Analysis
-
max time kernel
37s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
13/10/2024, 15:03
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
38819aac3d2891815678a6f3587535056e7f1ead35662eb521243b904a5856a5N.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
38819aac3d2891815678a6f3587535056e7f1ead35662eb521243b904a5856a5N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
38819aac3d2891815678a6f3587535056e7f1ead35662eb521243b904a5856a5N.exe
-
Size
314KB
-
MD5
3455e39ecd920df4db538b47feb0d6b0
-
SHA1
2b9b982438965b8a6f85e5155e2ac2c97d5fe25b
-
SHA256
38819aac3d2891815678a6f3587535056e7f1ead35662eb521243b904a5856a5
-
SHA512
d183aff6111e527f665f7015380d98f711d6d8ce514964ea25a76a2d1351430df35673ffa14ce9ede8ad65a56dfc45cf4c228d929647069630830c26566e156c
-
SSDEEP
6144:Qf1gvoj6MB8MhjwszeXmr8SeNpgdyuH1lFDjC:QCi6Najb87gP3C
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfjhgdck.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlcnda32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkglameg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Baadng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpnbkeld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhqbkhch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Illgimph.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knpemf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Leimip32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkhofjoj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okdkal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okdkal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anccmo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfobbc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hojgfemq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmfjha32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfpclh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onpjghhn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afohaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blaopqpo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdildlie.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lccdel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmnace32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajpjakhc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmdmcanc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bblogakg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpeekh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfhladfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnpinc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbiqfied.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nibebfpl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okanklik.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Biamilfj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnielm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iompkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kicmdo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Moidahcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qijdocfj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amelne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gepehphc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mofglh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckiigmcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpmapm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eplkpgnh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qijdocfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Biamilfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cclkfdnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Figlolbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fepiimfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngfflj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjbjhgde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbnoliap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apoooa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcnbablo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqdajkkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gedbdlbb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbiqfied.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onbgmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgcmlcja.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nofdklgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohhkjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blobjaba.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baadng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emkaol32.exe -
