Analysis
-
max time kernel
34s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
22-01-2025 23:38
Behavioral task
behavioral1
Sample
a6982015cb88583429fec3b88049dbb514ff637e33c32b66b397c55cd07771b4N.exe
Resource
win7-20241010-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
a6982015cb88583429fec3b88049dbb514ff637e33c32b66b397c55cd07771b4N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
12 signatures
120 seconds
General
-
Target
a6982015cb88583429fec3b88049dbb514ff637e33c32b66b397c55cd07771b4N.exe
-
Size
163KB
-
MD5
d4abfdf914875cd959bd97df56c41320
-
SHA1
711826e0d76beb34444cb5e1828d8066a88b5d0c
-
SHA256
a6982015cb88583429fec3b88049dbb514ff637e33c32b66b397c55cd07771b4
-
SHA512
d4ad43691bb20d0d4ba09f09171ef37bc61331f44742fb3362cda43eddaa12fdd235122b1ffbf1c92f767285b1211974d6e29f210eee3bef03907e894610bb2a
-
SSDEEP
1536:PatMAxt9h1xCuL8yvuKNv0EjaP98vAlProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVR:itMIt9pL83KND+9kAltOrWKDBr+yJbg
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilhnjfmi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iecohl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpomnilc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cafbmdbh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdloab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgdmeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfjdfg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oedclm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppcmhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iecohl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnpbgbdd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qkbkfh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qamleagn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfmjoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnecjgch.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfdpaqej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgigpgkd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njdbefnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oaaghp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fagqed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnemlf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbjoki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipgpcc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhpigk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opcaiggo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofklpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpojlp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Neemgp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojilqf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phklcn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpmgho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jplinckj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbaafocg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgmhcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agilkijf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obdjjb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gilhpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eganqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnlmmo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmjicn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" a6982015cb88583429fec3b88049dbb514ff637e33c32b66b397c55cd07771b4N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkghjq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emailhfb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nccmng32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmlmacfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmlmacfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpemob32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kaliaphd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phklcn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbkkepio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcocnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnogmk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkdnke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbkgegad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbllph32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emailhfb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofklpa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbehgabe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgkanomj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnjbfhqa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gqmmhdka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldgnmhhj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcdljghj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gacgli32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2216 