Analysis
-
max time kernel
53s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
07/11/2024, 03:59
Behavioral task
behavioral1
Sample
b2e8b611193e13228fb7960844237057b860d86fb52346f7aacd798610ae503eN.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
b2e8b611193e13228fb7960844237057b860d86fb52346f7aacd798610ae503eN.exe
Resource
win10v2004-20241007-en
General
-
Target
b2e8b611193e13228fb7960844237057b860d86fb52346f7aacd798610ae503eN.exe
-
Size
160KB
-
MD5
a7fbb6901ee98cc98c6960a28d9f36d0
-
SHA1
37dbbe1eef067aaee4008e677aa6c8345da214d3
-
SHA256
b2e8b611193e13228fb7960844237057b860d86fb52346f7aacd798610ae503e
-
SHA512
fc1bcc886555f1af6305af565a10a585c9f090962efb8560ab18dd7ff3afd3ebbddae1a140100047088af1d97656e6248aa51176328fa50227e7ac409aa6f3b0
-
SSDEEP
3072:HgQskqCYTTjTTkTTjTTjTTXTTXTTXTTPdTTTTTTTTTTgNTTnTTTTTTYa92j6+JBz:HBsiYTTjTTkTTjTTjTTXTTXTTXTTPdTN
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neohbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hiffbl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jboanfmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmmihk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmndbb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Foqadnpq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lphnlcnh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcbabodk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghcdpjqj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iijdfc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnonjqdq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebkpma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dppiddie.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hiffbl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nibcgb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Moahdd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emjnikpc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igeggkoq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apheke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnjeoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eeicenni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gidgdcli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkldli32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fndfmljk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nabegpbp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqijmkfm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ankckagj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dggcbf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nffenj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqfeda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eamdlf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmijgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbdpjgjf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meafpibb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iopeagip.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocphembl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adnegldo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdbkaoce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebpgoh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imccab32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eeffpn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nimaic32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adnegldo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcfojhhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhiglh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebkpma32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iomhkgkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbgqbdbd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqdioaqf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbmnfajm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gqmmhdka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plfjme32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqdaal32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qibhao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdedoegh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icbldbgi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jemkai32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpqaanqd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Meaiia32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eklgjbca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Laqadknn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibklddof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dalffg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngcbie32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2524 