaao32.exe 1508 Hbpmbndm.exe 1112 Hngngo32.exe 1004 Hminbkql.exe 1296 Hccfoehi.exe 1752 Hgobpd32.exe 2152 Haggijgb.exe 2252 Hpjgdf32.exe 536 Hpmdjf32.exe 2624 Hbkpfa32.exe 2180 Ilceog32.exe 872 Ipoqofjh.exe 836 Ibmmkaik.exe 2044 Imcaijia.exe 388 Ilfadg32.exe 2284 Ipameehe.exe 2264 Ifkfap32.exe 2800 Ienfml32.exe 2896 Ilhnjfmi.exe 2936 Ipcjje32.exe 2704 Ibbffq32.exe 2200 Ieqbbl32.exe 2468 Iilocklc.exe 288 Iljkofkg.exe 2592 Iniglajj.exe 1388 Iagchmjn.exe 1792 Iecohl32.exe 2292 Idepdhia.exe 1940 Ilmgef32.exe 2064 Iokdaa32.exe 2980 Imndmnob.exe -
Loads dropped DLL 64 IoCs
pid Process 2124 fe1782e7e012dcae066e03cabc14da8fd4069b6d3db337334fdf6c3d871a9859N.exe 2124 fe1782e7e012dcae066e03cabc14da8fd4069b6d3db337334fdf6c3d871a9859N.exe 2616 Eiimci32.exe 2616 Eiimci32.exe 2892 Ehlmnfeo.exe 2892 Ehlmnfeo.exe 2904 Fadagl32.exe 2904 Fadagl32.exe 2836 Fljfdd32.exe 2836 Fljfdd32.exe 2660 Fnkblm32.exe 2660 Fnkblm32.exe 3052 Fdekigip.exe 3052 Fdekigip.exe 2728 Fgcgebhd.exe 2728 Fgcgebhd.exe 2520 Fplknh32.exe 2520 Fplknh32.exe 2024 Fhccoe32.exe 2024 Fhccoe32.exe 1360 Fjdpgnee.exe 1360 Fjdpgnee.exe 1260 Fqnhcgma.exe 1260 Fqnhcgma.exe 2720 Fcmdpcle.exe 2720 Fcmdpcle.exe 1800 Fkdlaplh.exe 1800 Fkdlaplh.exe 2640 Fleihi32.exe 2640 Fleihi32.exe 2236 Fdlqjf32.exe 2236 Fdlqjf32.exe 1604 Fgjmfa32.exe 1604 Fgjmfa32.exe 1796 Gmgenh32.exe 1796 Gmgenh32.exe 1896 Ggmjkapi.exe 1896 Ggmjkapi.exe 1960 Gjkfglom.exe 1960 Gjkfglom.exe 1312 Gqendf32.exe 1312 Gqendf32.exe 1772 Gohnpcmd.exe 1772 Gohnpcmd.exe 1740 Gfbfln32.exe 1740 Gfbfln32.exe 924 Ghqchi32.exe 924 Ghqchi32.exe 2116 Gmloigln.exe 2116 Gmloigln.exe 976 Gcfgfack.exe 976 Gcfgfack.exe 1588 Gbigao32.exe 1588 Gbigao32.exe 2868 Gkaljdaf.exe 2868 Gkaljdaf.exe 2784 Gfgpgmql.exe 2784 Gfgpgmql.exe 2848 Gdjpcj32.exe 2848 Gdjpcj32.exe 2828 Gkchpcoc.exe 2828 Gkchpcoc.exe 2724 Gnbelong.exe 2724 Gnbelong.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Ipgpcc32.exe Imidgh32.exe File opened for modification C:\Windows\SysWOW64\Mpeebhhf.exe Mliibj32.exe File opened for modification C:\Windows\SysWOW64\Joicje32.exe Jmggcmgg.exe File opened for modification C:\Windows\SysWOW64\Dhdddnep.exe Dpmlcpdm.exe File opened for modification C:\Windows\SysWOW64\Fehmlh32.exe Falakjag.exe File created C:\Windows\SysWOW64\Ggmjkapi.exe Gmgenh32.exe File opened for modification C:\Windows\SysWOW64\Aogmdk32.exe Alhaho32.exe File created C:\Windows\SysWOW64\Cafbmdbh.exe Cngfqi32.exe File created C:\Windows\SysWOW64\Imkqmh32.exe Ijmdql32.exe File created C:\Windows\SysWOW64\Chfkjibh.dll Jigagocd.exe File opened for modification C:\Windows\SysWOW64\Fmholgpj.exe Fkjbpkag.exe File created C:\Windows\SysWOW64\Jffakm32.exe Jnojjp32.exe File opened for modification C:\Windows\SysWOW64\Ofmiea32.exe Onfadc32.exe File created C:\Windows\SysWOW64\Omekgakg.exe Onbkle32.exe File opened for modification C:\Windows\SysWOW64\Pejcab32.exe Pbkgegad.exe File created C:\Windows\SysWOW64\Jgglia32.dll Qlcgmpkp.exe File created C:\Windows\SysWOW64\Cncmei32.exe Ckdpinhf.exe File opened for modification C:\Windows\SysWOW64\Nmjicn32.exe Necqbp32.exe File created C:\Windows\SysWOW64\Ododdlcd.exe Oaaghp32.exe File created C:\Windows\SysWOW64\Pjopen32.dll Ojilqf32.exe File created C:\Windows\SysWOW64\Nfdgdh32.dll Kldchgag.exe File opened for modification C:\Windows\SysWOW64\Hbkpfa32.exe Hpmdjf32.exe File created C:\Windows\SysWOW64\Ncance32.dll Ienfml32.exe File created C:\Windows\SysWOW64\Dhdddnep.exe Dpmlcpdm.exe File created C:\Windows\SysWOW64\Jligibpk.dll Obopobhe.exe File opened for modification C:\Windows\SysWOW64\Mqjehngm.exe Mjpmkdpp.exe File created C:\Windows\SysWOW64\Pdgnnfme.dll Plfhdlfb.exe File created C:\Windows\SysWOW64\Gjolpkhj.exe Ggppdpif.exe File created C:\Windows\SysWOW64\Pbjkiamp.dll Hqkmahpp.exe File created