Analysis
max time kernel
59s
max time network
19s
platform
windows7_x64
resource
win7-20240903-en
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted
27/09/2024, 15:33
Static task
static1
Behavioral task
behavioral1
Sample
80d528ad65d01e42adee84ea873956c38f15691fab0f633d00e6285173280aa8N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
80d528ad65d01e42adee84ea873956c38f15691fab0f633d00e6285173280aa8N.exe
Resource
win10v2004-20240802-en
General
Target
80d528ad65d01e42adee84ea873956c38f15691fab0f633d00e6285173280aa8N.exe
Size
94KB
MD5
a81e98b1f96b1a8ab32921088eec5710
SHA1
80d7c900da742da86234ff216b5e7cf63a984af8
SHA256
80d528ad65d01e42adee84ea873956c38f15691fab0f633d00e6285173280aa8
SHA512
39695af6aeb514902c29dd1a3df1831acabff1aef4f431aa4171947b19ac268e740f82d00df758a4102d3ae7e4a98791b75d644f7a4f13d6fbf37ea2586658db
SSDEEP
1536:4tL/eDsm5BitovNa0SaTEn8AcKwPgY2LHAkMQ262AjCsQ2PCZZrqOlNfVSLUKkJ0:4tL/2fgBJkgpH9MQH2qC7ZQOlzSLUK64
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description | ioc | Process
All 64 entries touch the key \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (the "Key created" rows spell the hive path as ...\Software\...). Explorer loads every CLSID listed under ShellServiceObjectDelayLoad at logon; the value name ("Web Event Logger") is arbitrary, the data is the CLSID, and the DLL actually loaded is whatever that CLSID's InProcServer32 registration points to (see "Modifies registry class" below). Two kinds of entry occur:

Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | written by 29 processes:
Eqfogp32.exe, Fnbodbaq.exe, Kncpng32.exe, Omdpmjfe.exe, Baampb32.exe, Eqdbapoa.exe, Nnccpo32.exe, Onbhdl32.exe, Idkpfn32.exe, Ggmnoo32.exe, Fcjenkhm.exe, Jhdkppgi.exe, Cnodfbdj.exe, Dnnijocj.exe, Bndhle32.exe, Knggqm32.exe, Mepaqh32.exe, Hmakkqqi.exe, Habgqehi.exe, Ndjhmc32.exe, Kcaccd32.exe, Jcbimj32.exe, Ebofpc32.exe, Incdocab.exe, Kebipf32.exe, Kjqgdgcj.exe, Aiacamhm.exe, Limjeb32.exe, Dmqgmcba.exe

Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | created by 35 processes:
Kcaccd32.exe, Nhnjlf32.exe, Djnafi32.exe, Ekhclh32.exe, Idhcqn32.exe, Kgkegljn.exe, Cpfcgh32.exe, Dmqgmcba.exe, Cnodfbdj.exe, Dcqfih32.exe, Jhlllb32.exe, Lifdec32.exe, Knggqm32.exe, Kbljop32.exe, Hhgfbpdk.exe, Najhngpm.exe, Pohngd32.exe, Ckdnbend.exe, Jfhbdk32.exe, Dciemfcd.exe, Limjeb32.exe, Qecjkobg.exe, Bkooed32.exe, Bhfegg32.exe, Balmjmeh.exe, Fbgacebm.exe, Ghkplk32.exe, Mihmifhj.exe, Qaadblog.exe, Kbfijkij.exe, Llncgm32.exe, Omjljg32.exe, Nlemaf32.exe, Aalqlibl.exe, Habgqehi.exe
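The ShellServiceObjectDelayLoad writes above and the CLSID\InProcServer32 writes listed under "Modifies registry class" further down are two halves of one persistence mechanism, so a detection has to join them: the SSODL value gives the CLSID, and the CLSID's InProcServer32 default value gives the DLL Explorer will load. The following Python is an added example, not part of this sandbox report or of any tool it names. It runs that join over constructed Sysmon-style registry events (Event ID 12 key create / 13 value set, one JSON object per line, built from the IoCs in this report plus one constructed benign WebCheck entry standing in for the Windows 7 default) and flags SSODL entries that fall outside a baseline or whose DLL or writer carries the dropper-style file name seen throughout this run. The event field names, the baseline set and the flagging heuristics are assumptions to adapt to your own telemetry.

```python
import json
import re

# Constructed Sysmon-style registry events (EventID 12 = key created, 13 = value set),
# one JSON object per line. Paths, CLSID and file names come from the IoCs in this
# report; the WebCheck row is a constructed benign entry. Not captured sandbox output.
SAMPLE_EVENTS = r"""
{"EventID": 12, "EventType": "CreateKey", "Image": "C:\\Windows\\SysWOW64\\Kcaccd32.exe", "TargetObject": "HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad", "Details": ""}
{"EventID": 13, "EventType": "SetValue", "Image": "C:\\Windows\\SysWOW64\\Habgqehi.exe", "TargetObject": "HKLM\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{79FEACFF-FFCE-815E-A900-316290B5B738}\\InProcServer32\\(Default)", "Details": "C:\\Windows\\SysWow64\\Ibhdkj32.dll"}
{"EventID": 13, "EventType": "SetValue", "Image": "C:\\Windows\\SysWOW64\\Bnigcb32.exe", "TargetObject": "HKLM\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{79FEACFF-FFCE-815E-A900-316290B5B738}\\InProcServer32\\ThreadingModel", "Details": "Apartment"}
{"EventID": 13, "EventType": "SetValue", "Image": "C:\\Windows\\SysWOW64\\Eqfogp32.exe", "TargetObject": "HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad\\Web Event Logger", "Details": "{79FEACFF-FFCE-815E-A900-316290B5B738}"}
{"EventID": 13, "EventType": "SetValue", "Image": "C:\\Windows\\System32\\msiexec.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad\\WebCheck", "Details": "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"}
"""

# Assumed baseline of (lower-cased value name, CLSID) pairs expected under SSODL on a
# clean host. Build the real one from a golden image; WebCheck is the Windows 7 default.
BASELINE_SSODL = {("webcheck", "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}")}

SSODL_VALUE_RE = re.compile(r"\\ShellServiceObjectDelayLoad\\([^\\]+)$", re.IGNORECASE)
INPROC_DEFAULT_RE = re.compile(r"\\CLSID\\(\{[0-9A-F-]{36}\})\\InProcServer32\\\(Default\)$", re.IGNORECASE)
# Naming scheme of every dropped file in this report: 8 characters, capital first letter,
# lowercase letters, with the last two optionally replaced by "32".
DROPPER_NAME_RE = re.compile(r"^[A-Z](?:[a-z]{7}|[a-z]{5}32)\.(?:exe|dll)$")


def parse_events(text):
    """One JSON object per non-empty line -> list of dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def basename(path):
    return path.rsplit("\\", 1)[-1]


def find_ssodl_persistence(events, baseline=BASELINE_SSODL):
    """Join SSODL value writes with CLSID InProcServer32 writes; return flagged entries."""
    inproc = {}   # CLSID -> (DLL path, image that registered it)
    ssodl = []    # (value name, CLSID, image that wrote the SSODL value)
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        target, details = ev["TargetObject"], ev.get("Details", "")
        m = INPROC_DEFAULT_RE.search(target)
        if m:
            inproc[m.group(1).upper()] = (details, ev["Image"])
            continue
        m = SSODL_VALUE_RE.search(target)
        if m and details.startswith("{"):
            ssodl.append((m.group(1), details.upper(), ev["Image"]))

    findings = []
    for name, clsid, image in ssodl:
        reasons = []
        if (name.lower(), clsid) not in baseline:
            reasons.append("SSODL entry not in baseline")
        dll, dll_writer = inproc.get(clsid, (None, None))
        if dll and DROPPER_NAME_RE.match(basename(dll)):
            reasons.append("InProcServer32 DLL name matches dropper naming pattern")
        if DROPPER_NAME_RE.match(basename(image)):
            reasons.append("SSODL value written by a process with a dropper-style name")
        if reasons:
            findings.append({"name": name, "clsid": clsid, "dll": dll,
                             "ssodl_writer": image, "clsid_writer": dll_writer,
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_ssodl_persistence(parse_events(SAMPLE_EVENTS)):
        print(f"{f['name']} -> {f['clsid']} -> {f['dll']}: {'; '.join(f['reasons'])}")
```

The join is keyed on the CLSID rather than on the value name because the name is attacker-chosen and looks benign ("Web Event Logger"); resolving it to the DLL under SysWow64 is what turns the registry write into something an analyst can pull from disk.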
Executes dropped EXE 64 IoCs
pid | Process
1748 | Bpqgcq32.exe
2892 | Bndhle32.exe
2720 | Cngebd32.exe
2748 | Ccfjpkkg.exe
2860 | Chcbhbio.exe
2644 | Cchfek32.exe
1800 | Dbpplglj.exe
1304 | Dhjhhacg.exe
2020 | Djnafi32.exe
2480 | Dnkjlg32.exe
2388 | Dmqgmcba.exe
2016 | Efkhkifo.exe
1160 | Eilamd32.exe
2376 | Elmjoo32.exe
2044 | Empclg32.exe
1756 | Fmbpaf32.exe
1784 | Finjag32.exe
1488 | Fokcjnbp.exe
1232 | Gkdpdnfa.exe
1972 | Ghhanbek.exe
2564 | Ggmnoo32.exe
1944 | Gpebhd32.exe
1720 | Ggpjdohp.exe
1372 | Hibpli32.exe
2740 | Hobeipoc.exe
2936 | Hhjjbe32.exe
2636 | Hkkcdq32.exe
2616 | Idcgmf32.exe
2712 | Iqjhbgoj.exe
2568 | Ikplopnp.exe
848 | Idhqheep.exe
2660 | Ijeiplcg.exe
2504 | Iqoamf32.exe
976 | Igijjqba.exe
700 | Iqanbf32.exe
2968 | Jjibkl32.exe
1100 | Jjgbeo32.exe
2428 | Kjiojo32.exe
2168 | Kcaccd32.exe
2272 | Knggqm32.exe
2496 | Kphdhenb.exe
1716 | Kjnhennh.exe
2288 | Kpkqnelp.exe
2500 | Kjpekn32.exe
2264 | Kajmhhcb.exe
1116 | Kbljop32.exe
2276 | Kiebljpm.exe
2232 | Ldkficpc.exe
3060 | Lihoaj32.exe
2624 | Lpbgndfg.exe
2852 | Leoofkdo.exe
2728 | Logdoq32.exe
2584 | Lhohhf32.exe
2668 | Lbemeo32.exe
940 | Lhaenf32.exe
936 | Lmomfm32.exe
2408 | Mggbobde.exe
2484 | Mgiodb32.exe
2628 | Mglkja32.exe
2472 | Mpdpcg32.exe
2788 | Meqhkn32.exe
1964 | Mgpeealk.exe
2492 | Mpiinfbk.exe
1736 | Neeafmqb.exe
Loads dropped DLL 64 IoCs
pid | Process (each pair is listed twice in the report, 64 entries in total)
1088 | 80d528ad65d01e42adee84ea873956c38f15691fab0f633d00e6285173280aa8N.exe
1748 | Bpqgcq32.exe
2892 | Bndhle32.exe
2720 | Cngebd32.exe
2748 | Ccfjpkkg.exe
2860 | Chcbhbio.exe
2644 | Cchfek32.exe
1800 | Dbpplglj.exe
1304 | Dhjhhacg.exe
2020 | Djnafi32.exe
2480 | Dnkjlg32.exe
2388 | Dmqgmcba.exe
2016 | Efkhkifo.exe
1160 | Eilamd32.exe
2376 | Elmjoo32.exe
2044 | Empclg32.exe
1756 | Fmbpaf32.exe
1784 | Finjag32.exe
1488 | Fokcjnbp.exe
1232 | Gkdpdnfa.exe
1972 | Ghhanbek.exe
2564 | Ggmnoo32.exe
1944 | Gpebhd32.exe
1720 | Ggpjdohp.exe
1372 | Hibpli32.exe
2740 | Hobeipoc.exe
2936 | Hhjjbe32.exe
2636 | Hkkcdq32.exe
2616 | Idcgmf32.exe
2712 | Iqjhbgoj.exe
2568 | Ikplopnp.exe
848 | Idhqheep.exe
Drops file in System32 directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Neeafmqb.exe | Mpiinfbk.exe
File opened for modification | C:\Windows\SysWOW64\Aaodlode.exe | Aidpgmfj.exe
File created | C:\Windows\SysWOW64\Fcjenkhm.exe | Effdef32.exe
File created | C:\Windows\SysWOW64\Hhhnpj32.dll | Lfladgdh.exe
File created | C:\Windows\SysWOW64\Edlmdj32.dll | Omjljg32.exe
File created | C:\Windows\SysWOW64\Nhdmil32.dll | Glabajgk.exe
File created | C:\Windows\SysWOW64\Efakjgni.exe | Eqdbapoa.exe
File created | C:\Windows\SysWOW64\Pmimabbk.dll | Geogpemb.exe
File opened for modification | C:\Windows\SysWOW64\Bnigcb32.exe | Aepbjlci.exe
File opened for modification | C:\Windows\SysWOW64\Ckdnbend.exe | Cciincqi.exe
File created | C:\Windows\SysWOW64\Obohhd32.dll | Idhcqn32.exe
File created | C:\Windows\SysWOW64\Efnekmmb.dll | Jhdkppgi.exe
File created | C:\Windows\SysWOW64\Achclf32.dll | Pogede32.exe
File created | C:\Windows\SysWOW64\Efchog32.exe | Eqfogp32.exe
File opened for modification | C:\Windows\SysWOW64\Lhaenf32.exe | Lbemeo32.exe
File created | C:\Windows\SysWOW64\Cpfcgh32.exe | Cbbcmdfa.exe
File created | C:\Windows\SysWOW64\Apofkl32.dll | Ghkplk32.exe
File opened for modification | C:\Windows\SysWOW64\Ikpnhi32.exe | Ioinchpo.exe
File opened for modification | C:\Windows\SysWOW64\Nmnckj32.exe | Mdenaded.exe
File created | C:\Windows\SysWOW64\Iolgaa32.dll | Mdenaded.exe
File opened for modification | C:\Windows\SysWOW64\Fnbodbaq.exe | Fejkklkp.exe
File created | C:\Windows\SysWOW64\Kdabfp32.exe | Kjlnig32.exe
File opened for modification | C:\Windows\SysWOW64\Pnalqqbf.exe | Pnooka32.exe
File created | C:\Windows\SysWOW64\Bpfnbkfk.exe | Afniif32.exe
File created | C:\Windows\SysWOW64\Pomhbchn.exe | Pbigio32.exe
File created | C:\Windows\SysWOW64\Oikiojik.dll | Bpqgcq32.exe
File opened for modification | C:\Windows\SysWOW64\Ogejocjq.exe | Omofbk32.exe
File created | C:\Windows\SysWOW64\Qjjikafh.exe | Qaadblog.exe
File created | C:\Windows\SysWOW64\Idhqheep.exe | Ikplopnp.exe
File created | C:\Windows\SysWOW64\Logdoq32.exe | Leoofkdo.exe
File created | C:\Windows\SysWOW64\Ngfgco32.exe | Nmnckj32.exe
File created | C:\Windows\SysWOW64\Nfjkapmp.dll | Elmjoo32.exe
File opened for modification | C:\Windows\SysWOW64\Mggbobde.exe | Lmomfm32.exe
File opened for modification | C:\Windows\SysWOW64\Igamokdm.exe | Ijmlegfd.exe
File created | C:\Windows\SysWOW64\Bgnplmep.dll | Lahojd32.exe
File opened for modification | C:\Windows\SysWOW64\Kakfkg32.exe | Kbfijkij.exe
File created | C:\Windows\SysWOW64\Hfbicg32.exe | Gjlinfgm.exe
File created | C:\Windows\SysWOW64\Omofbk32.exe | Ofeneqcn.exe
File created | C:\Windows\SysWOW64\Mmmcqlml.dll | Aldhih32.exe
File created | C:\Windows\SysWOW64\Pmcllj32.dll | Balmjmeh.exe
File created | C:\Windows\SysWOW64\Jdpofi32.dll | Nkjbhlpf.exe
File created | C:\Windows\SysWOW64\Hibpli32.exe | Ggpjdohp.exe
File opened for modification | C:\Windows\SysWOW64\Pqhblm32.exe | Pogede32.exe
File created | C:\Windows\SysWOW64\Fnebdhci.exe | Fiijladb.exe
File created | C:\Windows\SysWOW64\Dhfeomon.dll | Ghhanbek.exe
File opened for modification | C:\Windows\SysWOW64\Kajmhhcb.exe | Kjpekn32.exe
File created | C:\Windows\SysWOW64\Aiakfn32.dll | Cchfek32.exe
File created | C:\Windows\SysWOW64\Hkcfikea.exe | Hhbmgp32.exe
File created | C:\Windows\SysWOW64\Neeafmqb.exe | Mpiinfbk.exe
File created | C:\Windows\SysWOW64\Lgngjn32.dll | Nklmdcfo.exe
File created | C:\Windows\SysWOW64\Omgefipb.exe | Ogjmnbak.exe
File created | C:\Windows\SysWOW64\Agclbdll.exe | Ajplipmb.exe
File opened for modification | C:\Windows\SysWOW64\Ikkemiji.exe | Hacqdd32.exe
File opened for modification | C:\Windows\SysWOW64\Lkgmfneb.exe | Lbnininb.exe
File opened for modification | C:\Windows\SysWOW64\Baampb32.exe | Bgglpd32.exe
File created | C:\Windows\SysWOW64\Blenbe32.dll | Gjlinfgm.exe
File created | C:\Windows\SysWOW64\Iaogjhmg.exe | Ifhfeggb.exe
File opened for modification | C:\Windows\SysWOW64\Aidpgmfj.exe | Aiacamhm.exe
File created | C:\Windows\SysWOW64\Jbgdkg32.dll | Lghkma32.exe
File created | C:\Windows\SysWOW64\Aidpgmfj.exe | Aiacamhm.exe
File created | C:\Windows\SysWOW64\Lpbgndfg.exe | Lihoaj32.exe
File created | C:\Windows\SysWOW64\Balmjmeh.exe | Blodbffq.exe
File opened for modification | C:\Windows\SysWOW64\Lifdec32.exe | Kcilml32.exe
File opened for modification | C:\Windows\SysWOW64\Fmbpaf32.exe | Empclg32.exe
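The "Executes dropped EXE" list (the order in which the dropped copies were started) and the "Drops file in System32 directory" list (which process wrote which file) describe the same self-replication chain from two angles, and they can be checked against each other: in this run every dropped .exe that appears in both lists was started immediately after the process that wrote it. The following Python is an added example, not part of this sandbox report or of any tool it names. It re-parses a subset of the drop rows and the full execution list exactly as printed above, reconstructs who dropped whom, verifies the one-writes-the-next chain, and derives the file-naming scheme every dropped file in this report follows so it can seed a sweep of SysWOW64 on a suspect host. The regexes and function names are my own; the row formats are the report's.

```python
import re

# Rows copied from the "Drops file in System32 directory" section of this report
# (a subset of the 64 listed). Format: "<action> <path> <process that did it>".
DROP_ROWS = r"""
File created C:\Windows\SysWOW64\Idhqheep.exe Ikplopnp.exe
File created C:\Windows\SysWOW64\Logdoq32.exe Leoofkdo.exe
File created C:\Windows\SysWOW64\Lpbgndfg.exe Lihoaj32.exe
File created C:\Windows\SysWOW64\Neeafmqb.exe Mpiinfbk.exe
File created C:\Windows\SysWOW64\Hibpli32.exe Ggpjdohp.exe
File opened for modification C:\Windows\SysWOW64\Lhaenf32.exe Lbemeo32.exe
File opened for modification C:\Windows\SysWOW64\Fmbpaf32.exe Empclg32.exe
File opened for modification C:\Windows\SysWOW64\Kajmhhcb.exe Kjpekn32.exe
File created C:\Windows\SysWOW64\Oikiojik.dll Bpqgcq32.exe
File created C:\Windows\SysWOW64\Aiakfn32.dll Cchfek32.exe
File created C:\Windows\SysWOW64\Nfjkapmp.dll Elmjoo32.exe
"""

# The complete "Executes dropped EXE" list from this report, in the order printed.
EXEC_ROWS = """
1748 Bpqgcq32.exe 2892 Bndhle32.exe 2720 Cngebd32.exe 2748 Ccfjpkkg.exe
2860 Chcbhbio.exe 2644 Cchfek32.exe 1800 Dbpplglj.exe 1304 Dhjhhacg.exe
2020 Djnafi32.exe 2480 Dnkjlg32.exe 2388 Dmqgmcba.exe 2016 Efkhkifo.exe
1160 Eilamd32.exe 2376 Elmjoo32.exe 2044 Empclg32.exe 1756 Fmbpaf32.exe
1784 Finjag32.exe 1488 Fokcjnbp.exe 1232 Gkdpdnfa.exe 1972 Ghhanbek.exe
2564 Ggmnoo32.exe 1944 Gpebhd32.exe 1720 Ggpjdohp.exe 1372 Hibpli32.exe
2740 Hobeipoc.exe 2936 Hhjjbe32.exe 2636 Hkkcdq32.exe 2616 Idcgmf32.exe
2712 Iqjhbgoj.exe 2568 Ikplopnp.exe 848 Idhqheep.exe 2660 Ijeiplcg.exe
2504 Iqoamf32.exe 976 Igijjqba.exe 700 Iqanbf32.exe 2968 Jjibkl32.exe
1100 Jjgbeo32.exe 2428 Kjiojo32.exe 2168 Kcaccd32.exe 2272 Knggqm32.exe
2496 Kphdhenb.exe 1716 Kjnhennh.exe 2288 Kpkqnelp.exe 2500 Kjpekn32.exe
2264 Kajmhhcb.exe 1116 Kbljop32.exe 2276 Kiebljpm.exe 2232 Ldkficpc.exe
3060 Lihoaj32.exe 2624 Lpbgndfg.exe 2852 Leoofkdo.exe 2728 Logdoq32.exe
2584 Lhohhf32.exe 2668 Lbemeo32.exe 940 Lhaenf32.exe 936 Lmomfm32.exe
2408 Mggbobde.exe 2484 Mgiodb32.exe 2628 Mglkja32.exe 2472 Mpdpcg32.exe
2788 Meqhkn32.exe 1964 Mgpeealk.exe 2492 Mpiinfbk.exe 1736 Neeafmqb.exe
"""

DROP_RE = re.compile(r"^(File created|File opened for modification) (\S+\\([^\\\s]+)) (\S+)$")
EXEC_RE = re.compile(r"(\d+) (\S+\.exe)")
# Naming scheme shared by every dropped file in this report: 8 characters, capital
# first letter, lowercase letters, with the last two optionally replaced by "32".
DROPPER_NAME_RE = re.compile(r"^[A-Z](?:[a-z]{7}|[a-z]{5}32)\.(?:exe|dll)$")


def parse_drops(text):
    """Return (action, full path, file name, parent process) tuples."""
    rows = []
    for line in text.strip().splitlines():
        m = DROP_RE.match(line.strip())
        if m:
            rows.append((m.group(1), m.group(2), m.group(3), m.group(4)))
    return rows


def parse_exec_order(text):
    """Return the dropped executables as (pid, name) in the order they were started."""
    return [(int(pid), name) for pid, name in EXEC_RE.findall(text)]


def dropper_of(drops):
    """Map each dropped .exe to the process that wrote it."""
    return {name: parent for _, _, name, parent in drops if name.lower().endswith(".exe")}


def check_chain(drops, exec_order):
    """Each dropped .exe should start right after the process that wrote it.
    Returns the (parent, child) edges that break that chain; empty means consistent."""
    position = {name: i for i, (_, name) in enumerate(exec_order)}
    broken = []
    for child, parent in dropper_of(drops).items():
        if child in position and parent in position and position[child] != position[parent] + 1:
            broken.append((parent, child))
    return broken


def suspicious_names(drops):
    """Dropped file names that fit the naming scheme: seed list for a disk sweep."""
    return sorted({name for _, _, name, _ in drops if DROPPER_NAME_RE.match(name)})


if __name__ == "__main__":
    drops = parse_drops(DROP_ROWS)
    order = parse_exec_order(EXEC_ROWS)
    for child, parent in dropper_of(drops).items():
        print(f"{parent} -> {child}")
    print("chain breaks:", check_chain(drops, order) or "none")
    print("names to sweep for:", ", ".join(suspicious_names(drops)))
```

Because the sandbox caps each signature at 64 IoCs, the drop list is a sample rather than the whole chain; the chain check therefore only judges edges whose endpoints both appear in the execution list, and a non-empty result would point at a process that was started by something other than its writer.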
Program crash 1 IoCs
pid | pid_target | Process | procid_target
3656 | 3272 | WerFault.exe | 319
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | opened by 64 processes:
Nmnckj32.exe, Agclbdll.exe, Jjibkl32.exe, Gjffphpc.exe, Pomhbchn.exe, Mbqabl32.exe, Dciemfcd.exe, Eoabgggf.exe, Kqcipb32.exe, Eqfogp32.exe, Qjkbnp32.exe, Ckdnbend.exe, Aldhih32.exe, Baqfel32.exe, Omgefipb.exe, Bndhle32.exe, Kcaccd32.exe, Gacdeq32.exe, Jfhbdk32.exe, Idhcqn32.exe, Limjeb32.exe, Gkdpdnfa.exe, Dhddbo32.exe, Nlemaf32.exe, Incdocab.exe, Najhngpm.exe, Iqoamf32.exe, Bgglpd32.exe, Hdigakji.exe, Kcilml32.exe, Lkgmfneb.exe, Mihmifhj.exe, Gamafbjb.exe, Kjihpi32.exe, Onbhdl32.exe, Qjmodpoe.exe, Lfladgdh.exe, Dbhppd32.exe, Fbckjfip.exe, Gfhniijm.exe, Odjdlg32.exe, Gjlinfgm.exe, Lmomfm32.exe, Fiijladb.exe, Afkfipna.exe, Fbgacebm.exe, Nocbck32.exe, Qaadblog.exe, Jbdpeh32.exe, Pqhblm32.exe, Lmgqkg32.exe, Ejejopho.exe, Kncpng32.exe, 80d528ad65d01e42adee84ea873956c38f15691fab0f633d00e6285173280aa8N.exe, Omofbk32.exe, Fjopoifk.exe, Hkcfikea.exe, Kbfijkij.exe, Mofidn32.exe, Llncgm32.exe, Ndkapbmo.exe, Dnkjlg32.exe, Fnebdhci.exe, Peipkjge.exe
Modifies registry class 64 IoCs
description | ioc | Process
All entries are under \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32, the COM registration that maps the CLSID named in the ShellServiceObjectDelayLoad value above to the DLL Explorer loads; the InProcServer32 default value is the DLL path, and ThreadingModel = "Apartment" is the usual setting for a shell extension. Four kinds of entry occur:

Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | 80d528ad65d01e42adee84ea873956c38f15691fab0f633d00e6285173280aa8N.exe

Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | created by 19 processes:
Hkkcdq32.exe, Neeafmqb.exe, Ajdedo32.exe, Ioinchpo.exe, Pqhblm32.exe, Bgepjejb.exe, Eqfogp32.exe, Nocbck32.exe, Omofbk32.exe, Knogdkml.exe, Fbgacebm.exe, Cpfcgh32.exe, Agclbdll.exe, Oohbhqjh.exe, Dpepfl32.exe, Kcaccd32.exe, Mfgdhkki.exe, Fbckjfip.exe, Kajmhhcb.exe

Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | written by 19 processes:
Bnigcb32.exe, Finjag32.exe, Eqpifq32.exe, Ekemci32.exe, Llncgm32.exe, Qaadblog.exe, Pnooka32.exe, Ofeneqcn.exe, Aalqlibl.exe, Pflpecpa.exe, Bpqgcq32.exe, Miocjebb.exe, Bmjnlp32.exe, Bkooed32.exe, Ohccgfof.exe, Flejbmfh.exe, Geogpemb.exe, Kcilml32.exe, Apcjbeea.exe

Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\<dll>" (default value, the DLL to be loaded) | 25 entries, listed as DLL (process that wrote it):
Ibhdkj32.dll (Habgqehi.exe), Kacomcbc.dll (Mglkja32.exe), Ldjffk32.dll (Iaogjhmg.exe), Njcjaj32.dll (Neeafmqb.exe), Gfjdhm32.dll (Ebofpc32.exe), Noljad32.dll (Fcjenkhm.exe), Cmllbfom.dll (Iolacn32.exe), Koboce32.dll (Lhohhf32.exe), Pmcllj32.dll (Balmjmeh.exe), Ocgjcc32.dll (Ckdnbend.exe), Ajhfkk32.dll (Dhjhhacg.exe), Abofmakh.dll (Meqhkn32.exe), Ofjldknb.dll (Aaodlode.exe), Ppbdcaed.dll (Ldkficpc.exe), Mklfiilm.dll (Geadee32.exe), Ooihdn32.dll (Jhlllb32.exe), Iiphelln.dll (Kbljop32.exe), Pplfpa32.dll (Blbhbl32.exe), Kiqhbi32.dll (Lihoaj32.exe), Gjfhdham.dll (Ekemci32.exe), Affbdo32.dll (Dbpplglj.exe), Gnffni32.dll (Eilamd32.exe), Mkgdgc32.dll (Hkcfikea.exe), Apobfj32.dll (Pfoakokc.exe), Pfqimeai.dll (Dfaokckn.exe)
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
Each entry is spawned by the one before it; the leading number is the depth in the process tree. Child binaries are launched as C:\Windows\system32\<name>.exe and run from C:\Windows\SysWOW64 (32-bit processes on the x64 image).
1. C:\Users\Admin\AppData\Local\Temp\80d528ad65d01e42adee84ea873956c38f15691fab0f633d00e6285173280aa8N.exe (launched as "C:\Users\Admin\AppData\Local\Temp\80d528ad65d01e42adee84ea873956c38f15691fab0f633d00e6285173280aa8N.exe"), PID:1088
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Bpqgcq32.exe (launched as C:\Windows\system32\Bpqgcq32.exe), PID:1748
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Bndhle32.exe (launched as C:\Windows\system32\Bndhle32.exe), PID:2892
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Cngebd32.exe (launched as C:\Windows\system32\Cngebd32.exe), PID:2720
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Ccfjpkkg.exe (launched as C:\Windows\system32\Ccfjpkkg.exe), PID:2748
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Chcbhbio.exe (launched as C:\Windows\system32\Chcbhbio.exe), PID:2860
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Cchfek32.exe (launched as C:\Windows\system32\Cchfek32.exe), PID:2644
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Dbpplglj.exe (launched as C:\Windows\system32\Dbpplglj.exe), PID:1800
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Dhjhhacg.exe (launched as C:\Windows\system32\Dhjhhacg.exe), PID:1304
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Djnafi32.exe (launched as C:\Windows\system32\Djnafi32.exe), PID:2020
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Dnkjlg32.exe (launched as C:\Windows\system32\Dnkjlg32.exe), PID:2480
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Dmqgmcba.exe (launched as C:\Windows\system32\Dmqgmcba.exe), PID:2388
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Efkhkifo.exe (launched as C:\Windows\system32\Efkhkifo.exe), PID:2016
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Eilamd32.exe (launched as C:\Windows\system32\Eilamd32.exe), PID:1160
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Elmjoo32.exe (launched as C:\Windows\system32\Elmjoo32.exe), PID:2376
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Empclg32.exe (launched as C:\Windows\system32\Empclg32.exe), PID:2044
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Fmbpaf32.exe (launched as C:\Windows\system32\Fmbpaf32.exe), PID:1756
- Executes dropped EXE
- Loads dropped DLL
18. C:\Windows\SysWOW64\Finjag32.exe (launched as C:\Windows\system32\Finjag32.exe), PID:1784
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
19. C:\Windows\SysWOW64\Fokcjnbp.exe (launched as C:\Windows\system32\Fokcjnbp.exe), PID:1488
- Executes dropped EXE
- Loads dropped DLL
20. C:\Windows\SysWOW64\Gkdpdnfa.exe (launched as C:\Windows\system32\Gkdpdnfa.exe), PID:1232
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
21. C:\Windows\SysWOW64\Ghhanbek.exe (launched as C:\Windows\system32\Ghhanbek.exe), PID:1972
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
22. C:\Windows\SysWOW64\Ggmnoo32.exe (launched as C:\Windows\system32\Ggmnoo32.exe), PID:2564
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
23. C:\Windows\SysWOW64\Gpebhd32.exe (launched as C:\Windows\system32\Gpebhd32.exe), PID:1944
- Executes dropped EXE
- Loads dropped DLL
24. C:\Windows\SysWOW64\Ggpjdohp.exe (launched as C:\Windows\system32\Ggpjdohp.exe), PID:1720
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
25. C:\Windows\SysWOW64\Hibpli32.exe (launched as C:\Windows\system32\Hibpli32.exe), PID:1372
- Executes dropped EXE
- Loads dropped DLL
26. C:\Windows\SysWOW64\Hobeipoc.exe (launched as C:\Windows\system32\Hobeipoc.exe), PID:2740
- Executes dropped EXE
- Loads dropped DLL
27. C:\Windows\SysWOW64\Hhjjbe32.exe (launched as C:\Windows\system32\Hhjjbe32.exe), PID:2936
- Executes dropped EXE
- Loads dropped DLL
28. C:\Windows\SysWOW64\Hkkcdq32.exe (launched as C:\Windows\system32\Hkkcdq32.exe), PID:2636
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
29. C:\Windows\SysWOW64\Idcgmf32.exe (launched as C:\Windows\system32\Idcgmf32.exe), PID:2616
- Executes dropped EXE
- Loads dropped DLL
30. C:\Windows\SysWOW64\Iqjhbgoj.exe (launched as C:\Windows\system32\Iqjhbgoj.exe), PID:2712
- Executes dropped EXE
- Loads dropped DLL
31. C:\Windows\SysWOW64\Ikplopnp.exe (launched as C:\Windows\system32\Ikplopnp.exe), PID:2568
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
32. C:\Windows\SysWOW64\Idhqheep.exe (launched as C:\Windows\system32\Idhqheep.exe), PID:848
- Executes dropped EXE
- Loads dropped DLL
33. C:\Windows\SysWOW64\Ijeiplcg.exe (launched as C:\Windows\system32\Ijeiplcg.exe), PID:2660
- Executes dropped EXE
34. C:\Windows\SysWOW64\Iqoamf32.exe (launched as C:\Windows\system32\Iqoamf32.exe), PID:2504
- Executes dropped EXE
- System Location Discovery: System Language Discovery
35. C:\Windows\SysWOW64\Igijjqba.exe (launched as C:\Windows\system32\Igijjqba.exe), PID:976
- Executes dropped EXE
36. C:\Windows\SysWOW64\Iqanbf32.exe (launched as C:\Windows\system32\Iqanbf32.exe), PID:700
- Executes dropped EXE
37. C:\Windows\SysWOW64\Jjibkl32.exe (launched as C:\Windows\system32\Jjibkl32.exe), PID:2968
- Executes dropped EXE
- System Location Discovery: System Language Discovery
38. C:\Windows\SysWOW64\Jjgbeo32.exe (launched as C:\Windows\system32\Jjgbeo32.exe), PID:1100
- Executes dropped EXE
39. C:\Windows\SysWOW64\Kjiojo32.exe (launched as C:\Windows\system32\Kjiojo32.exe), PID:2428
- Executes dropped EXE
40. C:\Windows\SysWOW64\Kcaccd32.exe (launched as C:\Windows\system32\Kcaccd32.exe), PID:2168
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
41. C:\Windows\SysWOW64\Knggqm32.exe (launched as C:\Windows\system32\Knggqm32.exe), PID:2272
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
42. C:\Windows\SysWOW64\Kphdhenb.exe (launched as C:\Windows\system32\Kphdhenb.exe), PID:2496
- Executes dropped EXE
43. C:\Windows\SysWOW64\Kjnhennh.exe (launched as C:\Windows\system32\Kjnhennh.exe), PID:1716
- Executes dropped EXE
44. C:\Windows\SysWOW64\Kpkqnelp.exe (launched as C:\Windows\system32\Kpkqnelp.exe), PID:2288
- Executes dropped EXE
45. C:\Windows\SysWOW64\Kjpekn32.exe (launched as C:\Windows\system32\Kjpekn32.exe), PID:2500
- Executes dropped EXE
- Drops file in System32 directory
46. C:\Windows\SysWOW64\Kajmhhcb.exe (launched as C:\Windows\system32\Kajmhhcb.exe), PID:2264
- Executes dropped EXE
- Modifies registry class
47. C:\Windows\SysWOW64\Kbljop32.exe (launched as C:\Windows\system32\Kbljop32.exe), PID:1116
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
48. C:\Windows\SysWOW64\Kiebljpm.exe (launched as C:\Windows\system32\Kiebljpm.exe), PID:2276
- Executes dropped EXE
49. C:\Windows\SysWOW64\Ldkficpc.exe (launched as C:\Windows\system32\Ldkficpc.exe), PID:2232
- Executes dropped EXE
- Modifies registry class
50. C:\Windows\SysWOW64\Lihoaj32.exe (launched as C:\Windows\system32\Lihoaj32.exe), PID:3060
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
51. C:\Windows\SysWOW64\Lpbgndfg.exe (launched as C:\Windows\system32\Lpbgndfg.exe), PID:2624
- Executes dropped EXE
52. C:\Windows\SysWOW64\Leoofkdo.exe (launched as C:\Windows\system32\Leoofkdo.exe), PID:2852
- Executes dropped EXE
- Drops file in System32 directory
53. C:\Windows\SysWOW64\Logdoq32.exe (launched as C:\Windows\system32\Logdoq32.exe), PID:2728
- Executes dropped EXE
54. C:\Windows\SysWOW64\Lhohhf32.exe (launched as C:\Windows\system32\Lhohhf32.exe), PID:2584
- Executes dropped EXE
- Modifies registry class
55. C:\Windows\SysWOW64\Lbemeo32.exe (launched as C:\Windows\system32\Lbemeo32.exe), PID:2668
- Executes dropped EXE
- Drops file in System32 directory
56. C:\Windows\SysWOW64\Lhaenf32.exe (launched as C:\Windows\system32\Lhaenf32.exe), PID:940
- Executes dropped EXE
57. C:\Windows\SysWOW64\Lmomfm32.exe (launched as C:\Windows\system32\Lmomfm32.exe), PID:936
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
58. C:\Windows\SysWOW64\Mggbobde.exe (launched as C:\Windows\system32\Mggbobde.exe), PID:2408
- Executes dropped EXE
59. C:\Windows\SysWOW64\Mgiodb32.exe (launched as C:\Windows\system32\Mgiodb32.exe), PID:2484
- Executes dropped EXE
60. C:\Windows\SysWOW64\Mglkja32.exe (launched as C:\Windows\system32\Mglkja32.exe), PID:2628
- Executes dropped EXE
- Modifies registry class
61. C:\Windows\SysWOW64\Mpdpcg32.exe (launched as C:\Windows\system32\Mpdpcg32.exe), PID:2472
- Executes dropped EXE
62. C:\Windows\SysWOW64\Meqhkn32.exe (launched as C:\Windows\system32\Meqhkn32.exe), PID:2788
- Executes dropped EXE
- Modifies registry class
63. C:\Windows\SysWOW64\Mgpeealk.exe (launched as C:\Windows\system32\Mgpeealk.exe), PID:1964
- Executes dropped EXE
64. C:\Windows\SysWOW64\Mpiinfbk.exe (launched as C:\Windows\system32\Mpiinfbk.exe), PID:2492
- Executes dropped EXE
- Drops file in System32 directory
65. C:\Windows\SysWOW64\Neeafmqb.exe (launched as C:\Windows\system32\Neeafmqb.exe), PID:1736
- Executes dropped EXE
- Modifies registry class
66. C:\Windows\SysWOW64\Ndkogj32.exe (launched as C:\Windows\system32\Ndkogj32.exe), PID:1728
67. C:\Windows\SysWOW64\Nnccpo32.exe (launched as C:\Windows\system32\Nnccpo32.exe), PID:748
- Adds autorun key to be loaded by Explorer.exe on startup
68. C:\Windows\SysWOW64\Ndohbiae.exe (launched as C:\Windows\system32\Ndohbiae.exe), PID:1080
69. C:\Windows\SysWOW64\Nnhmkohe.exe (launched as C:\Windows\system32\Nnhmkohe.exe), PID:1280
70. C:\Windows\SysWOW64\Nklmdcfo.exe (launched as C:\Windows\system32\Nklmdcfo.exe), PID:1524
- Drops file in System32 directory
71. C:\Windows\SysWOW64\Ofeneqcn.exe (launched as C:\Windows\system32\Ofeneqcn.exe), PID:2256
- Drops file in System32 directory
- Modifies registry class
72. C:\Windows\SysWOW64\Omofbk32.exe (launched as C:\Windows\system32\Omofbk32.exe), PID:2612
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
73. C:\Windows\SysWOW64\Ogejocjq.exe (launched as C:\Windows\system32\Ogejocjq.exe), PID:2844
74. C:\Windows\SysWOW64\Omdpmjfe.exe (launched as C:\Windows\system32\Omdpmjfe.exe), PID:2648
- Adds autorun key to be loaded by Explorer.exe on startup
75. C:\Windows\SysWOW64\Oikpbklj.exe (launched as C:\Windows\system32\Oikpbklj.exe), PID:3024
76. C:\Windows\SysWOW64\Pfoakokc.exe (launched as C:\Windows\system32\Pfoakokc.exe), PID:3040
- Modifies registry class
77. C:\Windows\SysWOW64\Pogede32.exe (launched as C:\Windows\system32\Pogede32.exe), PID:524
- Drops file in System32 directory
78. C:\Windows\SysWOW64\Pqhblm32.exe (launched as C:\Windows\system32\Pqhblm32.exe), PID:1816
- System Location Discovery: System Language Discovery
- Modifies registry class
79. C:\Windows\SysWOW64\Pknfif32.exe (launched as C:\Windows\system32\Pknfif32.exe), PID:2096
80. C:\Windows\SysWOW64\Pciknh32.exe (launched as C:\Windows\system32\Pciknh32.exe), PID:2164
81. C:\Windows\SysWOW64\Pnooka32.exe (launched as C:\Windows\system32\Pnooka32.exe), PID:2060
- Drops file in System32 directory
- Modifies registry class
82. C:\Windows\SysWOW64\Pnalqqbf.exe (launched as C:\Windows\system32\Pnalqqbf.exe), PID:1444
83. C:\Windows\SysWOW64\Pflpecpa.exe (launched as C:\Windows\system32\Pflpecpa.exe), PID:2132
- Modifies registry class
84. C:\Windows\SysWOW64\Qaadblog.exe (launched as C:\Windows\system32\Qaadblog.exe), PID:1976
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
85. C:\Windows\SysWOW64\Qjjikafh.exe (launched as C:\Windows\system32\Qjjikafh.exe), PID:2524
86. C:\Windows\SysWOW64\Qlkebi32.exe (launched as C:\Windows\system32\Qlkebi32.exe), PID:1572
87. C:\Windows\SysWOW64\Qecjkobg.exe (launched as C:\Windows\system32\Qecjkobg.exe), PID:2928
- Adds autorun key to be loaded by Explorer.exe on startup
88. C:\Windows\SysWOW64\Aiacamhm.exe (launched as C:\Windows\system32\Aiacamhm.exe), PID:2228
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
89. C:\Windows\SysWOW64\Aidpgmfj.exe (launched as C:\Windows\system32\Aidpgmfj.exe), PID:2820
- Drops file in System32 directory
90. C:\Windows\SysWOW64\Aaodlode.exe (launched as C:\Windows\system32\Aaodlode.exe), PID:2112
- Modifies registry class
91. C:\Windows\SysWOW64\Aldhih32.exe (launched as C:\Windows\system32\Aldhih32.exe), PID:1856
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
92. C:\Windows\SysWOW64\Amfeqpij.exe (launched as C:\Windows\system32\Amfeqpij.exe), PID:2620
93. C:\Windows\SysWOW64\Afniif32.exe (launched as C:\Windows\system32\Afniif32.exe), PID:3028
- Drops file in System32 directory
94. C:\Windows\SysWOW64\Bpfnbkfk.exe (launched as C:\Windows\system32\Bpfnbkfk.exe), PID:2192
95. C:\Windows\SysWOW64\Bmjnlp32.exe (launched as C:\Windows\system32\Bmjnlp32.exe), PID:1592
- Modifies registry class
96. C:\Windows\SysWOW64\Bkooed32.exe (launched as C:\Windows\system32\Bkooed32.exe), PID:1764
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
97. C:\Windows\SysWOW64\Bgepjejb.exe (launched as C:\Windows\system32\Bgepjejb.exe), PID:2072
- Modifies registry class
98. C:\Windows\SysWOW64\Blbhbl32.exe (launched as C:\Windows\system32\Blbhbl32.exe), PID:1696
- Modifies registry class
99. C:\Windows\SysWOW64\Bgglpd32.exe (launched as C:\Windows\system32\Bgglpd32.exe), PID:944
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
100. C:\Windows\SysWOW64\Baampb32.exe (launched as C:\Windows\system32\Baampb32.exe), PID:1772
- Adds autorun key to be loaded by Explorer.exe on startup
101. C:\Windows\SysWOW64\Cnodfbdj.exe (launched as C:\Windows\system32\Cnodfbdj.exe), PID:820
- Adds autorun key to be loaded by Explorer.exe on startup
102. C:\Windows\SysWOW64\Ccnici32.exe (launched as C:\Windows\system32\Ccnici32.exe), PID:2512
103. C:\Windows\SysWOW64\Dcqfih32.exe (launched as C:\Windows\system32\Dcqfih32.exe), PID:2144
- Adds autorun key to be loaded by Explorer.exe on startup
104. C:\Windows\SysWOW64\Dccbohlj.exe (launched as C:\Windows\system32\Dccbohlj.exe), PID:2280
105. C:\Windows\SysWOW64\Dfaokckn.exe (launched as C:\Windows\system32\Dfaokckn.exe), PID:2884
- Modifies registry class
106. C:\Windows\SysWOW64\Dkngckie.exe (launched as C:\Windows\system32\Dkngckie.exe), PID:2068
107. C:\Windows\SysWOW64\Dbhppd32.exe (launched as C:\Windows\system32\Dbhppd32.exe), PID:2656
- System Location Discovery: System Language Discovery
108. C:\Windows\SysWOW64\Dnopdf32.exe (launched as C:\Windows\system32\Dnopdf32.exe), PID:3052
109. C:\Windows\SysWOW64\Dhddbo32.exe (launched as C:\Windows\system32\Dhddbo32.exe), PID:740
- System Location Discovery: System Language Discovery
110. C:\Windows\SysWOW64\Eqpifq32.exe (launched as C:\Windows\system32\Eqpifq32.exe), PID:280
- Modifies registry class
111. C:\Windows\SysWOW64\Ekemci32.exe (launched as C:\Windows\system32\Ekemci32.exe), PID:972
- Modifies registry class
112. C:\Windows\SysWOW64\Ebofpc32.exe (launched as C:\Windows\system32\Ebofpc32.exe), PID:536
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
113. C:\Windows\SysWOW64\Ejjjef32.exe (launched as C:\Windows\system32\Ejjjef32.exe), PID:1724
114. C:\Windows\SysWOW64\Eqdbapoa.exe (launched as C:\Windows\system32\Eqdbapoa.exe), PID:1548
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
115. C:\Windows\SysWOW64\Efakjgni.exe (launched as C:\Windows\system32\Efakjgni.exe), PID:2508
116. C:\Windows\SysWOW64\Eqfogp32.exe (launched as C:\Windows\system32\Eqfogp32.exe), PID:1980
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
117. C:\Windows\SysWOW64\Efchog32.exe (launched as C:\Windows\system32\Efchog32.exe), PID:2896
118. C:\Windows\SysWOW64\Eqilmp32.exe (launched as C:\Windows\system32\Eqilmp32.exe), PID:2864
119. C:\Windows\SysWOW64\Effdef32.exe (launched as C:\Windows\system32\Effdef32.exe), PID:1004
- Drops file in System32 directory
120. C:\Windows\SysWOW64\Fcjenkhm.exe (launched as C:\Windows\system32\Fcjenkhm.exe), PID:2180
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
121. C:\Windows\SysWOW64\Flejbmfh.exe (launched as C:\Windows\system32\Flejbmfh.exe), PID:2152
- Modifies registry class
122. C:\Windows\SysWOW64\Fiijladb.exe (launched as C:\Windows\system32\Fiijladb.exe), PID:1112
- Drops file in System32 directory
- System Location Discovery: System Language Discovery