Cgmndokg.exe 2408 Ceanmc32.exe 2912 Cjngej32.exe 2956 Dedkbb32.exe 2224 Dfegjknm.exe 2920 Dfgdpj32.exe 2764 Dihmae32.exe 3016 Dflnkjhe.exe 1264 Dimfmeef.exe 1472 Ehbcnajn.exe 1208 Ehdpcahk.exe 1072 Eamdlf32.exe 2568 Ekeiel32.exe 2204 Ehiiop32.exe 1748 Eijffhjd.exe 2788 Fkjbpkag.exe 676 Fiopah32.exe 1100 Fefpfi32.exe 1728 Fondonbc.exe 1460 Fhfihd32.exe 2564 Foqadnpq.exe 928 Fdmjmenh.exe 2636 Gocnjn32.exe 472 Gdpfbd32.exe 2356 Gacgli32.exe 2424 Gnjhaj32.exe 1600 Glpdbfek.exe 2968 Gqmmhdka.exe 3064 Hfjfpkji.exe 2948 Hfmbfkhf.exe 2752 Hcqcoo32.exe 2684 Hnjdpm32.exe 3032 Hnlqemal.exe 948 Hjcajn32.exe 236 Iclfccmq.exe 1628 Ifloeo32.exe 3004 Iabcbg32.exe 2740 Icbldbgi.exe 1932 Imkqmh32.exe 1984 Jmmmbg32.exe 1056 Jffakm32.exe 1968 Jhgnbehe.exe 1624 Jlegic32.exe 1128 Jemkai32.exe 708 Jmhpfl32.exe 2608 Jdbhcfjd.exe 672 Johlpoij.exe 2156 Kdeehe32.exe 1528 Kplfmfmf.exe 2696 Lddagi32.exe 2484 Lahaqm32.exe 2856 Lgejidgn.exe 2824 Laknfmgd.exe 2040 Lhegcg32.exe 552 Lamkllea.exe 2024 Lcnhcdkp.exe 1632 Lndlamke.exe 2404 Lcqdidim.exe 1976 Mpeebhhf.exe 2392 Mfamko32.exe 2124 Mlkegimk.exe 1784 Mcendc32.exe 828 Mhbflj32.exe 592 Moloidjl.exe -
Loads dropped DLL 64 IoCs
pid Process 432 b2e8b611193e13228fb7960844237057b860d86fb52346f7aacd798610ae503eN.exe 432 b2e8b611193e13228fb7960844237057b860d86fb52346f7aacd798610ae503eN.exe 2524 Cgmndokg.exe 2524 Cgmndokg.exe 2408 Ceanmc32.exe 2408 Ceanmc32.exe 2912 Cjngej32.exe 2912 Cjngej32.exe 2956 Dedkbb32.exe 2956 Dedkbb32.exe 2224 Dfegjknm.exe 2224 Dfegjknm.exe 2920 Dfgdpj32.exe 2920 Dfgdpj32.exe 2764 Dihmae32.exe 2764 Dihmae32.exe 3016 Dflnkjhe.exe 3016 Dflnkjhe.exe 1264 Dimfmeef.exe 1264 Dimfmeef.exe 1472 Ehbcnajn.exe 1472 Ehbcnajn.exe 1208 Ehdpcahk.exe 1208 Ehdpcahk.exe 1072 Eamdlf32.exe 1072 Eamdlf32.exe 2568 Ekeiel32.exe 2568 Ekeiel32.exe 2204 Ehiiop32.exe 2204 Ehiiop32.exe 1748 Eijffhjd.exe 1748 Eijffhjd.exe 2788 Fkjbpkag.exe 2788 Fkjbpkag.exe 676 Fiopah32.exe 676 Fiopah32.exe 1100 Fefpfi32.exe 1100 Fefpfi32.exe 1728 Fondonbc.exe 1728 Fondonbc.exe 1460 Fhfihd32.exe 1460 Fhfihd32.exe 2564 Foqadnpq.exe 2564 Foqadnpq.exe 928 Fdmjmenh.exe 928 Fdmjmenh.exe 2636 Gocnjn32.exe 2636 Gocnjn32.exe 472 Gdpfbd32.exe 472 Gdpfbd32.exe 2356 Gacgli32.exe 2356 Gacgli32.exe 2424 Gnjhaj32.exe 2424 Gnjhaj32.exe 1600 Glpdbfek.exe 1600 Glpdbfek.exe 2968 Gqmmhdka.exe 2968 Gqmmhdka.exe 3064 Hfjfpkji.exe 3064 Hfjfpkji.exe 2948 Hfmbfkhf.exe 2948 Hfmbfkhf.exe 2752 Hcqcoo32.exe 2752 Hcqcoo32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Cbihpbpl.exe Bdehgnqc.exe File opened for modification C:\Windows\SysWOW64\Cnbfkccn.exe Cdjabn32.exe File created C:\Windows\SysWOW64\Fbgdlq32.dll Gpagbp32.exe File opened for modification C:\Windows\SysWOW64\Hancef32.exe Galfpgpg.exe File opened for modification C:\Windows\SysWOW64\Egaoldnf.exe Enijcn32.exe File created C:\Windows\SysWOW64\Ggppeg32.dll Knckbe32.exe File opened for modification C:\Windows\SysWOW64\Jemkai32.exe Jlegic32.exe File opened for modification C:\Windows\SysWOW64\Amledj32.exe Apheke32.exe File created C:\Windows\SysWOW64\Bfjmkn32.exe Bmahbhei.exe File created C:\Windows\SysWOW64\Bmndbb32.exe Bgaljk32.exe File created C:\Windows\SysWOW64\Jmmnpc32.dll Ejpipf32.exe File created C:\Windows\SysWOW64\Nhhdiknb.exe Mhegckpd.exe File created C:\Windows\SysWOW64\Gfadeaho.exe Gepgni32.exe File created C:\Windows\SysWOW64\Cfhjjp32.exe Cpkaai32.exe File created C:\Windows\SysWOW64\Faamni32.dll Cfpinnfj.exe File opened for modification C:\Windows\SysWOW64\Dopdgb32.exe Dfgpnm32.exe File created C:\Windows\SysWOW64\Mlogojjp.exe Mbfbfe32.exe File created C:\Windows\SysWOW64\Gcfmolmc.dll Babbpc32.exe File created C:\Windows\SysWOW64\Ckgogfmg.exe Cclkcdpl.exe File created C:\Windows\SysWOW64\Dcjllicj.dll Enijcn32.exe File opened for modification C:\Windows\SysWOW64\Aihmhe32.exe Acldpojj.exe File created C:\Windows\SysWOW64\Dcgiejje.exe Dindme32.exe File created C:\Windows\SysWOW64\Lkfibnjf.dll Pmoqfi32.exe File opened for modification C:\Windows\SysWOW64\Bhgaan32.exe Alqplmlb.exe File created C:\Windows\SysWOW64\Liaenblm.exe Liohhbno.exe File created C:\Windows\SysWOW64\Ffifbijg.dll Aliejq32.exe File created C:\Windows\SysWOW64\Gqmmhdka.exe Glpdbfek.exe File created C:\Windows\SysWOW64\Aoppkj32.dll Linanl32.exe File created C:\Windows\SysWOW64\Jfdgnf32.exe