C:\Windows\SysWOW64\Cafamgkk.dll Dmopge32.exe File opened for modification C:\Windows\SysWOW64\Kpblne32.exe Khkdmh32.exe File created C:\Windows\SysWOW64\Kadhen32.exe Kcahjqfa.exe File created C:\Windows\SysWOW64\Neemgp32.exe Nbgakd32.exe File created C:\Windows\SysWOW64\Boifinfg.exe Bqffna32.exe File created C:\Windows\SysWOW64\Nccmng32.exe Nqdaal32.exe File opened for modification C:\Windows\SysWOW64\Nqkgbkdj.exe Nidoamch.exe File created C:\Windows\SysWOW64\Agboqe32.dll Ieqbbl32.exe File created C:\Windows\SysWOW64\Gqidme32.exe Gnjhaj32.exe File created C:\Windows\SysWOW64\Gqkqbe32.exe Glpdbfek.exe File created C:\Windows\SysWOW64\Bklicbjm.dll Imkqmh32.exe File opened for modification C:\Windows\SysWOW64\Damhmc32.exe Dmalmdcg.exe File created C:\Windows\SysWOW64\Ahjldnpp.dll Jffakm32.exe File opened for modification C:\Windows\SysWOW64\Hfalaj32.exe Hbepplkh.exe File created C:\Windows\SysWOW64\Mhlcnl32.exe Mdahnmck.exe File opened for modification C:\Windows\SysWOW64\Plfhdlfb.exe Phklcn32.exe File created C:\Windows\SysWOW64\Cienge32.dll Acnpjj32.exe File created C:\Windows\SysWOW64\Akfhog32.dll Eojoelcm.exe File created C:\Windows\SysWOW64\Abmgojdb.dll Emfbgg32.exe File created C:\Windows\SysWOW64\Kjlgaa32.exe Kgmkef32.exe File created C:\Windows\SysWOW64\Bkpdpg32.dll Bqffna32.exe File created C:\Windows\SysWOW64\Ibmmkaik.exe Ipoqofjh.exe File opened for modification C:\Windows\SysWOW64\Kloqiijm.exe Kbflqccl.exe File created C:\Windows\SysWOW64\Kmpfgklo.exe Kfenjq32.exe File created C:\Windows\SysWOW64\Alfjlh32.dll Fehmlh32.exe File created C:\Windows\SysWOW64\Jljkakol.dll Jehbfjia.exe File opened for modification C:\Windows\SysWOW64\Niilmi32.exe Nbodpo32.exe File created C:\Windows\SysWOW64\Fqnhcgma.exe Fjdpgnee.exe File created C:\Windows\SysWOW64\Hminbkql.exe Hngngo32.exe File created C:\Windows\SysWOW64\Abdpfmcb.dll Omekgakg.exe File opened for modification C:\Windows\SysWOW64\Fkjbpkag.exe Fcbjon32.exe File opened for modification C:\Windows\SysWOW64\Hpjgdf32.exe Haggijgb.exe File opened for modification C:\Windows\SysWOW64\Kkaaee32.exe Kloqiijm.exe File created C:\Windows\SysWOW64\Lgjcdc32.exe Ldlghhde.exe File created C:\Windows\SysWOW64\Lnmkpadn.dll Hngngo32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6640 6616 WerFault.exe 597 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbnckg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eaangfjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hojqjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdlqjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Damhmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpbenpqh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjnjfffm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aagfffbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfalaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jigagocd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oiniaboi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pelpgb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmgenh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdoeipjh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iceiibef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khhndi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmocha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flbehbqm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdplmflg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdhcinme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfookk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcqdidim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dimfmeef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nehjmppo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkafib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nndhpqma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgphke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alhaho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckijdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqidme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Johlpoij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knbjgq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lphlck32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljejgp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Niaihojk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjlnaghp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cemebcnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmloigln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhgpgjoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qiekadkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdmhcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgnaekil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lojeda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opqdcgib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qggoeilh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jonqfq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npkaei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibjikk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kifgllbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbmgkp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkfeec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmggcmgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkaaee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdahnmck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pddinn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilnqhddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpnbcfkc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lccepqdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipameehe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjqglf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikbndqnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdakoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkmmpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obijpgcf.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmengo32.dll" Pobgjhgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hekohm32.dll" Dlfina32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnlodlcj.dll" Eehqme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cebplg32.dll" Gpfggeai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iljkofkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qlcgmpkp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhfhnofg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkndiabh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anbicp32.dll" Jdbhcfjd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lcfhpf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nbbhpegc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajmkkbbd.dll" Fkeedo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njaoeq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkgqpjch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gjahfkfg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnojjp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngcbie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gekdej32.dll" Fleihi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhffikob.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmopge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhdddnep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmlfacbk.dll" Ljfckodo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hklhca32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfalaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbokda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkchpcoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjnhce32.dll" Ipcjje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmjaadjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efkjha32.dll" Eaangfjf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hqkmahpp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbigao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ilhnjfmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbkdpgdb.dll" Omjeba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahoamplo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oljagk32.dll" Kpiihgoh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pahjgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cihikk32.dll" Bdoeipjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcdgffab.dll" Cpbiolnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pncemobj.dll" Nidoamch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfmphlbc.dll" Bjlnaghp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iilocklc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knbjgq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nilpmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdmqnh32.dll" Jlpmndba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dekmid32.dll" Ifoljn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jdmfdgbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpdbdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Boncej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghmohcbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gnoaliln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhccoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edocjp32.dll" Lgdafeln.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fljfdd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kfenjq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ieqbbl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oaaghp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpfmejbd.dll" Cbqekhmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kimfdido.dll" Iabcbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbkgliff.dll" Mjkmfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfiekc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbkgegad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gnenfjdh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkndiabh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfllpb32.dll" Gcgpiq32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2124 wrote to memory of 2616 2124 fe1782e7e012dcae066e03cabc14da8fd4069b6d3db337334fdf6c3d871a9859N.exe 29 PID 2124 wrote to memory of 2616 2124 fe1782e7e012dcae066e03cabc14da8fd4069b6d3db337334fdf6c3d871a9859N.exe 29 PID 2124 wrote to memory of 2616 2124 fe1782e7e012dcae066e03cabc14da8fd4069b6d3db337334fdf6c3d871a9859N.exe 29 PID 2124 wrote to memory of 2616 2124 fe1782e7e012dcae066e03cabc14da8fd4069b6d3db337334fdf6c3d871a9859N.exe 29 PID 2616 wrote to memory of 2892 2616 Eiimci32.exe 30 PID 2616 wrote to memory of 2892 2616 Eiimci32.exe 30 PID 2616 wrote to memory of 2892 2616 Eiimci32.exe 30 PID 2616 wrote to memory of 2892 2616 Eiimci32.exe 30 PID 2892 wrote to memory of 2904 2892 Ehlmnfeo.exe 31 PID 2892 wrote to memory of 2904 2892 Ehlmnfeo.exe 31 PID 2892 wrote to memory of 2904 2892 Ehlmnfeo.exe 31 PID 2892 wrote to memory of 2904 2892 Ehlmnfeo.exe 31 PID 2904 wrote to memory of 2836 2904 Fadagl32.exe 32 PID 2904 wrote to memory of 2836 2904 Fadagl32.exe 32 PID 2904 wrote to memory of 2836 2904 Fadagl32.exe 