Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
24-12-2024 20:01
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1859bf65d69f2cb2c3ace02e45088894a85371530080f77e1d3ea1993a283774.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
1859bf65d69f2cb2c3ace02e45088894a85371530080f77e1d3ea1993a283774.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
1859bf65d69f2cb2c3ace02e45088894a85371530080f77e1d3ea1993a283774.exe
-
Size
76KB
-
MD5
c2fbf92385f58fae4145918c6edaa4d3
-
SHA1
bd1bcfe57ed478765d0acfe8528a1570010d2065
-
SHA256
1859bf65d69f2cb2c3ace02e45088894a85371530080f77e1d3ea1993a283774
-
SHA512
56c5d2c6ac1a5e7741d9eaab4798ed37eb4d341a934badb39c0f10de06f42d90d9f9a5f94abcbc96d57fb60125e6f357d06808ac5e65ef609b816471bef4179f
-
SSDEEP
1536:Q/YjeVtjXBc4YnkAuBnIbBtAxr3H+Lf+PHioQV+/eCeyvCQy:jjefjRcmnIbBGOaHrk+M
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfmndn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nibqqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cepipm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghajacmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnckjddd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjegog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnacpffh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbdiia32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgnjde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fncpef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjlmpfhg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knfndjdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmkhjncg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccbphk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmmmfc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpkibo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfegij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohfqmi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akiobk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgbfnngi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfkeokjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mggabaea.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjhjdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlcibc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Napbjjom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogknoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qgjccb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cocphf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onfoin32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dknajh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpicle32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhgnaehm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohiffh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfeepelg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qdojgmfe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emagacdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdkklp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffodjh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnkjnb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oaqbln32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfkapb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cicalakk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfphcj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddfebnoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfhgpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkglnm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jialfgcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Necogkbo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aoojnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qnghel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agdmdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agdmdg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Befmfpbi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofhjopbg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qgjccb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlkjne32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgffhkoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncnngfna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njjcip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjdkjpkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnnaoe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogknoe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aqjdgmgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbiiog32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2360 