Analysis
-
max time kernel
94s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
28/09/2024, 00:59
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
593907c0fe06e57e1762ff4cbd666c38782b58bd2140c8689d7142cd64fa430dN.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
593907c0fe06e57e1762ff4cbd666c38782b58bd2140c8689d7142cd64fa430dN.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
593907c0fe06e57e1762ff4cbd666c38782b58bd2140c8689d7142cd64fa430dN.exe
-
Size
148KB
-
MD5
c63bf56d321b6e1ec0d967a920610b60
-
SHA1
baa2e932428f37a857162394e48ff279ef7a7fd1
-
SHA256
593907c0fe06e57e1762ff4cbd666c38782b58bd2140c8689d7142cd64fa430d
-
SHA512
95cee5e5eec4cc87c7088ac83f6dde3fcade44e4c47255859c5219ca60ba61757bd4f3aaf3510dc8ac1a8eab01b4fe7b4939616bba9e03eeffb36b5252fb0698
-
SSDEEP
3072:uXsI9YFf/hzB03zPWOY5OdzOdjKtlDoNQQ9wlHOdj+UCRQKOdj+U:u8I9Yd5103COKOdzOdkOdezOd
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihphkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aajhndkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kclgmq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjlgdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhdckaeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pojcjh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piphgq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chlflabp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gehbjm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfqlfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apaadpng.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afghneoo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jibmgi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oidhlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdhedh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aolblopj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcbdgb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcbnnpka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cncnob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mogcihaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckjknfnh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdoihpbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cofecami.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Deqcbpld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Boflmdkk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Naecop32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qeodhjmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkaicd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aomifecf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkalplel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llodgnja.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppolhcnm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oepifi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aijnep32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eaqdegaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Licfngjd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmbmkpie.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfpffeaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpqkad32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oblmdhdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epndknin.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iciaqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmafajfi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njmqnobn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlhljhbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pejkmk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ooagno32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afelhf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdmgfedl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aokcklid.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amlogfel.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmpjmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahdged32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jilnqqbj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbefdijg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oondnini.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idghpmnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcfggkac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Koodbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oejbfmpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kodnmkap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iijaka32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qqffjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbqqkkbo.exe -
Executes dropped EXE 64 IoCs