32 PID 2904 wrote to memory of 2836 2904 Fadagl32.exe 32 PID 2836 wrote to memory of 2660 2836 Fljfdd32.exe 33 PID 2836 wrote to memory of 2660 2836 Fljfdd32.exe 33 PID 2836 wrote to memory of 2660 2836 Fljfdd32.exe 33 PID 2836 wrote to memory of 2660 2836 Fljfdd32.exe 33 PID 2660 wrote to memory of 3052 2660 Fnkblm32.exe 34 PID 2660 wrote to memory of 3052 2660 Fnkblm32.exe 34 PID 2660 wrote to memory of 3052 2660 Fnkblm32.exe 34 PID 2660 wrote to memory of 3052 2660 Fnkblm32.exe 34 PID 3052 wrote to memory of 2728 3052 Fdekigip.exe 35 PID 3052 wrote to memory of 2728 3052 Fdekigip.exe 35 PID 3052 wrote to memory of 2728 3052 Fdekigip.exe 35 PID 3052 wrote to memory of 2728 3052 Fdekigip.exe 35 PID 2728 wrote to memory of 2520 2728 Fgcgebhd.exe 36 PID 2728 wrote to memory of 2520 2728 Fgcgebhd.exe 36 PID 2728 wrote to memory of 2520 2728 Fgcgebhd.exe 36 PID 2728 wrote to memory of 2520 2728 Fgcgebhd.exe 36 PID 2520 wrote to memory of 2024 2520 Fplknh32.exe 37 PID 2520 wrote to memory of 2024 2520 Fplknh32.exe 37 PID 2520 wrote to memory of 2024 2520 Fplknh32.exe 37 PID 2520 wrote to memory of 2024 2520 Fplknh32.exe 37 PID 2024 wrote to memory of 1360 2024 Fhccoe32.exe 38 PID 2024 wrote to memory of 1360 2024 Fhccoe32.exe 38 PID 2024 wrote to memory of 1360 2024 Fhccoe32.exe 38 PID 2024 wrote to memory of 1360 2024 Fhccoe32.exe 38 PID 1360 wrote to memory of 1260 1360 Fjdpgnee.exe 39 PID 1360 wrote to memory of 1260 1360 Fjdpgnee.exe 39 PID 1360 wrote to memory of 1260 1360 Fjdpgnee.exe 39 PID 1360 wrote to memory of 1260 1360 Fjdpgnee.exe 39 PID 1260 wrote to memory of 2720 1260 Fqnhcgma.exe 40 PID 1260 wrote to memory of 2720 1260 Fqnhcgma.exe 40 PID 1260 wrote to memory of 2720 1260 Fqnhcgma.exe 40 PID 1260 wrote to memory of 2720 1260 Fqnhcgma.exe 40 PID 2720 wrote to memory of 1800 2720 Fcmdpcle.exe 41 PID 2720 wrote to memory of 1800 2720 Fcmdpcle.exe 41 PID 2720 wrote to memory of 1800 2720 Fcmdpcle.exe 41 PID 2720 wrote to memory of 1800 2720 Fcmdpcle.exe 41 PID 1800 wrote to memory of 2640 1800 Fkdlaplh.exe 42 PID 1800 wrote to memory of 2640 1800 Fkdlaplh.exe 42 PID 1800 wrote to memory of 2640 1800 Fkdlaplh.exe 42 PID 1800 wrote to memory of 2640 1800 Fkdlaplh.exe 42 PID 2640 wrote to memory of 2236 2640 Fleihi32.exe 43 PID 2640 wrote to memory of 2236 2640 Fleihi32.exe 43 PID 2640 wrote to memory of 2236 2640 Fleihi32.exe 43 PID 2640 wrote to memory of 2236 2640 Fleihi32.exe 43 PID 2236 wrote to memory of 1604 2236 Fdlqjf32.exe 44 PID 2236 wrote to memory of 1604 2236 Fdlqjf32.exe 44 PID 2236 wrote to memory of 1604 2236 Fdlqjf32.exe 44 PID 2236 wrote to memory of 1604 2236 Fdlqjf32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\fe1782e7e012dcae066e03cabc14da8fd4069b6d3db337334fdf6c3d871a9859N.exe"C:\Users\Admin\AppData\Local\Temp\fe1782e7e012dcae066e03cabc14da8fd4069b6d3db337334fdf6c3d871a9859N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Windows\SysWOW64\Eiimci32.exeC:\Windows\system32\Eiimci32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Ehlmnfeo.exeC:\Windows\system32\Ehlmnfeo.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\Fadagl32.exeC:\Windows\system32\Fadagl32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\Fljfdd32.exeC:\Windows\system32\Fljfdd32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Fnkblm32.exeC:\Windows\system32\Fnkblm32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Fdekigip.exeC:\Windows\system32\Fdekigip.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\SysWOW64\Fgcgebhd.exeC:\Windows\system32\Fgcgebhd.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Fplknh32.exeC:\Windows\system32\Fplknh32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\Fhccoe32.exeC:\Windows\system32\Fhccoe32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\Fjdpgnee.exeC:\Windows\system32\Fjdpgnee.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1360 -