Executes dropped EXE 64 IoCs
pid Process 2692 Pqkmjh32.exe 2964 Pkpagq32.exe 2624 Pjcabmga.exe 2636 Pcnbablo.exe 2664 Qbcpbo32.exe 1956 Qlkdkd32.exe 2280 Alnqqd32.exe 576 Abhimnma.exe 2000 Abjebn32.exe 1868 Ajejgp32.exe 1268 Ahikqd32.exe 2892 Anccmo32.exe 1320 Afohaa32.exe 2412 Amhpnkch.exe 1508 Bmkmdk32.exe 836 Biamilfj.exe 980 Bmpfojmp.exe 1540 Bpnbkeld.exe 1616 Bblogakg.exe 876 Bldcpf32.exe 2132 Biicik32.exe 1736 Blgpef32.exe 2136 Ccahbp32.exe 2996 Clilkfnb.exe 2812 Cgcmlcja.exe 2712 Chbjffad.exe 2088 Ckafbbph.exe 2840 Cclkfdnc.exe 1948 Cghggc32.exe 3052 Cppkph32.exe 3068 Dgjclbdi.exe 2432 Djhphncm.exe 1672 Doehqead.exe 1904 Dfoqmo32.exe 824 Dpeekh32.exe 1684 Dcenlceh.exe 1360 Dfdjhndl.exe 1448 Dnoomqbg.exe 1048 Ddigjkid.exe 2516 Eqpgol32.exe 1144 Ehgppi32.exe 1888 Ejhlgaeh.exe 1784 Endhhp32.exe 2016 Ecqqpgli.exe 1012 Egllae32.exe 1748 Ejkima32.exe 1752 Eqdajkkb.exe 2732 Edpmjj32.exe 2852 Egoife32.exe 2640 Ejmebq32.exe 1876 Emkaol32.exe 3020 Ecejkf32.exe 2336 Efcfga32.exe 2340 Eibbcm32.exe 1740 Eplkpgnh.exe 2156 Ebjglbml.exe 2916 Fjaonpnn.exe 2492 Fmpkjkma.exe 1704 Fpngfgle.exe 680 Fbmcbbki.exe 856 Figlolbf.exe 844 Flehkhai.exe 1372 Fncdgcqm.exe 2020 Ffklhqao.exe -
Loads dropped DLL 64 IoCs
pid Process 2680 38819aac3d2891815678a6f3587535056e7f1ead35662eb521243b904a5856a5N.exe 2680 38819aac3d2891815678a6f3587535056e7f1ead35662eb521243b904a5856a5N.exe 2692 Pqkmjh32.exe 2692 Pqkmjh32.exe 2964 Pkpagq32.exe 2964 Pkpagq32.exe 2624 Pjcabmga.exe 2624 Pjcabmga.exe 2636 Pcnbablo.exe 2636 Pcnbablo.exe 2664 Qbcpbo32.exe 2664 Qbcpbo32.exe 1956 Qlkdkd32.exe 1956 Qlkdkd32.exe 2280 Alnqqd32.exe 2280 Alnqqd32.exe 576 Abhimnma.exe 576 Abhimnma.exe 2000 Abjebn32.exe 2000 Abjebn32.exe 1868 Ajejgp32.exe 1868 Ajejgp32.exe 1268 Ahikqd32.exe 1268 Ahikqd32.exe 2892 Anccmo32.exe 2892 Anccmo32.exe 1320 Afohaa32.exe 1320 Afohaa32.exe 2412 Amhpnkch.exe 2412 Amhpnkch.exe 1508 Bmkmdk32.exe 1508 Bmkmdk32.exe 836 Biamilfj.exe 836 Biamilfj.exe 980 Bmpfojmp.exe 980 Bmpfojmp.exe 1540 Bpnbkeld.exe 1540 Bpnbkeld.exe 1616 Bblogakg.exe 1616 Bblogakg.exe 876 Bldcpf32.exe 876 Bldcpf32.exe 2132 Biicik32.exe 2132 Biicik32.exe 1736 Blgpef32.exe 1736 Blgpef32.exe 2136 Ccahbp32.exe 2136 Ccahbp32.exe 1576 Cddaphkn.exe 1576 Cddaphkn.exe 2812 Cgcmlcja.exe 2812 Cgcmlcja.exe 2712 Chbjffad.exe 2712 Chbjffad.exe 2088 Ckafbbph.exe 2088 Ckafbbph.exe 2840 Cclkfdnc.exe 2840 Cclkfdnc.exe 1948 Cghggc32.exe 1948 Cghggc32.exe 3052 Cppkph32.exe 3052 Cppkph32.exe 3068 Dgjclbdi.exe 3068 Dgjclbdi.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Pqkmjh32.exe 38819aac3d2891815678a6f3587535056e7f1ead35662eb521243b904a5856a5N.exe File created C:\Windows\SysWOW64\Dpeekh32.exe Dfoqmo32.exe File created C:\Windows\SysWOW64\Kofopj32.exe Kmgbdo32.exe File created C:\Windows\SysWOW64\Nlcnda32.exe Nkbalifo.exe File opened for modification C:\Windows\SysWOW64\Jdehon32.exe Jbgkcb32.exe File opened for modification C:\Windows\SysWOW64\Fllnlg32.exe Fhqbkhch.exe File opened for modification C:\Windows\SysWOW64\Hipkdnmf.exe Hedocp32.exe File created C:\Windows\SysWOW64\Lfbpag32.exe Lccdel32.exe File created C:\Windows\SysWOW64\Npagjpcd.exe Nigome32.exe File created C:\Windows\SysWOW64\Bfbdiclb.dll Pmjqcc32.exe File created C:\Windows\SysWOW64\Egllae32.exe Ecqqpgli.exe File opened for modification C:\Windows\SysWOW64\Hpbiommg.exe Hmdmcanc.exe File created C:\Windows\SysWOW64\Mecjiaic.dll Idnaoohk.exe File created C:\Windows\SysWOW64\Eeejnlhc.dll Ngfflj32.exe File created C:\Windows\SysWOW64\Bllbijej.dll Qlkdkd32.exe File opened for modification C:\Windows\SysWOW64\Clilkfnb.exe Ccahbp32.exe File created C:\Windows\SysWOW64\Eplkpgnh.exe Eibbcm32.exe File created C:\Windows\SysWOW64\Lbiqfied.exe Llohjo32.exe File created C:\Windows\SysWOW64\Bmkmdk32.exe Amhpnkch.exe File opened for modification C:\Windows\SysWOW64\Dgjclbdi.exe Cppkph32.exe File created C:\Windows\SysWOW64\Qmbbdq32.dll Fepiimfg.exe File opened for modification C:\Windows\SysWOW64\Ljffag32.exe Lclnemgd.exe File created C:\Windows\SysWOW64\Pqfjpj32.dll Abbeflpf.exe File created C:\Windows\SysWOW64\Fdbnmk32.dll Laegiq32.exe File created C:\Windows\SysWOW64\Pmjqcc32.exe Pjldghjm.exe File created C:\Windows\SysWOW64\Ljffag32.exe Lclnemgd.exe File created C:\Windows\SysWOW64\Mencccop.exe Modkfi32.exe File created C:\Windows\SysWOW64\Gdniqh32.exe Gfjhgdck.exe File opened for modification C:\Windows\SysWOW64\Gbaileio.exe Gdniqh32.exe File opened for modification