Iqgofo32.exe File created C:\Windows\SysWOW64\Hmafge32.dll Eaclgf32.exe File created C:\Windows\SysWOW64\Pgfpoimj.exe Paihgboc.exe File created C:\Windows\SysWOW64\Enqgpadi.dll Fhfbmn32.exe File opened for modification C:\Windows\SysWOW64\Imccab32.exe Ickoimie.exe File opened for modification C:\Windows\SysWOW64\Kphbmp32.exe Jfpndkel.exe File created C:\Windows\SysWOW64\Phddjlme.dll Lebcdd32.exe File created C:\Windows\SysWOW64\Fgepob32.dll Paclje32.exe File created C:\Windows\SysWOW64\Infpbgeb.dll Nimaic32.exe File created C:\Windows\SysWOW64\Ljcbii32.dll Hiffbl32.exe File created C:\Windows\SysWOW64\Ghifhnnl.dll Qdlialfb.exe File opened for modification C:\Windows\SysWOW64\Pmeemp32.exe Pcmadj32.exe File created C:\Windows\SysWOW64\Ofbgbaio.exe Oljbil32.exe File created C:\Windows\SysWOW64\Oclndk32.dll Qbkljd32.exe File opened for modification C:\Windows\SysWOW64\Lpodmb32.exe Lpmhgc32.exe File opened for modification C:\Windows\SysWOW64\Feklja32.exe Fblpnepn.exe File opened for modification C:\Windows\SysWOW64\Ngolgn32.exe Nnfgnibb.exe File created C:\Windows\SysWOW64\Pfmgmm32.exe Pmecdgbk.exe File created C:\Windows\SysWOW64\Aimfcedl.exe Aliejq32.exe File created C:\Windows\SysWOW64\Knlekjqk.dll Dfgdpj32.exe File created C:\Windows\SysWOW64\Heedbbdb.exe Hphljkfk.exe File opened for modification C:\Windows\SysWOW64\Lpmhgc32.exe Licpki32.exe File created C:\Windows\SysWOW64\Oggkklnk.exe Nolffjap.exe File opened for modification C:\Windows\SysWOW64\Onhnjclg.exe Oikeal32.exe File opened for modification C:\Windows\SysWOW64\Kmphpc32.exe Kmnljc32.exe File created C:\Windows\SysWOW64\Kbmahjbk.exe Kmphpc32.exe File opened for modification C:\Windows\SysWOW64\Clheeh32.exe Cjglcmbi.exe File created C:\Windows\SysWOW64\Jmqfffcn.dll Iopeagip.exe File opened for modification C:\Windows\SysWOW64\Djddbkck.exe Dlpdifda.exe File opened for modification C:\Windows\SysWOW64\Ghjjoeei.exe Gnaffpoi.exe File created C:\Windows\SysWOW64\Dnjeoa32.exe Cgpmbgai.exe File created C:\Windows\SysWOW64\Dgocfggf.dll Mibeofaf.exe File created C:\Windows\SysWOW64\Mdbdlp32.dll Idagdm32.exe File created C:\Windows\SysWOW64\Eehnfc32.dll Lfgbmf32.exe File opened for modification C:\Windows\SysWOW64\Dhiacg32.exe Doqmjaac.exe File opened for modification C:\Windows\SysWOW64\Lgekdh32.exe Ljakkd32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3592 3320 WerFault.exe 636 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfcjqkbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcmhmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhkakonn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igeggkoq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbpegdik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Laacmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgfpoimj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdflhppk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmgekh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eeameodq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obbonk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhgnbehe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbkkbpjc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meaiia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cclkcdpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnfgnibb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcfojhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmcmomjc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baoahf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qbhpddbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ickoimie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcpmonea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egchocif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghjjoeei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfbcae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlegic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gphokhco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkjadh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omddmkhl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpqaanqd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egaoldnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qeeadi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emcqpjhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fondonbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ombhgljn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opqdcgib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmkklflj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkbjmd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Milagp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggfgoo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcqcoo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjcajn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieaekdkn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdjabn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpagbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjdpcnfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alicahno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnlhbb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lndlamke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aimkeb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhgaan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oncpmf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpliec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hakani32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jciaki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocphembl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmedck32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Danblfmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejeglg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfegjknm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehdpcahk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpokkdim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqomkimg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iomhkgkb.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnlhbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ediihkon.dll" Pnebgcqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpmbla32.dll" Dfegjknm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqdenj32.dll" Pppihdha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odjoeplp.dll" Feklja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ekqqea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmllgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgdlgpke.dll" Obamebfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lendnaic.dll" Lpodmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbmlfbao.dll" Gmcmomjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlcdlj32.dll" Glpdbfek.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bcedbefd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjogpk32.dll" Koogdg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjkcedgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omfjkg32.dll" Ndnbeclb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nqlikc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hqjfgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdehgnqc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbajci32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmndbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jljkakol.dll" Jffakm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emogdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igffogeb.dll" Ngcbie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgoief32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfffhk32.dll" Fkbadifn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndnplk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cbihpbpl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmcpqfba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flefnl32.dll" Mgalnk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcendc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gaamobdf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hobfgcdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oljagk32.dll" Johlpoij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hembji32.dll" Qeeadi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgopfi32.dll" Dhhhphmc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njjieace.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mfamko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghifhnnl.dll" Qdlialfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gljbaeaa.dll" Aelgdhei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkmhej32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhcanahm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eqmbca32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhegcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pphqlc32.dll" Apeflmjc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hancef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plongokk.dll" Mgdpnqfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmmppm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffllbi32.dll" Kfklgape.