Kpcqnf32.exe 2916 Kcamjb32.exe 2300 Kbdmeoob.exe 2900 Khoebi32.exe 2772 Kohnoc32.exe 2272 Kdefgj32.exe 2596 Kllnhg32.exe 3040 Kbigpn32.exe 688 Kdhcli32.exe 1696 Kgfoie32.exe 1800 Lnpgeopa.exe 1424 Lqncaj32.exe 1384 Lhelbh32.exe 2652 Ljghjpfe.exe 1792 Lbnpkmfg.exe 344 Ldllgiek.exe 2996 Lgkhdddo.exe 960 Lmgalkcf.exe 2276 Ldoimh32.exe 1664 Ljkaeo32.exe 1796 Lmjnak32.exe 2408 Lgoboc32.exe 3060 Ljnnko32.exe 2168 Lqhfhigj.exe 2308 Lcfbdd32.exe 2336 Mmogmjmn.exe 2676 Mpmcielb.exe 2844 Miehak32.exe 2912 Mkddnf32.exe 2792 Mpopnejo.exe 2632 Mfihkoal.exe 1844 Mlfacfpc.exe 2400 Mbpipp32.exe 768 Mlhnifmq.exe 1480 Mjkndb32.exe 1056 Mngjeamd.exe 2572 Maefamlh.exe 2164 Mlkjne32.exe 2220 Nmlgfnal.exe 2496 Necogkbo.exe 2468 Nfdkoc32.exe 1344 Nnkcpq32.exe 1192 Npmphinm.exe 1672 Njbdea32.exe 796 Nmqpam32.exe 1656 Nallalep.exe 584 Ndkhngdd.exe 1096 Nbniid32.exe 2880 Njdqka32.exe 2084 Nigafnck.exe 2716 Nmcmgm32.exe 2616 Npaich32.exe 2656 Nbpeoc32.exe 2008 Nfkapb32.exe 1776 Nenakoho.exe 1488 Nmejllia.exe 1148 Npdfhhhe.exe 2936 Noffdd32.exe 2828 Nfnneb32.exe 828 Neqnqofm.exe 1628 Oiljam32.exe 1988 Ohojmjep.exe 872 Ooicid32.exe 3068 Obdojcef.exe -
Loads dropped DLL 64 IoCs
pid Process 2972 1859bf65d69f2cb2c3ace02e45088894a85371530080f77e1d3ea1993a283774.exe 2972 1859bf65d69f2cb2c3ace02e45088894a85371530080f77e1d3ea1993a283774.exe 2360 Kpcqnf32.exe 2360 Kpcqnf32.exe 2916 Kcamjb32.exe 2916 Kcamjb32.exe 2300 Kbdmeoob.exe 2300 Kbdmeoob.exe 2900 Khoebi32.exe 2900 Khoebi32.exe 2772 Kohnoc32.exe 2772 Kohnoc32.exe 2272 Kdefgj32.exe 2272 Kdefgj32.exe 2596 Kllnhg32.exe 2596 Kllnhg32.exe 3040 Kbigpn32.exe 3040 Kbigpn32.exe 688 Kdhcli32.exe 688 Kdhcli32.exe 1696 Kgfoie32.exe 1696 Kgfoie32.exe 1800 Lnpgeopa.exe 1800 Lnpgeopa.exe 1424 Lqncaj32.exe 1424 Lqncaj32.exe 1384 Lhelbh32.exe 1384 Lhelbh32.exe 2652 Ljghjpfe.exe 2652 Ljghjpfe.exe 1792 Lbnpkmfg.exe 1792 Lbnpkmfg.exe 344 Ldllgiek.exe 344 Ldllgiek.exe 2996 Lgkhdddo.exe 2996 Lgkhdddo.exe 960 Lmgalkcf.exe 960 Lmgalkcf.exe 2276 Ldoimh32.exe 2276 Ldoimh32.exe 1664 Ljkaeo32.exe 1664 Ljkaeo32.exe 1796 Lmjnak32.exe 1796 Lmjnak32.exe 2408 Lgoboc32.exe 2408 Lgoboc32.exe 3060 Ljnnko32.exe 3060 Ljnnko32.exe 2168 Lqhfhigj.exe 2168 Lqhfhigj.exe 2308 Lcfbdd32.exe 2308 Lcfbdd32.exe 2336 Mmogmjmn.exe 2336 Mmogmjmn.exe 2676 Mpmcielb.exe 2676 Mpmcielb.exe 2844 Miehak32.exe 2844 Miehak32.exe 2912 Mkddnf32.exe 2912 Mkddnf32.exe 2792 Mpopnejo.exe 2792 Mpopnejo.exe 2632 Mfihkoal.exe 2632 Mfihkoal.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Mjkgjl32.exe Mbcoio32.exe File opened for modification C:\Windows\SysWOW64\Bdcifi32.exe Bqgmfkhg.exe File opened for modification C:\Windows\SysWOW64\Nnkcpq32.exe Nfdkoc32.exe File created C:\Windows\SysWOW64\Nfkapb32.exe Nbpeoc32.exe File opened for modification C:\Windows\SysWOW64\Odjdmjgo.exe Oalhqohl.exe File created C:\Windows\SysWOW64\Dhiomn32.exe Difnaqih.exe File created C:\Windows\SysWOW64\Goplilpf.exe Gkephn32.exe File created C:\Windows\SysWOW64\Lbcbjlmb.exe Loefnpnn.exe File opened for modification C:\Windows\SysWOW64\Iafnjg32.exe Ibcnojnp.exe File created C:\Windows\SysWOW64\Jlnklcej.exe Jhbold32.exe File created C:\Windows\SysWOW64\Ojefmknj.dll Pepcelel.exe File created C:\Windows\SysWOW64\Gpihdl32.dll Locjhqpa.exe File created C:\Windows\SysWOW64\Oiljam32.exe Neqnqofm.exe File created C:\Windows\SysWOW64\Becpap32.exe Bbeded32.exe File created C:\Windows\SysWOW64\Oggfcl32.dll Hldlga32.exe File created C:\Windows\SysWOW64\Hcenjk32.dll Jgabdlfb.exe File opened for modification C:\Windows\SysWOW64\Ljfapjbi.exe Lfkeokjp.exe File opened for modification C:\Windows\SysWOW64\Lldmleam.exe Ljfapjbi.exe File opened for modification C:\Windows\SysWOW64\Adcdbl32.exe Aqhhanig.exe File opened for modification C:\Windows\SysWOW64\Eogmcjef.exe Elipgofb.exe File opened for modification C:\Windows\SysWOW64\Hmdhad32.exe Hemqpf32.exe File created C:\Windows\SysWOW64\Jedcpi32.exe Jgabdlfb.exe File opened for modification C:\Windows\SysWOW64\Mnmpdlac.exe Mjaddn32.exe File created C:\Windows\SysWOW64\Mdghaf32.exe Mqklqhpg.exe File opened for modification C:\Windows\SysWOW64\Lgoboc32.exe Lmjnak32.exe File created C:\Windows\SysWOW64\Locjhqpa.exe Lkgngb32.exe File opened for modification C:\Windows\SysWOW64\Odedge32.exe