Analysis
- max time kernel: 93s
- max time network: 94s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-12-2024 09:25
Static task: static1
Behavioral task: behavioral1
- Sample: 78c8a237567264134f2d77c2fa5e928db7874ee2aca855248f98f2821efe73b4.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 78c8a237567264134f2d77c2fa5e928db7874ee2aca855248f98f2821efe73b4.exe
- Resource: win10v2004-20241007-en
General
- Target: 78c8a237567264134f2d77c2fa5e928db7874ee2aca855248f98f2821efe73b4.exe
- Size: 80KB
- MD5: 94deb3b9f0ae951ff173d81ce92c4cce
- SHA1: 39749c705ff3c50339a4d1d791ad2b403ca62976
- SHA256: 78c8a237567264134f2d77c2fa5e928db7874ee2aca855248f98f2821efe73b4
- SHA512: 1f35d3b99bb6f35b688454cdd4fccea4f862bc6834adb9ebedf4b000627fcb4300be2b6db27f165abe46658dea5897bb1c41a3f9d06e1b20aa9d31038ed5cb9a
- SSDEEP: 1536:iDTrOiuzem1YO91yF2Okk8RJJpXCFc+mBSy/i2L2CYrum8SPGi:1iUemmq1yF2Okk8ReczBSyX2VT8SJ
Malware Config
Extracted family: berbew
Extracted URLs:
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Explorer.exe instantiates every CLSID listed under ShellServiceObjectDelayLoad when the shell starts, so a value added there is logon persistence. The CLSID written here, {79FEACFF-FFCE-815E-A900-316290B5B738}, is the one the dropped components register under Classes\WOW6432Node\CLSID with an InProcServer32 default value naming a DLL in SysWOW64 (see "Modifies registry class" below). One caveat for triage on this 64-bit image: the 32-bit dropper's registry writes were redirected to WOW6432Node and its DLLs landed in SysWOW64, and the 64-bit Explorer.exe cannot load a 32-bit DLL in-process, so treat the entry as an indicator rather than as persistence that takes effect as written on x64 Windows 10.

Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" by: Kmdlffhj.exe, Kgipcogp.exe, Fmhdkknd.exe, Jpfepf32.exe, Dkhnjk32.exe, Hlepcdoa.exe, Njmqnobn.exe, Dahmfpap.exe, Blielbfi.exe, Oghghb32.exe, Giinpa32.exe, Gihgfk32.exe, Kgiiiidd.exe, Fmkqpkla.exe, Jphkkpbp.exe, Enigke32.exe, Fpbflg32.exe, Kkgiimng.exe, Mjmoag32.exe, Knqepc32.exe, Hehkajig.exe, Jcfggkac.exe, Nqmfdj32.exe, Bddjpd32.exe, Cbpajgmf.exe, Lmdnbn32.exe, Bdmmeo32.exe, Nabfjpak.exe, Cpmapodj.exe, Mfchlbfd.exe, Ogjdmbil.exe, Aoioli32.exe, Dpiplm32.exe, Bemqih32.exe, Cnahdi32.exe, Cohkokgj.exe (36 IoCs)

Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad by: Ikkpgafg.exe, Ocjoadei.exe, Pjkmomfn.exe, Gpqjglii.exe, Nhmofj32.exe, Nncccnol.exe, Kdigadjo.exe, Pjpfjl32.exe, Qmeigg32.exe, Ldgccb32.exe, Ckhecmcf.exe, Hmechmip.exe, Kgninn32.exe, Dokgdkeh.exe, Dkhnjk32.exe, Ffqhcq32.exe, Fiaael32.exe, Nagiji32.exe, Bdmmeo32.exe, Digehphc.exe, Gfodeohd.exe, Ckeimm32.exe, Npepkf32.exe, Ipjedh32.exe, Hbhboolf.exe, Qachgk32.exe, Dmennnni.exe, Mgclpkac.exe (28 IoCs)

Berbew family
Executes dropped EXE (64 IoCs)
pid Process: 2572 Fbhpch32.exe; 4056 Fibhpbea.exe; 3276 Fplpll32.exe; 1960 Fjadje32.exe; 4280 Fmpqfq32.exe; 5004 Gdjibj32.exe; 4012 Gigaka32.exe; 3264 Gpqjglii.exe; 4060 Gfkbde32.exe; 2372 Giinpa32.exe; 1108 Gbfldf32.exe; 1916 Gipdap32.exe; 4520 Hdehni32.exe; 3676 Hkpqkcpd.exe; 1216 Hlambk32.exe; 2968 Hgfapd32.exe; 944 Hmpjmn32.exe; 4284 Hginecde.exe; 3924 Hmbfbn32.exe; 3056 Hdmoohbo.exe; 4648 Hkfglb32.exe; 916 Hmechmip.exe; 2924 Hdokdg32.exe; 1444 Hcblpdgg.exe; 4016 Hildmn32.exe; 2196 Idahjg32.exe; 4324 Igpdfb32.exe; 2308 Ikkpgafg.exe; 3168 Igbalblk.exe; 4860 Ipjedh32.exe; 3036 Igdnabjh.exe; 4488 Ilafiihp.exe; 4920 Iggjga32.exe; 4364 Ilccoh32.exe; 4972 Idkkpf32.exe; 4492 Jncoikmp.exe; 388 Jcphab32.exe; 1092 Jjjpnlbd.exe; 4068 Jpdhkf32.exe; 3672 Jjlmclqa.exe; 2400 Jpfepf32.exe; 1568 Jgpmmp32.exe; 400 Jqhafffk.exe; 428 Jknfcofa.exe; 2212 Jlobkg32.exe; 5060 Kjccdkki.exe; 3916 Kdigadjo.exe; 4440 Kggcnoic.exe; 4668 Kmdlffhj.exe; 2352 Kgipcogp.exe; 1168 Kqbdldnq.exe; 3196 Kcpahpmd.exe; 2992 Kkgiimng.exe; 1976 Kmieae32.exe; 4608 Kgninn32.exe; 3804 Kjmfjj32.exe; 4164 Kdbjhbbd.exe; 4080 Lgqfdnah.exe; 2136 Lgccinoe.exe; 1596 Ldgccb32.exe; 840 Lkalplel.exe; 1036 Lmbhgd32.exe; 4732 Lnadagbm.exe; 4420 Lekmnajj.exe
