Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
10-10-2024 02:49
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
152aa5e7e5d464bf55a2460b2e1eb6493bb6bb28e507720e8348986277431c96N.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
152aa5e7e5d464bf55a2460b2e1eb6493bb6bb28e507720e8348986277431c96N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
152aa5e7e5d464bf55a2460b2e1eb6493bb6bb28e507720e8348986277431c96N.exe
-
Size
67KB
-
MD5
a5f88b47631d0dfb4417da8afb1eb900
-
SHA1
13fd8d565a04feb8401d7cf0222ee990d3fdee10
-
SHA256
152aa5e7e5d464bf55a2460b2e1eb6493bb6bb28e507720e8348986277431c96
-
SHA512
3debecf997fada5d9775ee7b089af79bf7d5d2b30c287f637d39c3c050096740944e42d6743bdc3e0d7fcf0dbb4c3d4aa508e5f922e2ac6f965accbdf3142474
-
SSDEEP
1536:UWHJv8CgpqAtzzaNVS5iziho64Bf0sJifTduD4oTxw:JOCUNzaNVS5lKl0sJibdMTxw
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Illgimph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfbcbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncpcfkbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djmicm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhqbkhch.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhgdkjol.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpefdl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mieeibkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlcnda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dndlim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmbhok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbfbgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkcofe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Heihnoph.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmbiipml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gikaio32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Laegiq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikfmfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkaiqk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpqdkf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gakcimgf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hiknhbcg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpjhkjde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhloponc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmldme32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efaibbij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fikejl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbdonb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipllekdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkmcfhkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kicmdo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncpcfkbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Febfomdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Giieco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpcmpijk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdjpeifj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilcmjl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngdifkpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncmfqkdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpleef32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dndlim32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehgppi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghelfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfjhgdck.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hedocp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljffag32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpjdjmfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbhela32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhdcji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egllae32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlaeonld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndjfeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecejkf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcagpl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kocbkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlkepi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ednpej32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fiihdlpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlekia32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbgkcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Joaeeklp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lclnemgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhjapjmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Illgimph.exe -