Oaghki32.exe File opened for modification C:\Windows\SysWOW64\Agdmdg32.exe Aciqcifh.exe File opened for modification C:\Windows\SysWOW64\Bfncpcoc.exe Bbbgod32.exe File created C:\Windows\SysWOW64\Eldglp32.exe Emagacdm.exe File created C:\Windows\SysWOW64\Iahkpg32.exe Injndk32.exe File opened for modification C:\Windows\SysWOW64\Kpkpadnl.exe Klpdaf32.exe File opened for modification C:\Windows\SysWOW64\Oippjl32.exe Ofadnq32.exe File opened for modification C:\Windows\SysWOW64\Fkecij32.exe Fgigil32.exe File opened for modification C:\Windows\SysWOW64\Mmogmjmn.exe Lcfbdd32.exe File created C:\Windows\SysWOW64\Ieabog32.dll Nallalep.exe File created C:\Windows\SysWOW64\Hqpagjge.dll Fjegog32.exe File created C:\Windows\SysWOW64\Mmbmeifk.exe Mkqqnq32.exe File created C:\Windows\SysWOW64\Nfnneb32.exe Noffdd32.exe File opened for modification C:\Windows\SysWOW64\Pdonhj32.exe Ppcbgkka.exe File opened for modification C:\Windows\SysWOW64\Cicalakk.exe Cehfkb32.exe File created C:\Windows\SysWOW64\Hnjbeh32.exe Hjofdi32.exe File opened for modification C:\Windows\SysWOW64\Injndk32.exe Ijnbcmkk.exe File created C:\Windows\SysWOW64\Ampjoj32.dll Mmogmjmn.exe File opened for modification C:\Windows\SysWOW64\Pgnjde32.exe Pdonhj32.exe File created C:\Windows\SysWOW64\Ohceeg32.dll Eaeipfei.exe File created C:\Windows\SysWOW64\Kqcjjk32.dll Paknelgk.exe File created C:\Windows\SysWOW64\Bgmaomdn.dll Pilfpqaa.exe File opened for modification C:\Windows\SysWOW64\Ppkhhjei.exe Phcpgm32.exe File created C:\Windows\SysWOW64\Ajnpecbj.exe Agpcihcf.exe File created C:\Windows\SysWOW64\Ggkqmoma.exe Giipab32.exe File created C:\Windows\SysWOW64\Hgccgk32.dll Hpnkbpdd.exe File created C:\Windows\SysWOW64\Jgabdlfb.exe Jojkco32.exe File created C:\Windows\SysWOW64\Miehak32.exe Mpmcielb.exe File created C:\Windows\SysWOW64\Iikepamg.dll Ajcipc32.exe File created C:\Windows\SysWOW64\Inlkik32.exe Ijqoilii.exe File created C:\Windows\SysWOW64\Hdbnfqia.dll Pdakniag.exe File created C:\Windows\SysWOW64\Lcmfeo32.dll Befmfpbi.exe File created C:\Windows\SysWOW64\Golbnm32.exe Gmmfaa32.exe File opened for modification C:\Windows\SysWOW64\Npaich32.exe Nmcmgm32.exe File opened for modification C:\Windows\SysWOW64\Bflbigdb.exe Bgibnj32.exe File created C:\Windows\SysWOW64\Eppcmncq.exe Eldglp32.exe File opened for modification C:\Windows\SysWOW64\Jpigma32.exe Jlnklcej.exe File created C:\Windows\SysWOW64\Pcljmdmj.exe Pdjjag32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6612 6648 WerFault.exe 702 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohhmcinf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmfkfa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecbhdi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijnbcmkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iihiphln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akfkbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmcnqama.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jikeeh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Loqmba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcnbhb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofhjopbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmhdkdlg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgffhkoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mggabaea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkaehb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okpcoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmhglq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doecog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iikifegp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdghaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aficjnpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmejllia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogiaif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkbcbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knfndjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlqmmd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkjnnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olbfagca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oabkom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcbabpcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgpjhn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iflmjihl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