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnebgcqb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmhibenb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehdpcahk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkjfhile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cghpgbce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imnaimag.dll" Ecklgdag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkdaqcl.dll" Injlmcib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qabhbm32.dll" Ghcmedmo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajnlqgfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phelnhnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lfeegfkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmnbjill.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdoaackf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbgbmipo.dll" Ghlell32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jdhmel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klilah32.dll" Mlkegimk.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 432 wrote to memory of 2524 432 b2e8b611193e13228fb7960844237057b860d86fb52346f7aacd798610ae503eN.exe 29 PID 432 wrote to memory of 2524 432 b2e8b611193e13228fb7960844237057b860d86fb52346f7aacd798610ae503eN.exe 29 PID 432 wrote to memory of 2524 432 b2e8b611193e13228fb7960844237057b860d86fb52346f7aacd798610ae503eN.exe 29 PID 432 wrote to memory of 2524 432 b2e8b611193e13228fb7960844237057b860d86fb52346f7aacd798610ae503eN.exe 29 PID 2524 wrote to memory of 2408 2524 Cgmndokg.exe 30 PID 2524 wrote to memory of 2408 2524 Cgmndokg.exe 30 PID 2524 wrote to memory of 2408 2524 Cgmndokg.exe 30 PID 2524 wrote to memory of 2408 2524 Cgmndokg.exe 30 PID 2408 wrote to memory of 2912 2408 Ceanmc32.exe 31 PID 2408 wrote to memory of 2912 2408 Ceanmc32.exe 31 PID 2408 wrote to memory of 2912 2408 Ceanmc32.exe 31 PID 2408 wrote to memory of 2912 2408 Ceanmc32.exe 31 PID 2912 wrote to memory of 2956 2912 Cjngej32.exe 32 PID 2912 wrote to memory of 2956 2912 Cjngej32.exe 32 PID 2912 wrote to memory of 2956 2912 Cjngej32.exe 32 PID 2912 wrote to memory of 2956 2912 Cjngej32.exe 32 PID 2956 wrote to memory of 2224 2956 Dedkbb32.exe 33 PID 2956 wrote to memory of 2224 2956 Dedkbb32.exe 33 PID 2956 wrote to memory of 2224 2956 Dedkbb32.exe 33 PID 2956 wrote to memory of 2224 2956 Dedkbb32.exe 33 PID 2224 wrote to memory of 2920 2224 Dfegjknm.exe 34 PID 2224 wrote to memory of 2920 2224 Dfegjknm.exe 34 PID 2224 wrote to memory of 2920 2224 Dfegjknm.exe 34 PID 2224 wrote to memory of 2920 2224 Dfegjknm.exe 34 PID 2920 wrote to memory of 2764 2920 Dfgdpj32.exe 35 PID 2920 wrote to memory of 2764 2920 Dfgdpj32.exe 35 PID 2920 wrote to memory of 2764 2920 Dfgdpj32.exe 35 PID 2920 wrote to memory of 2764 2920 Dfgdpj32.exe 35 PID 2764 wrote to memory of 3016 2764 Dihmae32.exe 36 PID 2764 wrote to memory of 3016 2764 Dihmae32.exe 36 PID 2764 wrote to memory of 3016 2764 Dihmae32.exe 36 PID 2764 wrote to memory of 3016 2764 Dihmae32.exe 36 PID 3016 wrote to memory of 1264 3016 Dflnkjhe.exe 37 PID 3016 wrote to memory of 1264 3016 Dflnkjhe.exe 37 PID 3016 wrote to memory of 1264 3016 Dflnkjhe.exe 37 PID 3016 wrote to memory of 1264 3016 Dflnkjhe.exe 37 PID 1264 wrote to memory of 1472 1264 Dimfmeef.exe 38 PID 1264 wrote to memory of 1472 1264 Dimfmeef.exe 38 PID 1264 wrote to memory of 1472 1264 Dimfmeef.exe 38 PID 1264 wrote to memory of 1472 1264 Dimfmeef.exe 38 PID 1472 wrote to memory of 1208 1472 Ehbcnajn.exe 39 PID 1472 wrote to memory of 1208 1472 Ehbcnajn.exe 39 PID 1472 wrote to memory of 1208 1472 Ehbcnajn.exe 39 PID 1472 wrote to memory of 1208 1472 Ehbcnajn.exe 39 PID 1208 wrote to memory of 1072 1208 Ehdpcahk.exe 40 PID 1208 wrote to memory of 1072 1208 Ehdpcahk.exe 40 PID 1208 wrote to memory of 1072 1208 Ehdpcahk.exe 40 PID 1208 wrote to memory of 1072 1208 Ehdpcahk.exe 40 PID 1072 wrote to memory of 2568 1072 Eamdlf32.exe 41 PID 1072 wrote to memory of 2568 1072 Eamdlf32.exe 41 PID 1072 wrote to memory of 2568 1072 Eamdlf32.exe 41 PID 1072 wrote to memory of 2568 1072 Eamdlf32.exe 41 PID 2568 wrote to memory of 2204 2568 Ekeiel32.exe 42 PID 2568 wrote to memory of 2204 2568 Ekeiel32.exe 42 PID 2568 wrote to memory of 2204 2568 Ekeiel32.exe 42 PID 2568 wrote to memory of 2204 2568 Ekeiel32.exe 42 PID 2204 wrote to memory of 1748 2204 Ehiiop32.exe 43 PID 2204 wrote to memory of 1748 2204 Ehiiop32.exe 43 PID 2204 wrote to memory of 1748 2204 Ehiiop32.exe 43 PID 2204 wrote to memory of 1748 2204 Ehiiop32.exe 43 PID 1748 wrote to memory of 2788 1748 Eijffhjd.exe 44 PID 1748 wrote to memory of 2788 1748 Eijffhjd.exe 44 PID 1748 wrote to memory of 2788 1748 Eijffhjd.exe 44 PID 1748 wrote to memory of 2788 1748 Eijffhjd.