C:\Windows\SysWOW64\Fqnhcgma.exeC:\Windows\system32\Fqnhcgma.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1260 -
C:\Windows\SysWOW64\Fcmdpcle.exeC:\Windows\system32\Fcmdpcle.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Fkdlaplh.exeC:\Windows\system32\Fkdlaplh.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1800 -
C:\Windows\SysWOW64\Fleihi32.exeC:\Windows\system32\Fleihi32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Fdlqjf32.exeC:\Windows\system32\Fdlqjf32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\Fgjmfa32.exeC:\Windows\system32\Fgjmfa32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1604 -
C:\Windows\SysWOW64\Gmgenh32.exeC:\Windows\system32\Gmgenh32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1796 -
C:\Windows\SysWOW64\Ggmjkapi.exeC:\Windows\system32\Ggmjkapi.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1896 -
C:\Windows\SysWOW64\Gjkfglom.exeC:\Windows\system32\Gjkfglom.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1960 -
C:\Windows\SysWOW64\Gqendf32.exeC:\Windows\system32\Gqendf32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1312 -
C:\Windows\SysWOW64\Gohnpcmd.exeC:\Windows\system32\Gohnpcmd.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1772 -
C:\Windows\SysWOW64\Gfbfln32.exeC:\Windows\system32\Gfbfln32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1740 -
C:\Windows\SysWOW64\Ghqchi32.exeC:\Windows\system32\Ghqchi32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:924 -
C:\Windows\SysWOW64\Gmloigln.exeC:\Windows\system32\Gmloigln.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2116 -
C:\Windows\SysWOW64\Gcfgfack.exeC:\Windows\system32\Gcfgfack.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:976 -
C:\Windows\SysWOW64\Gbigao32.exeC:\Windows\system32\Gbigao32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1588 -
C:\Windows\SysWOW64\Gkaljdaf.exeC:\Windows\system32\Gkaljdaf.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2868 -
C:\Windows\SysWOW64\Gfgpgmql.exeC:\Windows\system32\Gfgpgmql.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2784 -
C:\Windows\SysWOW64\Gdjpcj32.exeC:\Windows\system32\Gdjpcj32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2848 -
C:\Windows\SysWOW64\Gkchpcoc.exeC:\Windows\system32\Gkchpcoc.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2828 -
C:\Windows\SysWOW64\Gnbelong.exeC:\Windows\system32\Gnbelong.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2724 -
C:\Windows\SysWOW64\Hqpahkmj.exeC:\Windows\system32\Hqpahkmj.exe33⤵
- Executes dropped EXE
PID:568 -
C:\Windows\SysWOW64\Hkfeec32.exeC:\Windows\system32\Hkfeec32.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:636 -
C:\Windows\SysWOW64\Hndaao32.exeC:\Windows\system32\Hndaao32.exe35⤵
- Executes dropped EXE
PID:780 -
C:\Windows\SysWOW64\Hbpmbndm.exeC:\Windows\system32\Hbpmbndm.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Hngngo32.exeC:\Windows\system32\Hngngo32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1112 -
C:\Windows\SysWOW64\Hminbkql.exeC:\Windows\system32\Hminbkql.exe38⤵
- Executes dropped EXE
PID:1004 -
C:\Windows\SysWOW64\Hccfoehi.exeC:\Windows\system32\Hccfoehi.exe39⤵
- Executes dropped EXE
PID:1296 -
C:\Windows\SysWOW64\Hgobpd32.exeC:\Windows\system32\Hgobpd32.exe40⤵
- Executes dropped EXE
PID:1752 -
C:\Windows\SysWOW64\Haggijgb.exeC:\Windows\system32\Haggijgb.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2152 -
C:\Windows\SysWOW64\Hpjgdf32.exeC:\Windows\system32\Hpjgdf32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Hpmdjf32.exeC:\Windows\system32\Hpmdjf32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:536 -
