Analysis
-
max time kernel
16s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
07/03/2025, 03:17
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3e86feff54289d212a8e1a2a037502c2e4620e03168de017eebd8ab3841a4413.exe
Resource
win7-20240729-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
3e86feff54289d212a8e1a2a037502c2e4620e03168de017eebd8ab3841a4413.exe
Resource
win10v2004-20250217-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
3e86feff54289d212a8e1a2a037502c2e4620e03168de017eebd8ab3841a4413.exe
-
Size
84KB
-
MD5
59f07e3797833cc78d3614a4a5904e67
-
SHA1
65216bdd8e059f3b9dc2bd855fc3af3a49a71577
-
SHA256
3e86feff54289d212a8e1a2a037502c2e4620e03168de017eebd8ab3841a4413
-
SHA512
4a9743c9b0a9d49e49fd09fae7aa308b04a3252fbf204a90a93abd246f5e8369a0ee5453f574df70fc31aaabd253bea4d11046457226d1895623e303c9187ed0
-
SSDEEP
1536:RoQO2E2yqbEywbxaA8ANZLvfPDyH6n8dEelLYR7xeGSmUmmmmmmmmmmmmmmdGnZ:RoQO2E2yTvFB3PDyH6n8djlLYR7xr3
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bakdjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgjkmijh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iabhdefo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kngaig32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbmpnjai.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oacbdg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dabfjp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcakbjpl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnflnfbm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmcpjfcj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opebpdad.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clnhajlc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpghfn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgmekpmn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lelljepm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 3e86feff54289d212a8e1a2a037502c2e4620e03168de017eebd8ab3841a4413.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcocgkbp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okkfmmqj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clnhajlc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Defljp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdlclo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgoaap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjpkbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chgimh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfadcemm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdjceb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbilhkig.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oheppe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hndoifdp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjmmcgha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkhdml32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbhagiem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bakdjn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgoobg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejadibmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgcdlj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fqpbpo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgjkmijh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hadhjaaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpbnaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Echlmh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fclbgj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gapoob32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfgcieii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ileoknhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkdoci32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knbgnhfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfihml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkcebg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fipdqmje.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Heijidbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihnmfoli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqjfpbmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmngof32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlocka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfadcemm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igffmkno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkfhglen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcffgnnc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Liekddkh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lenioenj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odckfb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejadibmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecjibgdh.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 1908 Bbcjca32.exe 2868 Bafkookd.exe 2804 Bhpclica.exe 2852 Bllomg32.exe 2608 Bedcembk.exe 3052 Bjalndpb.exe 1680 Bakdjn32.exe 1320 Ckchcc32.exe 2252 Camqpnel.exe 1976 Chgimh32.exe 2260 Ckfeic32.exe 1064 Cmdaeo32.exe 592 Cpbnaj32.exe 2392 Cdnjaibm.exe 2204 Ckhbnb32.exe 2192 Cpejfjha.exe 1084 Cgobcd32.exe 1760 Ceacoqfi.exe 824 Cmikpngk.exe 1652 Cojghf32.exe 2132 Cgaoic32.exe 1696 Chblqlcj.exe 2348 Clnhajlc.exe 2304 Dchpnd32.exe 1216 Defljp32.exe 1580 Dibhjokm.exe 2836 Dkcebg32.exe 2280 Deiipp32.exe 1044 Dlbaljhn.exe 2800 Dkeahf32.exe 2676 Dapjdq32.exe 3060 Dglbmg32.exe 1456 Dkhnmfle.exe 2924 Dabfjp32.exe 2940 Ddpbfl32.exe 2980 Dgoobg32.exe 1052 Dnhgoa32.exe 1712 Ddbolkac.exe 752 Dcepgh32.exe 2144 Epipql32.exe 2272 Echlmh32.exe 2492 Ejadibmh.exe 1008 Elpqemll.exe 3004 Eoomai32.exe 2120 Ecjibgdh.exe 1700 Elbmkm32.exe 2032 Eoajgh32.exe 3012 Ejfnda32.exe 2740 Ehinpnpm.exe 2788 Ekhjlioa.exe 2824 Eocfmh32.exe 2736 Ebabicfn.exe 2240 Ehlkfn32.exe 3044 Ekjgbi32.exe 1900 Eoecbheg.exe 2992 Enhcnd32.exe 2176 Ffpkob32.exe 2588 Fdblkoco.exe 936 Fgqhgjbb.exe 2276 Fnkpcd32.exe 2072 Fbfldc32.exe 564 Fipdqmje.exe 1528 Fgcdlj32.exe 2360 Fjaqhe32.exe -
Loads dropped DLL 64 IoCs
pid Process 2216 3e86feff54289d212a8e1a2a037502c2e4620e03168de017eebd8ab3841a4413.exe 2216 3e86feff54289d212a8e1a2a037502c2e4620e03168de017eebd8ab3841a4413.exe 1908 Bbcjca32.exe 1908 Bbcjca32.exe 2868 Bafkookd.exe 2868 Bafkookd.exe 2804 Bhpclica.exe 2804 Bhpclica.exe 2852 Bllomg32.exe 2852 Bllomg32.exe 2608 Bedcembk.exe 2608 Bedcembk.exe 3052 Bjalndpb.exe 3052 Bjalndpb.exe 1680 Bakdjn32.exe 1680 Bakdjn32.exe 1320 Ckchcc32.exe 1320 Ckchcc32.exe 2252 Camqpnel.exe 2252 Camqpnel.exe 1976 Chgimh32.exe 1976 Chgimh32.exe 2260 Ckfeic32.exe 2260 Ckfeic32.exe 1064 Cmdaeo32.exe 1064 Cmdaeo32.exe 592 Cpbnaj32.exe 592 Cpbnaj32.exe 2392 Cdnjaibm.exe 2392 Cdnjaibm.exe 2204 Ckhbnb32.exe 2204 Ckhbnb32.exe 2192 Cpejfjha.exe 2192 Cpejfjha.exe 1084 Cgobcd32.exe 1084 Cgobcd32.exe 1760 Ceacoqfi.exe 1760 Ceacoqfi.exe 824 Cmikpngk.exe 824 Cmikpngk.exe 1652 Cojghf32.exe 1652 Cojghf32.exe 2132 Cgaoic32.exe 2132 Cgaoic32.exe 1696 Chblqlcj.exe 1696 Chblqlcj.exe 2348 Clnhajlc.exe 2348 Clnhajlc.exe 2304 Dchpnd32.exe 2304 Dchpnd32.exe 1216 Defljp32.exe 1216 Defljp32.exe 1580 Dibhjokm.exe 1580 Dibhjokm.exe 2836 Dkcebg32.exe 2836 Dkcebg32.exe 2280 Deiipp32.exe 2280 Deiipp32.exe 1044 Dlbaljhn.exe 1044 Dlbaljhn.exe 2800 Dkeahf32.exe 2800 Dkeahf32.exe 2676 Dapjdq32.exe 2676 Dapjdq32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Gcakbjpl.exe Gpeoakhc.exe File created C:\Windows\SysWOW64\Gegaeabe.exe Gfdaid32.exe File created C:\Windows\SysWOW64\Iokahhac.exe Ikoehj32.exe File created C:\Windows\SysWOW64\Mjbghkfi.exe Mhckloge.exe File created C:\Windows\SysWOW64\Ppicjm32.dll Mdmhfpkg.exe File opened for modification C:\Windows\SysWOW64\Nljjqbfp.exe Nmgjee32.exe File opened for modification C:\Windows\SysWOW64\Iencdc32.exe Iabhdefo.exe File created C:\Windows\SysWOW64\Ihnmfoli.exe Iaddid32.exe File created C:\Windows\SysWOW64\Jjmoge32.dll Iljifm32.exe File created C:\Windows\SysWOW64\Lmcdkbao.exe Lelljepm.exe File opened for modification C:\Windows\SysWOW64\Miiaogio.exe Mjgqcj32.exe File created C:\Windows\SysWOW64\Eoomai32.exe Elpqemll.exe File created C:\Windows\SysWOW64\Edjdohaf.dll Fgcdlj32.exe File opened for modification C:\Windows\SysWOW64\Hjhchg32.exe Gapoob32.exe File opened for modification C:\Windows\SysWOW64\Kdgfpbaf.exe Jbijcgbc.exe File created C:\Windows\SysWOW64\Omeini32.exe Oobiclmh.exe File opened for modification C:\Windows\SysWOW64\Fpcblkje.exe Fqpbpo32.exe File created C:\Windows\SysWOW64\Ifhgcgjq.exe Ioaobjin.exe File created C:\Windows\SysWOW64\Jpeafo32.exe Jhniebne.exe File created C:\Windows\SysWOW64\Alggph32.dll Kcamln32.exe File created C:\Windows\SysWOW64\Mgoaap32.exe Leqeed32.exe File opened for modification C:\Windows\SysWOW64\Bafkookd.exe Bbcjca32.exe File created C:\Windows\SysWOW64\Bjalndpb.exe Bedcembk.exe File opened for modification C:\Windows\SysWOW64\Cpbnaj32.exe Cmdaeo32.exe File opened for modification C:\Windows\SysWOW64\Fkambhgf.exe Fgeabi32.exe File created C:\Windows\SysWOW64\Hbhagiem.exe Hdeall32.exe File created C:\Windows\SysWOW64\Hmneebeb.exe Hjoiiffo.exe File created C:\Windows\SysWOW64\Iockhigl.exe Ileoknhh.exe File opened for modification