Drops file in System32 directory (64 IoCs)
File created C:\Windows\SysWOW64\Fefedmil.exe by Fnlmhc32.exe
File created C:\Windows\SysWOW64\Jmeede32.exe by Jgkmgk32.exe
File created C:\Windows\SysWOW64\Mmacdg32.dll by Knnhjcog.exe
File opened for modification C:\Windows\SysWOW64\Bkgeainn.exe by Bdmmeo32.exe
File created C:\Windows\SysWOW64\Gipdap32.exe by Gbfldf32.exe
File created C:\Windows\SysWOW64\Najmjokc.exe by Njpdnedf.exe
File opened for modification C:\Windows\SysWOW64\Aknifq32.exe by Ahpmjejp.exe
File created C:\Windows\SysWOW64\Dnjfibml.dll by Bemqih32.exe
File created C:\Windows\SysWOW64\Hemqgjog.dll by Kcpahpmd.exe
File created C:\Windows\SysWOW64\Fdnnlj32.dll by Cbdjeg32.exe
File opened for modification C:\Windows\SysWOW64\Knqepc32.exe by Kpmdfonj.exe
File created C:\Windows\SysWOW64\Mfhbga32.exe by Mqkiok32.exe
File opened for modification C:\Windows\SysWOW64\Ilnbicff.exe by Iedjmioj.exe
File opened for modification C:\Windows\SysWOW64\Hdmoohbo.exe by Hmbfbn32.exe
File opened for modification C:\Windows\SysWOW64\Qklmpalf.exe by Qdbdcg32.exe
File created C:\Windows\SysWOW64\Angdnk32.dll by Dokgdkeh.exe
File opened for modification C:\Windows\SysWOW64\Iepaaico.exe by Ifmqfm32.exe
File created C:\Windows\SysWOW64\Jjofoqdn.dll by Hfjdqmng.exe
File created C:\Windows\SysWOW64\Hockka32.dll by Qjiipk32.exe
File created C:\Windows\SysWOW64\Cogddd32.exe by Cpfcfmlp.exe
File created C:\Windows\SysWOW64\Kmdpiacg.dll by Bllbaa32.exe
File created C:\Windows\SysWOW64\Ckhecmcf.exe by Cleegp32.exe
File created C:\Windows\SysWOW64\Bjjhhfnd.dll by Bkaobnio.exe
File opened for modification C:\Windows\SysWOW64\Cfpffeaj.exe by Cbdjeg32.exe
File opened for modification C:\Windows\SysWOW64\Npepkf32.exe by Nmfcok32.exe
File created C:\Windows\SysWOW64\Lpghll32.dll by Oakbehfe.exe
File created C:\Windows\SysWOW64\Ljhpog32.dll by Naecop32.exe
File created C:\Windows\SysWOW64\Offnhpfo.exe by Ogcnmc32.exe
File opened for modification C:\Windows\SysWOW64\Akkffkhk.exe by Qacameaj.exe
File created C:\Windows\SysWOW64\Klhhpnaf.dll by Gpqjglii.exe
File created C:\Windows\SysWOW64\Njpdnedf.exe by Nagpeo32.exe
File created C:\Windows\SysWOW64\Oddfcg32.dll by Aojefobm.exe
File created C:\Windows\SysWOW64\Qfgllk32.dll by Ifmqfm32.exe
File created C:\Windows\SysWOW64\Egacbb32.dll by Iggjga32.exe
File created C:\Windows\SysWOW64\Klbbcjfp.dll by Olicnfco.exe
File opened for modification C:\Windows\SysWOW64\Alelqb32.exe by Adndoe32.exe
File opened for modification C:\Windows\SysWOW64\Domdjj32.exe by Dokgdkeh.exe
File created C:\Windows\SysWOW64\Ijilflah.dll by Cglbhhga.exe
File created C:\Windows\SysWOW64\Gbnoiqdq.exe by Gpnfge32.exe
File created C:\Windows\SysWOW64\Ifaohg32.dll by Akdilipp.exe
File created C:\Windows\SysWOW64\Bacjdbch.exe by Boenhgdd.exe
File created C:\Windows\SysWOW64\Nmpgal32.dll by Hlambk32.exe
File opened for modification C:\Windows\SysWOW64\Ilafiihp.exe by Igdnabjh.exe
File created C:\Windows\SysWOW64\Jdobpkmb.dll by Qhkdof32.exe
File created C:\Windows\SysWOW64\Fenghpla.dll by Ebnfbcbc.exe
File created C:\Windows\SysWOW64\Fjadje32.exe by Fplpll32.exe
File created C:\Windows\SysWOW64\Aolblopj.exe by Ahbjoe32.exe
File created C:\Windows\SysWOW64\Mmpdhboj.exe by Mgclpkac.exe
File created C:\Windows\SysWOW64\Gmhgag32.dll by Hemdlj32.exe
File created C:\Windows\SysWOW64\Oabhfg32.exe by Omgmeigd.exe
File opened for modification C:\Windows\SysWOW64\Hgfapd32.exe by Hlambk32.exe
File created C:\Windows\SysWOW64\Cnfaohbj.exe by Ckhecmcf.exe
File created C:\Windows\SysWOW64\Cbdjeg32.exe by Cofnik32.exe
File opened for modification C:\Windows\SysWOW64\Lpfgmnfp.exe by Kngkqbgl.exe
File created C:\Windows\SysWOW64\Efjbcakl.exe by Ebnfbcbc.exe
File created C:\Windows\SysWOW64\Ppjbmc32.exe by Pmlfqh32.exe