C:\Windows\SysWOW64\Mholen32.exe Maedhd32.exe File created C:\Windows\SysWOW64\Pjcabmga.exe Pkpagq32.exe File created C:\Windows\SysWOW64\Abjebn32.exe Abhimnma.exe File created C:\Windows\SysWOW64\Hkaglf32.exe Hipkdnmf.exe File opened for modification C:\Windows\SysWOW64\Mpmapm32.exe Mlaeonld.exe File created C:\Windows\SysWOW64\Fadminnn.exe Fnfamcoj.exe File created C:\Windows\SysWOW64\Modkfi32.exe Mkhofjoj.exe File opened for modification C:\Windows\SysWOW64\Mofglh32.exe Mkklljmg.exe File opened for modification C:\Windows\SysWOW64\Bfkpqn32.exe Baohhgnf.exe File created C:\Windows\SysWOW64\Ndjfeo32.exe Nlcnda32.exe File opened for modification C:\Windows\SysWOW64\Pbkbgjcc.exe Pomfkndo.exe File created C:\Windows\SysWOW64\Pcnbablo.exe Pjcabmga.exe File opened for modification C:\Windows\SysWOW64\Jqnejn32.exe Jnpinc32.exe File opened for modification C:\Windows\SysWOW64\Lcagpl32.exe Lmgocb32.exe File opened for modification C:\Windows\SysWOW64\Mlaeonld.exe Legmbd32.exe File opened for modification C:\Windows\SysWOW64\Qbbhgi32.exe Qodlkm32.exe File created C:\Windows\SysWOW64\Ilncom32.exe Inkccpgk.exe File created C:\Windows\SysWOW64\Dgalgjnb.dll Jqgoiokm.exe File opened for modification C:\Windows\SysWOW64\Amelne32.exe Afkdakjb.exe File created C:\Windows\SysWOW64\Bpnbkeld.exe Bmpfojmp.exe File created C:\Windows\SysWOW64\Gheabp32.dll Ginnnooi.exe File created C:\Windows\SysWOW64\Nljddpfe.exe Nilhhdga.exe File created C:\Windows\SysWOW64\Qcjfoqkg.dll Abhimnma.exe File created C:\Windows\SysWOW64\Jhpjaq32.dll Onecbg32.exe File created C:\Windows\SysWOW64\Hbcicn32.dll Aecaidjl.exe File created C:\Windows\SysWOW64\Pghhkllb.dll Leimip32.exe File created C:\Windows\SysWOW64\Lmgocb32.exe Lndohedg.exe File opened for modification C:\Windows\SysWOW64\Pmojocel.exe Pjpnbg32.exe File opened for modification C:\Windows\SysWOW64\Baadng32.exe Bkglameg.exe File created C:\Windows\SysWOW64\Ncmdic32.dll Qeohnd32.exe File created C:\Windows\SysWOW64\Ajbggjfq.exe Agdjkogm.exe File created C:\Windows\SysWOW64\Kgfkcnlb.dll Cpceidcn.exe File created C:\Windows\SysWOW64\Fjaonpnn.exe Ebjglbml.exe File opened for modification C:\Windows\SysWOW64\Iamimc32.exe Ioolqh32.exe File opened for modification C:\Windows\SysWOW64\Nofdklgl.exe Nhllob32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3808 3692 WerFault.exe 330 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gedbdlbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gakcimgf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ginnnooi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpjhkjde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlaeonld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmlhnagm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkmhaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkbalifo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pomfkndo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amhpnkch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhjapjmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgjfkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llohjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baadng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdildlie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmfjha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knpemf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npagjpcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajejgp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebjglbml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbaileio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfbcbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meijhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blgpef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fglipi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qbbhgi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aganeoip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anccmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghelfg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ganpomec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikfmfi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdgdempa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nadpgggp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alhmjbhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iedkbc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odeiibdq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Leimip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocfigjlp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onpjghhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpceidcn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fllnlg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Faigdn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdllkhdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdniqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhllob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkglameg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbmcbbki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hiknhbcg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilncom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Laegiq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odlojanh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bldcpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecejkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkaglf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fiihdlpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnhnbb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfbpag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mencccop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddigjkid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ackkppma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baohhgnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nofdklgl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndjfeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohhkjp32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkcggqfg.dll" Hmdmcanc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfdnjb32.dll" Gmbdnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbgkcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jcmafj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blkahecm.dll" Pbnoliap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Milokblc.dll" Pkpagq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjaonpnn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbmcbbki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfjiem32.dll" Ljffag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpmapm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mkmhaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qodlkm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qkkmqnck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmdgmd32.dll" Eqdajkkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kohkfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Egoife32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mffimglk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpbplnnk.dll" Mapjmehi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Baohhgnf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjifhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ikfmfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nigome32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhllob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdihmjpf.dll" Ahikqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lbiqfied.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhaikn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjpnbg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iedkbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhneehek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mpmapm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdepma32.dll" Ohcaoajg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnielm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iecenlqh.dll" Bmkmdk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jdehon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmgbdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lccdel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ocfigjlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aalpaf32.dll" Pfdabino.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qkkmqnck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amcpie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpelbgel.dll" Jgagfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbdklf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbnoliap.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qeohnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Apoooa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Biojif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jdgdempa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igonafba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Icmegf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbdklf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lfpclh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndhipoob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afohaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdildlie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokjlf32.dll" Hiknhbcg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnmlhchd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Keednado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lclclfdi.dll" Pkdgpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihmnkh32.dll" Beejng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Higeofeq.dll" Gedbdlbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poceplpj.dll" Llohjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Maedhd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Niikceid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Homclekn.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2680 wrote to memory of 2692 2680 38819aac3d2891815678a6f3587535056e7f1ead35662eb521243b904a5856a5N.exe 30 PID 2680 wrote to memory of 2692 2680 38819aac3d2891815678a6f3587535056e7f1ead35662eb521243b904a5856a5N.exe 30 PID 2680 wrote to memory of 2692 2680 38819aac3d2891815678a6f3587535056e7f1ead35662eb521243b904a5856a5N.exe 30 PID 2680 wrote to memory of 2692 2680 38819aac3d2891815678a6f3587535056e7f1ead35662eb521243b904a5856a5N.exe 30 PID 2692 wrote to memory of 2964 2692 Pqkmjh32.exe 31 PID 2692 wrote to memory of 2964 2692 Pqkmjh32.exe 31 PID 2692 wrote to memory of 2964 2692 Pqkmjh32.exe 31 PID 2692 wrote to memory of 2964 2692 Pqkmjh32.exe 31 PID 2964 wrote to memory of 2624 2964 Pkpagq32.exe 32 PID 2964 wrote to memory of 2624 2964 Pkpagq32.exe 32 PID 2964 wrote to memory of 2624 2964 Pkpagq32.exe 32 PID 2964 wrote to memory of 2624 2964 Pkpagq32.exe 32 PID 2624 wrote to memory of 2636 2624 Pjcabmga.exe 33 PID 2624 wrote to memory of 2636 2624 Pjcabmga.exe 33 PID 2624 wrote to memory of 2636 2624 Pjcabmga.exe 33 PID 2624 wrote to memory of 2636 2624 Pjcabmga.exe 33 PID 2636 wrote to memory of 2664 2636 Pcnbablo.exe 34 PID 2636 wrote to memory of 2664 2636 Pcnbablo.exe 34 PID 2636 wrote to memory of 2664 2636 Pcnbablo.exe 34 PID 2636 wrote to memory of 2664 2636 Pcnbablo.exe 34 PID 2664 wrote to memory of 1956 2664 Qbcpbo32.exe 35 PID 2664 wrote to memory of 1956 2664 Qbcpbo32.exe 35 PID 2664 wrote to memory of 1956 2664 Qbcpbo32.exe 35 PID 2664 wrote to memory of 1956 2664 Qbcpbo32.exe 35 PID 1956 wrote to memory of 2280 1956 Qlkdkd32.exe 36 PID 1956 wrote to memory of 2280 1956 Qlkdkd32.exe 36 PID 1956 wrote to memory of 2280 1956 Qlkdkd32.exe 36 PID 1956 wrote to memory of 2280 1956 Qlkdkd32.exe 36 PID 2280 wrote to memory of 576 2280 Alnqqd32.exe 37 PID 2280 wrote to memory of 576 2280 Alnqqd32.exe 37 PID 2280 wrote to memory of 576 2280 Alnqqd32.exe 37 PID 2280 wrote to memory of 576 2280 Alnqqd32.exe 37 PID 576 wrote to memory of 2000 576 Abhimnma.exe 38 PID 576 wrote to memory of 2000 576 Abhimnma.exe 38 PID 576 wrote to memory of 2000 576 Abhimnma.exe 38 PID 576 wrote to memory of 2000 576 Abhimnma.exe 38 PID 2000 wrote to memory of 1868 2000 Abjebn32.exe 39 PID 2000 wrote to memory of 1868 2000 Abjebn32.exe 39 PID 2000 wrote to memory of 1868 2000 Abjebn32.exe 39 PID 2000 wrote to memory of 1868 2000 Abjebn32.exe 39 PID 1868 wrote to memory of 1268 1868 Ajejgp32.exe 40 PID 1868 wrote to memory of 1268 1868 Ajejgp32.exe 40 PID 1868 wrote to memory of 1268 1868 Ajejgp32.exe 40 PID 1868 wrote to memory of 1268 1868 Ajejgp32.exe 40 PID 1268 wrote to memory of 2892 1268 Ahikqd32.exe 41 PID 1268 wrote to memory of 2892 1268 Ahikqd32.exe 41 PID 1268 wrote to memory of 2892 1268 Ahikqd32.exe 41 PID 1268 wrote to memory of 2892 1268 Ahikqd32.exe 41 PID 2892 wrote to memory of 1320 2892 Anccmo32.exe 42 PID 2892 wrote to memory of 1320 2892 Anccmo32.exe 42 PID 2892 wrote to memory of 1320 2892 Anccmo32.exe 42 PID 2892 wrote to memory of 1320 2892 Anccmo32.exe 42 PID 1320 wrote to memory of 2412 1320 Afohaa32.exe 43 PID 1320 wrote to memory of 2412 1320 Afohaa32.exe 43 PID 1320 wrote to memory of 2412 1320 Afohaa32.exe 43 PID 1320 wrote to memory of 2412 1320 Afohaa32.exe 43 PID 2412 wrote to memory of 1508 2412 Amhpnkch.exe 44 PID 2412 wrote to memory of 1508 2412 Amhpnkch.exe 44 PID 2412 wrote to memory of 1508 2412 Amhpnkch.exe 44 PID 2412 wrote to memory of 1508 2412 Amhpnkch.exe 44 PID 1508 wrote to memory of 836 1508 Bmkmdk32.exe 45 PID 1508 wrote to memory of 836 1508 Bmkmdk32.exe 45 PID 1508 wrote to memory of 836 1508 Bmkmdk32.exe 45 PID 1508 wrote to memory of 836 1508 Bmkmdk32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\38819aac3d2891815678a6f3587535056e7f1ead35662eb521243b904a5856a5N.exe"C:\Users\Admin\AppData\Local\Temp\38819aac3d2891815678a6f3587535056e7f1ead35662eb521243b904a5856a5N.