C:\Windows\SysWOW64\Hbkpfa32.exeC:\Windows\system32\Hbkpfa32.exe44⤵
- Executes dropped EXE
PID:2624 -
C:\Windows\SysWOW64\Ilceog32.exeC:\Windows\system32\Ilceog32.exe45⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Ipoqofjh.exeC:\Windows\system32\Ipoqofjh.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:872 -
C:\Windows\SysWOW64\Ibmmkaik.exeC:\Windows\system32\Ibmmkaik.exe47⤵
- Executes dropped EXE
PID:836 -
C:\Windows\SysWOW64\Imcaijia.exeC:\Windows\system32\Imcaijia.exe48⤵
- Executes dropped EXE
PID:2044 -
C:\Windows\SysWOW64\Ilfadg32.exeC:\Windows\system32\Ilfadg32.exe49⤵
- Executes dropped EXE
PID:388 -
C:\Windows\SysWOW64\Ipameehe.exeC:\Windows\system32\Ipameehe.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2284 -
C:\Windows\SysWOW64\Ifkfap32.exeC:\Windows\system32\Ifkfap32.exe51⤵
- Executes dropped EXE
PID:2264 -
C:\Windows\SysWOW64\Ienfml32.exeC:\Windows\system32\Ienfml32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2800 -
C:\Windows\SysWOW64\Ilhnjfmi.exeC:\Windows\system32\Ilhnjfmi.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:2896 -
C:\Windows\SysWOW64\Ipcjje32.exeC:\Windows\system32\Ipcjje32.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2936 -
C:\Windows\SysWOW64\Ibbffq32.exeC:\Windows\system32\Ibbffq32.exe55⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Ieqbbl32.exeC:\Windows\system32\Ieqbbl32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2200 -
C:\Windows\SysWOW64\Iilocklc.exeC:\Windows\system32\Iilocklc.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2468 -
C:\Windows\SysWOW64\Iljkofkg.exeC:\Windows\system32\Iljkofkg.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:288 -
C:\Windows\SysWOW64\Iniglajj.exeC:\Windows\system32\Iniglajj.exe59⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Iagchmjn.exeC:\Windows\system32\Iagchmjn.exe60⤵
- Executes dropped EXE
PID:1388 -
C:\Windows\SysWOW64\Iecohl32.exeC:\Windows\system32\Iecohl32.exe61⤵
- Executes dropped EXE
PID:1792 -
C:\Windows\SysWOW64\Idepdhia.exeC:\Windows\system32\Idepdhia.exe62⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Ilmgef32.exeC:\Windows\system32\Ilmgef32.exe63⤵
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Iokdaa32.exeC:\Windows\system32\Iokdaa32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Imndmnob.exeC:\Windows\system32\Imndmnob.exe65⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Ieelnkpd.exeC:\Windows\system32\Ieelnkpd.exe66⤵PID:1444
-
C:\Windows\SysWOW64\Jhchjgoh.exeC:\Windows\system32\Jhchjgoh.exe67⤵PID:2572
-
C:\Windows\SysWOW64\Jonqfq32.exeC:\Windows\system32\Jonqfq32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1668 -
C:\Windows\SysWOW64\Jalmcl32.exeC:\Windows\system32\Jalmcl32.exe69⤵PID:2028
-
C:\Windows\SysWOW64\Jpomnilc.exeC:\Windows\system32\Jpomnilc.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2924 -
C:\Windows\SysWOW64\Jdjioh32.exeC:\Windows\system32\Jdjioh32.exe71⤵PID:2852
-
C:\Windows\SysWOW64\Jfiekc32.exeC:\Windows\system32\Jfiekc32.exe72⤵
- Modifies registry class
PID:2708 -
C:\Windows\SysWOW64\Jigagocd.exeC:\Windows\system32\Jigagocd.exe73⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2160 -
C:\Windows\SysWOW64\Janihlcf.exeC:\Windows\system32\Janihlcf.exe74⤵PID:1700
-
C:\Windows\SysWOW64\Jdmfdgbj.exeC:\Windows\system32\Jdmfdgbj.exe75⤵
- Modifies registry class
PID:1376 -
C:\Windows\SysWOW64\Jfkbqcam.exeC:\Windows\system32\Jfkbqcam.exe76⤵PID:2012
-
C:\Windows\SysWOW64\Jiinmnaa.exeC:\Windows\system32\Jiinmnaa.exe77⤵PID:816
-
C:\Windows\SysWOW64\Jlhjijpe.exeC:\Windows\system32\Jlhjijpe.exe78⤵PID:1436
-
C:\Windows\SysWOW64\Jdobjgqg.exeC:\Windows\system32\Jdobjgqg.exe79⤵PID:1248
-
C:\Windows\SysWOW64\Jbbbed32.exeC:\Windows\system32\Jbbbed32.exe80⤵PID:2360
-
C:\Windows\SysWOW64\Jgmofbpk.exeC:\Windows\system32\Jgmofbpk.exe81⤵PID:1424