File created C:\Windows\SysWOW64\Hmechmip.exe by Hkfglb32.exe
File created C:\Windows\SysWOW64\Meiioonj.exe by Mnpabe32.exe
File created C:\Windows\SysWOW64\Pkegpb32.exe by Pdkoch32.exe
File created C:\Windows\SysWOW64\Poigcbng.dll by Domdjj32.exe
File created C:\Windows\SysWOW64\Bphgeo32.exe by Bogkmgba.exe
File created C:\Windows\SysWOW64\Kolfbd32.dll by Cpmapodj.exe
File created C:\Windows\SysWOW64\Jbecoe32.dll by Qkipkani.exe
File created C:\Windows\SysWOW64\Lobpkihi.dll by Hlnjbedi.exe
Program crash (1 IoC)
pid 9236, Process WerFault.exe, pid_target 10060, procid_target 469
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of the host. The NLS\Language key is also read by ordinary locale-aware code, so this signature is weak evidence on its own; it is listed here because the dropped components trigger it too.

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by: Akepfpcl.exe, Enigke32.exe, Hoobdp32.exe, Jpenfp32.exe, Kjmfjj32.exe, Njfagf32.exe, Phdnngdn.exe, Nmdgikhi.exe, Ofkgcobj.exe, Phcgcqab.exe, Cglbhhga.exe, Onpjichj.exe, Geohklaa.exe, Hemdlj32.exe, Fnlmhc32.exe, Kfpcoefj.exe, Ljnlecmp.exe, Lcimdh32.exe, Dpiplm32.exe, Madjhb32.exe, Mgclpkac.exe, Bllbaa32.exe, Fiaael32.exe, Nncccnol.exe, Oabhfg32.exe, Lgqfdnah.exe, Ohhnbhok.exe, Eecphp32.exe, Eiloco32.exe, Eblimcdf.exe, Pmlfqh32.exe, Kjccdkki.exe, Nhmofj32.exe, Plkpcfal.exe, Jilfifme.exe, Pjpfjl32.exe, Bhkfkmmg.exe, Gbfldf32.exe, Bemqih32.exe, Bnmoijje.exe, Jmeede32.exe, Mjmoag32.exe, Cfkmkf32.exe, Iibccgep.exe, Aggpfkjj.exe, Jmbhoeid.exe, Kgiiiidd.exe, Mmmqhl32.exe, Hlnjbedi.exe, Hmmfmhll.exe, Iedjmioj.exe, Knqepc32.exe, Apjkcadp.exe, Idahjg32.exe, Cndeii32.exe, Ekdnei32.exe, Dafppp32.exe, Adkgje32.exe, Bafndi32.exe, Hedafk32.exe, Iplkpa32.exe, Lmbhgd32.exe, Phaahggp.exe, Aamknj32.exe
Modifies registry class (64 IoCs)
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 by: Dheibpje.exe, Ipeeobbe.exe, Efeihb32.exe, Ojajin32.exe, Ilafiihp.exe, Mkhapk32.exe, Oeokal32.exe, Kgiiiidd.exe, Ojfcdnjc.exe, Pnkbkk32.exe, Bpkdjofm.exe, Kjccdkki.exe, Pkgcea32.exe, Bafndi32.exe, Lmbhgd32.exe, Lcimdh32.exe, Aoioli32.exe, Aamknj32.exe, Dpiplm32.exe, Bemqih32.exe, Iedjmioj.exe, Efjbcakl.exe (22 IoCs)

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" by: Lmbhgd32.exe, Olicnfco.exe, Qaalblgi.exe, Nncccnol.exe, Cgifbhid.exe, Hbhboolf.exe, Aokkahlo.exe, Hoobdp32.exe, Cdlqqcnl.exe, Cpfcfmlp.exe, Ohlqcagj.exe, Knnhjcog.exe, Cpmapodj.exe, Kjccdkki.exe, Iinjhh32.exe, Cdimqm32.exe, Fflohaij.exe, Bogkmgba.exe, Cgnomg32.exe, Mokmdh32.exe, Cfpffeaj.exe, Omjpeo32.exe, Gbnoiqdq.exe, Ebnfbcbc.exe (24 IoCs)

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ (default value, the DLL the CLSID loads), by process (18 IoCs):
- = "C:\\Windows\\SysWow64\\Cdecba32.dll" by Dheibpje.exe
- = "C:\\Windows\\SysWow64\\Kdjfee32.dll" by Ennqfenp.exe
- = "C:\\Windows\\SysWow64\\Hemqgjog.dll" by Kcpahpmd.exe
- = "C:\\Windows\\SysWow64\\Mmjmhg32.dll" by Cdlqqcnl.exe
- = "C:\\Windows\\SysWow64\\Edhjghdk.dll" by Chglab32.exe
- = "C:\\Windows\\SysWow64\\Qimkic32.dll" by Njfkmphe.exe
- = "C:\\Windows\\SysWow64\\Ijikdfig.dll" by Adfgdpmi.exe
- = "C:\\Windows\\SysWow64\\Gabmaqlh.dll" by Olfghg32.exe
- = "C:\\Windows\\SysWow64\\Pofkjd32.dll" by Gfkbde32.exe
- = "C:\\Windows\\SysWow64\\Dgnkfj32.dll" by Hginecde.exe
- = "C:\\Windows\\SysWow64\\Ggqecq32.dll" by Eiloco32.exe
- = "C:\\Windows\\SysWow64\\Klhhpnaf.dll" by Gpqjglii.exe
- = "C:\\Windows\\SysWow64\\Dohjem32.dll" by Kngkqbgl.exe
- = "C:\\Windows\\SysWow64\\Hbdmdpjg.dll" by Jcdjbk32.exe
- = "C:\\Windows\\SysWow64\\Ogigdpmb.dll" by Hbhboolf.exe
- = "C:\\Windows\\SysWow64\\Hilpobpd.dll" by Mqkiok32.exe
- = "C:\\Windows\\SysWow64\\Mpggodfg.dll" by Gdjibj32.exe
- = "C:\\Windows\\SysWow64\\Hegaehem.dll" by Bnmoijje.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 3260 wrote to memory of 2572 3260 78c8a237567264134f2d77c2fa5e928db7874ee2aca855248f98f2821efe73b4.exe 85