Executes dropped EXE 64 IoCs
pid Process 2708 Bdbhke32.exe 2844 Bmkmdk32.exe 1708 Bbhela32.exe 2628 Biamilfj.exe 1996 Bpleef32.exe 1064 Bbjbaa32.exe 2352 Bmpfojmp.exe 2900 Bekkcljk.exe 2864 Bldcpf32.exe 1724 Baakhm32.exe 2936 Biicik32.exe 1744 Cadhnmnm.exe 2984 Cdbdjhmp.exe 2296 Cohigamf.exe 1952 Cnkicn32.exe 2096 Cnmehnan.exe 2420 Cpkbdiqb.exe 1272 Cjdfmo32.exe 892 Cnobnmpl.exe 1500 Cghggc32.exe 328 Cjfccn32.exe 2144 Dfmdho32.exe 2776 Dndlim32.exe 2700 Dlgldibq.exe 2780 Dglpbbbg.exe 2256 Dliijipn.exe 2576 Dpeekh32.exe 600 Djmicm32.exe 536 Dlkepi32.exe 2452 Dbhnhp32.exe 868 Ddgjdk32.exe 2644 Dolnad32.exe 2932 Dnoomqbg.exe 2468 Dhdcji32.exe 1004 Dkcofe32.exe 1872 Eqpgol32.exe 1576 Ehgppi32.exe 2980 Egjpkffe.exe 2196 Ejhlgaeh.exe 688 Ebodiofk.exe 108 Ednpej32.exe 2288 Ednpej32.exe 1192 Ecqqpgli.exe 1300 Egllae32.exe 1492 Ekhhadmk.exe 1000 Enfenplo.exe 1448 Eqdajkkb.exe 1540 Eccmffjf.exe 2808 Efaibbij.exe 2832 Ejmebq32.exe 2940 Enhacojl.exe 3036 Eqgnokip.exe 2464 Ecejkf32.exe 2596 Efcfga32.exe 2616 Eibbcm32.exe 2796 Eibbcm32.exe 1932 Eqijej32.exe 2916 Echfaf32.exe 1696 Effcma32.exe 1860 Fidoim32.exe 2232 Fmpkjkma.exe 1788 Fpngfgle.exe 408 Fcjcfe32.exe 2068 Ffhpbacb.exe -
Loads dropped DLL 64 IoCs
pid Process 2756 152aa5e7e5d464bf55a2460b2e1eb6493bb6bb28e507720e8348986277431c96N.exe 2756 152aa5e7e5d464bf55a2460b2e1eb6493bb6bb28e507720e8348986277431c96N.exe 2708 Bdbhke32.exe 2708 Bdbhke32.exe 2844 Bmkmdk32.exe 2844 Bmkmdk32.exe 1708 Bbhela32.exe 1708 Bbhela32.exe 2628 Biamilfj.exe 2628 Biamilfj.exe 1996 Bpleef32.exe 1996 Bpleef32.exe 1064 Bbjbaa32.exe 1064 Bbjbaa32.exe 2352 Bmpfojmp.exe 2352 Bmpfojmp.exe 2900 Bekkcljk.exe 2900 Bekkcljk.exe 2864 Bldcpf32.exe 2864 Bldcpf32.exe 1724 Baakhm32.exe 1724 Baakhm32.exe 2936 Biicik32.exe 2936 Biicik32.exe 1744 Cadhnmnm.exe 1744 Cadhnmnm.exe 2984 Cdbdjhmp.exe 2984 Cdbdjhmp.exe 2296 Cohigamf.exe 2296 Cohigamf.exe 1952 Cnkicn32.exe 1952 Cnkicn32.exe 2096 Cnmehnan.exe 2096 Cnmehnan.exe 2420 Cpkbdiqb.exe 2420 Cpkbdiqb.exe 1272 Cjdfmo32.exe 1272 Cjdfmo32.exe 892 Cnobnmpl.exe 892 Cnobnmpl.exe 1500 Cghggc32.exe 1500 Cghggc32.exe 328 Cjfccn32.exe 328 Cjfccn32.exe 2144 Dfmdho32.exe 2144 Dfmdho32.exe 2776 Dndlim32.exe 2776 Dndlim32.exe 2700 Dlgldibq.exe 2700 Dlgldibq.exe 2780 Dglpbbbg.exe 2780 Dglpbbbg.exe 2256 Dliijipn.exe 2256 Dliijipn.exe 2576 Dpeekh32.exe 2576 Dpeekh32.exe 600 Djmicm32.exe 600 Djmicm32.exe 536 Dlkepi32.exe 536 Dlkepi32.exe 2452 Dbhnhp32.exe 2452 Dbhnhp32.exe 868 Ddgjdk32.exe 868 Ddgjdk32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Malllmgi.dll Knpemf32.exe File created C:\Windows\SysWOW64\Apbfblll.dll Lgjfkk32.exe File created C:\Windows\SysWOW64\Djmicm32.exe Dpeekh32.exe File created C:\Windows\SysWOW64\Lhghcb32.dll Febfomdd.exe File opened for modification C:\Windows\SysWOW64\Gdgcpi32.exe Faigdn32.exe File opened for modification C:\Windows\SysWOW64\Gifhnpea.exe Ghelfg32.exe File created C:\Windows\SysWOW64\Lnhplkhl.dll Ipllekdl.exe File created C:\Windows\SysWOW64\Dddaaf32.dll Idcokkak.exe File opened for modification C:\Windows\SysWOW64\Jdbkjn32.exe Jbdonb32.exe File created C:\Windows\SysWOW64\Pelggd32.dll Kpjhkjde.exe File created C:\Windows\SysWOW64\Qffmipmp.dll Enfenplo.exe File created C:\Windows\SysWOW64\Pjehnpjo.dll Gdllkhdg.exe File opened for modification C:\Windows\SysWOW64\Giieco32.exe Gfjhgdck.exe File created C:\Windows\SysWOW64\Kkjcplpa.exe Kilfcpqm.exe File created C:\Windows\SysWOW64\Cpdcnhnl.dll Jnmlhchd.exe File created C:\Windows\SysWOW64\Kfbcbd32.exe Knklagmb.exe File opened for modification C:\Windows\SysWOW64\Efaibbij.exe Eccmffjf.exe File created C:\Windows\SysWOW64\Fglipi32.exe Fiihdlpc.exe File created C:\Windows\SysWOW64\Gpcmpijk.exe Gmdadnkh.exe File created C:\Windows\SysWOW64\Iheddndj.exe Iefhhbef.exe File created C:\Windows\SysWOW64\Jbgkcb32.exe Jjpcbe32.exe File opened for modification C:\Windows\SysWOW64\Fjmaaddo.exe Fljafg32.exe File created C:\Windows\SysWOW64\Jnbfqn32.dll Ikfmfi32.exe File opened for modification C:\Windows\SysWOW64\Jghmfhmb.exe Joaeeklp.exe File opened for modification C:\Windows\SysWOW64\Mieeibkn.exe Mffimglk.exe File created C:\Windows\SysWOW64\Mehjml32.dll Ncpcfkbg.exe File created C:\Windows\SysWOW64\Cbcodmih.dll Dhdcji32.exe File created C:\Windows\SysWOW64\Dempblao.dll Inifnq32.exe File opened for modification C:\Windows\SysWOW64\Knklagmb.exe Kohkfj32.exe File opened for modification C:\Windows\SysWOW64\Kkaiqk32.exe Kicmdo32.exe File created C:\Windows\SysWOW64\Oakomajq.dll