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\b2e8b611193e13228fb7960844237057b860d86fb52346f7aacd798610ae503eN.exe"C:\Users\Admin\AppData\Local\Temp\b2e8b611193e13228fb7960844237057b860d86fb52346f7aacd798610ae503eN.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:432 -
C:\Windows\SysWOW64\Cgmndokg.exeC:\Windows\system32\Cgmndokg.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Ceanmc32.exeC:\Windows\system32\Ceanmc32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\SysWOW64\Cjngej32.exeC:\Windows\system32\Cjngej32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Dedkbb32.exeC:\Windows\system32\Dedkbb32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\Dfegjknm.exeC:\Windows\system32\Dfegjknm.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Windows\SysWOW64\Dfgdpj32.exeC:\Windows\system32\Dfgdpj32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Dihmae32.exeC:\Windows\system32\Dihmae32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Dflnkjhe.exeC:\Windows\system32\Dflnkjhe.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\SysWOW64\Dimfmeef.exeC:\Windows\system32\Dimfmeef.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1264 -
C:\Windows\SysWOW64\Ehbcnajn.exeC:\Windows\system32\Ehbcnajn.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1472 -
C:\Windows\SysWOW64\Ehdpcahk.exeC:\Windows\system32\Ehdpcahk.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1208 -
C:\Windows\SysWOW64\Eamdlf32.exeC:\Windows\system32\Eamdlf32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1072 -
C:\Windows\SysWOW64\Ekeiel32.exeC:\Windows\system32\Ekeiel32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\Ehiiop32.exeC:\Windows\system32\Ehiiop32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\SysWOW64\Eijffhjd.exeC:\Windows\system32\Eijffhjd.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1748 -
C:\Windows\SysWOW64\Fkjbpkag.exeC:\Windows\system32\Fkjbpkag.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2788 -
C:\Windows\SysWOW64\Fiopah32.exeC:\Windows\system32\Fiopah32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:676 -
C:\Windows\SysWOW64\Fefpfi32.exeC:\Windows\system32\Fefpfi32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1100 -
C:\Windows\SysWOW64\Fondonbc.exeC:\Windows\system32\Fondonbc.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1728 -
C:\Windows\SysWOW64\Fhfihd32.exeC:\Windows\system32\Fhfihd32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1460 -
C:\Windows\SysWOW64\Foqadnpq.exeC:\Windows\system32\Foqadnpq.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2564 -
C:\Windows\SysWOW64\Fdmjmenh.exeC:\Windows\system32\Fdmjmenh.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:928 -
C:\Windows\SysWOW64\Gocnjn32.exeC:\Windows\system32\Gocnjn32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2636 -
C:\Windows\SysWOW64\Gdpfbd32.exeC:\Windows\system32\Gdpfbd32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:472 -
C:\Windows\SysWOW64\Gacgli32.exeC:\Windows\system32\Gacgli32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2356 -
C:\Windows\SysWOW64\Gnjhaj32.exeC:\Windows\system32\Gnjhaj32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2424 -
C:\Windows\SysWOW64\Glpdbfek.exeC:\Windows\system32\Glpdbfek.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1600 -
C:\Windows\SysWOW64\Gqmmhdka.exeC:\Windows\system32\Gqmmhdka.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2968 -
C:\Windows\SysWOW64\Hfjfpkji.exeC:\Windows\system32\Hfjfpkji.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3064 -
C:\Windows\SysWOW64\Hfmbfkhf.exeC:\Windows\system32\Hfmbfkhf.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2948 -
C:\Windows\SysWOW64\Hcqcoo32.exeC:\Windows\system32\Hcqcoo32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2752 -
C:\Windows\SysWOW64\Hnjdpm32.exeC:\Windows\system32\Hnjdpm32.exe33⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Hnlqemal.exeC:\Windows\system32\Hnlqemal.exe34⤵