idgglb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iakgefqe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjakccop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhbnbpjc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imahkg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Allefimb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgaebe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljkaeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccpcckck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpmjhk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlgimqhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Injndk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfhhjklc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oidiekdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olebgfao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bchfhfeh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgllgedi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcamjb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kffldlne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kffldlne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pepcelel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkoicb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eelkeeah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppcbgkka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pomhcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amohfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bejfao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bniajoic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdkgkcpq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hboddk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jojkco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqncaj32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjmagfog.dll" Qaqnkafa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljfapjbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqcjjk32.dll" Paknelgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eibkmp32.dll" Pkcbnanl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpmahlfd.dll" Ccjoli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpqbhp32.dll" Ohcdhi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ehmdgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Giipab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dddnjc32.dll" Kkjnnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdhe32.dll" Bigkel32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Coacbfii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eeohkeoe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Golbnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fnflke32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghdgfbkl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hgpjhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkfnnoge.dll" Phqmgg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgoboc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehjkan32.dll" Dgeaoinb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dofhhgce.dll" Lnjcomcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bccmmf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oijjka32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfphcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghmhnp32.dll" Knkgpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abpjjeim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clgqde32.dll" Dacpkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjbklf32.dll" Nfdddm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Neknki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qppkfhlc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfioia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ackmih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Giacpp32.dll" Ibcnojnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbfkdo32.dll" Ofadnq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpcqnf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qdncmgbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emclhigi.dll" Qkffng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dknajh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kklkcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lfhhjklc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpebmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fijbkbjk.dll" Hahnac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Akiobk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbbgod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Flfpabkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knmdeioh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kblikadd.dll" Pkaehb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Olmcchlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ecploipa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fgigil32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpnkbpdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jolghndm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aqmamm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejebfdmb.dll" Imahkg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgqkbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmjnak32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ooicid32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iliebpfc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qppkfhlc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhogdg32.dll" Cinafkkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lbnpkmfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gfhgpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbdcic32.dll" Hmoofdea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njlcmaba.dll" Lqncaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgqocoin.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2972 wrote to memory of 2360 2972 1859bf65d69f2cb2c3ace02e45088894a85371530080f77e1d3ea1993a283774.exe 30 PID 2972 wrote to memory of 2360 2972 1859bf65d69f2cb2c3ace02e45088894a85371530080f77e1d3ea1993a283774.exe 30 PID 2972 wrote to memory of 2360 2972 1859bf65d69f2cb2c3ace02e45088894a85371530080f77e1d3ea1993a283774.exe 30 PID 2972 wrote to memory of 2360 2972 1859bf65d69f2cb2c3ace02e45088894a85371530080f77e1d3ea1993a283774.exe 30 PID 2360 wrote to memory of 2916 2360 Kpcqnf32.exe 31 PID 2360 wrote to memory of 2916 2360 Kpcqnf32.exe 31 PID 2360 wrote to memory of 2916 2360 Kpcqnf32.exe 31 PID 2360 wrote to memory of 2916 2360 Kpcqnf32.exe 31 PID 2916 wrote to memory of 2300 2916 Kcamjb32.exe 32 PID 2916 wrote to memory of 2300 2916 Kcamjb32.exe 32 PID 2916 wrote to memory of 2300 2916 Kcamjb32.exe 32 PID 2916 wrote to memory of 2300 2916 Kcamjb32.exe 32 PID 2300 wrote to memory of 2900 2300 Kbdmeoob.exe 33 PID 2300 wrote to memory of 2900 2300 Kbdmeoob.exe 33 PID 2300 wrote to memory of 2900 2300 Kbdmeoob.exe 33 PID 2300 wrote to memory of 2900 2300 Kbdmeoob.exe 33 PID 2900 wrote to memory of 2772 2900 Khoebi32.exe 34 PID 2900 wrote to memory of 2772 2900 Khoebi32.exe 34 PID 2900 wrote to memory of 2772 2900 Khoebi32.exe 34 PID 2900 wrote to memory of 2772 2900 Khoebi32.exe 34 PID 2772 wrote to memory of 2272 2772 Kohnoc32.exe 35 PID 2772 wrote to memory of 2272 2772 Kohnoc32.exe 35 PID 2772 wrote to memory of 2272 2772 Kohnoc32.exe 35 PID 2772 wrote to memory of 2272 2772 Kohnoc32.exe 35 PID 2272 wrote to memory of 2596 2272 Kdefgj32.exe 36 PID 2272 wrote to memory of 2596 2272 Kdefgj32.exe 36 PID 2272 wrote to memory of 2596 2272 Kdefgj32.exe 36 PID 2272 wrote to memory of 2596 2272 Kdefgj32.exe 36 PID 2596 wrote to memory of 3040 2596 Kllnhg32.exe 37 PID 2596 wrote to memory of 3040 2596 Kllnhg32.exe 37 PID 2596 wrote to memory of 3040 2596 Kllnhg32.exe 37 PID 2596 wrote to memory of 3040 2596 Kllnhg32.exe 37 PID 3040 wrote to memory of 688 3040 Kbigpn32.exe 38 PID 3040 wrote to memory of 688 3040 Kbigpn32.exe 38 PID 3040 wrote to memory of 688 3040 Kbigpn32.exe 38 PID 3040 wrote to memory of 688 3040 Kbigpn32.exe 38 PID 688 wrote to memory of 1696 688 Kdhcli32.exe 39 PID 688 wrote to memory of 1696 688 Kdhcli32.exe 39 PID 688 wrote to memory of 1696 688 Kdhcli32.exe 39 PID 688 wrote to memory of 1696 688 Kdhcli32.exe 39 PID 1696 wrote to memory of 1800 1696 Kgfoie32.exe 40 PID 1696 wrote to memory of 1800 1696 Kgfoie32.exe 40 PID 1696 wrote to memory of 1800 1696 Kgfoie32.exe 40 PID 1696 wrote to memory of 1800 1696 Kgfoie32.exe 40 PID 1800 wrote to memory of 1424 1800 Lnpgeopa.exe 41 PID 1800 wrote to memory of 1424 1800 Lnpgeopa.exe 41 PID 1800 wrote to memory of 1424 1800 Lnpgeopa.exe 41 PID 1800 wrote to memory of 1424 1800 Lnpgeopa.exe 41 PID 1424 wrote to memory of 1384 1424 Lqncaj32.exe 42 PID 