Analysis
-
max time kernel
26s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
23/11/2024, 04:10
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d6a22cbea22b50d64997100b63ceddf040ac898ea6a3b66dec04f0fa16390b5e.exe
Resource
win7-20240729-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
d6a22cbea22b50d64997100b63ceddf040ac898ea6a3b66dec04f0fa16390b5e.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
d6a22cbea22b50d64997100b63ceddf040ac898ea6a3b66dec04f0fa16390b5e.exe
-
Size
92KB
-
MD5
40e43188ac6d1c10a0196648f916c18b
-
SHA1
ef86a845ca396535f41a3b1e8bc4db055889b5c9
-
SHA256
d6a22cbea22b50d64997100b63ceddf040ac898ea6a3b66dec04f0fa16390b5e
-
SHA512
ed7d61da36545e34bb246b5b0bd7d44cd86283928d15645be128144f6f93feef9ba96c03af11f62b2d668ca49df15bbfc97fd7af8d8c7bbd66f047180d4a949d
-
SSDEEP
1536:hMymAfCFhmNkRa+SHVh5iPNLNAnuzzFwjXq+66DFUABABOVLefE/:KRAfYMNHVyVnFwj6+JB8M/
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpdfph32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdakej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhpadpke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Impblnna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qeeadi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Beignlig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfbfcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djnbdlla.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iogkaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfeegfkf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhkkjnmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjefmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnhlgoia.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipbgci32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djnbdlla.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecdffe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbpihafp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfkagc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" d6a22cbea22b50d64997100b63ceddf040ac898ea6a3b66dec04f0fa16390b5e.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcafbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fecool32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbihmcqp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Memonbnl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Micnbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qgbfen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icnngeof.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbijgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Naeigf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohfgeo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejfnfn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idjjih32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmdnjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qegnii32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmdehgcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnkggjpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Coejfn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfhial32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pphilb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fngjmb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Goicaell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icidlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gffmqq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndeifbfj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Choejien.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dohnfc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecabfpff.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlgodgnk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Filnjk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nijdcdgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amfeodoh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aendjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aipickfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnbhcl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlokegib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdbloobc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpgpjdnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpnbjfjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifngiqlg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igpcpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbijgg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apgnpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbmdig32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppelfbol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppelfbol.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 940 Jbmdig32.exe 1624 Jgjman32.exe 2864 Jabajc32.exe 2828 Jiiikq32.exe 2724 Jepjpajn.exe 2608 Jkjbml32.exe 2248 Kebgea32.exe 2000 Kjopnh32.exe 2456 Kplhfo32.exe 880 Kjalch32.exe 2656 Kidlodkj.exe 2912 Kcjqlm32.exe 2072 Kmbeecaq.exe 1620 Kbonmjph.exe 1240 Kmdbkbpn.exe 2244 Klgbfo32.exe 936 Kbajci32.exe 1840 Lhnckp32.exe 2272 Lbdghi32.exe 2376 Lafgdfbm.exe 1464 Lhqpqp32.exe 1268 Lbfdnijp.exe 916 Laidie32.exe 2364 Lmpdoffo.exe 1848 Lghigl32.exe 2680 Lkcehkeh.exe 1580 Lpqnpacp.exe 2740 Lkfbmj32.exe 2788 Lmdnjf32.exe 2784 Mcafbm32.exe 2664 Mkhocj32.exe 1124 Mpegka32.exe 2436 Mmigdend.exe 2556 Mojdlm32.exe 1112 Mgalnk32.exe 2916 Mlndfa32.exe 2924 Mibeofaf.exe 2100 Mlqakaqi.exe 1136 Meiedg32.exe 2432 Nlcnaaog.exe 2568 Nkfnln32.exe 1244 Napfihmn.exe 2484 Ndnbeclb.exe 2996 Nnfgnibb.exe 1536 Ndqokc32.exe 1996 Nkjggmal.exe 900 Njmhcj32.exe 1456 Npgppdpc.exe 2260 Ncellpog.exe 2744 Nkmdmm32.exe 2720 Njpdiifd.exe 2212 Nlnqeeeh.exe 2016 Ndeifbfj.exe 3064 Ngcebnen.exe 2096 Njbanida.exe 2876 Nnnmoh32.exe 2296 Nlpmjdce.exe 2932 Nqlikc32.exe 2360 Ocjfgo32.exe 1216 Ofibcj32.exe 2232 Ohgnoeii.exe 2548 Ooaflp32.exe 1616 Obpbhk32.exe 2672 Ohikeegf.exe -
Loads dropped DLL 64 IoCs
pid Process 2128 d6a22cbea22b50d64997100b63ceddf040ac898ea6a3b66dec04f0fa16390b5e.exe 2128 d6a22cbea22b50d64997100b63ceddf040ac898ea6a3b66dec04f0fa16390b5e.exe 940 Jbmdig32.exe 940 Jbmdig32.exe 1624 Jgjman32.exe 1624 Jgjman32.exe 2864 Jabajc32.exe 2864 Jabajc32.exe 2828 Jiiikq32.exe 2828 Jiiikq32.exe 2724 Jepjpajn.exe 2724 Jepjpajn.exe 2608 Jkjbml32.exe 2608 Jkjbml32.exe 2248 Kebgea32.exe 2248 Kebgea32.exe 2000 Kjopnh32.exe 2000 Kjopnh32.exe 2456 Kplhfo32.exe 2456 Kplhfo32.exe 880 Kjalch32.exe 880 Kjalch32.exe 2656 Kidlodkj.exe 2656 Kidlodkj.exe 2912 Kcjqlm32.exe 2912 Kcjqlm32.exe 2072 Kmbeecaq.exe 2072 Kmbeecaq.exe 1620 Kbonmjph.exe 1620 Kbonmjph.exe 1240 Kmdbkbpn.exe 1240 Kmdbkbpn.exe 2244 Klgbfo32.exe 2244 Klgbfo32.exe 936 Kbajci32.exe 936 Kbajci32.exe 1840 Lhnckp32.exe 1840 Lhnckp32.exe 2272 Lbdghi32.exe 2272 Lbdghi32.exe 2376 Lafgdfbm.exe 2376 Lafgdfbm.exe 1464 Lhqpqp32.exe 1464 Lhqpqp32.exe 1268 Lbfdnijp.exe 1268 Lbfdnijp.exe 916 Laidie32.exe 916 Laidie32.exe 2364 Lmpdoffo.exe 2364 Lmpdoffo.exe 1848 Lghigl32.exe 1848 Lghigl32.exe 2680 Lkcehkeh.exe 2680 Lkcehkeh.exe 1580 Lpqnpacp.exe 1580 Lpqnpacp.exe 2740 Lkfbmj32.exe 2740 Lkfbmj32.exe 2788 Lmdnjf32.exe 2788 Lmdnjf32.exe 2784 Mcafbm32.exe 2784 Mcafbm32.exe 2664 Mkhocj32.exe 2664 Mkhocj32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Mpegka32.exe Mkhocj32.exe File opened for modification C:\Windows\SysWOW64\Bkheal32.exe Bhiiepcl.exe File opened for modification C:\Windows\SysWOW64\Ddbbod32.exe Cadfbi32.exe File created C:\Windows\SysWOW64\Agdnkj32.dll Dnoqbi32.exe File created C:\Windows\SysWOW64\Hbmnfajm.exe Hpnbjfjj.exe File opened for modification C:\Windows\SysWOW64\Hmefcp32.exe Hkgjge32.exe File created C:\Windows\SysWOW64\Idoaigpm.dll Ifljcanj.exe File opened for modification C:\Windows\SysWOW64\Cpigeblb.exe Cmkkhfmn.exe File created C:\Windows\SysWOW64\Dnmdmj32.exe Dkohanoc.exe File opened for modification C:\Windows\SysWOW64\Fmicnhob.exe Fjkgampo.exe File created C:\Windows\SysWOW64\Hikkjocf.dll Gkbplepn.exe File created C:\Windows\SysWOW64\Dbdippia.dll Ojhdmgkl.exe File created C:\Windows\SysWOW64\Algida32.exe Aihmhe32.exe File created C:\Windows\SysWOW64\Dklkkoqf.exe Dgqokp32.exe File created C:\Windows\SysWOW64\Mgbeqjpd.exe Mddidnqa.exe File opened for modification C:\Windows\SysWOW64\Pikmob32.exe Peoanckj.exe File opened for modification C:\Windows\SysWOW64\Bimbbhgh.exe Bfoffmhd.exe File created C:\Windows\SysWOW64\Hiffbl32.exe Hjdfgojp.exe File opened for modification C:\Windows\SysWOW64\Cnnohmog.exe Coknmp32.exe File created C:\Windows\SysWOW64\Gcbjlm32.dll Cgklma32.exe File created C:\Windows\SysWOW64\Eifgeike.dll Caajmilh.exe File opened for modification C:\Windows\SysWOW64\Ooaflp32.exe Ohgnoeii.exe File created C:\Windows\SysWOW64\Deafji32.dll Jgdmkhnp.exe File created C:\Windows\SysWOW64\Fmpdcp32.dll Mgbeqjpd.exe File created C:\Windows\SysWOW64\Iceohloo.dll