PID 3260 wrote to memory of 2572 3260 78c8a237567264134f2d77c2fa5e928db7874ee2aca855248f98f2821efe73b4.exe 85
PID 3260 wrote to memory of 2572 3260 78c8a237567264134f2d77c2fa5e928db7874ee2aca855248f98f2821efe73b4.exe 85
PID 2572 wrote to memory of 4056 2572 Fbhpch32.exe 86
PID 2572 wrote to memory of 4056 2572 Fbhpch32.exe 86
PID 2572 wrote to memory of 4056 2572 Fbhpch32.exe 86
PID 4056 wrote to memory of 3276 4056 Fibhpbea.exe 87
PID 4056 wrote to memory of 3276 4056 Fibhpbea.exe 87
PID 4056 wrote to memory of 3276 4056 Fibhpbea.exe 87
PID 3276 wrote to memory of 1960 3276 Fplpll32.exe 88
PID 3276 wrote to memory of 1960 3276 Fplpll32.exe 88
PID 3276 wrote to memory of 1960 3276 Fplpll32.exe 88
PID 1960 wrote to memory of 4280 1960 Fjadje32.exe 89
PID 1960 wrote to memory of 4280 1960 Fjadje32.exe 89
PID 1960 wrote to memory of 4280 1960 Fjadje32.exe 89
PID 4280 wrote to memory of 5004 4280 Fmpqfq32.exe 90
PID 4280 wrote to memory of 5004 4280 Fmpqfq32.exe 90
PID 4280 wrote to memory of 5004 4280 Fmpqfq32.exe 90
PID 5004 wrote to memory of 4012 5004 Gdjibj32.exe 91
PID 5004 wrote to memory of 4012 5004 Gdjibj32.exe 91
PID 5004 wrote to memory of 4012 5004 Gdjibj32.exe 91
PID 4012 wrote to memory of 3264 4012 Gigaka32.exe 92
PID 4012 wrote to memory of 3264 4012 Gigaka32.exe 92
PID 4012 wrote to memory of 3264 4012 Gigaka32.exe 92
PID 3264 wrote to memory of 4060 3264 Gpqjglii.exe 93
PID 3264 wrote to memory of 4060 3264 Gpqjglii.exe 93
PID 3264 wrote to memory of 4060 3264 Gpqjglii.exe 93
PID 4060 wrote to memory of 2372 4060 Gfkbde32.exe 94
PID 4060 wrote to memory of 2372 4060 Gfkbde32.exe 94
PID 4060 wrote to memory of 2372 4060 Gfkbde32.exe 94
PID 2372 wrote to memory of 1108 2372 Giinpa32.exe 95
PID 2372 wrote to memory of 1108 2372 Giinpa32.exe 95
PID 2372 wrote to memory of 1108 2372 Giinpa32.exe 95
PID 1108 wrote to memory of 1916 1108 Gbfldf32.exe 96
PID 1108 wrote to memory of 1916 1108 Gbfldf32.exe 96
PID 1108 wrote to memory of 1916 1108 Gbfldf32.exe 96
PID 1916 wrote to memory of 4520 1916 Gipdap32.exe 97
PID 1916 wrote to memory of 4520 1916 Gipdap32.exe 97
PID 1916 wrote to memory of 4520 1916 Gipdap32.exe 97
PID 4520 wrote to memory of 3676 4520 Hdehni32.exe 98
PID 4520 wrote to memory of 3676 4520 Hdehni32.exe 98
PID 4520 wrote to memory of 3676 4520 Hdehni32.exe 98
PID 3676 wrote to memory of 1216 3676 Hkpqkcpd.exe 99
PID 3676 wrote to memory of 1216 3676 Hkpqkcpd.exe 99
PID 3676 wrote to memory of 1216 3676 Hkpqkcpd.exe 99
PID 1216 wrote to memory of 2968 1216 Hlambk32.exe 100
PID 1216 wrote to memory of 2968 1216 Hlambk32.exe 100
PID 1216 wrote to memory of 2968 1216 Hlambk32.exe 100
PID 2968 wrote to memory of 944 2968 Hgfapd32.exe 101
PID 2968 wrote to memory of 944 2968 Hgfapd32.exe 101
PID 2968 wrote to memory of 944 2968 Hgfapd32.exe 101
PID 944 wrote to memory of 4284 944 Hmpjmn32.exe 102
PID 944 wrote to memory of 4284 944 Hmpjmn32.exe 102
PID 944 wrote to memory of 4284 944 Hmpjmn32.exe 102
PID 4284 wrote to memory of 3924 4284 Hginecde.exe 103
PID 4284 wrote to memory of 3924 4284 Hginecde.exe 103
PID 4284 wrote to memory of 3924 4284 Hginecde.exe 103
PID 3924 wrote to memory of 3056 3924 Hmbfbn32.exe 104
PID 3924 wrote to memory of 3056 3924 Hmbfbn32.exe 104
PID 3924 wrote to memory of 3056 3924 Hmbfbn32.exe 104
PID 3056 wrote to memory of 4648 3056 Hdmoohbo.exe 105
PID 3056 wrote to memory of 4648 3056 Hdmoohbo.exe 105
PID 3056 wrote to memory of 4648 3056 Hdmoohbo.exe 105
PID 4648 wrote to memory of 916 4648 Hkfglb32.exe 106
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\78c8a237567264134f2d77c2fa5e928db7874ee2aca855248f98f2821efe73b4.exe, command line "C:\Users\Admin\AppData\Local\Temp\78c8a237567264134f2d77c2fa5e928db7874ee2aca855248f98f2821efe73b4.exe", PID 3260
- Suspicious use of WriteProcessMemory