C:\Windows\SysWOW64\Iaddid32.exe Ibadnhmb.exe File created C:\Windows\SysWOW64\Mojkpqcn.dll Deiipp32.exe File created C:\Windows\SysWOW64\Aledmn32.dll Fnafdc32.exe File created C:\Windows\SysWOW64\Camlob32.dll Gbfhcf32.exe File created C:\Windows\SysWOW64\Iijfeeok.dll Iokahhac.exe File created C:\Windows\SysWOW64\Knpkhhhg.exe Kkaolm32.exe File opened for modification C:\Windows\SysWOW64\Liekddkh.exe Lffohikd.exe File created C:\Windows\SysWOW64\Mnncii32.exe Mjbghkfi.exe File created C:\Windows\SysWOW64\Niqgof32.exe Naionh32.exe File created C:\Windows\SysWOW64\Fjecidcb.dll Ddpbfl32.exe File created C:\Windows\SysWOW64\Ohpchcao.dll Bhpclica.exe File created C:\Windows\SysWOW64\Ekhjlioa.exe Ehinpnpm.exe File opened for modification C:\Windows\SysWOW64\Jcmgal32.exe Jpnkep32.exe File opened for modification C:\Windows\SysWOW64\Jjkiie32.exe Jfpmifoa.exe File created C:\Windows\SysWOW64\Cgejdc32.dll Lkfdfo32.exe File created C:\Windows\SysWOW64\Nggbjggc.dll Ocdnloph.exe File created C:\Windows\SysWOW64\Jinqgg32.dll Fkambhgf.exe File created C:\Windows\SysWOW64\Nfkokh32.dll Iainddpg.exe File created C:\Windows\SysWOW64\Kdnlpaln.exe Kbppdfmk.exe File opened for modification C:\Windows\SysWOW64\Ljpnch32.exe Lgabgl32.exe File created C:\Windows\SysWOW64\Pkjfgc32.dll Lffohikd.exe File created C:\Windows\SysWOW64\Oomlfpdi.exe Opjlkc32.exe File created C:\Windows\SysWOW64\Elpqemll.exe Ejadibmh.exe File opened for modification C:\Windows\SysWOW64\Enhcnd32.exe Eoecbheg.exe File created C:\Windows\SysWOW64\Dabfjp32.exe Dkhnmfle.exe File created C:\Windows\SysWOW64\Aempha32.dll Ckhbnb32.exe File opened for modification C:\Windows\SysWOW64\Camqpnel.exe Ckchcc32.exe File opened for modification C:\Windows\SysWOW64\Jkdoci32.exe Jcmgal32.exe File created C:\Windows\SysWOW64\Mdmhfpkg.exe Manljd32.exe File opened for modification C:\Windows\SysWOW64\Nfpnnk32.exe Nbdbml32.exe File opened for modification C:\Windows\SysWOW64\Cgaoic32.exe Cojghf32.exe File opened for modification C:\Windows\SysWOW64\Eoomai32.exe Elpqemll.exe File created C:\Windows\SysWOW64\Hjhchg32.exe Gapoob32.exe File opened for modification C:\Windows\SysWOW64\Kdjceb32.exe Kfgcieii.exe File created C:\Windows\SysWOW64\Lkcgapjl.exe Liekddkh.exe File created C:\Windows\SysWOW64\Lkfdfo32.exe Lmcdkbao.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3692 3512 WerFault.exe 304 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjneoeeh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnncii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odckfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mchokq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdeall32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbhagiem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khglkqfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljpnch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omeini32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhopgkin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jempcgad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnfmhj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dibhjokm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eoajgh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ioheci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqgjkbop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlocka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpejfjha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgjkmijh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gapoob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnpoie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhhqfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmikpngk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Defljp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgoobg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdlclo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmnkpc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfkhch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Malpee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ceacoqfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddbolkac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfogneop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjoiiffo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbppdfmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjpkbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oophlpag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3e86feff54289d212a8e1a2a037502c2e4620e03168de017eebd8ab3841a4413.