Fidmniqa.exe File opened for modification C:\Windows\SysWOW64\Qpmbgaid.exe Qhejed32.exe File created C:\Windows\SysWOW64\Dfbfcn32.exe Dohnfc32.exe File created C:\Windows\SysWOW64\Onloqmmk.dll Ekiaac32.exe File created C:\Windows\SysWOW64\Mogqlgbi.exe Mkldli32.exe File created C:\Windows\SysWOW64\Bakgmgpe.exe Anlkakqa.exe File opened for modification C:\Windows\SysWOW64\Ncplfj32.exe Npbpjn32.exe File opened for modification C:\Windows\SysWOW64\Aliejq32.exe Amfeodoh.exe File opened for modification C:\Windows\SysWOW64\Bakgmgpe.exe Anlkakqa.exe File created C:\Windows\SysWOW64\Cffebb32.dll Qbiamm32.exe File opened for modification C:\Windows\SysWOW64\Clheeh32.exe Cnedilio.exe File created C:\Windows\SysWOW64\Cdnonb32.dll Gfpkbbmo.exe File created C:\Windows\SysWOW64\Igdqmeke.exe Icidlf32.exe File created C:\Windows\SysWOW64\Lmmaoq32.exe Ljnebe32.exe File created C:\Windows\SysWOW64\Adcakdhn.exe Aaeeoihj.exe File created C:\Windows\SysWOW64\Ehmglh32.dll Cpogjh32.exe File created C:\Windows\SysWOW64\Bnoidn32.dll Olhmnb32.exe File created C:\Windows\SysWOW64\Fjkgampo.exe Ffokan32.exe File created C:\Windows\SysWOW64\Ghagjj32.exe Giogonlb.exe File created C:\Windows\SysWOW64\Hdjchlqo.dll Lmhhcaik.exe File opened for modification C:\Windows\SysWOW64\Pmpcoabe.exe Pidgnc32.exe File created C:\Windows\SysWOW64\Fngjmb32.exe Flhnqf32.exe File created C:\Windows\SysWOW64\Eiiahf32.dll Pcgnfl32.exe File opened for modification C:\Windows\SysWOW64\Bodhlane.exe Bigpdjpm.exe File created C:\Windows\SysWOW64\Jkklpk32.exe Jimodo32.exe File opened for modification C:\Windows\SysWOW64\Abodlk32.exe Apphpp32.exe File opened for modification C:\Windows\SysWOW64\Anlkakqa.exe Ajqoqm32.exe File opened for modification C:\Windows\SysWOW64\Cnedilio.exe Cfnmhnhm.exe File opened for modification C:\Windows\SysWOW64\Gbihmcqp.exe Gkbplepn.exe File created C:\Windows\SysWOW64\Ajelmiag.exe Abodlk32.exe File created C:\Windows\SysWOW64\Fbjeao32.exe Flqmddah.exe File created C:\Windows\SysWOW64\Ddjpjj32.exe Dblcnngi.exe File opened for modification C:\Windows\SysWOW64\Ikfokb32.exe Ihgcof32.exe File created C:\Windows\SysWOW64\Kjalch32.exe Kplhfo32.exe File created C:\Windows\SysWOW64\Opkfgdkf.dll Nnnmoh32.exe File opened for modification C:\Windows\SysWOW64\Idagdm32.exe Ifngiqlg.exe File created C:\Windows\SysWOW64\Jgiffg32.exe Jcmjfiab.exe File opened for modification C:\Windows\SysWOW64\Dfhial32.exe Dcjleq32.exe File created C:\Windows\SysWOW64\Qfbahldf.exe Pphilb32.exe File created C:\Windows\SysWOW64\Ibdhlmil.dll Jbgdcapi.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6372 6328 WerFault.exe 699 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpicceon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnoqbi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebfpglkn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbmdig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhqpqp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnfgnibb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilcfjkgj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baannfim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebhlmlhl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igomfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlleni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cocnanmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmffhi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ippkni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Babdhlmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fagcnmie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geehcoaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghcdpjqj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndhooaog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abkncmhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Echpaecj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efihcpqk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdibpn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpledf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anlkakqa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkhocj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aibfik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efbbba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmcbio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Allbpqcp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