[2] C:\Windows\SysWOW64\Fbhpch32.exe, command line C:\Windows\system32\Fbhpch32.exe, PID 2572
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[3] C:\Windows\SysWOW64\Fibhpbea.exe, command line C:\Windows\system32\Fibhpbea.exe, PID 4056
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[4] C:\Windows\SysWOW64\Fplpll32.exe, command line C:\Windows\system32\Fplpll32.exe, PID 3276
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
[5] C:\Windows\SysWOW64\Fjadje32.exe, command line C:\Windows\system32\Fjadje32.exe, PID 1960
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[6] C:\Windows\SysWOW64\Fmpqfq32.exe, command line C:\Windows\system32\Fmpqfq32.exe, PID 4280
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[7] C:\Windows\SysWOW64\Gdjibj32.exe, command line C:\Windows\system32\Gdjibj32.exe, PID 5004
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
[8] C:\Windows\SysWOW64\Gigaka32.exe, command line C:\Windows\system32\Gigaka32.exe, PID 4012
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[9] C:\Windows\SysWOW64\Gpqjglii.exe, command line C:\Windows\system32\Gpqjglii.exe, PID 3264
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
[10] C:\Windows\SysWOW64\Gfkbde32.exe, command line C:\Windows\system32\Gfkbde32.exe, PID 4060
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
[11] C:\Windows\SysWOW64\Giinpa32.exe, command line C:\Windows\system32\Giinpa32.exe, PID 2372
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[12] C:\Windows\SysWOW64\Gbfldf32.exe, command line C:\Windows\system32\Gbfldf32.exe, PID 1108
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
[13] C:\Windows\SysWOW64\Gipdap32.exe, command line C:\Windows\system32\Gipdap32.exe, PID 1916
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[14] C:\Windows\SysWOW64\Hdehni32.exe, command line C:\Windows\system32\Hdehni32.exe, PID 4520
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[15] C:\Windows\SysWOW64\Hkpqkcpd.exe, command line C:\Windows\system32\Hkpqkcpd.exe, PID 3676
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[16] C:\Windows\SysWOW64\Hlambk32.exe, command line C:\Windows\system32\Hlambk32.exe, PID 1216
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
[17] C:\Windows\SysWOW64\Hgfapd32.exe, command line C:\Windows\system32\Hgfapd32.exe, PID 2968
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[18] C:\Windows\SysWOW64\Hmpjmn32.exe, command line C:\Windows\system32\Hmpjmn32.exe, PID 944
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[19] C:\Windows\SysWOW64\Hginecde.exe, command line C:\Windows\system32\Hginecde.exe, PID 4284
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
[20] C:\Windows\SysWOW64\Hmbfbn32.exe, command line C:\Windows\system32\Hmbfbn32.exe, PID 3924
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
[21] C:\Windows\SysWOW64\Hdmoohbo.exe, command line C:\Windows\system32\Hdmoohbo.exe, PID 3056
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[22] C:\Windows\SysWOW64\Hkfglb32.exe, command line C:\Windows\system32\Hkfglb32.exe, PID 4648
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
[23] C:\Windows\SysWOW64\Hmechmip.exe, command line C:\Windows\system32\Hmechmip.exe, PID 916
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
[24] C:\Windows\SysWOW64\Hdokdg32.exe, command line C:\Windows\system32\Hdokdg32.exe, PID 2924
- Executes dropped EXE
[25] C:\Windows\SysWOW64\Hcblpdgg.exe, command line C:\Windows\system32\Hcblpdgg.exe, PID 1444
- Executes dropped EXE
[26] C:\Windows\SysWOW64\Hildmn32.exe, command line C:\Windows\system32\Hildmn32.exe, PID 4016
- Executes dropped EXE
[27] C:\Windows\SysWOW64\Idahjg32.exe, command line C:\Windows\system32\Idahjg32.exe, PID 2196
- Executes dropped EXE
- System Location Discovery: System Language Discovery
[28] C:\Windows\SysWOW64\Igpdfb32.exe, command line C:\Windows\system32\Igpdfb32.exe, PID 4324
- Executes dropped EXE