1424 wrote to memory of 1384 1424 Lqncaj32.exe 42 PID 1424 wrote to memory of 1384 1424 Lqncaj32.exe 42 PID 1424 wrote to memory of 1384 1424 Lqncaj32.exe 42 PID 1384 wrote to memory of 2652 1384 Lhelbh32.exe 43 PID 1384 wrote to memory of 2652 1384 Lhelbh32.exe 43 PID 1384 wrote to memory of 2652 1384 Lhelbh32.exe 43 PID 1384 wrote to memory of 2652 1384 Lhelbh32.exe 43 PID 2652 wrote to memory of 1792 2652 Ljghjpfe.exe 44 PID 2652 wrote to memory of 1792 2652 Ljghjpfe.exe 44 PID 2652 wrote to memory of 1792 2652 Ljghjpfe.exe 44 PID 2652 wrote to memory of 1792 2652 Ljghjpfe.exe 44 PID 1792 wrote to memory of 344 1792 Lbnpkmfg.exe 45 PID 1792 wrote to memory of 344 1792 Lbnpkmfg.exe 45 PID 1792 wrote to memory of 344 1792 Lbnpkmfg.exe 45 PID 1792 wrote to memory of 344 1792 Lbnpkmfg.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\1859bf65d69f2cb2c3ace02e45088894a85371530080f77e1d3ea1993a283774.exe"C:\Users\Admin\AppData\Local\Temp\1859bf65d69f2cb2c3ace02e45088894a85371530080f77e1d3ea1993a283774.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Kpcqnf32.exeC:\Windows\system32\Kpcqnf32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Windows\SysWOW64\Kcamjb32.exeC:\Windows\system32\Kcamjb32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\SysWOW64\Kbdmeoob.exeC:\Windows\system32\Kbdmeoob.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2300 -
C:\Windows\SysWOW64\Khoebi32.exeC:\Windows\system32\Khoebi32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Kohnoc32.exeC:\Windows\system32\Kohnoc32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Kdefgj32.exeC:\Windows\system32\Kdefgj32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\Kllnhg32.exeC:\Windows\system32\Kllnhg32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Kbigpn32.exeC:\Windows\system32\Kbigpn32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\SysWOW64\Kdhcli32.exeC:\Windows\system32\Kdhcli32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:688 -
C:\Windows\SysWOW64\Kgfoie32.exeC:\Windows\system32\Kgfoie32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Windows\SysWOW64\Lnpgeopa.exeC:\Windows\system32\Lnpgeopa.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1800 -
C:\Windows\SysWOW64\Lqncaj32.exeC:\Windows\system32\Lqncaj32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1424 -
C:\Windows\SysWOW64\Lhelbh32.exeC:\Windows\system32\Lhelbh32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1384 -
C:\Windows\SysWOW64\Ljghjpfe.exeC:\Windows\system32\Ljghjpfe.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Lbnpkmfg.exeC:\Windows\system32\Lbnpkmfg.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1792 -
C:\Windows\SysWOW64\Ldllgiek.exeC:\Windows\system32\Ldllgiek.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:344 -
C:\Windows\SysWOW64\Lgkhdddo.exeC:\Windows\system32\Lgkhdddo.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2996 -
C:\Windows\SysWOW64\Lmgalkcf.exeC:\Windows\system32\Lmgalkcf.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:960 -
C:\Windows\SysWOW64\Ldoimh32.exeC:\Windows\system32\Ldoimh32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2276 -
C:\Windows\SysWOW64\Ljkaeo32.exeC:\Windows\system32\Ljkaeo32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1664 -
C:\Windows\SysWOW64\Lmjnak32.exeC:\Windows\system32\Lmjnak32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1796 -
C:\Windows\SysWOW64\Lgoboc32.exeC:\Windows\system32\Lgoboc32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2408 -
C:\Windows\SysWOW64\Ljnnko32.exeC:\Windows\system32\Ljnnko32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3060 -
C:\Windows\SysWOW64\Lqhfhigj.exeC:\Windows\system32\Lqhfhigj.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2168 -
C:\Windows\SysWOW64\Lcfbdd32.exeC:\Windows\system32\Lcfbdd32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2308 -
C:\Windows\SysWOW64\Mmogmjmn.exeC:\Windows\system32\Mmogmjmn.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2336 -
C:\Windows\SysWOW64\Mpmcielb.exeC:\Windows\system32\Mpmcielb.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2676 -
C:\Windows\SysWOW64\Miehak32.exeC:\Windows\system32\Miehak32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2844 -
C:\Windows\SysWOW64\Mkddnf32.exeC:\Windows\system32\Mkddnf32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2912 -
C:\Windows\SysWOW64\Mpopnejo.exeC:\Windows\system32\Mpopnejo.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2792 -