Dbhnhp32.exe File opened for modification C:\Windows\SysWOW64\Ghcoqh32.exe Gdgcpi32.exe File created C:\Windows\SysWOW64\Gmgninie.exe Gikaio32.exe File created C:\Windows\SysWOW64\Hbfbgd32.exe Hpgfki32.exe File created C:\Windows\SysWOW64\Homclekn.exe Hlngpjlj.exe File opened for modification C:\Windows\SysWOW64\Modkfi32.exe Mhjbjopf.exe File created C:\Windows\SysWOW64\Nenobfak.exe Ncpcfkbg.exe File created C:\Windows\SysWOW64\Fpngfgle.exe Fmpkjkma.exe File opened for modification C:\Windows\SysWOW64\Jgfqaiod.exe Jcjdpj32.exe File created C:\Windows\SysWOW64\Kgdjgo32.dll Ndjfeo32.exe File created C:\Windows\SysWOW64\Ipjoplgo.exe Ilncom32.exe File opened for modification C:\Windows\SysWOW64\Llohjo32.exe Liplnc32.exe File created C:\Windows\SysWOW64\Najgne32.dll Eqijej32.exe File created C:\Windows\SysWOW64\Jndkpj32.dll Fljafg32.exe File created C:\Windows\SysWOW64\Jmianb32.dll Gfjhgdck.exe File opened for modification C:\Windows\SysWOW64\Gepehphc.exe Gbaileio.exe File opened for modification C:\Windows\SysWOW64\Gpejeihi.exe Gmgninie.exe File created C:\Windows\SysWOW64\Kilfcpqm.exe Kfmjgeaj.exe File opened for modification C:\Windows\SysWOW64\Linphc32.exe Lfpclh32.exe File created C:\Windows\SysWOW64\Llohjo32.exe Liplnc32.exe File opened for modification C:\Windows\SysWOW64\Cnmehnan.exe Cnkicn32.exe File created C:\Windows\SysWOW64\Epjomppp.dll Dglpbbbg.exe File created C:\Windows\SysWOW64\Fmmnjfia.dll Ffhpbacb.exe File created C:\Windows\SysWOW64\Gheabp32.dll Ghqnjk32.exe File created C:\Windows\SysWOW64\Jmbiipml.exe Jjdmmdnh.exe File created C:\Windows\SysWOW64\Modkfi32.exe Mhjbjopf.exe File opened for modification C:\Windows\SysWOW64\Mmihhelk.exe Mkklljmg.exe File created C:\Windows\SysWOW64\Jnicmdli.exe Jkjfah32.exe File created C:\Windows\SysWOW64\Imbiaa32.dll Migbnb32.exe File created C:\Windows\SysWOW64\Nblihc32.dll Hmfjha32.exe File opened for modification C:\Windows\SysWOW64\Ichllgfb.exe Ipjoplgo.exe File opened for modification C:\Windows\SysWOW64\Ieidmbcc.exe Icjhagdp.exe File created C:\Windows\SysWOW64\Cjdfmo32.exe Cpkbdiqb.exe File created C:\Windows\SysWOW64\Kmjolo32.dll Fiihdlpc.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3096 4060 WerFault.exe 293 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkcofe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhhfdo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpqdkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fiihdlpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcjdpj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kilfcpqm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmgocb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfjhgdck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmihhelk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Moidahcn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efaibbij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Homclekn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Legmbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mholen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fncdgcqm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlngpjlj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfknbe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkjcplpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngdifkpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbaileio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Effcma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoamgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbmjah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Modkfi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhllob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjfccn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnoomqbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lghjel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Liplnc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mponel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmldme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndhipoob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Libicbma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbjbaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enfenplo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Echfaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmpkjkma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpefdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipllekdl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgjfkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mieeibkn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cohigamf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlkepi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iedkbc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icjhagdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjpcbe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbpgggol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecqqpgli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Illgimph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knklagmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dolnad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehgppi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejmebq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gifhnpea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meppiblm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dglpbbbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fllnlg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcakaipc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nenobfak.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecejkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpcqaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbamma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpejeihi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnmlhchd.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajfaqa32.dll" Djmicm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebpopmpp.dll" Fmmkcoap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmmkcoap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idgjaf32.dll" Giieco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpcfqoam.dll" Jgojpjem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cehkbgdf.dll" Gbcfadgl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpekon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nkbalifo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kicmdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcopbn32.dll" Lapnnafn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nckjkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnobnmpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpbbfi32.dll" Ednpej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nblihc32.dll" Hmfjha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ichllgfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Joaeeklp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efaibbij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgfgbaoo.dll" Fglipi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ginnnooi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ileiplhn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Llohjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ffklhqao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fffdil32.dll" Icfofg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mifnekbi.dll" Kcakaipc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mieeibkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Affcmdmb.dll" Echfaf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Icfofg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nigome32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kfmjgeaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpmiamoh.dll" Kfbcbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lfpclh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfmdho32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eibbcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gfjhgdck.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hapicp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkmcfhkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlekia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfjiem32.dll" Ljffag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iefmgahq.dll" Baakhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dlgldibq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ffklhqao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpcqaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgegdo32.dll" Hkfagfop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbdonb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmplcp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mffimglk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdbdjhmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dpeekh