[29] C:\Windows\SysWOW64\Ikkpgafg.exe, command line C:\Windows\system32\Ikkpgafg.exe, PID 2308
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
[30] C:\Windows\SysWOW64\Igbalblk.exe, command line C:\Windows\system32\Igbalblk.exe, PID 3168
- Executes dropped EXE
[31] C:\Windows\SysWOW64\Ipjedh32.exe, command line C:\Windows\system32\Ipjedh32.exe, PID 4860
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
[32] C:\Windows\SysWOW64\Igdnabjh.exe, command line C:\Windows\system32\Igdnabjh.exe, PID 3036
- Executes dropped EXE
- Drops file in System32 directory
[33] C:\Windows\SysWOW64\Ilafiihp.exe, command line C:\Windows\system32\Ilafiihp.exe, PID 4488
- Executes dropped EXE
- Modifies registry class
[34] C:\Windows\SysWOW64\Iggjga32.exe, command line C:\Windows\system32\Iggjga32.exe, PID 4920
- Executes dropped EXE
- Drops file in System32 directory
[35] C:\Windows\SysWOW64\Ilccoh32.exe, command line C:\Windows\system32\Ilccoh32.exe, PID 4364
- Executes dropped EXE
[36] C:\Windows\SysWOW64\Idkkpf32.exe, command line C:\Windows\system32\Idkkpf32.exe, PID 4972
- Executes dropped EXE
[37] C:\Windows\SysWOW64\Jncoikmp.exe, command line C:\Windows\system32\Jncoikmp.exe, PID 4492
- Executes dropped EXE
[38] C:\Windows\SysWOW64\Jcphab32.exe, command line C:\Windows\system32\Jcphab32.exe, PID 388
- Executes dropped EXE
[39] C:\Windows\SysWOW64\Jjjpnlbd.exe, command line C:\Windows\system32\Jjjpnlbd.exe, PID 1092
- Executes dropped EXE
[40] C:\Windows\SysWOW64\Jpdhkf32.exe, command line C:\Windows\system32\Jpdhkf32.exe, PID 4068
- Executes dropped EXE
[41] C:\Windows\SysWOW64\Jjlmclqa.exe, command line C:\Windows\system32\Jjlmclqa.exe, PID 3672
- Executes dropped EXE
[42] C:\Windows\SysWOW64\Jpfepf32.exe, command line C:\Windows\system32\Jpfepf32.exe, PID 2400
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
[43] C:\Windows\SysWOW64\Jgpmmp32.exe, command line C:\Windows\system32\Jgpmmp32.exe, PID 1568
- Executes dropped EXE
[44] C:\Windows\SysWOW64\Jqhafffk.exe, command line C:\Windows\system32\Jqhafffk.exe, PID 400
- Executes dropped EXE
[45] C:\Windows\SysWOW64\Jknfcofa.exe, command line C:\Windows\system32\Jknfcofa.exe, PID 428
- Executes dropped EXE
[46] C:\Windows\SysWOW64\Jlobkg32.exe, command line C:\Windows\system32\Jlobkg32.exe, PID 2212
- Executes dropped EXE
[47] C:\Windows\SysWOW64\Kjccdkki.exe, command line C:\Windows\system32\Kjccdkki.exe, PID 5060
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
[48] C:\Windows\SysWOW64\Kdigadjo.exe, command line C:\Windows\system32\Kdigadjo.exe, PID 3916
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
[49] C:\Windows\SysWOW64\Kggcnoic.exe, command line C:\Windows\system32\Kggcnoic.exe, PID 4440
- Executes dropped EXE
[50] C:\Windows\SysWOW64\Kmdlffhj.exe, command line C:\Windows\system32\Kmdlffhj.exe, PID 4668
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
[51] C:\Windows\SysWOW64\Kgipcogp.exe, command line C:\Windows\system32\Kgipcogp.exe, PID 2352
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
[52] C:\Windows\SysWOW64\Kqbdldnq.exe, command line C:\Windows\system32\Kqbdldnq.exe, PID 1168
- Executes dropped EXE
[53] C:\Windows\SysWOW64\Kcpahpmd.exe, command line C:\Windows\system32\Kcpahpmd.exe, PID 3196
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
[54] C:\Windows\SysWOW64\Kkgiimng.exe, command line C:\Windows\system32\Kkgiimng.exe, PID 2992
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
[55] C:\Windows\SysWOW64\Kmieae32.exe, command line C:\Windows\system32\Kmieae32.exe, PID 1976
- Executes dropped EXE
[56] C:\Windows\SysWOW64\Kgninn32.exe, command line C:\Windows\system32\Kgninn32.exe, PID 4608
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
[57] C:\Windows\SysWOW64\Kjmfjj32.exe, command line C:\Windows\system32\Kjmfjj32.exe, PID 3804
- Executes dropped EXE
- System Location Discovery: System Language Discovery