dndahokk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbohmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fngjmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipkhpk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aifpcfjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clphjc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpnbjfjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flhnqf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okbgkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pikmob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbjeao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgdmkhnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nihgndip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obpbhk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmlief32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aelgdhei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbbbld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcdkagga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alcclb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icidlf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dldndf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffokan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obbonk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjeblf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehbdif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jakjlpif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glefpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmpdoffo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpadpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gijncn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kiaiooja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjacai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onipbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpenkgfq.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiblci32.dll" Fpgpjdnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgfcabeh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Idagdm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oqfeda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcjleq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nehipedn.dll" Fbjeao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hinlck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpiaec32.dll" Panboflg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhhhphmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgaopcqk.dll" Nkpjfkhf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ncplfj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gaghcjhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pbienj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjhaeg32.dll" Dopdgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okeonf32.dll" Fjnkac32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohikeegf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmkdanef.dll" Dlgjie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goiihmom.dll" Kjopnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egglnnil.dll" Gjhfkqdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gffmqq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Alcclb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pdkgcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dklkkoqf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Moecghdl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eojpqpih.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Majfcb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbcahgjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eogckqkk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Koidficq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbdippia.dll" Ojhdmgkl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ooiepnen.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apgnpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlnqeeeh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aendjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqhkqk32.dll" Hacoio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dpnmoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogcklqli.dll" Aipickfe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knckbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdkfbo32.dll" Clphjc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbfalpab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjdjbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcikkcdp.dll" Lfeegfkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gapbbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ekiaac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Idagdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jijbnppi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gfadeaho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbmgapgc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbmdig32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmpdoffo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nkfnln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klhniing.dll" Cgnbepjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbjeao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppepdplg.dll" Gepgni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjfghl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ekcdegqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Peoanckj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hlamfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imcamh32.dll" Jcmjfiab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qjacai32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Npgppdpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pedgbn32.dll" Ebhlmlhl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eqpfchka.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmmihk32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2128 wrote to memory of 940 2128 d6a22cbea22b50d64997100b63ceddf040ac898ea6a3b66dec04f0fa16390b5e.exe 29 PID 2128 wrote to memory of 940 2128 d6a22cbea22b50d64997100b63ceddf040ac898ea6a3b66dec04f0fa16390b5e.exe 29 PID 2128 wrote to memory of 940 2128 d6a22cbea22b50d64997100b63ceddf040ac898ea6a3b66dec04f0fa16390b5e.exe 29 PID 2128 wrote to memory of 940 2128 d6a22cbea22b50d64997100b63ceddf040ac898ea6a3b66dec04f0fa16390b5e.exe 29 PID 940 wrote to memory of 1624 940 Jbmdig32.exe 30 PID 940 wrote to memory of 1624 940 Jbmdig32.exe 30 PID 940 wrote to memory of 1624 940 Jbmdig32.exe 30 PID 940 wrote to memory of 1624 940 Jbmdig32.exe 30 PID 1624 wrote to memory of 2864 1624 Jgjman32.exe 31 PID 1624 wrote to memory of 2864 1624 Jgjman32.exe 31 PID 1624 wrote to memory of 2864 1624 Jgjman32.exe 31 PID 1624 wrote to memory of 2864 1624 Jgjman32.exe 31 PID 2864 wrote to memory of 2828 2864 Jabajc32.exe 32 PID 2864 wrote to memory of 2828 2864 Jabajc32.exe 32 PID 2864 wrote to memory of 2828 2864 Jabajc32.exe 32 PID 2864 wrote to memory of 2828 2864 Jabajc32.exe 32 PID 2828 wrote to memory of 2724 2828 Jiiikq32.exe 33 PID 2828 wrote to memory of 2724 2828 Jiiikq32.exe 33 PID 2828 wrote to memory of 2724 2828 Jiiikq32.exe 33 PID 2828 wrote to memory of 2724 2828 Jiiikq32.exe 33 PID 2724 wrote to memory of 2608 2724 Jepjpajn.exe 34 PID 2724 wrote to memory of 2608 2724 Jepjpajn.exe 34 PID 2724 wrote to memory of 2608 2724 Jepjpajn.exe 34 PID 2724 wrote to memory of 2608 2724 Jepjpajn.exe 34 PID 2608 wrote to memory of 2248 2608 Jkjbml32.exe 35 PID 2608 wrote to memory of 2248 2608 Jkjbml32.exe 35 PID 2608 wrote to memory of 2248 2608 Jkjbml32.exe 35 PID 2608 wrote to memory of 2248 2608 Jkjbml32.exe 35 PID 2248 wrote to memory of 2000 2248 Kebgea32.exe 36 PID 2248 wrote to memory of 2000 2248 Kebgea32.exe 36 PID 2248 wrote to memory of 2000 2248 Kebgea32.exe 36 PID 2248 wrote to memory of 2000 2248 Kebgea32.exe 36 PID 2000 wrote to memory of 2456 2000 Kjopnh32.exe 37 PID 2000 wrote to memory of 2456 2000 Kjopnh32.exe 37 PID 2000 wrote to memory of 2456 2000 Kjopnh32.exe 37 PID 2000 wrote to memory of 2456 2000 Kjopnh32.exe 37 PID 2456 wrote to memory of 880 2456 Kplhfo32.exe 38 PID 2456 wrote to memory of 880 2456 Kplhfo32.exe 38 PID 2456 wrote to memory of 880 2456 Kplhfo32.exe 38 PID 2456 wrote to memory of 880 2456 Kplhfo32.exe 38 PID 880 wrote to memory of 2656 880 Kjalch32.exe 39 PID 880 wrote to memory of 2656 880 Kjalch32.exe 39 PID 880 wrote to memory of 2656 880 Kjalch32.exe 39 PID 880 wrote to memory of 2656 880 Kjalch32.exe 39 PID 2656 wrote to memory of 2912 2656 Kidlodkj.exe 40 PID 2656 wrote to memory of 2912 2656 Kidlodkj.exe 40 PID 2656 wrote to memory of 2912 2656 Kidlodkj.exe 40 PID 2656 wrote to memory of 2912 2656 Kidlodkj.exe 40 PID 2912 wrote to memory