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Echfaf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gffoldhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmmhnm32.dll" Hoopae32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mapjmehi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Modkfi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmihhelk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iefhhbef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfknbe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kohkfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nenobfak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ganpomec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnepch32.dll" Jbdonb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqalfl32.dll" Kincipnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbhela32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbjbaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehgppi32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2756 wrote to memory of 2708 2756 152aa5e7e5d464bf55a2460b2e1eb6493bb6bb28e507720e8348986277431c96N.exe 30 PID 2756 wrote to memory of 2708 2756 152aa5e7e5d464bf55a2460b2e1eb6493bb6bb28e507720e8348986277431c96N.exe 30 PID 2756 wrote to memory of 2708 2756 152aa5e7e5d464bf55a2460b2e1eb6493bb6bb28e507720e8348986277431c96N.exe 30 PID 2756 wrote to memory of 2708 2756 152aa5e7e5d464bf55a2460b2e1eb6493bb6bb28e507720e8348986277431c96N.exe 30 PID 2708 wrote to memory of 2844 2708 Bdbhke32.exe 31 PID 2708 wrote to memory of 2844 2708 Bdbhke32.exe 31 PID 2708 wrote to memory of 2844 2708 Bdbhke32.exe 31 PID 2708 wrote to memory of 2844 2708 Bdbhke32.exe 31 PID 2844 wrote to memory of 1708 2844 Bmkmdk32.exe 32 PID 2844 wrote to memory of 1708 2844 Bmkmdk32.exe 32 PID 2844 wrote to memory of 1708 2844 Bmkmdk32.exe 32 PID 2844 wrote to memory of 1708 2844 Bmkmdk32.exe 32 PID 1708 wrote to memory of 2628 1708 Bbhela32.exe 33 PID 1708 wrote to memory of 2628 1708 Bbhela32.exe 33 PID 1708 wrote to memory of 2628 1708 Bbhela32.exe 33 PID 1708 wrote to memory of 2628 1708 Bbhela32.exe 33 PID 2628 wrote to memory of 1996 2628 Biamilfj.exe 34 PID 2628 wrote to memory of 1996 2628 Biamilfj.exe 34 PID 2628 wrote to memory of 1996 2628 Biamilfj.exe 34 PID 2628 wrote to memory of 1996 2628 Biamilfj.exe 34 PID 1996 wrote to memory of 1064 1996 Bpleef32.exe 35 PID 1996 wrote to memory of 1064 1996 Bpleef32.exe 35 PID 1996 wrote to memory of 1064 1996 Bpleef32.exe 35 PID 1996 wrote to memory of 1064 1996 Bpleef32.exe 35 PID 1064 wrote to memory of 2352 1064 Bbjbaa32.exe 36 PID 1064 wrote to memory of 2352 1064 Bbjbaa32.exe 36 PID 1064 wrote to memory of 2352 1064 Bbjbaa32.exe 36 PID 1064 wrote to memory of 2352 1064 Bbjbaa32.exe 36 PID 2352 wrote to memory of 2900 2352 Bmpfojmp.exe 37 PID 2352 wrote to memory of 2900 2352 Bmpfojmp.exe 37 PID 2352 wrote to memory of 2900 2352 Bmpfojmp.exe 37 PID 2352 wrote to memory of 2900 2352 Bmpfojmp.exe 37 PID 2900 wrote to memory of 2864 2900 Bekkcljk.exe 38 PID 2900 wrote to memory of 2864 2900 Bekkcljk.exe 38 PID 2900 wrote to memory of 2864 2900 Bekkcljk.exe 38 PID 2900 wrote to memory of 2864 2900 Bekkcljk.exe 38 PID 2864 wrote to memory of 1724 2864 Bldcpf32.exe 39 PID 2864 wrote to memory of 1724 2864 Bldcpf32.exe 39 PID 2864 wrote to memory of 1724 2864 Bldcpf32.exe 39 PID 2864 wrote to memory of 1724 2864 Bldcpf32.exe 39 PID 1724 wrote to memory of 2936 1724 Baakhm32.exe 40 PID 1724 wrote to memory of 2936 1724 Baakhm32.exe 40 PID 1724 wrote to memory of 2936 1724 Baakhm32.exe 40 PID 1724 wrote to memory of 2936 1724 Baakhm32.exe 40 PID 2936 wrote to memory of 1744 2936 Biicik32.exe 41 PID 2936 wrote to memory of 1744 2936 Biicik32.exe 41 PID 2936 wrote to memory of 1744 2936 Biicik32.exe 41 PID 2936 wrote to memory of 1744 2936 Biicik32.exe 41 PID 1744 wrote to memory of 2984 1744 Cadhnmnm.exe 42 PID 1744 wrote to memory of 2984 1744 Cadhnmnm.exe 42 PID 1744 wrote to memory of 2984 1744 Cadhnmnm.exe 42 PID 1744 wrote to memory of 2984 1744 Cadhnmnm.exe 42 PID 2984 wrote to memory of 2296 2984 Cdbdjhmp.exe 43 PID 2984 wrote to memory of 2296 2984 Cdbdjhmp.exe 43 PID 2984 wrote to memory of 2296 2984 Cdbdjhmp.exe 43 PID 2984 wrote to memory of 2296 2984 Cdbdjhmp.exe 43 PID 2296 wrote to memory of 1952 2296 Cohigamf.exe 44 PID 2296 wrote to memory of 1952 2296 Cohigamf.exe 44 PID 2296 wrote to memory of 1952 2296 Cohigamf.exe 44 PID 2296 wrote to memory of 1952 2296 Cohigamf.exe 44 PID 1952 wrote to memory of 2096 1952 Cnkicn32.exe 45 