C:\Windows\SysWOW64\Mfihkoal.exeC:\Windows\system32\Mfihkoal.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2632 -
C:\Windows\SysWOW64\Mlfacfpc.exeC:\Windows\system32\Mlfacfpc.exe33⤵
- Executes dropped EXE
PID:1844 -
C:\Windows\SysWOW64\Mbpipp32.exeC:\Windows\system32\Mbpipp32.exe34⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Mlhnifmq.exeC:\Windows\system32\Mlhnifmq.exe35⤵
- Executes dropped EXE
PID:768 -
C:\Windows\SysWOW64\Mjkndb32.exeC:\Windows\system32\Mjkndb32.exe36⤵
- Executes dropped EXE
PID:1480 -
C:\Windows\SysWOW64\Mngjeamd.exeC:\Windows\system32\Mngjeamd.exe37⤵
- Executes dropped EXE
PID:1056 -
C:\Windows\SysWOW64\Maefamlh.exeC:\Windows\system32\Maefamlh.exe38⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Mlkjne32.exeC:\Windows\system32\Mlkjne32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Nmlgfnal.exeC:\Windows\system32\Nmlgfnal.exe40⤵
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Necogkbo.exeC:\Windows\system32\Necogkbo.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Nfdkoc32.exeC:\Windows\system32\Nfdkoc32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2468 -
C:\Windows\SysWOW64\Nnkcpq32.exeC:\Windows\system32\Nnkcpq32.exe43⤵
- Executes dropped EXE
PID:1344 -
C:\Windows\SysWOW64\Npmphinm.exeC:\Windows\system32\Npmphinm.exe44⤵
- Executes dropped EXE
PID:1192 -
C:\Windows\SysWOW64\Njbdea32.exeC:\Windows\system32\Njbdea32.exe45⤵
- Executes dropped EXE
PID:1672 -
C:\Windows\SysWOW64\Nmqpam32.exeC:\Windows\system32\Nmqpam32.exe46⤵
- Executes dropped EXE
PID:796 -
C:\Windows\SysWOW64\Nallalep.exeC:\Windows\system32\Nallalep.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1656 -
C:\Windows\SysWOW64\Ndkhngdd.exeC:\Windows\system32\Ndkhngdd.exe48⤵
- Executes dropped EXE
PID:584 -
C:\Windows\SysWOW64\Nbniid32.exeC:\Windows\system32\Nbniid32.exe49⤵
- Executes dropped EXE
PID:1096 -
C:\Windows\SysWOW64\Njdqka32.exeC:\Windows\system32\Njdqka32.exe50⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Nigafnck.exeC:\Windows\system32\Nigafnck.exe51⤵
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Nmcmgm32.exeC:\Windows\system32\Nmcmgm32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2716 -
C:\Windows\SysWOW64\Npaich32.exeC:\Windows\system32\Npaich32.exe53⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Nbpeoc32.exeC:\Windows\system32\Nbpeoc32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2656 -
C:\Windows\SysWOW64\Nfkapb32.exeC:\Windows\system32\Nfkapb32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Nenakoho.exeC:\Windows\system32\Nenakoho.exe56⤵
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Nmejllia.exeC:\Windows\system32\Nmejllia.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1488 -
C:\Windows\SysWOW64\Npdfhhhe.exeC:\Windows\system32\Npdfhhhe.exe58⤵
- Executes dropped EXE
PID:1148 -
C:\Windows\SysWOW64\Noffdd32.exeC:\Windows\system32\Noffdd32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2936 -
C:\Windows\SysWOW64\Nfnneb32.exeC:\Windows\system32\Nfnneb32.exe60⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Neqnqofm.exeC:\Windows\system32\Neqnqofm.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:828 -
C:\Windows\SysWOW64\Oiljam32.exeC:\Windows\system32\Oiljam32.exe62⤵
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Ohojmjep.exeC:\Windows\system32\Ohojmjep.exe63⤵
- Executes dropped EXE
PID:1988 -
C:\Windows\SysWOW64\Ooicid32.exeC:\Windows\system32\Ooicid32.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:872 -
C:\Windows\SysWOW64\Obdojcef.exeC:\Windows\system32\Obdojcef.exe65⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Oeckfndj.exeC:\Windows\system32\Oeckfndj.exe66⤵PID:2208
-
C:\Windows\SysWOW64\Oioggmmc.exeC:\Windows\system32\Oioggmmc.exe67⤵PID:2876
-
C:\Windows\SysWOW64\Olmcchlg.exeC:\Windows\system32\Olmcchlg.exe68⤵
- Modifies registry class
PID:2548 -
C:\Windows\SysWOW64\Okpcoe32.exeC:\Windows\system32\Okpcoe32.exe69⤵
- System Location Discovery: System Language Discovery
PID:2928 -
C:\Windows\SysWOW64\Ookpodkj.exeC:\Windows\system32\Ookpodkj.exe70⤵PID:2628
-
C:\Windows\SysWOW64\Oajlkojn.exeC:\Windows\system32\Oajlkojn.exe71⤵PID:1732
-
C:\Windows\SysWOW64\Ohcdhi32.exeC:\Windows\system32\Ohcdhi32.exe72⤵
- Modifies registry class
PID:1676 -
C:\Windows\SysWOW64\Olophhjd.exeC:\Windows\system32\Olophhjd.exe73⤵PID:1808
-
C:\Windows\SysWOW64\Okbpde32.exeC:\Windows\system32\Okbpde32.exe74⤵PID:1756
-