of 2072 2912 Kcjqlm32.exe 41 PID 2912 wrote to memory of 2072 2912 Kcjqlm32.exe 41 PID 2912 wrote to memory of 2072 2912 Kcjqlm32.exe 41 PID 2912 wrote to memory of 2072 2912 Kcjqlm32.exe 41 PID 2072 wrote to memory of 1620 2072 Kmbeecaq.exe 42 PID 2072 wrote to memory of 1620 2072 Kmbeecaq.exe 42 PID 2072 wrote to memory of 1620 2072 Kmbeecaq.exe 42 PID 2072 wrote to memory of 1620 2072 Kmbeecaq.exe 42 PID 1620 wrote to memory of 1240 1620 Kbonmjph.exe 43 PID 1620 wrote to memory of 1240 1620 Kbonmjph.exe 43 PID 1620 wrote to memory of 1240 1620 Kbonmjph.exe 43 PID 1620 wrote to memory of 1240 1620 Kbonmjph.exe 43 PID 1240 wrote to memory of 2244 1240 Kmdbkbpn.exe 44 PID 1240 wrote to memory of 2244 1240 Kmdbkbpn.exe 44 PID 1240 wrote to memory of 2244 1240 Kmdbkbpn.exe 44 PID 1240 wrote to memory of 2244 1240 Kmdbkbpn.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\d6a22cbea22b50d64997100b63ceddf040ac898ea6a3b66dec04f0fa16390b5e.exe"C:\Users\Admin\AppData\Local\Temp\d6a22cbea22b50d64997100b63ceddf040ac898ea6a3b66dec04f0fa16390b5e.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\SysWOW64\Jbmdig32.exeC:\Windows\system32\Jbmdig32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:940 -
C:\Windows\SysWOW64\Jgjman32.exeC:\Windows\system32\Jgjman32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Windows\SysWOW64\Jabajc32.exeC:\Windows\system32\Jabajc32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\Jiiikq32.exeC:\Windows\system32\Jiiikq32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\Jepjpajn.exeC:\Windows\system32\Jepjpajn.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Jkjbml32.exeC:\Windows\system32\Jkjbml32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Kebgea32.exeC:\Windows\system32\Kebgea32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\SysWOW64\Kjopnh32.exeC:\Windows\system32\Kjopnh32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Windows\SysWOW64\Kplhfo32.exeC:\Windows\system32\Kplhfo32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Windows\SysWOW64\Kjalch32.exeC:\Windows\system32\Kjalch32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:880 -
C:\Windows\SysWOW64\Kidlodkj.exeC:\Windows\system32\Kidlodkj.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Kcjqlm32.exeC:\Windows\system32\Kcjqlm32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Kmbeecaq.exeC:\Windows\system32\Kmbeecaq.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\Windows\SysWOW64\Kbonmjph.exeC:\Windows\system32\Kbonmjph.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Windows\SysWOW64\Kmdbkbpn.exeC:\Windows\system32\Kmdbkbpn.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1240 -
C:\Windows\SysWOW64\Klgbfo32.exeC:\Windows\system32\Klgbfo32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2244 -
C:\Windows\SysWOW64\Kbajci32.exeC:\Windows\system32\Kbajci32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:936 -
C:\Windows\SysWOW64\Lhnckp32.exeC:\Windows\system32\Lhnckp32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1840 -
C:\Windows\SysWOW64\Lbdghi32.exeC:\Windows\system32\Lbdghi32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2272 -
C:\Windows\SysWOW64\Lafgdfbm.exeC:\Windows\system32\Lafgdfbm.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2376 -
C:\Windows\SysWOW64\Lhqpqp32.exeC:\Windows\system32\Lhqpqp32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1464 -
C:\Windows\SysWOW64\Lbfdnijp.exeC:\Windows\system32\Lbfdnijp.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1268 -
C:\Windows\SysWOW64\Laidie32.exeC:\Windows\system32\Laidie32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:916 -
C:\Windows\SysWOW64\Lmpdoffo.exeC:\Windows\system32\Lmpdoffo.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2364 -
C:\Windows\SysWOW64\Lghigl32.exeC:\Windows\system32\Lghigl32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1848 -
C:\Windows\SysWOW64\Lkcehkeh.exeC:\Windows\system32\Lkcehkeh.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2680 -
C:\Windows\SysWOW64\Lpqnpacp.exeC:\Windows\system32\Lpqnpacp.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1580 -
C:\Windows\SysWOW64\Lkfbmj32.exeC:\Windows\system32\Lkfbmj32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2740 -
C:\Windows\SysWOW64\Lmdnjf32.exeC:\Windows\system32\Lmdnjf32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2788 -
C:\Windows\SysWOW64\Mcafbm32.exeC:\Windows\system32\Mcafbm32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2784 -