Qefihg32.exe 2996 Qcjjakip.exe 2844 Agloko32.exe 2920 Acemeo32.exe 2804 Acjfpokk.exe 2708 Bkghjq32.exe 2236 Bebiifka.exe 2348 Baiingae.exe 2240 Cnogmk32.exe 2192 Cghkepdm.exe 1012 Cpemob32.exe 632 Cfaaalep.exe 2044 Dlcceboa.exe 2676 Ddnhidmm.exe 2108 Eganqo32.exe 516 Elqcnfdp.exe 1560 Eabeal32.exe 2432 Fofekp32.exe 992 Fplknh32.exe 820 Fleihi32.exe 1772 Fgjmfa32.exe 1744 Gqcaoghl.exe 1736 Gohnpcmd.exe 1628 Ghqchi32.exe 2696 Gdgcnj32.exe 2868 Gdjpcj32.exe 2992 Hgjieedg.exe 2876 Hfdpaqej.exe 2752 Hiehbl32.exe 1380 Ifkfap32.exe 2896 Ilhnjfmi.exe 540 Iecohl32.exe 2380 Iokdaa32.exe 884 Jpomnilc.exe 3060 Janihlcf.exe 1340 Jmejmm32.exe 2300 Jpfcohfk.exe 2344 Jlmddi32.exe 2320 Khcdijac.exe 2368 Kaliaphd.exe 2184 Kkdnke32.exe 2120 Kanfgofa.exe 1536 Kgmkef32.exe 1796 Kcdljghj.exe 2516 Lphlck32.exe 2932 Lnlmmo32.exe 592 Lgdafeln.exe 1656 Lkffohon.exe 804 Lhjghlng.exe 432 Mbbkabdh.exe 872 Mgodjico.exe 3008 Mbehgabe.exe 1604 Mjpmkdpp.exe 2980 Mgdmeh32.exe 2436 Mmafmo32.exe 2092 Mnpbgbdd.exe 1760 Mgigpgkd.exe 1240 Ncpgeh32.exe 3040 Njipabhe.exe 3032 Nbddfe32.exe 844 Nmjicn32.exe 2064 Neemgp32.exe 2524 Nnnbqeib.exe 916 Njdbefnf.exe -
Loads dropped DLL 64 IoCs
pid Process 2056 a6982015cb88583429fec3b88049dbb514ff637e33c32b66b397c55cd07771b4N.exe 2056 a6982015cb88583429fec3b88049dbb514ff637e33c32b66b397c55cd07771b4N.exe 2216 Qefihg32.exe 2216 Qefihg32.exe 2996 Qcjjakip.exe 2996 Qcjjakip.exe 2844 Agloko32.exe 2844 Agloko32.exe 2920 Acemeo32.exe 2920 Acemeo32.exe 2804 Acjfpokk.exe 2804 Acjfpokk.exe 2708 Bkghjq32.exe 2708 Bkghjq32.exe 2236 Bebiifka.exe 2236 Bebiifka.exe 2348 Baiingae.exe 2348 Baiingae.exe 2240 Cnogmk32.exe 2240 Cnogmk32.exe 2192 Cghkepdm.exe 2192 Cghkepdm.exe 1012 Cpemob32.exe 1012 Cpemob32.exe 632 Cfaaalep.exe 632 Cfaaalep.exe 2044 Dlcceboa.exe 2044 Dlcceboa.exe 2676 Ddnhidmm.exe 2676 Ddnhidmm.exe 2108 Eganqo32.exe 2108 Eganqo32.exe 516 Elqcnfdp.exe 516 Elqcnfdp.exe 1560 Eabeal32.exe 1560 Eabeal32.exe 2432 Fofekp32.exe 2432 Fofekp32.exe 992 Fplknh32.exe 992 Fplknh32.exe 820 Fleihi32.exe 820 Fleihi32.exe 1772 Fgjmfa32.exe 1772 Fgjmfa32.exe 1744 Gqcaoghl.exe 1744 Gqcaoghl.exe 1736 Gohnpcmd.exe 1736 Gohnpcmd.exe 1628 Ghqchi32.exe 1628 Ghqchi32.exe 2696 Gdgcnj32.exe 2696 Gdgcnj32.exe 2868 Gdjpcj32.exe 2868 Gdjpcj32.exe 2992 Hgjieedg.exe 2992 Hgjieedg.exe 2876 Hfdpaqej.exe 2876 Hfdpaqej.exe 2752 Hiehbl32.exe 2752 Hiehbl32.exe 1380 Ifkfap32.exe 1380 Ifkfap32.exe 2896 Ilhnjfmi.exe 2896 Ilhnjfmi.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Apgcbmha.exe Ahlnmjkf.exe File created C:\Windows\SysWOW64\Kgeahmik.dll Gilhpe32.exe File opened for modification C:\Windows\SysWOW64\Lkffohon.exe Lgdafeln.exe File opened for modification C:\Windows\SysWOW64\Mhpigk32.exe Mpeebhhf.exe File created C:\Windows\SysWOW64\Oclblaid.dll Opcaiggo.exe File created C:\Windows\SysWOW64\Dhkjod32.dll Ibhieo32.exe File created C:\Windows\SysWOW64\Nbaafocg.exe Ndnplk32.exe File created C:\Windows\SysWOW64\Dndoof32.exe Cfmjoe32.exe File opened for modification C:\Windows\SysWOW64\Mgodjico.exe Mbbkabdh.exe File created C:\Windows\SysWOW64\Alahklnm.dll Pkkeeikj.exe File opened for modification C:\Windows\SysWOW64\Fcbjon32.exe Eaangfjf.exe File created C:\Windows\SysWOW64\Ggeiooea.exe Gknhjn32.exe File created C:\Windows\SysWOW64\Hmdnme32.exe Gqmmhdka.exe File created C:\Windows\SysWOW64\Pkicij32.dll Phelnhnb.exe File opened for modification C:\Windows\SysWOW64\Bdpnlo32.exe Bjgmka32.exe File created C:\Windows\SysWOW64\Lafaaq32.dll Mbbkabdh.exe File created C:\Windows\SysWOW64\Bqhbcqmj.exe Biakbc32.exe File created C:\Windows\SysWOW64\Cmapna32.exe Cbllph32.exe File created C:\Windows\SysWOW64\Edmnnakm.exe Ekeiel32.exe File created C:\Windows\SysWOW64\Jpnfdbig.exe Jidngh32.exe File created C:\Windows\SysWOW64\Kkopmmim.dll Lcqdidim.exe File created C:\Windows\SysWOW64\Ddnhidmm.exe Dlcceboa.exe File created C:\Windows\SysWOW64\Jpomnilc.exe Iokdaa32.exe File created C:\Windows\SysWOW64\Pgbejj32.exe Pkkeeikj.exe File opened for modification C:\Windows\SysWOW64\Oejgbonl.exe Njdbefnf.exe File opened for modification C:\Windows\SysWOW64\Phklcn32.exe Pelpgb32.exe File opened for modification C:\Windows\SysWOW64\Ehpgha32.exe Dlifcqfl.exe File created C:\Windows\SysWOW64\Hlcdlj32.dll Ggeiooea.exe File created C:\Windows\SysWOW64\Nmjkbjpm.dll Ndnplk32.exe File created C:\Windows\SysWOW64\Miijkkno.dll Ghqchi32.exe File opened for modification C:\Windows\SysWOW64\Kkdnke32.exe