C:\Windows\SysWOW64\Omqlpp32.exeC:\Windows\system32\Omqlpp32.exe75⤵PID:916
-
C:\Windows\SysWOW64\Oalhqohl.exeC:\Windows\system32\Oalhqohl.exe76⤵
- Drops file in System32 directory
PID:2824 -
C:\Windows\SysWOW64\Odjdmjgo.exeC:\Windows\system32\Odjdmjgo.exe77⤵PID:1928
-
C:\Windows\SysWOW64\Ohfqmi32.exeC:\Windows\system32\Ohfqmi32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2564 -
C:\Windows\SysWOW64\Ogiaif32.exeC:\Windows\system32\Ogiaif32.exe79⤵
- System Location Discovery: System Language Discovery
PID:892 -
C:\Windows\SysWOW64\Oopijc32.exeC:\Windows\system32\Oopijc32.exe80⤵PID:976
-
C:\Windows\SysWOW64\Oanefo32.exeC:\Windows\system32\Oanefo32.exe81⤵PID:1536
-
C:\Windows\SysWOW64\Opaebkmc.exeC:\Windows\system32\Opaebkmc.exe82⤵PID:780
-
C:\Windows\SysWOW64\Ohhmcinf.exeC:\Windows\system32\Ohhmcinf.exe83⤵
- System Location Discovery: System Language Discovery
PID:2508 -
C:\Windows\SysWOW64\Ogknoe32.exeC:\Windows\system32\Ogknoe32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1748 -
C:\Windows\SysWOW64\Oijjka32.exeC:\Windows\system32\Oijjka32.exe85⤵
- Modifies registry class
PID:2580 -
C:\Windows\SysWOW64\Oaqbln32.exeC:\Windows\system32\Oaqbln32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2744 -
C:\Windows\SysWOW64\Ppcbgkka.exeC:\Windows\system32\Ppcbgkka.exe87⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3044 -
C:\Windows\SysWOW64\Pdonhj32.exeC:\Windows\system32\Pdonhj32.exe88⤵
- Drops file in System32 directory
PID:2556 -
C:\Windows\SysWOW64\Pgnjde32.exeC:\Windows\system32\Pgnjde32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1388 -
C:\Windows\SysWOW64\Pilfpqaa.exeC:\Windows\system32\Pilfpqaa.exe90⤵
- Drops file in System32 directory
PID:264 -
C:\Windows\SysWOW64\Pmgbao32.exeC:\Windows\system32\Pmgbao32.exe91⤵PID:2788
-
C:\Windows\SysWOW64\Ppfomk32.exeC:\Windows\system32\Ppfomk32.exe92⤵PID:1688
-
C:\Windows\SysWOW64\Pdakniag.exeC:\Windows\system32\Pdakniag.exe93⤵
- Drops file in System32 directory
PID:2908 -
C:\Windows\SysWOW64\Pecgea32.exeC:\Windows\system32\Pecgea32.exe94⤵PID:2820
-
C:\Windows\SysWOW64\Pincfpoo.exeC:\Windows\system32\Pincfpoo.exe95⤵PID:2980
-
C:\Windows\SysWOW64\Plmpblnb.exeC:\Windows\system32\Plmpblnb.exe96⤵PID:2152
-
C:\Windows\SysWOW64\Pphkbj32.exeC:\Windows\system32\Pphkbj32.exe97⤵PID:2524
-
C:\Windows\SysWOW64\Pgbdodnh.exeC:\Windows\system32\Pgbdodnh.exe98⤵PID:2756
-
C:\Windows\SysWOW64\Pgbdodnh.exeC:\Windows\system32\Pgbdodnh.exe99⤵PID:672
-
C:\Windows\SysWOW64\Peedka32.exeC:\Windows\system32\Peedka32.exe100⤵PID:1304
-
C:\Windows\SysWOW64\Phcpgm32.exeC:\Windows\system32\Phcpgm32.exe101⤵
- Drops file in System32 directory
PID:964 -
C:\Windows\SysWOW64\Ppkhhjei.exeC:\Windows\system32\Ppkhhjei.exe102⤵PID:2088
-
C:\Windows\SysWOW64\Pomhcg32.exeC:\Windows\system32\Pomhcg32.exe103⤵
- System Location Discovery: System Language Discovery
PID:1084 -
C:\Windows\SysWOW64\Palepb32.exeC:\Windows\system32\Palepb32.exe104⤵PID:2016
-
C:\Windows\SysWOW64\Pkdihhag.exeC:\Windows\system32\Pkdihhag.exe105⤵PID:1624
-
C:\Windows\SysWOW64\Pckajebj.exeC:\Windows\system32\Pckajebj.exe106⤵PID:2124
-
C:\Windows\SysWOW64\Panaeb32.exeC:\Windows\system32\Panaeb32.exe107⤵PID:2140
-
C:\Windows\SysWOW64\Pdmnam32.exeC:\Windows\system32\Pdmnam32.exe108⤵PID:2456
-
C:\Windows\SysWOW64\Phhjblpa.exeC:\Windows\system32\Phhjblpa.exe109⤵PID:2784
-
C:\Windows\SysWOW64\Qkffng32.exeC:\Windows\system32\Qkffng32.exe110⤵
- Modifies registry class
PID:1644 -
C:\Windows\SysWOW64\Qobbofgn.exeC:\Windows\system32\Qobbofgn.exe111⤵PID:1524
-
C:\Windows\SysWOW64\Qaqnkafa.exeC:\Windows\system32\Qaqnkafa.exe112⤵
- Modifies registry class
PID:836 -
C:\Windows\SysWOW64\Qdojgmfe.exeC:\Windows\system32\Qdojgmfe.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:380 -
C:\Windows\SysWOW64\Qhjfgl32.exeC:\Windows\system32\Qhjfgl32.exe114⤵PID:2024
-
C:\Windows\SysWOW64\Qgmfchei.exeC:\Windows\system32\Qgmfchei.exe115⤵PID:1500
-
C:\Windows\SysWOW64\Qngopb32.exeC:\Windows\system32\Qngopb32.exe116⤵PID:1668
-
C:\Windows\SysWOW64\Qackpado.exeC:\Windows\system32\Qackpado.exe117⤵PID:2132
-
C:\Windows\SysWOW64\Qdaglmcb.exeC:\Windows\system32\Qdaglmcb.exe118⤵PID:552
-
C:\Windows\SysWOW64\Agpcihcf.exeC:\Windows\system32\Agpcihcf.exe119⤵
- Drops file in System32 directory
PID:2620 -
C:\Windows\SysWOW64\Ajnpecbj.exeC:\Windows\system32\Ajnpecbj.exe120⤵PID:800
-
C:\Windows\SysWOW64\Anjlebjc.exeC:\Windows\system32\Anjlebjc.exe121⤵PID:1280
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-