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Pqkmjh32.exeC:\Windows\system32\Pqkmjh32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Pkpagq32.exeC:\Windows\system32\Pkpagq32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Pjcabmga.exeC:\Windows\system32\Pjcabmga.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Pcnbablo.exeC:\Windows\system32\Pcnbablo.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\Qbcpbo32.exeC:\Windows\system32\Qbcpbo32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Qlkdkd32.exeC:\Windows\system32\Qlkdkd32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Windows\SysWOW64\Alnqqd32.exeC:\Windows\system32\Alnqqd32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\SysWOW64\Abhimnma.exeC:\Windows\system32\Abhimnma.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:576 -
C:\Windows\SysWOW64\Abjebn32.exeC:\Windows\system32\Abjebn32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Windows\SysWOW64\Ajejgp32.exeC:\Windows\system32\Ajejgp32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1868 -
C:\Windows\SysWOW64\Ahikqd32.exeC:\Windows\system32\Ahikqd32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1268 -
C:\Windows\SysWOW64\Anccmo32.exeC:\Windows\system32\Anccmo32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\Afohaa32.exeC:\Windows\system32\Afohaa32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1320 -
C:\Windows\SysWOW64\Amhpnkch.exeC:\Windows\system32\Amhpnkch.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\Bmkmdk32.exeC:\Windows\system32\Bmkmdk32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1508 -
C:\Windows\SysWOW64\Biamilfj.exeC:\Windows\system32\Biamilfj.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:836 -
C:\Windows\SysWOW64\Bmpfojmp.exeC:\Windows\system32\Bmpfojmp.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:980 -
C:\Windows\SysWOW64\Bpnbkeld.exeC:\Windows\system32\Bpnbkeld.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1540 -
C:\Windows\SysWOW64\Bblogakg.exeC:\Windows\system32\Bblogakg.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1616 -
C:\Windows\SysWOW64\Bldcpf32.exeC:\Windows\system32\Bldcpf32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:876 -
C:\Windows\SysWOW64\Biicik32.exeC:\Windows\system32\Biicik32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2132 -
C:\Windows\SysWOW64\Blgpef32.exeC:\Windows\system32\Blgpef32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1736 -
C:\Windows\SysWOW64\Ccahbp32.exeC:\Windows\system32\Ccahbp32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2136 -
C:\Windows\SysWOW64\Clilkfnb.exeC:\Windows\system32\Clilkfnb.exe25⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Cddaphkn.exeC:\Windows\system32\Cddaphkn.exe26⤵
- Loads dropped DLL
PID:1576 -
C:\Windows\SysWOW64\Cgcmlcja.exeC:\Windows\system32\Cgcmlcja.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2812 -
C:\Windows\SysWOW64\Chbjffad.exeC:\Windows\system32\Chbjffad.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2712 -
C:\Windows\SysWOW64\Ckafbbph.exeC:\Windows\system32\Ckafbbph.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2088 -
C:\Windows\SysWOW64\Cclkfdnc.exeC:\Windows\system32\Cclkfdnc.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2840 -
C:\Windows\SysWOW64\Cghggc32.exeC:\Windows\system32\Cghggc32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1948 -
C:\Windows\SysWOW64\Cppkph32.exeC:\Windows\system32\Cppkph32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3052 -
C:\Windows\SysWOW64\Dgjclbdi.exeC:\Windows\system32\Dgjclbdi.exe33⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3068 -
C:\Windows\SysWOW64\Djhphncm.exeC:\Windows\system32\Djhphncm.exe34⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Doehqead.exeC:\Windows\system32\Doehqead.exe35⤵
- Executes dropped EXE
PID:1672 -
C:\Windows\SysWOW64\Dfoqmo32.exeC:\Windows\system32\Dfoqmo32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1904 -
C:\Windows\SysWOW64\Dpeekh32.exeC:\Windows\system32\Dpeekh32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:824 -