Kaliaphd.exe File created C:\Windows\SysWOW64\Moonqphf.dll Nbddfe32.exe File created C:\Windows\SysWOW64\Didlinpd.dll Ahlnmjkf.exe File opened for modification C:\Windows\SysWOW64\Fokaoh32.exe Fagqed32.exe File opened for modification C:\Windows\SysWOW64\Ghqchi32.exe Gohnpcmd.exe File opened for modification C:\Windows\SysWOW64\Poinkg32.exe Pgbejj32.exe File opened for modification C:\Windows\SysWOW64\Gqmmhdka.exe Ggeiooea.exe File created C:\Windows\SysWOW64\Ggncop32.exe Gnenfjdh.exe File opened for modification C:\Windows\SysWOW64\Baiingae.exe Bebiifka.exe File created C:\Windows\SysWOW64\Chfkjibh.dll Jpomnilc.exe File created C:\Windows\SysWOW64\Ibbjgneh.dll Pieobaiq.exe File created C:\Windows\SysWOW64\Kaliaphd.exe Khcdijac.exe File created C:\Windows\SysWOW64\Cgkanomj.exe Cfjdfg32.exe File opened for modification C:\Windows\SysWOW64\Incgfl32.exe Iapfmg32.exe File opened for modification C:\Windows\SysWOW64\Lcqdidim.exe Llgllj32.exe File created C:\Windows\SysWOW64\Iokdaa32.exe Iecohl32.exe File created C:\Windows\SysWOW64\Ahlghold.dll Bnhjae32.exe File created C:\Windows\SysWOW64\Hcdoefdh.dll Eaangfjf.exe File opened for modification C:\Windows\SysWOW64\Qpjchicb.exe Pbfcoedi.exe File opened for modification C:\Windows\SysWOW64\Fleihi32.exe Fplknh32.exe File opened for modification C:\Windows\SysWOW64\Akbgdkgm.exe Agilkijf.exe File created C:\Windows\SysWOW64\Emailhfb.exe Eajhgg32.exe File created C:\Windows\SysWOW64\Gfpphd32.dll Kcdljghj.exe File created C:\Windows\SysWOW64\Pdamhocm.exe Phklcn32.exe File opened for modification C:\Windows\SysWOW64\Qkbkfh32.exe Qpmgho32.exe File created C:\Windows\SysWOW64\Ekjqfj32.dll Jlegic32.exe File opened for modification C:\Windows\SysWOW64\Lddagi32.exe Keodflee.exe File created C:\Windows\SysWOW64\Opcaiggo.exe Ofklpa32.exe File opened for modification C:\Windows\SysWOW64\Bnkpjd32.exe Bfpkfb32.exe File created C:\Windows\SysWOW64\Khcdijac.exe Jlmddi32.exe File opened for modification C:\Windows\SysWOW64\Ncpgeh32.exe Mgigpgkd.exe File created C:\Windows\SysWOW64\Deoipl32.dll Fpkdca32.exe File created C:\Windows\SysWOW64\Dqnkig32.dll Iapfmg32.exe File created C:\Windows\SysWOW64\Kanfgofa.exe Kkdnke32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3200 3164 WerFault.exe 259 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnenfjdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggncop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gknhjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhpigk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gilhpe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgdmeh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbllph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfgdpj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpbenpqh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekeiel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iapfmg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdjblboj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agloko32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dndoof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnecjgch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fofekp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohmljj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phelnhnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnlmmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhcehngk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njipabhe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaeacppk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akbgdkgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibhieo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgkanomj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpfcohfk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqhbcqmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggeiooea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mookod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkffohon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofefqf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdamhocm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eajhgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcbjon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hiehbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iecohl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgigpgkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgpnjkgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhlogo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgbejj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmdnme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfpkfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhqdgm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehpgha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Falakjag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jidngh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaaghp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Feccqime.