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekjgbi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihjcko32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjalndpb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mljnaocd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oheppe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbfldc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmpbja32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcocgkbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbkchj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iebmpcjc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcmgal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhckloge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oobiclmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Camqpnel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epipql32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdhnal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmngof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcjlap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Naionh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpeoakhc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jndhddaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Niqgof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opebpdad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdgefn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkaolm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdjceb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mecbjd32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhopbilb.dll" Gfdaid32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcmgal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jhniebne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbncof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgiglh32.dll" Mlhmkbhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkgjak32.dll" Oacbdg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} 3e86feff54289d212a8e1a2a037502c2e4620e03168de017eebd8ab3841a4413.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Elpqemll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hjoiiffo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ileoknhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfkokh32.dll" Iainddpg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jojnglco.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngkaaolf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chgimh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhopgkin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfgcieii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Leqeed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nbilhkig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckchcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gfadcemm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnpkcl32.dll" Ioaobjin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kihjmonk.dll" Jfpmifoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lbkchj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncndladm.dll" Ejfnda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gfogneop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhlcal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjoiiffo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlcbociq.dll" Jnpoie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejikmqhk.dll" Jojnglco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifadmn32.dll" Knddcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhckloge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdfggipp.dll" 3e86feff54289d212a8e1a2a037502c2e4620e03168de017eebd8ab3841a4413.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhonin32.dll" Fnkpcd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmneebeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Khglkqfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnlnid32.dll" Kfbemi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmnnepij.dll" Mjpkbk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Npcika32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncmioapf.dll" Defljp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Epipql32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eocfmh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gipqpplq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ihlpqonl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iplnpq