C:\Windows\SysWOW64\Dcenlceh.exeC:\Windows\system32\Dcenlceh.exe38⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Dfdjhndl.exeC:\Windows\system32\Dfdjhndl.exe39⤵
- Executes dropped EXE
PID:1360 -
C:\Windows\SysWOW64\Dnoomqbg.exeC:\Windows\system32\Dnoomqbg.exe40⤵
- Executes dropped EXE
PID:1448 -
C:\Windows\SysWOW64\Ddigjkid.exeC:\Windows\system32\Ddigjkid.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1048 -
C:\Windows\SysWOW64\Eqpgol32.exeC:\Windows\system32\Eqpgol32.exe42⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Ehgppi32.exeC:\Windows\system32\Ehgppi32.exe43⤵
- Executes dropped EXE
PID:1144 -
C:\Windows\SysWOW64\Ejhlgaeh.exeC:\Windows\system32\Ejhlgaeh.exe44⤵
- Executes dropped EXE
PID:1888 -
C:\Windows\SysWOW64\Endhhp32.exeC:\Windows\system32\Endhhp32.exe45⤵
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Ecqqpgli.exeC:\Windows\system32\Ecqqpgli.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2016 -
C:\Windows\SysWOW64\Egllae32.exeC:\Windows\system32\Egllae32.exe47⤵
- Executes dropped EXE
PID:1012 -
C:\Windows\SysWOW64\Ejkima32.exeC:\Windows\system32\Ejkima32.exe48⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Eqdajkkb.exeC:\Windows\system32\Eqdajkkb.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1752 -
C:\Windows\SysWOW64\Edpmjj32.exeC:\Windows\system32\Edpmjj32.exe50⤵
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Egoife32.exeC:\Windows\system32\Egoife32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:2852 -
C:\Windows\SysWOW64\Ejmebq32.exeC:\Windows\system32\Ejmebq32.exe52⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Emkaol32.exeC:\Windows\system32\Emkaol32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1876 -
C:\Windows\SysWOW64\Ecejkf32.exeC:\Windows\system32\Ecejkf32.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3020 -
C:\Windows\SysWOW64\Efcfga32.exeC:\Windows\system32\Efcfga32.exe55⤵
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Eibbcm32.exeC:\Windows\system32\Eibbcm32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2340 -
C:\Windows\SysWOW64\Eplkpgnh.exeC:\Windows\system32\Eplkpgnh.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Ebjglbml.exeC:\Windows\system32\Ebjglbml.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2156 -
C:\Windows\SysWOW64\Fjaonpnn.exeC:\Windows\system32\Fjaonpnn.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:2916 -
C:\Windows\SysWOW64\Fmpkjkma.exeC:\Windows\system32\Fmpkjkma.exe60⤵
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\Fpngfgle.exeC:\Windows\system32\Fpngfgle.exe61⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Fbmcbbki.exeC:\Windows\system32\Fbmcbbki.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:680 -
C:\Windows\SysWOW64\Figlolbf.exeC:\Windows\system32\Figlolbf.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:856 -
C:\Windows\SysWOW64\Flehkhai.exeC:\Windows\system32\Flehkhai.exe64⤵
- Executes dropped EXE
PID:844 -
C:\Windows\SysWOW64\Fncdgcqm.exeC:\Windows\system32\Fncdgcqm.exe65⤵
- Executes dropped EXE
PID:1372 -
C:\Windows\SysWOW64\Ffklhqao.exeC:\Windows\system32\Ffklhqao.exe66⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Fiihdlpc.exeC:\Windows\system32\Fiihdlpc.exe67⤵
- System Location Discovery: System Language Discovery
PID:2696 -
C:\Windows\SysWOW64\Fglipi32.exeC:\Windows\system32\Fglipi32.exe68⤵
- System Location Discovery: System Language Discovery
PID:3012 -
C:\Windows\SysWOW64\Fnfamcoj.exeC:\Windows\system32\Fnfamcoj.exe69⤵
- Drops file in System32 directory
PID:2740 -
C:\Windows\SysWOW64\Fadminnn.exeC:\Windows\system32\Fadminnn.exe70⤵PID:2724
-
C:\Windows\SysWOW64\Fepiimfg.exeC:\Windows\system32\Fepiimfg.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2232 -
C:\Windows\SysWOW64\Fhneehek.exeC:\Windows\system32\Fhneehek.exe72⤵
- Modifies registry class
PID:2600 -
C:\Windows\SysWOW64\Fnhnbb32.exeC:\Windows\system32\Fnhnbb32.exe73⤵
- System Location Discovery: System Language Discovery
PID:1032 -
C:\Windows\SysWOW64\Fagjnn32.exeC:\Windows\system32\Fagjnn32.exe74⤵PID:2884
-
C:\Windows\SysWOW64\Fhqbkhch.exeC:\Windows\system32\Fhqbkhch.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2328 -
C:\Windows\SysWOW64\Fllnlg32.exeC:\Windows\system32\Fllnlg32.exe76⤵
- System Location Discovery: System Language Discovery
PID:2904 -
C:\Windows\SysWOW64\Fmmkcoap.exeC:\Windows\system32\Fmmkcoap.exe77⤵PID:2556
-
C:\Windows\SysWOW64\Faigdn32.exeC:\Windows\system32\Faigdn32.exe78⤵
- System Location Discovery: System Language Discovery
PID:2768 -
C:\Windows\SysWOW64\Gedbdlbb.exeC:\Windows\system32\Gedbdlbb.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:444 -