PID 1952 wrote to memory of 2096 1952 Cnkicn32.exe 45 PID 1952 wrote to memory of 2096 1952 Cnkicn32.exe 45 PID 1952 wrote to memory of 2096 1952 Cnkicn32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\152aa5e7e5d464bf55a2460b2e1eb6493bb6bb28e507720e8348986277431c96N.exe"C:\Users\Admin\AppData\Local\Temp\152aa5e7e5d464bf55a2460b2e1eb6493bb6bb28e507720e8348986277431c96N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Bdbhke32.exeC:\Windows\system32\Bdbhke32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Bmkmdk32.exeC:\Windows\system32\Bmkmdk32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Bbhela32.exeC:\Windows\system32\Bbhela32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Windows\SysWOW64\Biamilfj.exeC:\Windows\system32\Biamilfj.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Bpleef32.exeC:\Windows\system32\Bpleef32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\SysWOW64\Bbjbaa32.exeC:\Windows\system32\Bbjbaa32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1064 -
C:\Windows\SysWOW64\Bmpfojmp.exeC:\Windows\system32\Bmpfojmp.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\Bekkcljk.exeC:\Windows\system32\Bekkcljk.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Bldcpf32.exeC:\Windows\system32\Bldcpf32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\Baakhm32.exeC:\Windows\system32\Baakhm32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1724 -
C:\Windows\SysWOW64\Biicik32.exeC:\Windows\system32\Biicik32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\Cadhnmnm.exeC:\Windows\system32\Cadhnmnm.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1744 -
C:\Windows\SysWOW64\Cdbdjhmp.exeC:\Windows\system32\Cdbdjhmp.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\SysWOW64\Cohigamf.exeC:\Windows\system32\Cohigamf.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\SysWOW64\Cnkicn32.exeC:\Windows\system32\Cnkicn32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1952 -
C:\Windows\SysWOW64\Cnmehnan.exeC:\Windows\system32\Cnmehnan.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2096 -
C:\Windows\SysWOW64\Cpkbdiqb.exeC:\Windows\system32\Cpkbdiqb.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2420 -
C:\Windows\SysWOW64\Cjdfmo32.exeC:\Windows\system32\Cjdfmo32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1272 -
C:\Windows\SysWOW64\Cnobnmpl.exeC:\Windows\system32\Cnobnmpl.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:892 -
C:\Windows\SysWOW64\Cghggc32.exeC:\Windows\system32\Cghggc32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1500 -
C:\Windows\SysWOW64\Cjfccn32.exeC:\Windows\system32\Cjfccn32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:328 -
C:\Windows\SysWOW64\Dfmdho32.exeC:\Windows\system32\Dfmdho32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2144 -
C:\Windows\SysWOW64\Dndlim32.exeC:\Windows\system32\Dndlim32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2776 -
C:\Windows\SysWOW64\Dlgldibq.exeC:\Windows\system32\Dlgldibq.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2700 -
C:\Windows\SysWOW64\Dglpbbbg.exeC:\Windows\system32\Dglpbbbg.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2780 -
C:\Windows\SysWOW64\Dliijipn.exeC:\Windows\system32\Dliijipn.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2256 -
C:\Windows\SysWOW64\Dpeekh32.exeC:\Windows\system32\Dpeekh32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2576 -
C:\Windows\SysWOW64\Djmicm32.exeC:\Windows\system32\Djmicm32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:600 -
C:\Windows\SysWOW64\Dlkepi32.exeC:\Windows\system32\Dlkepi32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:536 -
C:\Windows\SysWOW64\Dbhnhp32.exeC:\Windows\system32\Dbhnhp32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2452 -
C:\Windows\SysWOW64\Ddgjdk32.exeC:\Windows\system32\Ddgjdk32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:868 -
C:\Windows\SysWOW64\Dolnad32.exeC:\Windows\system32\Dolnad32.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2644 -
C:\Windows\SysWOW64\Dnoomqbg.exeC:\Windows\system32\Dnoomqbg.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2932 -
C:\Windows\SysWOW64\Dhdcji32.exeC:\Windows\system32\Dhdcji32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2468 -
C:\Windows\SysWOW64\Dkcofe32.exeC:\Windows\system32\Dkcofe32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1004 -
C:\Windows\SysWOW64\Eqpgol32.exeC:\Windows\system32\Eqpgol32.exe37⤵
- Executes dropped EXE
PID:1872 -
C:\Windows\SysWOW64\Ehgppi32.exeC:\Windows\system32\Ehgppi32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1576 -