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmmlkk32.dll" Kkfhglen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcjlap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eemjqoee.dll" Fnoiocfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bedcembk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lchclmla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkhalo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nepach32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hipdajoc.dll" Nmgjee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okmbclmp.dll" Bllomg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdblkoco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghenamai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inlmnebq.dll" Ghgjflof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkhgnk32.dll" Ihnmfoli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jndhddaf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jkobgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lelljepm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hagepa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hdeall32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kdjceb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjpkbk32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2216 wrote to memory of 1908 2216 3e86feff54289d212a8e1a2a037502c2e4620e03168de017eebd8ab3841a4413.exe 30 PID 2216 wrote to memory of 1908 2216 3e86feff54289d212a8e1a2a037502c2e4620e03168de017eebd8ab3841a4413.exe 30 PID 2216 wrote to memory of 1908 2216 3e86feff54289d212a8e1a2a037502c2e4620e03168de017eebd8ab3841a4413.exe 30 PID 2216 wrote to memory of 1908 2216 3e86feff54289d212a8e1a2a037502c2e4620e03168de017eebd8ab3841a4413.exe 30 PID 1908 wrote to memory of 2868 1908 Bbcjca32.exe 31 PID 1908 wrote to memory of 2868 1908 Bbcjca32.exe 31 PID 1908 wrote to memory of 2868 1908 Bbcjca32.exe 31 PID 1908 wrote to memory of 2868 1908 Bbcjca32.exe 31 PID 2868 wrote to memory of 2804 2868 Bafkookd.exe 32 PID 2868 wrote to memory of 2804 2868 Bafkookd.exe 32 PID 2868 wrote to memory of 2804 2868 Bafkookd.exe 32 PID 2868 wrote to memory of 2804 2868 Bafkookd.exe 32 PID 2804 wrote to memory of 2852 2804 Bhpclica.exe 33 PID 2804 wrote to memory of 2852 2804 Bhpclica.exe 33 PID 2804 wrote to memory of 2852 2804 Bhpclica.exe 33 PID 2804 wrote to memory of 2852 2804 Bhpclica.exe 33 PID 2852 wrote to memory of 2608 2852 Bllomg32.exe 34 PID 2852 wrote to memory of 2608 2852 Bllomg32.exe 34 PID 2852 wrote to memory of 2608 2852 Bllomg32.exe 34 PID 2852 wrote to memory of 2608 2852 Bllomg32.exe 34 PID 2608 wrote to memory of 3052 2608 Bedcembk.exe 35 PID 2608 wrote to memory of 3052 2608 Bedcembk.exe 35 PID 2608 wrote to memory of 3052 2608 Bedcembk.exe 35 PID 2608 wrote to memory of 3052 2608 Bedcembk.exe 35 PID 3052 wrote to memory of 1680 3052 Bjalndpb.exe 36 PID 3052 wrote to memory of 1680 3052 Bjalndpb.exe 36 PID 3052 wrote to memory of 1680 3052 Bjalndpb.exe 36 PID 3052 wrote to memory of 1680 3052 Bjalndpb.exe 36 PID 1680 wrote to memory of 1320 1680 Bakdjn32.exe 37 PID 1680 wrote to memory of 1320 1680 Bakdjn32.exe 37 PID 1680 wrote to memory of 1320 1680 Bakdjn32.exe 37 PID 1680 wrote to memory of 1320 1680 Bakdjn32.exe 37 PID 1320 wrote to memory of 2252 1320 Ckchcc32.exe 38 PID 1320 wrote to memory of 2252 1320 Ckchcc32.exe 38 PID 1320 wrote to memory of 2252 1320 Ckchcc32.exe 38 PID 1320 wrote to memory of 2252 1320 Ckchcc32.exe 38 PID 2252 wrote to memory of 1976 2252 Camqpnel.exe 39 PID 2252 wrote to memory of 1976 2252 Camqpnel.exe 39 PID 2252 wrote to memory of 1976 2252 Camqpnel.exe 39 PID 2252 wrote to memory of 1976 2252 Camqpnel.exe 39 PID 1976 wrote to memory of 2260 1976 Chgimh32.exe 40 PID 1976 wrote to memory of 2260 1976 Chgimh32.exe 40 PID 1976 wrote to memory of 2260 1976 Chgimh32.exe 40 PID 1976 wrote to memory of 2260 1976 Chgimh32.exe 40 PID 2260 wrote to memory of 1064 2260 Ckfeic32.exe 41 PID 2260 wrote to memory of 1064 2260 Ckfeic32.exe 41 PID 2260 wrote to memory of 1064 2260 Ckfeic32.exe 41 PID 2260 wrote to memory of 1064 2260 Ckfeic32.exe 41 PID 1064 wrote to memory of 592 1064 Cmdaeo32.exe 42 PID 1064 wrote to memory of 592 1064 Cmdaeo32.exe 42 PID 1064 wrote to memory of 592 1064 Cmdaeo32.exe 42 PID 1064 wrote to memory of 592 1064 Cmdaeo32.exe 42 PID 592 wrote to memory of 2392 592 Cpbnaj32.exe 43 PID 592 wrote to memory of 2392 592 Cpbnaj32.exe 43 PID 592 wrote to memory of 2392 592 Cpbnaj32.exe 43 PID 592 wrote to memory of 2392 592 Cpbnaj32.exe 43 PID 2392 wrote to memory of 2204 2392 Cdnjaibm.exe 44 PID 2392 wrote to memory of 2204 2392 Cdnjaibm.exe 44 PID 2392 wrote to memory of 2204 2392 Cdnjaibm.exe 44 PID 2392 wrote to memory of 2204 2392 Cdnjaibm.exe 44 PID 2204 wrote to memory of 2192 2204 Ckhbnb32.exe 45 PID 2204 wrote to memory of 2192 2204 Ckhbnb32.exe 45 PID 2204 wrote to memory of 2192 2204 Ckhbnb32.exe 45 PID 2204 wrote to memory of 2192 2204 Ckhbnb32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\3e86feff54289d212a8e1a2a037502c2e4620e03168de017eebd8ab3841a4413.exe"C:\Users\Admin\AppData\Local\Temp\3e86feff54289d212a8e1a2a037502c2e4620e03168de017eebd8ab3841a4413.