pid Process 2368 Inkjhi32.exe 3644 Ihqoeb32.exe 2744 Iokgal32.exe 5032 Idgojc32.exe 2756 Iomcgl32.exe 4508 Idjlpc32.exe 316 Ikcdlmgf.exe 1008 Ibnligoc.exe 4516 Ieliebnf.exe 2720 Indmnh32.exe 3428 Iijaka32.exe 2824 Jodjhkkj.exe 3504 Jilnqqbj.exe 3040 Jnifigpa.exe 2404 Jecofa32.exe 1964 Joiccj32.exe 2956 Jfbkpd32.exe 4464 Jgdhgmep.exe 2740 Jpkphjeb.exe 3528 Jpmlnjco.exe 2408 Jfgdkd32.exe 3352 Kppici32.exe 2360 Knbiofhg.exe 2240 Kgknhl32.exe 3868 Kflnfcgg.exe 3972 Kngcje32.exe 2020 Kimghn32.exe 4812 Kbekqdjh.exe 844 Khbdikip.exe 5024 Kiaqcnpb.exe 2528 Lfealaol.exe 2736 Lnqeqd32.exe 2640 Lppbkgcj.exe 3620 Lbnngbbn.exe 2536 Lhkgoiqe.exe 848 Lpbopfag.exe 4372 Lflgmqhd.exe 4316 Llipehgk.exe 2724 Leadnm32.exe 5064 Mlklkgei.exe 2980 Mpghkf32.exe 2448 Miomdk32.exe 624 Mpieqeko.exe 1212 Mfcmmp32.exe 4416 Mlpeff32.exe 3404 Midfokpm.exe 1292 Mhgfkg32.exe 3472 Moaogand.exe 2564 Mfhfhong.exe 3828 Mleoafmn.exe 2124 Mpqkad32.exe 2028 Nlglfe32.exe 2904 Ngmpcn32.exe 1340 Nhnlkfpp.exe 4720 Nbcqiope.exe 3540 Nebmekoi.exe 1224 Npgabc32.exe 3536 Nedjjj32.exe 4332 Nlnbgddc.exe 5016 Npjnhc32.exe 688 Ngdfdmdi.exe 936 Nlqomd32.exe 1648 Ogfcjm32.exe 1760 Oidofh32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Inainbcn.exe Iggaah32.exe File opened for modification C:\Windows\SysWOW64\Hbhijepa.exe Hloqml32.exe File created C:\Windows\SysWOW64\Mkadfj32.exe Megljppl.exe File created C:\Windows\SysWOW64\Mnegbp32.exe Mgloefco.exe File created C:\Windows\SysWOW64\Mmmqhl32.exe Mgphpe32.exe File created C:\Windows\SysWOW64\Chfegk32.exe Cponen32.exe File created C:\Windows\SysWOW64\Jfgdkd32.exe Jpmlnjco.exe File created C:\Windows\SysWOW64\Inmpcc32.exe Igchfiof.exe File created C:\Windows\SysWOW64\Noomkkpc.dll Dbjkkl32.exe File opened for modification C:\Windows\SysWOW64\Fpggamqc.exe Ffobhg32.exe File created C:\Windows\SysWOW64\Caienjfd.exe Cibmlmeb.exe File created C:\Windows\SysWOW64\Gcnobqph.dll Jjjghcfp.exe File opened for modification C:\Windows\SysWOW64\Efblbbqd.exe Enkdaepb.exe File created C:\Windows\SysWOW64\Apmhiq32.exe Aajhndkb.exe File created C:\Windows\SysWOW64\Bjfjka32.exe Bppfmigl.exe File created C:\Windows\SysWOW64\Ckmonl32.exe Chnbbqpn.exe File created C:\Windows\SysWOW64\Piiqdm32.dll Dbqqkkbo.exe File created C:\Windows\SysWOW64\Hdokdg32.exe Hlhccj32.exe File created C:\Windows\SysWOW64\Empmffib.dll Ijegcm32.exe File opened for modification C:\Windows\SysWOW64\Iijaka32.exe Indmnh32.exe File created C:\Windows\SysWOW64\Olijhmgj.exe Oiknlagg.exe File created C:\Windows\SysWOW64\Dibkjmof.dll Geohklaa.exe File opened for modification C:\Windows\SysWOW64\Ahaceo32.exe Adfgdpmi.exe File created C:\Windows\SysWOW64\Jqglkmlj.exe Jnhpoamf.exe File created C:\Windows\SysWOW64\Fdmfqg32.dll Nbgcih32.exe File opened for modification C:\Windows\SysWOW64\Diccgfpd.exe Dbjkkl32.exe File opened for modification C:\Windows\SysWOW64\Ljobpiql.exe Lklbdm32.exe File created C:\Windows\SysWOW64\Pllgnl32.exe Oimkbaed.exe File created C:\Windows\SysWOW64\Deqcbpld.exe Dngjff32.exe File opened for modification C:\Windows\SysWOW64\Ibnligoc.exe Ikcdlmgf.exe File opened for modification C:\Windows\SysWOW64\Eibfck32.exe Efdjgo32.exe File opened for modification C:\Windows\SysWOW64\Oldjcg32.exe Oejbfmpg.exe File opened for modification C:\Windows\SysWOW64\Pdfehh32.exe Pahilmoc.exe File created C:\Windows\SysWOW64\Aqjpajgi.dll Chiblk32.exe File opened for modification C:\Windows\SysWOW64\Bcahmb32.exe Boflmdkk.exe File opened for modification C:\Windows\SysWOW64\Fbajbi32.exe Fpbmfn32.exe File created C:\Windows\SysWOW64\Kniieo32.exe Kjmmepfj.exe File created C:\Windows\SysWOW64\Epmfkk32.dll Bjnmpl32.exe File created C:\Windows\SysWOW64\Gpojkp32.dll Bdfpkm32.exe File created C:\Windows\SysWOW64\Ngmpcn32.exe Nlglfe32.exe File created C:\Windows\SysWOW64\Liokmchg.dll Ehcfaboo.exe File created C:\Windows\SysWOW64\Bafehe32.dll Mkadfj32.exe File created C:\Windows\SysWOW64\Qcbhah32.dll Cdecgbfa.exe File opened for modification C:\Windows\SysWOW64\Jcmdaljn.exe Ipoheakj.exe File created C:\Windows\SysWOW64\Cnaaib32.exe Ckbemgcp.exe File created C:\Windows\SysWOW64\Hnflfgji.dll Cponen32.exe File created C:\Windows\SysWOW64\Dpmcmd32.dll Amaqjp32.exe File created C:\Windows\SysWOW64\Ejfeng32.exe Embddb32.exe File created C:\Windows\SysWOW64\Gkbofaoj.dll Emmkiclm.exe File created C:\Windows\SysWOW64\Iaghgm32.dll Ldgccb32.exe File opened for modification C:\Windows\SysWOW64\Qhkdof32.exe Qemhbj32.exe File opened for modification C:\Windows\SysWOW64\Gpnfge32.exe Gmojkj32.exe File opened for modification C:\Windows\SysWOW64\Hefnkkkj.exe Holfoqcm.exe File created C:\Windows\SysWOW64\Mlbkap32.exe Micoed32.exe File created C:\Windows\SysWOW64\Ppejnh32.dll Aaiimadl.exe File created C:\Windows\SysWOW64\Knhebpni.dll Pahpfc32.exe File created C:\Windows\SysWOW64\Bkoigdom.exe Bjnmpl32.exe File created C:\Windows\SysWOW64\Gkmdecbg.exe Gbfldf32.exe File opened for modification C:\Windows\SysWOW64\Pldcjeia.exe Pejkmk32.exe File opened for modification C:\Windows\SysWOW64\Jiglnf32.exe Jekqmhia.exe File created C:\Windows\SysWOW64\Imjekecm.dll Ghpocngo.exe File created C:\Windows\SysWOW64\Jnmijq32.exe Jgcamf32.exe File created C:\Windows\SysWOW64\Holfoqcm.exe Hlnjbedi.exe File created C:\Windows\SysWOW64\Dbdjofbi.dll Ppjbmc32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 428 16868 WerFault.exe 1028 