C:\Windows\SysWOW64\Egjpkffe.exeC:\Windows\system32\Egjpkffe.exe39⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Ejhlgaeh.exeC:\Windows\system32\Ejhlgaeh.exe40⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Ebodiofk.exeC:\Windows\system32\Ebodiofk.exe41⤵
- Executes dropped EXE
PID:688 -
C:\Windows\SysWOW64\Ednpej32.exeC:\Windows\system32\Ednpej32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:108 -
C:\Windows\SysWOW64\Ednpej32.exeC:\Windows\system32\Ednpej32.exe43⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Ecqqpgli.exeC:\Windows\system32\Ecqqpgli.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1192 -
C:\Windows\SysWOW64\Egllae32.exeC:\Windows\system32\Egllae32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1300 -
C:\Windows\SysWOW64\Ekhhadmk.exeC:\Windows\system32\Ekhhadmk.exe46⤵
- Executes dropped EXE
PID:1492 -
C:\Windows\SysWOW64\Enfenplo.exeC:\Windows\system32\Enfenplo.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1000 -
C:\Windows\SysWOW64\Eqdajkkb.exeC:\Windows\system32\Eqdajkkb.exe48⤵
- Executes dropped EXE
PID:1448 -
C:\Windows\SysWOW64\Eccmffjf.exeC:\Windows\system32\Eccmffjf.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1540 -
C:\Windows\SysWOW64\Efaibbij.exeC:\Windows\system32\Efaibbij.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2808 -
C:\Windows\SysWOW64\Ejmebq32.exeC:\Windows\system32\Ejmebq32.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2832 -
C:\Windows\SysWOW64\Enhacojl.exeC:\Windows\system32\Enhacojl.exe52⤵
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Eqgnokip.exeC:\Windows\system32\Eqgnokip.exe53⤵
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Ecejkf32.exeC:\Windows\system32\Ecejkf32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2464 -
C:\Windows\SysWOW64\Efcfga32.exeC:\Windows\system32\Efcfga32.exe55⤵
- Executes dropped EXE
PID:2596 -
C:\Windows\SysWOW64\Eibbcm32.exeC:\Windows\system32\Eibbcm32.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:2616 -
C:\Windows\SysWOW64\Eibbcm32.exeC:\Windows\system32\Eibbcm32.exe57⤵
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Eqijej32.exeC:\Windows\system32\Eqijej32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1932 -
C:\Windows\SysWOW64\Echfaf32.exeC:\Windows\system32\Echfaf32.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2916 -
C:\Windows\SysWOW64\Effcma32.exeC:\Windows\system32\Effcma32.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1696 -
C:\Windows\SysWOW64\Fidoim32.exeC:\Windows\system32\Fidoim32.exe61⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Fmpkjkma.exeC:\Windows\system32\Fmpkjkma.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2232 -
C:\Windows\SysWOW64\Fpngfgle.exeC:\Windows\system32\Fpngfgle.exe63⤵
- Executes dropped EXE
PID:1788 -
C:\Windows\SysWOW64\Fcjcfe32.exeC:\Windows\system32\Fcjcfe32.exe64⤵
- Executes dropped EXE
PID:408 -
C:\Windows\SysWOW64\Ffhpbacb.exeC:\Windows\system32\Ffhpbacb.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2068 -
C:\Windows\SysWOW64\Figlolbf.exeC:\Windows\system32\Figlolbf.exe66⤵PID:2996
-
C:\Windows\SysWOW64\Fmbhok32.exeC:\Windows\system32\Fmbhok32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1728 -
C:\Windows\SysWOW64\Fpqdkf32.exeC:\Windows\system32\Fpqdkf32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2316 -
C:\Windows\SysWOW64\Fncdgcqm.exeC:\Windows\system32\Fncdgcqm.exe69⤵
- System Location Discovery: System Language Discovery
PID:2040 -
C:\Windows\SysWOW64\Ffklhqao.exeC:\Windows\system32\Ffklhqao.exe70⤵
- Modifies registry class
PID:2724 -
C:\Windows\SysWOW64\Fiihdlpc.exeC:\Windows\system32\Fiihdlpc.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2804 -
C:\Windows\SysWOW64\Fglipi32.exeC:\Windows\system32\Fglipi32.exe72⤵
- Modifies registry class
PID:3040 -
C:\Windows\SysWOW64\Fpcqaf32.exeC:\Windows\system32\Fpcqaf32.exe73⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:800 -
C:\Windows\SysWOW64\Fbamma32.exeC:\Windows\system32\Fbamma32.exe74⤵
- System Location Discovery: System Language Discovery
PID:2060 -
C:\Windows\SysWOW64\Fadminnn.exeC:\Windows\system32\Fadminnn.exe75⤵PID:2376
-
C:\Windows\SysWOW64\Fikejl32.exeC:\Windows\system32\Fikejl32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3060 -
C:\Windows\SysWOW64\Fljafg32.exeC:\Windows\system32\Fljafg32.exe77⤵
- Drops file in System32 directory
PID:3028 -
C:\Windows\SysWOW64\Fjmaaddo.exeC:\Windows\system32\Fjmaaddo.exe78⤵PID:2536
-
C:\Windows\SysWOW64\Fbdjbaea.exeC:\Windows\system32\Fbdjbaea.exe79⤵PID:2400