C:\Windows\SysWOW64\Mkhocj32.exeC:\Windows\system32\Mkhocj32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2664 -
C:\Windows\SysWOW64\Mpegka32.exeC:\Windows\system32\Mpegka32.exe33⤵
- Executes dropped EXE
PID:1124 -
C:\Windows\SysWOW64\Mmigdend.exeC:\Windows\system32\Mmigdend.exe34⤵
- Executes dropped EXE
PID:2436 -
C:\Windows\SysWOW64\Mojdlm32.exeC:\Windows\system32\Mojdlm32.exe35⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Mgalnk32.exeC:\Windows\system32\Mgalnk32.exe36⤵
- Executes dropped EXE
PID:1112 -
C:\Windows\SysWOW64\Mlndfa32.exeC:\Windows\system32\Mlndfa32.exe37⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Mibeofaf.exeC:\Windows\system32\Mibeofaf.exe38⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Mlqakaqi.exeC:\Windows\system32\Mlqakaqi.exe39⤵
- Executes dropped EXE
PID:2100 -
C:\Windows\SysWOW64\Meiedg32.exeC:\Windows\system32\Meiedg32.exe40⤵
- Executes dropped EXE
PID:1136 -
C:\Windows\SysWOW64\Nlcnaaog.exeC:\Windows\system32\Nlcnaaog.exe41⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Nkfnln32.exeC:\Windows\system32\Nkfnln32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:2568 -
C:\Windows\SysWOW64\Napfihmn.exeC:\Windows\system32\Napfihmn.exe43⤵
- Executes dropped EXE
PID:1244 -
C:\Windows\SysWOW64\Ndnbeclb.exeC:\Windows\system32\Ndnbeclb.exe44⤵
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Nnfgnibb.exeC:\Windows\system32\Nnfgnibb.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2996 -
C:\Windows\SysWOW64\Ndqokc32.exeC:\Windows\system32\Ndqokc32.exe46⤵
- Executes dropped EXE
PID:1536 -
C:\Windows\SysWOW64\Nkjggmal.exeC:\Windows\system32\Nkjggmal.exe47⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\Njmhcj32.exeC:\Windows\system32\Njmhcj32.exe48⤵
- Executes dropped EXE
PID:900 -
C:\Windows\SysWOW64\Npgppdpc.exeC:\Windows\system32\Npgppdpc.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:1456 -
C:\Windows\SysWOW64\Ncellpog.exeC:\Windows\system32\Ncellpog.exe50⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Nkmdmm32.exeC:\Windows\system32\Nkmdmm32.exe51⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Njpdiifd.exeC:\Windows\system32\Njpdiifd.exe52⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Nlnqeeeh.exeC:\Windows\system32\Nlnqeeeh.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:2212 -
C:\Windows\SysWOW64\Ndeifbfj.exeC:\Windows\system32\Ndeifbfj.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\Ngcebnen.exeC:\Windows\system32\Ngcebnen.exe55⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Njbanida.exeC:\Windows\system32\Njbanida.exe56⤵
- Executes dropped EXE
PID:2096 -
C:\Windows\SysWOW64\Nnnmoh32.exeC:\Windows\system32\Nnnmoh32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2876 -
C:\Windows\SysWOW64\Nlpmjdce.exeC:\Windows\system32\Nlpmjdce.exe58⤵
- Executes dropped EXE
PID:2296 -
C:\Windows\SysWOW64\Nqlikc32.exeC:\Windows\system32\Nqlikc32.exe59⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Ocjfgo32.exeC:\Windows\system32\Ocjfgo32.exe60⤵
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\Ofibcj32.exeC:\Windows\system32\Ofibcj32.exe61⤵
- Executes dropped EXE
PID:1216 -
C:\Windows\SysWOW64\Ohgnoeii.exeC:\Windows\system32\Ohgnoeii.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2232 -
C:\Windows\SysWOW64\Ooaflp32.exeC:\Windows\system32\Ooaflp32.exe63⤵
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\Obpbhk32.exeC:\Windows\system32\Obpbhk32.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1616 -
C:\Windows\SysWOW64\Ohikeegf.exeC:\Windows\system32\Ohikeegf.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:2672 -
C:\Windows\SysWOW64\Okhgaqfj.exeC:\Windows\system32\Okhgaqfj.exe66⤵PID:3000
-
C:\Windows\SysWOW64\Obbonk32.exeC:\Windows\system32\Obbonk32.exe67⤵
- System Location Discovery: System Language Discovery
PID:2092 -
C:\Windows\SysWOW64\Odpljf32.exeC:\Windows\system32\Odpljf32.exe68⤵PID:2412
-
C:\Windows\SysWOW64\Omgckcmm.exeC:\Windows\system32\Omgckcmm.exe69⤵PID:2736
-
C:\Windows\SysWOW64\Okjdfq32.exeC:\Windows\system32\Okjdfq32.exe70⤵PID:2780
-
C:\Windows\SysWOW64\Onipbl32.exeC:\Windows\system32\Onipbl32.exe71⤵
- System Location Discovery: System Language Discovery
PID:2592 -
C:\Windows\SysWOW64\Ofphdi32.exeC:\Windows\system32\Ofphdi32.exe72⤵PID:3052
-
C:\Windows\SysWOW64\Oindpd32.exeC:\Windows\system32\Oindpd32.exe73⤵PID:2856
-
C:\Windows\SysWOW64\Okmqlp32.exeC:\Windows\system32\Okmqlp32.exe74⤵PID:1648