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogjdmbil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amjbbfgo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfmcfp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehfcfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elpkep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbajbi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aomifecf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebnfbcbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akkffkhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckebcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kppici32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghpocngo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inmpcc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlbkap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnpabe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kngcje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffpicn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhoipb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnmdme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piphgq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcahmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igajal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jiiicf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acnemi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afgacokc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imkbnf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgpoihnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpmlnjco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knqepc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlqomd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cceddf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhbcfbjk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biadeoce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmiclo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcikgacl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjcngpjh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djfcaohp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lobjni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apodoq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neccpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaoaic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlnbgddc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bppfmigl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkjiao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fflohaij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cflkpblf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpnfge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eaqdegaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lajagj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckbemgcp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nndjndbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkegpb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aopemh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dapkni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obcceg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjlpjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlhljhbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmklglpn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bakgoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifmqfm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opclldhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgndoeag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhbkinel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqpamb32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eiokinbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlhefcoo.dll" Pccahbmn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adcjop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cadlbk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmihij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghmbno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkaicd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcbdgb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eaindh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmfeidbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eignjamf.dll" Adcjop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpfkpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhhfedil.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpqldc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngjkfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omgmeigd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpildobq.dll" Oemefcap.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nghekkmn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bheplb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jngbjd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjopcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enqjamin.dll" Jjopcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppejnh32.dll" Aaiimadl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enabbk32.dll" Efccmidp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpcblj32.dll" Jkimho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aajhndkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngndaccj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiikaj32.dll" Nafjjf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pcobaedj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofgjophm.dll" Gljgbllj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbegml32.dll" Hmbphg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnlkedai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liokmchg.dll" Ehcfaboo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkimho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plikcm32.dll" Bpdnjple.