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\Bbcjca32.exeC:\Windows\system32\Bbcjca32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1908 -
C:\Windows\SysWOW64\Bafkookd.exeC:\Windows\system32\Bafkookd.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Bhpclica.exeC:\Windows\system32\Bhpclica.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Bllomg32.exeC:\Windows\system32\Bllomg32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\Bedcembk.exeC:\Windows\system32\Bedcembk.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Bjalndpb.exeC:\Windows\system32\Bjalndpb.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\SysWOW64\Bakdjn32.exeC:\Windows\system32\Bakdjn32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Windows\SysWOW64\Ckchcc32.exeC:\Windows\system32\Ckchcc32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1320 -
C:\Windows\SysWOW64\Camqpnel.exeC:\Windows\system32\Camqpnel.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\SysWOW64\Chgimh32.exeC:\Windows\system32\Chgimh32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\SysWOW64\Ckfeic32.exeC:\Windows\system32\Ckfeic32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Windows\SysWOW64\Cmdaeo32.exeC:\Windows\system32\Cmdaeo32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1064 -
C:\Windows\SysWOW64\Cpbnaj32.exeC:\Windows\system32\Cpbnaj32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:592 -
C:\Windows\SysWOW64\Cdnjaibm.exeC:\Windows\system32\Cdnjaibm.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\SysWOW64\Ckhbnb32.exeC:\Windows\system32\Ckhbnb32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\SysWOW64\Cpejfjha.exeC:\Windows\system32\Cpejfjha.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2192 -
C:\Windows\SysWOW64\Cgobcd32.exeC:\Windows\system32\Cgobcd32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1084 -
C:\Windows\SysWOW64\Ceacoqfi.exeC:\Windows\system32\Ceacoqfi.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1760 -
C:\Windows\SysWOW64\Cmikpngk.exeC:\Windows\system32\Cmikpngk.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:824 -
C:\Windows\SysWOW64\Cojghf32.exeC:\Windows\system32\Cojghf32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1652 -
C:\Windows\SysWOW64\Cgaoic32.exeC:\Windows\system32\Cgaoic32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2132 -
C:\Windows\SysWOW64\Chblqlcj.exeC:\Windows\system32\Chblqlcj.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1696 -
C:\Windows\SysWOW64\Clnhajlc.exeC:\Windows\system32\Clnhajlc.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2348 -
C:\Windows\SysWOW64\Dchpnd32.exeC:\Windows\system32\Dchpnd32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2304 -
C:\Windows\SysWOW64\Defljp32.exeC:\Windows\system32\Defljp32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1216 -
C:\Windows\SysWOW64\Dibhjokm.exeC:\Windows\system32\Dibhjokm.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1580 -
C:\Windows\SysWOW64\Dkcebg32.exeC:\Windows\system32\Dkcebg32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2836 -
C:\Windows\SysWOW64\Deiipp32.exeC:\Windows\system32\Deiipp32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2280 -
C:\Windows\SysWOW64\Dlbaljhn.exeC:\Windows\system32\Dlbaljhn.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1044 -
C:\Windows\SysWOW64\Dkeahf32.exeC:\Windows\system32\Dkeahf32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2800 -
C:\Windows\SysWOW64\Dapjdq32.exeC:\Windows\system32\Dapjdq32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2676 -
C:\Windows\SysWOW64\Dglbmg32.exeC:\Windows\system32\Dglbmg32.exe33⤵
- Executes dropped EXE
PID:3060 -
C:\Windows\SysWOW64\Dkhnmfle.exeC:\Windows\system32\Dkhnmfle.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1456 -
C:\Windows\SysWOW64\Dabfjp32.exeC:\Windows\system32\Dabfjp32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Ddpbfl32.exeC:\Windows\system32\Ddpbfl32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2940 -