-
C:\Windows\SysWOW64\Jilkbn32.exeC:\Windows\system32\Jilkbn32.exe82⤵PID:1084
-
C:\Windows\SysWOW64\Jmggcmgg.exeC:\Windows\system32\Jmggcmgg.exe83⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1920 -
C:\Windows\SysWOW64\Joicje32.exeC:\Windows\system32\Joicje32.exe84⤵PID:1660
-
C:\Windows\SysWOW64\Jbdokceo.exeC:\Windows\system32\Jbdokceo.exe85⤵PID:700
-
C:\Windows\SysWOW64\Jgpklb32.exeC:\Windows\system32\Jgpklb32.exe86⤵PID:2132
-
C:\Windows\SysWOW64\Jinghn32.exeC:\Windows\system32\Jinghn32.exe87⤵PID:1664
-
C:\Windows\SysWOW64\Jlmddi32.exeC:\Windows\system32\Jlmddi32.exe88⤵PID:2920
-
C:\Windows\SysWOW64\Kokppd32.exeC:\Windows\system32\Kokppd32.exe89⤵PID:2712
-
C:\Windows\SysWOW64\Kbflqccl.exeC:\Windows\system32\Kbflqccl.exe90⤵
- Drops file in System32 directory
PID:1820 -
C:\Windows\SysWOW64\Kloqiijm.exeC:\Windows\system32\Kloqiijm.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2220 -
C:\Windows\SysWOW64\Kkaaee32.exeC:\Windows\system32\Kkaaee32.exe92⤵
- System Location Discovery: System Language Discovery
PID:1500 -
C:\Windows\SysWOW64\Kommediq.exeC:\Windows\system32\Kommediq.exe93⤵PID:1156
-
C:\Windows\SysWOW64\Kaliaphd.exeC:\Windows\system32\Kaliaphd.exe94⤵PID:3004
-
C:\Windows\SysWOW64\Kdjenkgh.exeC:\Windows\system32\Kdjenkgh.exe95⤵PID:2992
-
C:\Windows\SysWOW64\Kkdnke32.exeC:\Windows\system32\Kkdnke32.exe96⤵PID:3016
-
C:\Windows\SysWOW64\Knbjgq32.exeC:\Windows\system32\Knbjgq32.exe97⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1852 -
C:\Windows\SysWOW64\Kejahn32.exeC:\Windows\system32\Kejahn32.exe98⤵PID:2948
-
C:\Windows\SysWOW64\Khhndi32.exeC:\Windows\system32\Khhndi32.exe99⤵
- System Location Discovery: System Language Discovery
PID:1180 -
C:\Windows\SysWOW64\Kobfqc32.exeC:\Windows\system32\Kobfqc32.exe100⤵PID:2668
-
C:\Windows\SysWOW64\Kapbmo32.exeC:\Windows\system32\Kapbmo32.exe101⤵PID:2692
-
C:\Windows\SysWOW64\Kpcbhlki.exeC:\Windows\system32\Kpcbhlki.exe102⤵PID:608
-
C:\Windows\SysWOW64\Kdooij32.exeC:\Windows\system32\Kdooij32.exe103⤵PID:1404
-
C:\Windows\SysWOW64\Kgmkef32.exeC:\Windows\system32\Kgmkef32.exe104⤵
- Drops file in System32 directory
PID:2424 -
C:\Windows\SysWOW64\Kjlgaa32.exeC:\Windows\system32\Kjlgaa32.exe105⤵PID:1572
-
C:\Windows\SysWOW64\Kngcbpjc.exeC:\Windows\system32\Kngcbpjc.exe106⤵PID:2372
-
C:\Windows\SysWOW64\Kabobo32.exeC:\Windows\system32\Kabobo32.exe107⤵PID:2548
-
C:\Windows\SysWOW64\Kdakoj32.exeC:\Windows\system32\Kdakoj32.exe108⤵
- System Location Discovery: System Language Discovery
PID:3020 -
C:\Windows\SysWOW64\Lgphke32.exeC:\Windows\system32\Lgphke32.exe109⤵
- System Location Discovery: System Language Discovery
PID:1720 -
C:\Windows\SysWOW64\Ljndga32.exeC:\Windows\system32\Ljndga32.exe110⤵PID:1512
-
C:\Windows\SysWOW64\Lphlck32.exeC:\Windows\system32\Lphlck32.exe111⤵
- System Location Discovery: System Language Discovery
PID:2876 -
C:\Windows\SysWOW64\Lcfhpf32.exeC:\Windows\system32\Lcfhpf32.exe112⤵
- Modifies registry class
PID:544 -
C:\Windows\SysWOW64\Lfedlb32.exeC:\Windows\system32\Lfedlb32.exe113⤵PID:2796
-
C:\Windows\SysWOW64\Lnlmmo32.exeC:\Windows\system32\Lnlmmo32.exe114⤵PID:2676
-
C:\Windows\SysWOW64\Lpjiik32.exeC:\Windows\system32\Lpjiik32.exe115⤵PID:1996
-
C:\Windows\SysWOW64\Lcieef32.exeC:\Windows\system32\Lcieef32.exe116⤵PID:2376
-
C:\Windows\SysWOW64\Lgdafeln.exeC:\Windows\system32\Lgdafeln.exe117⤵
- Modifies registry class
PID:2840 -
C:\Windows\SysWOW64\Ljbmbpkb.exeC:\Windows\system32\Ljbmbpkb.exe118⤵PID:664
-
C:\Windows\SysWOW64\Lhenmm32.exeC:\Windows\system32\Lhenmm32.exe119⤵PID:2552
-
C:\Windows\SysWOW64\Lpmeojbo.exeC:\Windows\system32\Lpmeojbo.exe120⤵PID:956
-
C:\Windows\SysWOW64\Lckbkfbb.exeC:\Windows\system32\Lckbkfbb.exe121⤵PID:1532
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-