[58] C:\Windows\SysWOW64\Kdbjhbbd.exe, command line C:\Windows\system32\Kdbjhbbd.exe, PID 4164
- Executes dropped EXE
[59] C:\Windows\SysWOW64\Lgqfdnah.exe, command line C:\Windows\system32\Lgqfdnah.exe, PID 4080
- Executes dropped EXE
- System Location Discovery: System Language Discovery
[60] C:\Windows\SysWOW64\Lgccinoe.exe, command line C:\Windows\system32\Lgccinoe.exe, PID 2136
- Executes dropped EXE
[61] C:\Windows\SysWOW64\Ldgccb32.exe, command line C:\Windows\system32\Ldgccb32.exe, PID 1596
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
[62] C:\Windows\SysWOW64\Lkalplel.exe, command line C:\Windows\system32\Lkalplel.exe, PID 840
- Executes dropped EXE
[63] C:\Windows\SysWOW64\Lmbhgd32.exe, command line C:\Windows\system32\Lmbhgd32.exe, PID 1036
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
[64] C:\Windows\SysWOW64\Lnadagbm.exe, command line C:\Windows\system32\Lnadagbm.exe, PID 4732
- Executes dropped EXE
[65] C:\Windows\SysWOW64\Lekmnajj.exe, command line C:\Windows\system32\Lekmnajj.exe, PID 4420
- Executes dropped EXE
[66] C:\Windows\SysWOW64\Mkhapk32.exe, command line C:\Windows\system32\Mkhapk32.exe, PID 872
- Modifies registry class
[67] C:\Windows\SysWOW64\Madjhb32.exe, command line C:\Windows\system32\Madjhb32.exe, PID 4880
- System Location Discovery: System Language Discovery
[68] C:\Windows\SysWOW64\Mjmoag32.exe, command line C:\Windows\system32\Mjmoag32.exe, PID 4084
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
[69] C:\Windows\SysWOW64\Mcecjmkl.exe, command line C:\Windows\system32\Mcecjmkl.exe, PID 836
[70] C:\Windows\SysWOW64\Maiccajf.exe, command line C:\Windows\system32\Maiccajf.exe, PID 4848
[71] C:\Windows\SysWOW64\Mgclpkac.exe, command line C:\Windows\system32\Mgclpkac.exe, PID 1696
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
[72] C:\Windows\SysWOW64\Mmpdhboj.exe, command line C:\Windows\system32\Mmpdhboj.exe, PID 4748
[73] C:\Windows\SysWOW64\Megljppl.exe, command line C:\Windows\system32\Megljppl.exe, PID 3872
[74] C:\Windows\SysWOW64\Mnpabe32.exe, command line C:\Windows\system32\Mnpabe32.exe, PID 3952
- Drops file in System32 directory
[75] C:\Windows\SysWOW64\Meiioonj.exe, command line C:\Windows\system32\Meiioonj.exe, PID 3548
[76] C:\Windows\SysWOW64\Njfagf32.exe, command line C:\Windows\system32\Njfagf32.exe, PID 4872
- System Location Discovery: System Language Discovery
[77] C:\Windows\SysWOW64\Nnbnhedj.exe, command line C:\Windows\system32\Nnbnhedj.exe, PID 1572
[78] C:\Windows\SysWOW64\Nlfnaicd.exe, command line C:\Windows\system32\Nlfnaicd.exe, PID 3460
[79] C:\Windows\SysWOW64\Nabfjpak.exe, command line C:\Windows\system32\Nabfjpak.exe, PID 4736
- Adds autorun key to be loaded by Explorer.exe on startup
[80] C:\Windows\SysWOW64\Nhmofj32.exe, command line C:\Windows\system32\Nhmofj32.exe, PID 2564
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
[81] C:\Windows\SysWOW64\Naecop32.exe, command line C:\Windows\system32\Naecop32.exe, PID 4448
- Drops file in System32 directory
[82] C:\Windows\SysWOW64\Nhokljge.exe, command line C:\Windows\system32\Nhokljge.exe, PID 4264
[83] C:\Windows\SysWOW64\Nagpeo32.exe, command line C:\Windows\system32\Nagpeo32.exe, PID 4388
- Drops file in System32 directory
[84] C:\Windows\SysWOW64\Njpdnedf.exe, command line C:\Windows\system32\Njpdnedf.exe, PID 1164
- Drops file in System32 directory
[85] C:\Windows\SysWOW64\Najmjokc.exe, command line C:\Windows\system32\Najmjokc.exe, PID 2276
[86] C:\Windows\SysWOW64\Ojbacd32.exe, command line C:\Windows\system32\Ojbacd32.exe, PID 1684
[87] C:\Windows\SysWOW64\Oeheqm32.exe, command line C:\Windows\system32\Oeheqm32.exe, PID 3188
[88] C:\Windows\SysWOW64\Onpjichj.exe, command line C:\Windows\system32\Onpjichj.exe, PID 3008
- System Location Discovery: System Language Discovery
[89] C:\Windows\SysWOW64\Oejbfmpg.exe, command line C:\Windows\system32\Oejbfmpg.exe, PID 2236