C:\Windows\SysWOW64\Dgoobg32.exeC:\Windows\system32\Dgoobg32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2980 -
C:\Windows\SysWOW64\Dnhgoa32.exeC:\Windows\system32\Dnhgoa32.exe38⤵
- Executes dropped EXE
PID:1052 -
C:\Windows\SysWOW64\Ddbolkac.exeC:\Windows\system32\Ddbolkac.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1712 -
C:\Windows\SysWOW64\Dcepgh32.exeC:\Windows\system32\Dcepgh32.exe40⤵
- Executes dropped EXE
PID:752 -
C:\Windows\SysWOW64\Epipql32.exeC:\Windows\system32\Epipql32.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2144 -
C:\Windows\SysWOW64\Echlmh32.exeC:\Windows\system32\Echlmh32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2272 -
C:\Windows\SysWOW64\Ejadibmh.exeC:\Windows\system32\Ejadibmh.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2492 -
C:\Windows\SysWOW64\Elpqemll.exeC:\Windows\system32\Elpqemll.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1008 -
C:\Windows\SysWOW64\Eoomai32.exeC:\Windows\system32\Eoomai32.exe45⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Ecjibgdh.exeC:\Windows\system32\Ecjibgdh.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Elbmkm32.exeC:\Windows\system32\Elbmkm32.exe47⤵
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\Eoajgh32.exeC:\Windows\system32\Eoajgh32.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2032 -
C:\Windows\SysWOW64\Ejfnda32.exeC:\Windows\system32\Ejfnda32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:3012 -
C:\Windows\SysWOW64\Ehinpnpm.exeC:\Windows\system32\Ehinpnpm.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2740 -
C:\Windows\SysWOW64\Ekhjlioa.exeC:\Windows\system32\Ekhjlioa.exe51⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Eocfmh32.exeC:\Windows\system32\Eocfmh32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:2824 -
C:\Windows\SysWOW64\Ebabicfn.exeC:\Windows\system32\Ebabicfn.exe53⤵
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Ehlkfn32.exeC:\Windows\system32\Ehlkfn32.exe54⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Ekjgbi32.exeC:\Windows\system32\Ekjgbi32.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3044 -
C:\Windows\SysWOW64\Eoecbheg.exeC:\Windows\system32\Eoecbheg.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1900 -
C:\Windows\SysWOW64\Enhcnd32.exeC:\Windows\system32\Enhcnd32.exe57⤵
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Ffpkob32.exeC:\Windows\system32\Ffpkob32.exe58⤵
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\Fdblkoco.exeC:\Windows\system32\Fdblkoco.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:2588 -
C:\Windows\SysWOW64\Fgqhgjbb.exeC:\Windows\system32\Fgqhgjbb.exe60⤵
- Executes dropped EXE
PID:936 -
C:\Windows\SysWOW64\Fnkpcd32.exeC:\Windows\system32\Fnkpcd32.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:2276 -
C:\Windows\SysWOW64\Fbfldc32.exeC:\Windows\system32\Fbfldc32.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2072 -
C:\Windows\SysWOW64\Fipdqmje.exeC:\Windows\system32\Fipdqmje.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:564 -
C:\Windows\SysWOW64\Fgcdlj32.exeC:\Windows\system32\Fgcdlj32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1528 -
C:\Windows\SysWOW64\Fjaqhe32.exeC:\Windows\system32\Fjaqhe32.exe65⤵
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\Fbiijb32.exeC:\Windows\system32\Fbiijb32.exe66⤵PID:3036
-
C:\Windows\SysWOW64\Fdgefn32.exeC:\Windows\system32\Fdgefn32.exe67⤵
- System Location Discovery: System Language Discovery
PID:1748 -
C:\Windows\SysWOW64\Fgeabi32.exeC:\Windows\system32\Fgeabi32.exe68⤵
- Drops file in System32 directory
PID:1240 -
C:\Windows\SysWOW64\Fkambhgf.exeC:\Windows\system32\Fkambhgf.exe69⤵
- Drops file in System32 directory
PID:1576 -
C:\Windows\SysWOW64\Fnoiocfj.exeC:\Windows\system32\Fnoiocfj.exe70⤵
- Modifies registry class
PID:2712 -
C:\Windows\SysWOW64\Fqnfkoen.exeC:\Windows\system32\Fqnfkoen.exe71⤵PID:2968
-
C:\Windows\SysWOW64\Fclbgj32.exeC:\Windows\system32\Fclbgj32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:320 -
C:\Windows\SysWOW64\Ffkncf32.exeC:\Windows\system32\Ffkncf32.exe73⤵PID:2784
-
C:\Windows\SysWOW64\Fnafdc32.exeC:\Windows\system32\Fnafdc32.exe74⤵
- Drops file in System32 directory
PID:2168 -
C:\Windows\SysWOW64\Fqpbpo32.exeC:\Windows\system32\Fqpbpo32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3040 -
C:\Windows\SysWOW64\Fpcblkje.exeC:\Windows\system32\Fpcblkje.exe76⤵PID:2420
-
C:\Windows\SysWOW64\Fgjkmijh.exeC:\Windows\system32\Fgjkmijh.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2432 -
C:\Windows\SysWOW64\Ffmkhe32.exeC:\Windows\system32\Ffmkhe32.exe78⤵PID:2324