-
C:\Windows\SysWOW64\Fagjnn32.exeC:\Windows\system32\Fagjnn32.exe80⤵PID:852
-
C:\Windows\SysWOW64\Febfomdd.exeC:\Windows\system32\Febfomdd.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1884 -
C:\Windows\SysWOW64\Fhqbkhch.exeC:\Windows\system32\Fhqbkhch.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1032 -
C:\Windows\SysWOW64\Fllnlg32.exeC:\Windows\system32\Fllnlg32.exe83⤵
- System Location Discovery: System Language Discovery
PID:268 -
C:\Windows\SysWOW64\Fmmkcoap.exeC:\Windows\system32\Fmmkcoap.exe84⤵
- Modifies registry class
PID:1156 -
C:\Windows\SysWOW64\Faigdn32.exeC:\Windows\system32\Faigdn32.exe85⤵
- Drops file in System32 directory
PID:2960 -
C:\Windows\SysWOW64\Gdgcpi32.exeC:\Windows\system32\Gdgcpi32.exe86⤵
- Drops file in System32 directory
PID:2584 -
C:\Windows\SysWOW64\Ghcoqh32.exeC:\Windows\system32\Ghcoqh32.exe87⤵PID:2728
-
C:\Windows\SysWOW64\Gffoldhp.exeC:\Windows\system32\Gffoldhp.exe88⤵
- Modifies registry class
PID:664 -
C:\Windows\SysWOW64\Gmpgio32.exeC:\Windows\system32\Gmpgio32.exe89⤵PID:332
-
C:\Windows\SysWOW64\Gakcimgf.exeC:\Windows\system32\Gakcimgf.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:580 -
C:\Windows\SysWOW64\Gdjpeifj.exeC:\Windows\system32\Gdjpeifj.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2888 -
C:\Windows\SysWOW64\Ghelfg32.exeC:\Windows\system32\Ghelfg32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2372 -
C:\Windows\SysWOW64\Gifhnpea.exeC:\Windows\system32\Gifhnpea.exe93⤵
- System Location Discovery: System Language Discovery
PID:2228 -
C:\Windows\SysWOW64\Gmbdnn32.exeC:\Windows\system32\Gmbdnn32.exe94⤵PID:2132
-
C:\Windows\SysWOW64\Ganpomec.exeC:\Windows\system32\Ganpomec.exe95⤵
- Modifies registry class
PID:624 -
C:\Windows\SysWOW64\Gdllkhdg.exeC:\Windows\system32\Gdllkhdg.exe96⤵
- Drops file in System32 directory
PID:1580 -
C:\Windows\SysWOW64\Gfjhgdck.exeC:\Windows\system32\Gfjhgdck.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:928 -
C:\Windows\SysWOW64\Giieco32.exeC:\Windows\system32\Giieco32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1940 -
C:\Windows\SysWOW64\Gmdadnkh.exeC:\Windows\system32\Gmdadnkh.exe99⤵
- Drops file in System32 directory
PID:1056 -
C:\Windows\SysWOW64\Gpcmpijk.exeC:\Windows\system32\Gpcmpijk.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2672 -
C:\Windows\SysWOW64\Gbaileio.exeC:\Windows\system32\Gbaileio.exe101⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2580 -
C:\Windows\SysWOW64\Gepehphc.exeC:\Windows\system32\Gepehphc.exe102⤵PID:2608
-
C:\Windows\SysWOW64\Gikaio32.exeC:\Windows\system32\Gikaio32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2428 -
C:\Windows\SysWOW64\Gmgninie.exeC:\Windows\system32\Gmgninie.exe104⤵
- Drops file in System32 directory
PID:2436 -
C:\Windows\SysWOW64\Gpejeihi.exeC:\Windows\system32\Gpejeihi.exe105⤵
- System Location Discovery: System Language Discovery
PID:3056 -
C:\Windows\SysWOW64\Gbcfadgl.exeC:\Windows\system32\Gbcfadgl.exe106⤵
- Modifies registry class
PID:1748 -
C:\Windows\SysWOW64\Gebbnpfp.exeC:\Windows\system32\Gebbnpfp.exe107⤵PID:2220
-
C:\Windows\SysWOW64\Ginnnooi.exeC:\Windows\system32\Ginnnooi.exe108⤵
- Modifies registry class
PID:1416 -
C:\Windows\SysWOW64\Ghqnjk32.exeC:\Windows\system32\Ghqnjk32.exe109⤵
- Drops file in System32 directory
PID:848 -
C:\Windows\SysWOW64\Hpgfki32.exeC:\Windows\system32\Hpgfki32.exe110⤵
- Drops file in System32 directory
PID:1520 -
C:\Windows\SysWOW64\Hbfbgd32.exeC:\Windows\system32\Hbfbgd32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2092 -
C:\Windows\SysWOW64\Hedocp32.exeC:\Windows\system32\Hedocp32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1640 -
C:\Windows\SysWOW64\Hipkdnmf.exeC:\Windows\system32\Hipkdnmf.exe113⤵PID:2800
-
C:\Windows\SysWOW64\Hlngpjlj.exeC:\Windows\system32\Hlngpjlj.exe114⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1012 -
C:\Windows\SysWOW64\Homclekn.exeC:\Windows\system32\Homclekn.exe115⤵
- System Location Discovery: System Language Discovery
PID:1624 -
C:\Windows\SysWOW64\Hakphqja.exeC:\Windows\system32\Hakphqja.exe116⤵PID:2892
-
C:\Windows\SysWOW64\Heglio32.exeC:\Windows\system32\Heglio32.exe117⤵PID:2988
-
C:\Windows\SysWOW64\Hhehek32.exeC:\Windows\system32\Hhehek32.exe118⤵PID:2432
-
C:\Windows\SysWOW64\Hlqdei32.exeC:\Windows\system32\Hlqdei32.exe119⤵PID:2460
-
C:\Windows\SysWOW64\Hoopae32.exeC:\Windows\system32\Hoopae32.exe120⤵
- Modifies registry class
PID:768 -
C:\Windows\SysWOW64\Hanlnp32.exeC:\Windows\system32\Hanlnp32.exe121⤵PID:2216
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-