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obdjjb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgjmfa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkpnph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Effidg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcgdjmlo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Janihlcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbddfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iiodliep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppejmj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elqcnfdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgmkef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmjicn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cneiki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khcdijac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgodjico.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnkpjd32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jabmhccg.dll" Iamjghnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpkihl32.dll" Bebiifka.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lnlmmo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qkbkfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qkbkfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Akbgdkgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahlghold.dll" Bnhjae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfimpl32.dll" Fpihnbmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgpobfea.dll" Lhegcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndnplk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Opcaiggo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qpjchicb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hceebpid.dll" Hfdbji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dahgqohh.dll" Kgmkef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgmkef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogcobo32.dll" Ekeiel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deoipl32.dll" Fpkdca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njhhcj32.dll" Ppejmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahlnmjkf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjgmka32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qefihg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ilhnjfmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qpmgho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijocpfhd.dll" Akbgdkgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jokofini.dll" Gknhjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biiqmd32.dll" Hfmbfkhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keniknoh.dll" Nbmcjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcchheoq.dll" Jmejmm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmafmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alahklnm.dll" Pkkeeikj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkpaoape.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjhbihid.dll" Pegpamoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkpaoape.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bngnoa32.dll" Mbkkepio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gilhpe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fofekp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fejjah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbfhmqhk.dll" Hkpaoape.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Llgllj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahlnmjkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hnecjgch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hcdihn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pinnfonh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dlcceboa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncance32.dll" Ifkfap32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpomnilc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncpgeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iiodliep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Keodflee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mbkkepio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmlmacfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lafaaq32.dll" Mbbkabdh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofbikf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbllph32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fcbjon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekjqfj32.dll" Jlegic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fljhmmci.