[90] C:\Windows\SysWOW64\Ohhnbhok.exe, command line C:\Windows\system32\Ohhnbhok.exe, PID 620
- System Location Discovery: System Language Discovery
[91] C:\Windows\SysWOW64\Omegjomb.exe, command line C:\Windows\system32\Omegjomb.exe, PID 1500
[92] C:\Windows\SysWOW64\Oelolmnd.exe, command line C:\Windows\system32\Oelolmnd.exe, PID 3780
[93] C:\Windows\SysWOW64\Olfghg32.exe, command line C:\Windows\system32\Olfghg32.exe, PID 3936
- Modifies registry class
[94] C:\Windows\SysWOW64\Oodcdb32.exe, command line C:\Windows\system32\Oodcdb32.exe, PID 1748
[95] C:\Windows\SysWOW64\Oeokal32.exe, command line C:\Windows\system32\Oeokal32.exe, PID 3564
- Modifies registry class
[96] C:\Windows\SysWOW64\Olicnfco.exe, command line C:\Windows\system32\Olicnfco.exe, PID 3728
- Drops file in System32 directory
- Modifies registry class
[97] C:\Windows\SysWOW64\Oogpjbbb.exe, command line C:\Windows\system32\Oogpjbbb.exe, PID 2880
[98] C:\Windows\SysWOW64\Omjpeo32.exe, command line C:\Windows\system32\Omjpeo32.exe, PID 320
- Modifies registry class
[99] C:\Windows\SysWOW64\Plkpcfal.exe, command line C:\Windows\system32\Plkpcfal.exe, PID 2432
- System Location Discovery: System Language Discovery
[100] C:\Windows\SysWOW64\Pahilmoc.exe, command line C:\Windows\system32\Pahilmoc.exe, PID 4392
[101] C:\Windows\SysWOW64\Phaahggp.exe, command line C:\Windows\system32\Phaahggp.exe, PID 4076
- System Location Discovery: System Language Discovery
[102] C:\Windows\SysWOW64\Pmoiqneg.exe, command line C:\Windows\system32\Pmoiqneg.exe, PID 1152
[103] C:\Windows\SysWOW64\Pefabkej.exe, command line C:\Windows\system32\Pefabkej.exe, PID 4288
[104] C:\Windows\SysWOW64\Phdnngdn.exe, command line C:\Windows\system32\Phdnngdn.exe, PID 2416
- System Location Discovery: System Language Discovery
[105] C:\Windows\SysWOW64\Pmaffnce.exe, command line C:\Windows\system32\Pmaffnce.exe, PID 4504
[106] C:\Windows\SysWOW64\Pdkoch32.exe, command line C:\Windows\system32\Pdkoch32.exe, PID 1192
- Drops file in System32 directory
[107] C:\Windows\SysWOW64\Pkegpb32.exe, command line C:\Windows\system32\Pkegpb32.exe, PID 4968
[108] C:\Windows\SysWOW64\Paoollik.exe, command line C:\Windows\system32\Paoollik.exe, PID 4516
[109] C:\Windows\SysWOW64\Pdmkhgho.exe, command line C:\Windows\system32\Pdmkhgho.exe, PID 3376
[110] C:\Windows\SysWOW64\Pkgcea32.exe, command line C:\Windows\system32\Pkgcea32.exe, PID 3584
- Modifies registry class
[111] C:\Windows\SysWOW64\Qaalblgi.exe, command line C:\Windows\system32\Qaalblgi.exe, PID 5132
- Modifies registry class
[112] C:\Windows\SysWOW64\Qhkdof32.exe, command line C:\Windows\system32\Qhkdof32.exe, PID 5176
- Drops file in System32 directory
[113] C:\Windows\SysWOW64\Qkipkani.exe, command line C:\Windows\system32\Qkipkani.exe, PID 5220
- Drops file in System32 directory
[114] C:\Windows\SysWOW64\Qachgk32.exe, command line C:\Windows\system32\Qachgk32.exe, PID 5264
- Adds autorun key to be loaded by Explorer.exe on startup
[115] C:\Windows\SysWOW64\Qdbdcg32.exe, command line C:\Windows\system32\Qdbdcg32.exe, PID 5308
- Drops file in System32 directory
[116] C:\Windows\SysWOW64\Qklmpalf.exe, command line C:\Windows\system32\Qklmpalf.exe, PID 5352
[117] C:\Windows\SysWOW64\Amjillkj.exe, command line C:\Windows\system32\Amjillkj.exe, PID 5412
[118] C:\Windows\SysWOW64\Ahpmjejp.exe, command line C:\Windows\system32\Ahpmjejp.exe, PID 5456
- Drops file in System32 directory
[119] C:\Windows\SysWOW64\Aknifq32.exe, command line C:\Windows\system32\Aknifq32.exe, PID 5500
[120] C:\Windows\SysWOW64\Aojefobm.exe, command line C:\Windows\system32\Aojefobm.exe, PID 5544
- Drops file in System32 directory
[121] C:\Windows\SysWOW64\Ahbjoe32.exe, command line C:\Windows\system32\Ahbjoe32.exe, PID 5588
- Drops file in System32 directory
[122] C:\Windows\SysWOW64\Aolblopj.exe, command line C:\Windows\system32\Aolblopj.exe, PID 5632