-
C:\Windows\SysWOW64\Oqiidg32.exeC:\Windows\system32\Oqiidg32.exe75⤵PID:2132
-
C:\Windows\SysWOW64\Oiqaed32.exeC:\Windows\system32\Oiqaed32.exe76⤵PID:3028
-
C:\Windows\SysWOW64\Pjbnmm32.exeC:\Windows\system32\Pjbnmm32.exe77⤵PID:1824
-
C:\Windows\SysWOW64\Pbienj32.exeC:\Windows\system32\Pbienj32.exe78⤵
- Modifies registry class
PID:1784 -
C:\Windows\SysWOW64\Pegaje32.exeC:\Windows\system32\Pegaje32.exe79⤵PID:2988
-
C:\Windows\SysWOW64\Pjdjbl32.exeC:\Windows\system32\Pjdjbl32.exe80⤵
- Modifies registry class
PID:2976 -
C:\Windows\SysWOW64\Pmbfoh32.exeC:\Windows\system32\Pmbfoh32.exe81⤵PID:1880
-
C:\Windows\SysWOW64\Panboflg.exeC:\Windows\system32\Panboflg.exe82⤵
- Modifies registry class
PID:1540 -
C:\Windows\SysWOW64\Pghklq32.exeC:\Windows\system32\Pghklq32.exe83⤵PID:904
-
C:\Windows\SysWOW64\Pjfghl32.exeC:\Windows\system32\Pjfghl32.exe84⤵
- Modifies registry class
PID:1984 -
C:\Windows\SysWOW64\Paqoef32.exeC:\Windows\system32\Paqoef32.exe85⤵PID:2824
-
C:\Windows\SysWOW64\Pcokaa32.exeC:\Windows\system32\Pcokaa32.exe86⤵PID:2612
-
C:\Windows\SysWOW64\Pfmgmm32.exeC:\Windows\system32\Pfmgmm32.exe87⤵PID:620
-
C:\Windows\SysWOW64\Pmgpjgph.exeC:\Windows\system32\Pmgpjgph.exe88⤵PID:1040
-
C:\Windows\SysWOW64\Ppelfbol.exeC:\Windows\system32\Ppelfbol.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:776 -
C:\Windows\SysWOW64\Pcahga32.exeC:\Windows\system32\Pcahga32.exe90⤵PID:1764
-
C:\Windows\SysWOW64\Pfpdcm32.exeC:\Windows\system32\Pfpdcm32.exe91⤵PID:868
-
C:\Windows\SysWOW64\Pinqoh32.exeC:\Windows\system32\Pinqoh32.exe92⤵PID:1416
-
C:\Windows\SysWOW64\Pllmkcdp.exeC:\Windows\system32\Pllmkcdp.exe93⤵PID:2552
-
C:\Windows\SysWOW64\Pphilb32.exeC:\Windows\system32\Pphilb32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1224 -
C:\Windows\SysWOW64\Qfbahldf.exeC:\Windows\system32\Qfbahldf.exe95⤵PID:2004
-
C:\Windows\SysWOW64\Qeeadi32.exeC:\Windows\system32\Qeeadi32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:276 -
C:\Windows\SysWOW64\Qmlief32.exeC:\Windows\system32\Qmlief32.exe97⤵
- System Location Discovery: System Language Discovery
PID:2716 -
C:\Windows\SysWOW64\Qpjeaa32.exeC:\Windows\system32\Qpjeaa32.exe98⤵PID:1564
-
C:\Windows\SysWOW64\Qbiamm32.exeC:\Windows\system32\Qbiamm32.exe99⤵
- Drops file in System32 directory
PID:2616 -
C:\Windows\SysWOW64\Qegnii32.exeC:\Windows\system32\Qegnii32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3060 -
C:\Windows\SysWOW64\Qhejed32.exeC:\Windows\system32\Qhejed32.exe101⤵
- Drops file in System32 directory
PID:2684 -
C:\Windows\SysWOW64\Qpmbgaid.exeC:\Windows\system32\Qpmbgaid.exe102⤵PID:1072
-
C:\Windows\SysWOW64\Abkncmhh.exeC:\Windows\system32\Abkncmhh.exe103⤵
- System Location Discovery: System Language Discovery
PID:2136 -
C:\Windows\SysWOW64\Aeikohgk.exeC:\Windows\system32\Aeikohgk.exe104⤵PID:2220
-
C:\Windows\SysWOW64\Ahhgkdfo.exeC:\Windows\system32\Ahhgkdfo.exe105⤵PID:1776
-
C:\Windows\SysWOW64\Alcclb32.exeC:\Windows\system32\Alcclb32.exe106⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2544 -
C:\Windows\SysWOW64\Aapkdi32.exeC:\Windows\system32\Aapkdi32.exe107⤵PID:824
-
C:\Windows\SysWOW64\Aelgdhei.exeC:\Windows\system32\Aelgdhei.exe108⤵
- System Location Discovery: System Language Discovery
PID:2032 -
C:\Windows\SysWOW64\Alfpab32.exeC:\Windows\system32\Alfpab32.exe109⤵PID:2188
-
C:\Windows\SysWOW64\Andlmnki.exeC:\Windows\system32\Andlmnki.exe110⤵PID:1588
-
C:\Windows\SysWOW64\Aendjh32.exeC:\Windows\system32\Aendjh32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2772 -
C:\Windows\SysWOW64\Ahmpfc32.exeC:\Windows\system32\Ahmpfc32.exe112⤵PID:2460
-
C:\Windows\SysWOW64\Aofhcmig.exeC:\Windows\system32\Aofhcmig.exe113⤵PID:2352
-
C:\Windows\SysWOW64\Aaeeoihj.exeC:\Windows\system32\Aaeeoihj.exe114⤵
- Drops file in System32 directory
PID:2872 -
C:\Windows\SysWOW64\Adcakdhn.exeC:\Windows\system32\Adcakdhn.exe115⤵PID:2152
-
C:\Windows\SysWOW64\Afamgpga.exeC:\Windows\system32\Afamgpga.exe116⤵PID:2200
-
C:\Windows\SysWOW64\Aipickfe.exeC:\Windows\system32\Aipickfe.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1760 -
C:\Windows\SysWOW64\Amledj32.exeC:\Windows\system32\Amledj32.exe118⤵PID:3012
-
C:\Windows\SysWOW64\Apjbpemb.exeC:\Windows\system32\Apjbpemb.exe119⤵PID:1708
-
C:\Windows\SysWOW64\Adenqd32.exeC:\Windows\system32\Adenqd32.exe120⤵PID:2276
-
C:\Windows\SysWOW64\Afdjmo32.exeC:\Windows\system32\Afdjmo32.exe121⤵PID:1068
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-