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Hjcajn32.exeC:\Windows\system32\Hjcajn32.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:948 -
C:\Windows\SysWOW64\Iclfccmq.exeC:\Windows\system32\Iclfccmq.exe36⤵
- Executes dropped EXE
PID:236 -
C:\Windows\SysWOW64\Ifloeo32.exeC:\Windows\system32\Ifloeo32.exe37⤵
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Iabcbg32.exeC:\Windows\system32\Iabcbg32.exe38⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Icbldbgi.exeC:\Windows\system32\Icbldbgi.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Imkqmh32.exeC:\Windows\system32\Imkqmh32.exe40⤵
- Executes dropped EXE
PID:1932 -
C:\Windows\SysWOW64\Jmmmbg32.exeC:\Windows\system32\Jmmmbg32.exe41⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Jffakm32.exeC:\Windows\system32\Jffakm32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:1056 -
C:\Windows\SysWOW64\Jhgnbehe.exeC:\Windows\system32\Jhgnbehe.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1968 -
C:\Windows\SysWOW64\Jlegic32.exeC:\Windows\system32\Jlegic32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1624 -
C:\Windows\SysWOW64\Jemkai32.exeC:\Windows\system32\Jemkai32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1128 -
C:\Windows\SysWOW64\Jmhpfl32.exeC:\Windows\system32\Jmhpfl32.exe46⤵
- Executes dropped EXE
PID:708 -
C:\Windows\SysWOW64\Jdbhcfjd.exeC:\Windows\system32\Jdbhcfjd.exe47⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Johlpoij.exeC:\Windows\system32\Johlpoij.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:672 -
C:\Windows\SysWOW64\Kdeehe32.exeC:\Windows\system32\Kdeehe32.exe49⤵
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Kplfmfmf.exeC:\Windows\system32\Kplfmfmf.exe50⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Lddagi32.exeC:\Windows\system32\Lddagi32.exe51⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Lahaqm32.exeC:\Windows\system32\Lahaqm32.exe52⤵
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Lgejidgn.exeC:\Windows\system32\Lgejidgn.exe53⤵
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Laknfmgd.exeC:\Windows\system32\Laknfmgd.exe54⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Lhegcg32.exeC:\Windows\system32\Lhegcg32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2040 -
C:\Windows\SysWOW64\Lamkllea.exeC:\Windows\system32\Lamkllea.exe56⤵
- Executes dropped EXE
PID:552 -
C:\Windows\SysWOW64\Lcnhcdkp.exeC:\Windows\system32\Lcnhcdkp.exe57⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Lndlamke.exeC:\Windows\system32\Lndlamke.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1632 -
C:\Windows\SysWOW64\Lcqdidim.exeC:\Windows\system32\Lcqdidim.exe59⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Mpeebhhf.exeC:\Windows\system32\Mpeebhhf.exe60⤵
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Mfamko32.exeC:\Windows\system32\Mfamko32.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:2392 -
C:\Windows\SysWOW64\Mlkegimk.exeC:\Windows\system32\Mlkegimk.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:2124 -
C:\Windows\SysWOW64\Mcendc32.exeC:\Windows\system32\Mcendc32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:1784 -
C:\Windows\SysWOW64\Mhbflj32.exeC:\Windows\system32\Mhbflj32.exe64⤵
- Executes dropped EXE
PID:828 -
C:\Windows\SysWOW64\Moloidjl.exeC:\Windows\system32\Moloidjl.exe65⤵
- Executes dropped EXE
PID:592 -
C:\Windows\SysWOW64\Mdigakic.exeC:\Windows\system32\Mdigakic.exe66⤵PID:2720
-
C:\Windows\SysWOW64\Mookod32.exeC:\Windows\system32\Mookod32.exe67⤵PID:1768
-
C:\Windows\SysWOW64\Mhgpgjoj.exeC:\Windows\system32\Mhgpgjoj.exe68⤵PID:1180
-
C:\Windows\SysWOW64\Moahdd32.exeC:\Windows\system32\Moahdd32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2440 -
C:\Windows\SysWOW64\Ndnplk32.exeC:\Windows\system32\Ndnplk32.exe70⤵
- Modifies registry class
PID:2976 -
C:\Windows\SysWOW64\Njjieace.exeC:\Windows\system32\Njjieace.exe71⤵
- Modifies registry class
PID:2384 -
C:\Windows\SysWOW64\Nqdaal32.exeC:\Windows\system32\Nqdaal32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2692 -
C:\Windows\SysWOW64\Njmejaqb.exeC:\Windows\system32\Njmejaqb.exe73⤵PID:872
-
C:\Windows\SysWOW64\Nmkbfmpf.exeC:\Windows\system32\Nmkbfmpf.exe74⤵PID:2504
-
C:\Windows\SysWOW64\Nfcfob32.exeC:\Windows\system32\Nfcfob32.exe75⤵PID:2844
-
C:\Windows\SysWOW64\Nqijmkfm.exeC:\Windows\system32\Nqijmkfm.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3028 -
C:\Windows\SysWOW64\Ngcbie32.exeC:\Windows\system32\Ngcbie32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2588 -