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gcocnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cghkepdm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mbbkabdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdcadn32.dll" Bqhbcqmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqnknp32.dll" Gacgli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbndfacf.dll" Jplinckj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nccmng32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2056 wrote to memory of 2216 2056 a6982015cb88583429fec3b88049dbb514ff637e33c32b66b397c55cd07771b4N.exe 29 PID 2056 wrote to memory of 2216 2056 a6982015cb88583429fec3b88049dbb514ff637e33c32b66b397c55cd07771b4N.exe 29 PID 2056 wrote to memory of 2216 2056 a6982015cb88583429fec3b88049dbb514ff637e33c32b66b397c55cd07771b4N.exe 29 PID 2056 wrote to memory of 2216 2056 a6982015cb88583429fec3b88049dbb514ff637e33c32b66b397c55cd07771b4N.exe 29 PID 2216 wrote to memory of 2996 2216 Qefihg32.exe 30 PID 2216 wrote to memory of 2996 2216 Qefihg32.exe 30 PID 2216 wrote to memory of 2996 2216 Qefihg32.exe 30 PID 2216 wrote to memory of 2996 2216 Qefihg32.exe 30 PID 2996 wrote to memory of 2844 2996 Qcjjakip.exe 31 PID 2996 wrote to memory of 2844 2996 Qcjjakip.exe 31 PID 2996 wrote to memory of 2844 2996 Qcjjakip.exe 31 PID 2996 wrote to memory of 2844 2996 Qcjjakip.exe 31 PID 2844 wrote to memory of 2920 2844 Agloko32.exe 32 PID 2844 wrote to memory of 2920 2844 Agloko32.exe 32 PID 2844 wrote to memory of 2920 2844 Agloko32.exe 32 PID 2844 wrote to memory of 2920 2844 Agloko32.exe 32 PID 2920 wrote to memory of 2804 2920 Acemeo32.exe 33 PID 2920 wrote to memory of 2804 2920 Acemeo32.exe 33 PID 2920 wrote to memory of 2804 2920 Acemeo32.exe 33 PID 2920 wrote to memory of 2804 2920 Acemeo32.exe 33 PID 2804 wrote to memory of 2708 2804 Acjfpokk.exe 34 PID 2804 wrote to memory of 2708 2804 Acjfpokk.exe 34 PID 2804 wrote to memory of 2708 2804 Acjfpokk.exe 34 PID 2804 wrote to memory of 2708 2804 Acjfpokk.exe 34 PID 2708 wrote to memory of 2236 2708 Bkghjq32.exe 35 PID 2708 wrote to memory of 2236 2708 Bkghjq32.exe 35 PID 2708 wrote to memory of 2236 2708 Bkghjq32.exe 35 PID 2708 wrote to memory of 2236 2708 Bkghjq32.exe 35 PID 2236 wrote to memory of 2348 2236 Bebiifka.exe 36 PID 2236 wrote to memory of 2348 2236 Bebiifka.exe 36 PID 2236 wrote to memory of 2348 2236 Bebiifka.exe 36 PID 2236 wrote to memory of 2348 2236 Bebiifka.exe 36 PID 2348 wrote to memory of 2240 2348 Baiingae.exe 37 PID 2348 wrote to memory of 2240 2348 Baiingae.exe 37 PID 2348 wrote to memory of 2240 2348 Baiingae.exe 37 PID 2348 wrote to memory of 2240 2348 Baiingae.exe 37 PID 2240 wrote to memory of 2192 2240 Cnogmk32.exe 38 PID 2240 wrote to memory of 2192 2240 Cnogmk32.exe 38 PID 2240 wrote to memory of 2192 2240 Cnogmk32.exe 38 PID 2240 wrote to memory of 2192 2240 Cnogmk32.exe 38 PID 2192 wrote to memory of 1012 2192 Cghkepdm.exe 39 PID 2192 wrote to memory of 1012 2192 Cghkepdm.exe 39 PID 2192 wrote to memory of 1012 2192 Cghkepdm.exe 39 PID 2192 wrote to memory of 1012 2192 Cghkepdm.exe 39 PID 1012 wrote to memory of 632 1012 Cpemob32.exe 40 PID 1012 wrote to memory of 632 1012 Cpemob32.exe 40 PID 1012 wrote to memory of 632 1012 Cpemob32.exe 40 PID 1012 wrote to memory of 632 1012 Cpemob32.exe 40 PID 632 wrote to memory of 2044 632 Cfaaalep.exe 41 PID 632 wrote to memory of 2044 632 Cfaaalep.exe 41 PID 632 wrote to memory of 2044 632 Cfaaalep.exe 41 PID 632 wrote to memory of 2044 632 Cfaaalep.exe 41 PID 2044 wrote to memory of 2676 2044 Dlcceboa.exe 42 PID 2044 wrote to memory of 2676 2044 Dlcceboa.exe 42 PID 2044 wrote to memory of 2676 2044 Dlcceboa.exe 42 PID 2044 wrote to memory of 2676 2044 Dlcceboa.exe 42 PID 2676 wrote to memory of 2108 2676 Ddnhidmm.exe 43 PID 2676 wrote to memory of 2108 2676 Ddnhidmm.exe 43 PID 2676 wrote to memory of 2108 2676 Ddnhidmm.exe 43 PID 2676 wrote to memory of 2108 2676 Ddnhidmm.exe 43 PID 2108 wrote to memory of 516 2108 Eganqo32.exe 44 PID 2108 wrote to memory of 516 2108 Eganqo32.exe 44 PID 2108 wrote to memory of 516 2108 Eganqo32.exe 44 PID 2108 wrote to memory of 516 2108 Eganqo32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\a6982015cb88583429fec3b88049dbb514ff637e33c32b66b397c55cd07771b4N.exe"C:\Users\Admin\AppData\Local\Temp\a6982015cb88583429fec3b88049dbb514ff637e33c32b66b397c55cd07771b4N.