C:\Windows\SysWOW64\Gjakmc32.exeC:\Windows\system32\Gjakmc32.exe80⤵PID:1368
-
C:\Windows\SysWOW64\Gakcimgf.exeC:\Windows\system32\Gakcimgf.exe81⤵
- System Location Discovery: System Language Discovery
PID:1028 -
C:\Windows\SysWOW64\Ghelfg32.exeC:\Windows\system32\Ghelfg32.exe82⤵
- System Location Discovery: System Language Discovery
PID:2464 -
C:\Windows\SysWOW64\Gfhladfn.exeC:\Windows\system32\Gfhladfn.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2356 -
C:\Windows\SysWOW64\Gmbdnn32.exeC:\Windows\system32\Gmbdnn32.exe84⤵
- Modifies registry class
PID:2828 -
C:\Windows\SysWOW64\Ganpomec.exeC:\Windows\system32\Ganpomec.exe85⤵
- System Location Discovery: System Language Discovery
PID:2824 -
C:\Windows\SysWOW64\Gdllkhdg.exeC:\Windows\system32\Gdllkhdg.exe86⤵
- System Location Discovery: System Language Discovery
PID:2644 -
C:\Windows\SysWOW64\Gfjhgdck.exeC:\Windows\system32\Gfjhgdck.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1932 -
C:\Windows\SysWOW64\Gdniqh32.exeC:\Windows\system32\Gdniqh32.exe88⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2184 -
C:\Windows\SysWOW64\Gbaileio.exeC:\Windows\system32\Gbaileio.exe89⤵
- System Location Discovery: System Language Discovery
PID:2836 -
C:\Windows\SysWOW64\Gepehphc.exeC:\Windows\system32\Gepehphc.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1724 -
C:\Windows\SysWOW64\Gikaio32.exeC:\Windows\system32\Gikaio32.exe91⤵PID:2980
-
C:\Windows\SysWOW64\Gpejeihi.exeC:\Windows\system32\Gpejeihi.exe92⤵PID:2552
-
C:\Windows\SysWOW64\Gfobbc32.exeC:\Windows\system32\Gfobbc32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1744 -
C:\Windows\SysWOW64\Ginnnooi.exeC:\Windows\system32\Ginnnooi.exe94⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1900 -
C:\Windows\SysWOW64\Hpgfki32.exeC:\Windows\system32\Hpgfki32.exe95⤵PID:692
-
C:\Windows\SysWOW64\Hojgfemq.exeC:\Windows\system32\Hojgfemq.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1336 -
C:\Windows\SysWOW64\Hedocp32.exeC:\Windows\system32\Hedocp32.exe97⤵
- Drops file in System32 directory
PID:2240 -
C:\Windows\SysWOW64\Hipkdnmf.exeC:\Windows\system32\Hipkdnmf.exe98⤵
- Drops file in System32 directory
PID:2324 -
C:\Windows\SysWOW64\Hkaglf32.exeC:\Windows\system32\Hkaglf32.exe99⤵
- System Location Discovery: System Language Discovery
PID:2788 -
C:\Windows\SysWOW64\Homclekn.exeC:\Windows\system32\Homclekn.exe100⤵
- Modifies registry class
PID:2148 -
C:\Windows\SysWOW64\Hakphqja.exeC:\Windows\system32\Hakphqja.exe101⤵PID:1664
-
C:\Windows\SysWOW64\Heglio32.exeC:\Windows\system32\Heglio32.exe102⤵PID:2648
-
C:\Windows\SysWOW64\Hdildlie.exeC:\Windows\system32\Hdildlie.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:712 -
C:\Windows\SysWOW64\Hlqdei32.exeC:\Windows\system32\Hlqdei32.exe104⤵PID:804
-
C:\Windows\SysWOW64\Heihnoph.exeC:\Windows\system32\Heihnoph.exe105⤵PID:1856
-
C:\Windows\SysWOW64\Hdlhjl32.exeC:\Windows\system32\Hdlhjl32.exe106⤵PID:600
-
C:\Windows\SysWOW64\Hgjefg32.exeC:\Windows\system32\Hgjefg32.exe107⤵PID:1600
-
C:\Windows\SysWOW64\Hmdmcanc.exeC:\Windows\system32\Hmdmcanc.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1976 -
C:\Windows\SysWOW64\Hpbiommg.exeC:\Windows\system32\Hpbiommg.exe109⤵PID:2956
-
C:\Windows\SysWOW64\Hhjapjmi.exeC:\Windows\system32\Hhjapjmi.exe110⤵
- System Location Discovery: System Language Discovery
PID:2772 -
C:\Windows\SysWOW64\Hiknhbcg.exeC:\Windows\system32\Hiknhbcg.exe111⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2428 -
C:\Windows\SysWOW64\Hmfjha32.exeC:\Windows\system32\Hmfjha32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1852 -
C:\Windows\SysWOW64\Hpefdl32.exeC:\Windows\system32\Hpefdl32.exe113⤵PID:1864
-
C:\Windows\SysWOW64\Hdqbekcm.exeC:\Windows\system32\Hdqbekcm.exe114⤵PID:2572
-
C:\Windows\SysWOW64\Igonafba.exeC:\Windows\system32\Igonafba.exe115⤵
- Modifies registry class
PID:796 -
C:\Windows\SysWOW64\Inifnq32.exeC:\Windows\system32\Inifnq32.exe116⤵PID:2188
-
C:\Windows\SysWOW64\Illgimph.exeC:\Windows\system32\Illgimph.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:604 -
C:\Windows\SysWOW64\Icfofg32.exeC:\Windows\system32\Icfofg32.exe118⤵PID:1340
-
C:\Windows\SysWOW64\Iedkbc32.exeC:\Windows\system32\Iedkbc32.exe119⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2868 -
C:\Windows\SysWOW64\Inkccpgk.exeC:\Windows\system32\Inkccpgk.exe120⤵
- Drops file in System32 directory
PID:2620 -
C:\Windows\SysWOW64\Ilncom32.exeC:\Windows\system32\Ilncom32.exe121⤵
- System Location Discovery: System Language Discovery
PID:3032
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-