-
C:\Windows\SysWOW64\Fmgcepio.exeC:\Windows\system32\Fmgcepio.exe79⤵PID:2104
-
C:\Windows\SysWOW64\Gpeoakhc.exeC:\Windows\system32\Gpeoakhc.exe80⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:324 -
C:\Windows\SysWOW64\Gcakbjpl.exeC:\Windows\system32\Gcakbjpl.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2488 -
C:\Windows\SysWOW64\Gfogneop.exeC:\Windows\system32\Gfogneop.exe82⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2936 -
C:\Windows\SysWOW64\Gmipko32.exeC:\Windows\system32\Gmipko32.exe83⤵PID:2012
-
C:\Windows\SysWOW64\Gphlgk32.exeC:\Windows\system32\Gphlgk32.exe84⤵PID:2160
-
C:\Windows\SysWOW64\Gbfhcf32.exeC:\Windows\system32\Gbfhcf32.exe85⤵
- Drops file in System32 directory
PID:1692 -
C:\Windows\SysWOW64\Gfadcemm.exeC:\Windows\system32\Gfadcemm.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2732 -
C:\Windows\SysWOW64\Gipqpplq.exeC:\Windows\system32\Gipqpplq.exe87⤵
- Modifies registry class
PID:2096 -
C:\Windows\SysWOW64\Glomllkd.exeC:\Windows\system32\Glomllkd.exe88⤵PID:3056
-
C:\Windows\SysWOW64\Gnmihgkh.exeC:\Windows\system32\Gnmihgkh.exe89⤵PID:1988
-
C:\Windows\SysWOW64\Gfdaid32.exeC:\Windows\system32\Gfdaid32.exe90⤵
- Drops file in System32 directory
- Modifies registry class
PID:2164 -
C:\Windows\SysWOW64\Gegaeabe.exeC:\Windows\system32\Gegaeabe.exe91⤵PID:2408
-
C:\Windows\SysWOW64\Ghenamai.exeC:\Windows\system32\Ghenamai.exe92⤵
- Modifies registry class
PID:820 -
C:\Windows\SysWOW64\Gnofng32.exeC:\Windows\system32\Gnofng32.exe93⤵PID:648
-
C:\Windows\SysWOW64\Ganbjb32.exeC:\Windows\system32\Ganbjb32.exe94⤵PID:2384
-
C:\Windows\SysWOW64\Geinjapb.exeC:\Windows\system32\Geinjapb.exe95⤵PID:2232
-
C:\Windows\SysWOW64\Ghgjflof.exeC:\Windows\system32\Ghgjflof.exe96⤵
- Modifies registry class
PID:1808 -
C:\Windows\SysWOW64\Gnabcf32.exeC:\Windows\system32\Gnabcf32.exe97⤵PID:1552
-
C:\Windows\SysWOW64\Gapoob32.exeC:\Windows\system32\Gapoob32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2536 -
C:\Windows\SysWOW64\Hjhchg32.exeC:\Windows\system32\Hjhchg32.exe99⤵PID:2780
-
C:\Windows\SysWOW64\Hndoifdp.exeC:\Windows\system32\Hndoifdp.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2616 -
C:\Windows\SysWOW64\Hmgodc32.exeC:\Windows\system32\Hmgodc32.exe101⤵PID:2600
-
C:\Windows\SysWOW64\Hengep32.exeC:\Windows\system32\Hengep32.exe102⤵PID:3028
-
C:\Windows\SysWOW64\Hhlcal32.exeC:\Windows\system32\Hhlcal32.exe103⤵
- Modifies registry class
PID:1100 -
C:\Windows\SysWOW64\Hjkpng32.exeC:\Windows\system32\Hjkpng32.exe104⤵PID:2296
-
C:\Windows\SysWOW64\Hnflnfbm.exeC:\Windows\system32\Hnflnfbm.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1964 -
C:\Windows\SysWOW64\Hadhjaaa.exeC:\Windows\system32\Hadhjaaa.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2248 -
C:\Windows\SysWOW64\Hpghfn32.exeC:\Windows\system32\Hpghfn32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1812 -
C:\Windows\SysWOW64\Hhopgkin.exeC:\Windows\system32\Hhopgkin.exe108⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1888 -
C:\Windows\SysWOW64\Hjmmcgha.exeC:\Windows\system32\Hjmmcgha.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2984 -
C:\Windows\SysWOW64\Hagepa32.exeC:\Windows\system32\Hagepa32.exe110⤵
- Modifies registry class
PID:2632 -
C:\Windows\SysWOW64\Hdeall32.exeC:\Windows\system32\Hdeall32.exe111⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2948 -
C:\Windows\SysWOW64\Hbhagiem.exeC:\Windows\system32\Hbhagiem.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1816 -
C:\Windows\SysWOW64\Hjoiiffo.exeC:\Windows\system32\Hjoiiffo.exe113⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2404 -
C:\Windows\SysWOW64\Hmneebeb.exeC:\Windows\system32\Hmneebeb.exe114⤵
- Modifies registry class
PID:2484 -
C:\Windows\SysWOW64\Hlqfqo32.exeC:\Windows\system32\Hlqfqo32.exe115⤵PID:2228
-
C:\Windows\SysWOW64\Hdhnal32.exeC:\Windows\system32\Hdhnal32.exe116⤵
- System Location Discovery: System Language Discovery
PID:1960 -
C:\Windows\SysWOW64\Heijidbn.exeC:\Windows\system32\Heijidbn.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1716 -
C:\Windows\SysWOW64\Hmpbja32.exeC:\Windows\system32\Hmpbja32.exe118⤵
- System Location Discovery: System Language Discovery
PID:1068 -
C:\Windows\SysWOW64\Ioaobjin.exeC:\Windows\system32\Ioaobjin.exe119⤵
- Drops file in System32 directory
- Modifies registry class
PID:2532 -
C:\Windows\SysWOW64\Ifhgcgjq.exeC:\Windows\system32\Ifhgcgjq.exe120⤵PID:1040
-
C:\Windows\SysWOW64\Ihjcko32.exeC:\Windows\system32\Ihjcko32.exe121⤵
- System Location Discovery: System Language Discovery
PID:2708
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-