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Windows\SysWOW64\Qefihg32.exeC:\Windows\system32\Qefihg32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\Qcjjakip.exeC:\Windows\system32\Qcjjakip.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\SysWOW64\Agloko32.exeC:\Windows\system32\Agloko32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Acemeo32.exeC:\Windows\system32\Acemeo32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Acjfpokk.exeC:\Windows\system32\Acjfpokk.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Bkghjq32.exeC:\Windows\system32\Bkghjq32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Bebiifka.exeC:\Windows\system32\Bebiifka.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\Baiingae.exeC:\Windows\system32\Baiingae.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\Cnogmk32.exeC:\Windows\system32\Cnogmk32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\Cghkepdm.exeC:\Windows\system32\Cghkepdm.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Windows\SysWOW64\Cpemob32.exeC:\Windows\system32\Cpemob32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1012 -
C:\Windows\SysWOW64\Cfaaalep.exeC:\Windows\system32\Cfaaalep.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:632 -
C:\Windows\SysWOW64\Dlcceboa.exeC:\Windows\system32\Dlcceboa.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Windows\SysWOW64\Ddnhidmm.exeC:\Windows\system32\Ddnhidmm.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Eganqo32.exeC:\Windows\system32\Eganqo32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Windows\SysWOW64\Elqcnfdp.exeC:\Windows\system32\Elqcnfdp.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:516 -
C:\Windows\SysWOW64\Eabeal32.exeC:\Windows\system32\Eabeal32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1560 -
C:\Windows\SysWOW64\Fofekp32.exeC:\Windows\system32\Fofekp32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2432 -
C:\Windows\SysWOW64\Fplknh32.exeC:\Windows\system32\Fplknh32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:992 -
C:\Windows\SysWOW64\Fleihi32.exeC:\Windows\system32\Fleihi32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:820 -
C:\Windows\SysWOW64\Fgjmfa32.exeC:\Windows\system32\Fgjmfa32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1772 -
C:\Windows\SysWOW64\Gqcaoghl.exeC:\Windows\system32\Gqcaoghl.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1744 -
C:\Windows\SysWOW64\Gohnpcmd.exeC:\Windows\system32\Gohnpcmd.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1736 -
C:\Windows\SysWOW64\Ghqchi32.exeC:\Windows\system32\Ghqchi32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1628 -
C:\Windows\SysWOW64\Gdgcnj32.exeC:\Windows\system32\Gdgcnj32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2696 -
C:\Windows\SysWOW64\Gdjpcj32.exeC:\Windows\system32\Gdjpcj32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2868 -
C:\Windows\SysWOW64\Hgjieedg.exeC:\Windows\system32\Hgjieedg.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2992 -
C:\Windows\SysWOW64\Hfdpaqej.exeC:\Windows\system32\Hfdpaqej.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2876 -
C:\Windows\SysWOW64\Hiehbl32.exeC:\Windows\system32\Hiehbl32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2752 -
C:\Windows\SysWOW64\Ifkfap32.exeC:\Windows\system32\Ifkfap32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1380 -
C:\Windows\SysWOW64\Ilhnjfmi.exeC:\Windows\system32\Ilhnjfmi.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2896 -
C:\Windows\SysWOW64\Iecohl32.exeC:\Windows\system32\Iecohl32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:540 -
C:\Windows\SysWOW64\Iokdaa32.exeC:\Windows\system32\Iokdaa32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2380 -
C:\Windows\SysWOW64\Jpomnilc.exeC:\Windows\system32\Jpomnilc.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:884 -
C:\Windows\SysWOW64\Janihlcf.exeC:\Windows\system32\Janihlcf.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3060 -
C:\Windows\SysWOW64\Jmejmm32.exeC:\Windows\system32\Jmejmm32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:1340 -
C:\Windows\SysWOW64\Jpfcohfk.exeC:\Windows\system32\Jpfcohfk.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2300 -
C:\Windows\SysWOW64\Jlmddi32.exeC:\Windows\system32\Jlmddi32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2344 -