C:\Windows\SysWOW64\Nidoamch.exeC:\Windows\system32\Nidoamch.exe78⤵PID:2240
-
C:\Windows\SysWOW64\Npngng32.exeC:\Windows\system32\Npngng32.exe79⤵PID:2992
-
C:\Windows\SysWOW64\Ombhgljn.exeC:\Windows\system32\Ombhgljn.exe80⤵
- System Location Discovery: System Language Discovery
PID:1700 -
C:\Windows\SysWOW64\Opqdcgib.exeC:\Windows\system32\Opqdcgib.exe81⤵
- System Location Discovery: System Language Discovery
PID:1168 -
C:\Windows\SysWOW64\Ofklpa32.exeC:\Windows\system32\Ofklpa32.exe82⤵PID:1988
-
C:\Windows\SysWOW64\Omddmkhl.exeC:\Windows\system32\Omddmkhl.exe83⤵
- System Location Discovery: System Language Discovery
PID:2640 -
C:\Windows\SysWOW64\Obamebfc.exeC:\Windows\system32\Obamebfc.exe84⤵
- Modifies registry class
PID:756 -
C:\Windows\SysWOW64\Oikeal32.exeC:\Windows\system32\Oikeal32.exe85⤵
- Drops file in System32 directory
PID:2876 -
C:\Windows\SysWOW64\Onhnjclg.exeC:\Windows\system32\Onhnjclg.exe86⤵PID:2896
-
C:\Windows\SysWOW64\Oafjfokk.exeC:\Windows\system32\Oafjfokk.exe87⤵PID:2708
-
C:\Windows\SysWOW64\Onkjocjd.exeC:\Windows\system32\Onkjocjd.exe88⤵PID:908
-
C:\Windows\SysWOW64\Oedclm32.exeC:\Windows\system32\Oedclm32.exe89⤵PID:2808
-
C:\Windows\SysWOW64\Ojakdd32.exeC:\Windows\system32\Ojakdd32.exe90⤵PID:816
-
C:\Windows\SysWOW64\Ompgqonl.exeC:\Windows\system32\Ompgqonl.exe91⤵PID:1252
-
C:\Windows\SysWOW64\Phelnhnb.exeC:\Windows\system32\Phelnhnb.exe92⤵
- Modifies registry class
PID:2944 -
C:\Windows\SysWOW64\Panpgn32.exeC:\Windows\system32\Panpgn32.exe93⤵PID:1468
-
C:\Windows\SysWOW64\Pfjiod32.exeC:\Windows\system32\Pfjiod32.exe94⤵PID:1888
-
C:\Windows\SysWOW64\Papmlmbp.exeC:\Windows\system32\Papmlmbp.exe95⤵PID:2044
-
C:\Windows\SysWOW64\Pbaide32.exeC:\Windows\system32\Pbaide32.exe96⤵PID:932
-
C:\Windows\SysWOW64\Pikaqppk.exeC:\Windows\system32\Pikaqppk.exe97⤵PID:2612
-
C:\Windows\SysWOW64\Pebbeq32.exeC:\Windows\system32\Pebbeq32.exe98⤵PID:2848
-
C:\Windows\SysWOW64\Pmijgn32.exeC:\Windows\system32\Pmijgn32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1280 -
C:\Windows\SysWOW64\Pbfcoedi.exeC:\Windows\system32\Pbfcoedi.exe100⤵PID:1420
-
C:\Windows\SysWOW64\Pipklo32.exeC:\Windows\system32\Pipklo32.exe101⤵PID:2972
-
C:\Windows\SysWOW64\Qbhpddbf.exeC:\Windows\system32\Qbhpddbf.exe102⤵
- System Location Discovery: System Language Discovery
PID:516 -
C:\Windows\SysWOW64\Qibhao32.exeC:\Windows\system32\Qibhao32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2300 -
C:\Windows\SysWOW64\Qbkljd32.exeC:\Windows\system32\Qbkljd32.exe104⤵
- Drops file in System32 directory
PID:2192 -
C:\Windows\SysWOW64\Qdlialfb.exeC:\Windows\system32\Qdlialfb.exe105⤵
- Drops file in System32 directory
- Modifies registry class
PID:2928 -
C:\Windows\SysWOW64\Amdmkb32.exeC:\Windows\system32\Amdmkb32.exe106⤵PID:652
-
C:\Windows\SysWOW64\Adnegldo.exeC:\Windows\system32\Adnegldo.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1084 -
C:\Windows\SysWOW64\Akhndf32.exeC:\Windows\system32\Akhndf32.exe108⤵PID:2276
-
C:\Windows\SysWOW64\Apeflmjc.exeC:\Windows\system32\Apeflmjc.exe109⤵
- Modifies registry class
PID:2888 -
C:\Windows\SysWOW64\Aimkeb32.exeC:\Windows\system32\Aimkeb32.exe110⤵
- System Location Discovery: System Language Discovery
PID:1572 -
C:\Windows\SysWOW64\Aadbfp32.exeC:\Windows\system32\Aadbfp32.exe111⤵PID:2544
-
C:\Windows\SysWOW64\Agakog32.exeC:\Windows\system32\Agakog32.exe112⤵PID:2900
-
C:\Windows\SysWOW64\Ankckagj.exeC:\Windows\system32\Ankckagj.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2996 -
C:\Windows\SysWOW64\Agchdfmk.exeC:\Windows\system32\Agchdfmk.exe114⤵PID:3048
-
C:\Windows\SysWOW64\Alqplmlb.exeC:\Windows\system32\Alqplmlb.exe115⤵
- Drops file in System32 directory
PID:2452 -
C:\Windows\SysWOW64\Bhgaan32.exeC:\Windows\system32\Bhgaan32.exe116⤵
- System Location Discovery: System Language Discovery
PID:580 -
C:\Windows\SysWOW64\Boainhic.exeC:\Windows\system32\Boainhic.exe117⤵PID:2784
-
C:\Windows\SysWOW64\Bhjngnod.exeC:\Windows\system32\Bhjngnod.exe118⤵PID:2632
-
C:\Windows\SysWOW64\Babbpc32.exeC:\Windows\system32\Babbpc32.exe119⤵
- Drops file in System32 directory
PID:2344 -
C:\Windows\SysWOW64\Bkjfhile.exeC:\Windows\system32\Bkjfhile.exe120⤵
- Modifies registry class
PID:276 -
C:\Windows\SysWOW64\Bdbkaoce.exeC:\Windows\system32\Bdbkaoce.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2960 -
C:\Windows\SysWOW64\Bdehgnqc.exeC:\Windows\system32\Bdehgnqc.exe122⤵
- Drops file in System32 directory
- Modifies registry class
PID:2056
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-