C:\Windows\SysWOW64\Khcdijac.exeC:\Windows\system32\Khcdijac.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2320 -
C:\Windows\SysWOW64\Kaliaphd.exeC:\Windows\system32\Kaliaphd.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2368 -
C:\Windows\SysWOW64\Kkdnke32.exeC:\Windows\system32\Kkdnke32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2184 -
C:\Windows\SysWOW64\Kanfgofa.exeC:\Windows\system32\Kanfgofa.exe43⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Kgmkef32.exeC:\Windows\system32\Kgmkef32.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1536 -
C:\Windows\SysWOW64\Kcdljghj.exeC:\Windows\system32\Kcdljghj.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1796 -
C:\Windows\SysWOW64\Lphlck32.exeC:\Windows\system32\Lphlck32.exe46⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Lnlmmo32.exeC:\Windows\system32\Lnlmmo32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2932 -
C:\Windows\SysWOW64\Lgdafeln.exeC:\Windows\system32\Lgdafeln.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:592 -
C:\Windows\SysWOW64\Lkffohon.exeC:\Windows\system32\Lkffohon.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1656 -
C:\Windows\SysWOW64\Lhjghlng.exeC:\Windows\system32\Lhjghlng.exe50⤵
- Executes dropped EXE
PID:804 -
C:\Windows\SysWOW64\Mbbkabdh.exeC:\Windows\system32\Mbbkabdh.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:432 -
C:\Windows\SysWOW64\Mgodjico.exeC:\Windows\system32\Mgodjico.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:872 -
C:\Windows\SysWOW64\Mbehgabe.exeC:\Windows\system32\Mbehgabe.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3008 -
C:\Windows\SysWOW64\Mjpmkdpp.exeC:\Windows\system32\Mjpmkdpp.exe54⤵
- Executes dropped EXE
PID:1604 -
C:\Windows\SysWOW64\Mgdmeh32.exeC:\Windows\system32\Mgdmeh32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2980 -
C:\Windows\SysWOW64\Mmafmo32.exeC:\Windows\system32\Mmafmo32.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:2436 -
C:\Windows\SysWOW64\Mnpbgbdd.exeC:\Windows\system32\Mnpbgbdd.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Mgigpgkd.exeC:\Windows\system32\Mgigpgkd.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1760 -
C:\Windows\SysWOW64\Ncpgeh32.exeC:\Windows\system32\Ncpgeh32.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:1240 -
C:\Windows\SysWOW64\Njipabhe.exeC:\Windows\system32\Njipabhe.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3040 -
C:\Windows\SysWOW64\Nbddfe32.exeC:\Windows\system32\Nbddfe32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3032 -
C:\Windows\SysWOW64\Nmjicn32.exeC:\Windows\system32\Nmjicn32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:844 -
C:\Windows\SysWOW64\Neemgp32.exeC:\Windows\system32\Neemgp32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Nnnbqeib.exeC:\Windows\system32\Nnnbqeib.exe64⤵
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Njdbefnf.exeC:\Windows\system32\Njdbefnf.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:916 -
C:\Windows\SysWOW64\Oejgbonl.exeC:\Windows\system32\Oejgbonl.exe66⤵PID:2112
-
C:\Windows\SysWOW64\Ojgokflc.exeC:\Windows\system32\Ojgokflc.exe67⤵PID:1688
-
C:\Windows\SysWOW64\Oaaghp32.exeC:\Windows\system32\Oaaghp32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2024 -
C:\Windows\SysWOW64\Ojilqf32.exeC:\Windows\system32\Ojilqf32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:304 -
C:\Windows\SysWOW64\Ohmljj32.exeC:\Windows\system32\Ohmljj32.exe70⤵
- System Location Discovery: System Language Discovery
PID:944 -
C:\Windows\SysWOW64\Oaeacppk.exeC:\Windows\system32\Oaeacppk.exe71⤵
- System Location Discovery: System Language Discovery
PID:548 -
C:\Windows\SysWOW64\Ofbikf32.exeC:\Windows\system32\Ofbikf32.exe72⤵
- Modifies registry class
PID:2488 -
C:\Windows\SysWOW64\Opkndldc.exeC:\Windows\system32\Opkndldc.exe73⤵PID:2832
-
C:\Windows\SysWOW64\Ofefqf32.exeC:\Windows\system32\Ofefqf32.exe74⤵
- System Location Discovery: System Language Discovery
PID:2732 -
C:\Windows\SysWOW64\Pbkgegad.exeC:\Windows\system32\Pbkgegad.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2440 -
C:\Windows\SysWOW64\Pieobaiq.exeC:\Windows\system32\Pieobaiq.exe76⤵
- Drops file in System32 directory
PID:2756 -
C:\Windows\SysWOW64\Pelpgb32.exeC:\Windows\system32\Pelpgb32.exe77⤵
- Drops file in System32 directory
PID:1640 -
C:\Windows\SysWOW64\Phklcn32.exeC:\Windows\system32\Phklcn32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2396 -
C:\Windows\SysWOW64\Pdamhocm.exeC:\Windows\system32\Pdamhocm.exe79⤵
- System Location Discovery: System Language Discovery
PID:1160 -
C:\Windows\SysWOW64\Pkkeeikj.exeC:\Windows\system32\Pkkeeikj.exe80⤵
- Drops file in System32 directory
- Modifies registry class
PID:2308 -
C:\Windows\SysWOW64\Pgbejj32.exeC:\Windows\system32\Pgbejj32.exe81⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2392 -
C:\Windows\SysWOW64\Poinkg32.exeC:\Windows\system32\Poinkg32.exe82⤵PID:888
-
C:\Windows\SysWOW64\Qkpnph32.exeC:\Windows\system32\Qkpnph32.exe83⤵
- System Location Discovery: System Language Discovery
PID:2088 -
C:\Windows\SysWOW64\Qpmgho32.exeC:\Windows\system32\Qpmgho32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:524 -
C:\Windows\SysWOW64\Qkbkfh32.exeC:\Windows\system32\Qkbkfh32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2700 -
C:\Windows\SysWOW64\Qnagbc32.exeC:\Windows\system32\Qnagbc32.exe86⤵PID:1912
-
C:\Windows\SysWOW64\Agilkijf.exeC:\Windows\system32\Agilkijf.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2008 -
C:\Windows\SysWOW64\Akbgdkgm.exeC:\Windows\system32\Akbgdkgm.exe88⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2260 -
C:\Windows\SysWOW64\Bgkeol32.exeC:\Windows\system32\Bgkeol32.exe89⤵PID:2856
-
C:\Windows\SysWOW64\Bnemlf32.exeC:\Windows\system32\Bnemlf32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2852 -
C:\Windows\SysWOW64\Bqciha32.exeC:\Windows\system32\Bqciha32.exe91⤵PID:3024
-
C:\Windows\SysWOW64\Bgnaekil.exeC:\Windows\system32\Bgnaekil.exe92⤵PID:2800
-
C:\Windows\SysWOW64\Bnhjae32.exeC:\Windows\system32\Bnhjae32.exe93⤵
- Drops file in System32 directory
- Modifies registry class
PID:1748 -
C:\Windows\SysWOW64\Bgpnjkgi.exeC:\Windows\system32\Bgpnjkgi.exe94⤵
- System Location Discovery: System Language Discovery
PID:2084 -
C:\Windows\SysWOW64\Biakbc32.exeC:\Windows\system32\Biakbc32.exe95⤵
- Drops file in System32 directory
PID:2372 -
C:\Windows\SysWOW64\Bqhbcqmj.exeC:\Windows\system32\Bqhbcqmj.exe96⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1824 -
C:\Windows\SysWOW64\Bbjoki32.exeC:\Windows\system32\Bbjoki32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2480 -
C:\Windows\SysWOW64\Cmocha32.exeC:\Windows\system32\Cmocha32.exe98⤵PID:2620
-
C:\Windows\SysWOW64\Cbllph32.exeC:\Windows\system32\Cbllph32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2196 -
C:\Windows\SysWOW64\Cmapna32.exeC:\Windows\system32\Cmapna32.exe100⤵PID:1964
-
C:\Windows\SysWOW64\Cfjdfg32.exeC:\Windows\system32\Cfjdfg32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1728 -
C:\Windows\SysWOW64\Cgkanomj.exeC:\Windows\system32\Cgkanomj.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2964 -
C:\Windows\SysWOW64\Cneiki32.exeC:\Windows\system32\Cneiki32.exe103⤵
- System Location Discovery: System Language Discovery
PID:2316 -
C:\Windows\SysWOW64\Ckijdm32.exeC:\Windows\system32\Ckijdm32.exe104⤵PID:2608
-
C:\Windows\SysWOW64\Cafbmdbh.exeC:\Windows\system32\Cafbmdbh.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2748 -
C:\Windows\SysWOW64\Cnjbfhqa.exeC:\Windows\system32\Cnjbfhqa.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1384 -
C:\Windows\SysWOW64\Dnlolhoo.exeC:\Windows\system32\Dnlolhoo.exe107⤵PID:2688
-
C:\Windows\SysWOW64\Dfgdpj32.exeC:\Windows\system32\Dfgdpj32.exe108⤵
- System Location Discovery: System Language Discovery
PID:2636 -
C:\Windows\SysWOW64\Dckdio32.exeC:\Windows\system32\Dckdio32.exe109⤵PID:2360
-
C:\Windows\SysWOW64\Dpbenpqh.exeC:\Windows\system32\Dpbenpqh.exe110⤵
- System Location Discovery: System Language Discovery
PID:2208 -
C:\Windows\SysWOW64\Dlifcqfl.exeC:\Windows\system32\Dlifcqfl.exe111⤵
- Drops file in System32 directory
PID:316 -
C:\Windows\SysWOW64\Ehpgha32.exeC:\Windows\system32\Ehpgha32.exe112⤵
- System Location Discovery: System Language Discovery
PID:1304 -
C:\Windows\SysWOW64\Eahkag32.exeC:\Windows\system32\Eahkag32.exe113⤵PID:2840
-
C:\Windows\SysWOW64\Eajhgg32.exeC:\Windows\system32\Eajhgg32.exe114⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1508 -
C:\Windows\SysWOW64\Emailhfb.exeC:\Windows\system32\Emailhfb.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1552 -
C:\Windows\SysWOW64\Ekeiel32.exeC:\Windows\system32\Ekeiel32.exe116⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:328 -
C:\Windows\SysWOW64\Edmnnakm.exeC:\Windows\system32\Edmnnakm.exe117⤵PID:3020
-
C:\Windows\SysWOW64\Eaangfjf.exeC:\Windows\system32\Eaangfjf.exe118⤵
- Drops file in System32 directory
PID:2884 -
C:\Windows\SysWOW64\Fcbjon32.exeC:\Windows\system32\Fcbjon32.exe119⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2312 -
C:\Windows\SysWOW64\Feccqime.exeC:\Windows\system32\Feccqime.exe120⤵
- System Location Discovery: System Language Discovery
PID:2904 -
C:\Windows\SysWOW64\Fpihnbmk.exeC:\Windows\system32\Fpihnbmk.exe121⤵
- Modifies registry class
PID:2776
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-