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlfpph32.dll" Bdojjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bopocbcq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkdliame.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kolkod32.dll" Fmfnpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfbhmo32.dll" Bkjiao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kllfakij.dll" Nqmfdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jnhidk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amdcghbo.dll" Jepjhg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Injmcmej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mogcihaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnifigpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jecofa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdahg32.dll" Hjedffig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djaiilmd.dll" Licfngjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gkmdecbg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igchfiof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkcfid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Higjaoci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Baegibae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgnddp32.dll" Cncnob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipoopgnf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Idkkpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpoeg32.dll" Aojefobm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djfcaohp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfamapjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpdclcbj.dll" Efmmmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlphbnoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eiaoid32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfpffeaj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4244 wrote to memory of 2368 4244 593907c0fe06e57e1762ff4cbd666c38782b58bd2140c8689d7142cd64fa430dN.exe 82 PID 4244 wrote to memory of 2368 4244 593907c0fe06e57e1762ff4cbd666c38782b58bd2140c8689d7142cd64fa430dN.exe 82 PID 4244 wrote to memory of 2368 4244 593907c0fe06e57e1762ff4cbd666c38782b58bd2140c8689d7142cd64fa430dN.exe 82 PID 2368 wrote to memory of 3644 2368 Inkjhi32.exe 83 PID 2368 wrote to memory of 3644 2368 Inkjhi32.exe 83 PID 2368 wrote to memory of 3644 2368 Inkjhi32.exe 83 PID 3644 wrote to memory of 2744 3644 Ihqoeb32.exe 84 PID 3644 wrote to memory of 2744 3644 Ihqoeb32.exe 84 PID 3644 wrote to memory of 2744 3644 Ihqoeb32.exe 84 PID 2744 wrote to memory of 5032 2744 Iokgal32.exe 85 PID 2744 wrote to memory of 5032 2744 Iokgal32.exe 85 PID 2744 wrote to memory of 5032 2744 Iokgal32.exe 85 PID 5032 wrote to memory of 2756 5032 Idgojc32.exe 86 PID 5032 wrote to memory of 2756 5032 Idgojc32.exe 86 PID 5032 wrote to memory of 2756 5032 Idgojc32.exe 86 PID 2756 wrote to memory of 4508 2756 Iomcgl32.exe 87 PID 2756 wrote to memory of 4508 2756 Iomcgl32.exe 87 PID 2756 wrote to memory of 4508 2756 Iomcgl32.exe 87 PID 4508 wrote to memory of 316 4508 Idjlpc32.exe 88 PID 4508 wrote to memory of 316 4508 Idjlpc32.exe 88 PID 4508 wrote to memory of 316 4508 Idjlpc32.exe 88 PID 316 wrote to memory of 1008 316 Ikcdlmgf.exe 89 PID 316 wrote to memory of 1008 316 Ikcdlmgf.exe 89 PID 316 wrote to memory of 1008 316 Ikcdlmgf.exe 89 PID 1008 wrote to memory of 4516 1008 Ibnligoc.exe 90 PID 1008 wrote to memory of 4516 1008 Ibnligoc.exe 90 PID 1008 wrote to memory of 4516 1008 Ibnligoc.exe 90 PID 4516 wrote to memory of 2720 4516 Ieliebnf.exe 91 PID 4516 wrote to memory of 2720 4516 Ieliebnf.exe 91 PID 4516 wrote to memory of 2720 4516 Ieliebnf.exe 91 PID 2720 wrote to memory of 3428 2720 Indmnh32.exe 92 PID 2720 wrote to memory of 3428 2720 Indmnh32.exe 92 PID 2720 wrote to memory of 3428 2720 Indmnh32.exe 92 PID 3428 wrote to memory of 2824 3428 Iijaka32.exe 93 PID 3428 wrote to memory of 2824 3428 Iijaka32.exe 93 PID 3428 wrote to memory of 2824 3428 Iijaka32.exe 93 PID 2824 wrote to memory of 3504 2824 Jodjhkkj.exe 94 PID 2824 wrote to memory of 3504 2824 Jodjhkkj.exe 94 PID 2824 wrote to memory of 3504 2824 Jodjhkkj.exe 94 PID 3504 wrote to memory of 3040 3504 Jilnqqbj.exe 95 PID 3504 wrote to memory of 3040 3504 Jilnqqbj.exe 95 PID 3504 wrote to memory of 3040 3504 Jilnqqbj.exe 95 PID 3040 wrote to memory of 2404 3040 Jnifigpa.exe 96 PID 3040 wrote to memory of 2404 3040 Jnifigpa.exe 96 PID 3040 wrote to memory of 2404 3040 Jnifigpa.exe 96 PID 2404 wrote to memory of 1964 2404 Jecofa32.exe 97 PID 2404 wrote to memory of 1964 2404 Jecofa32.exe 97 PID 2404 wrote to memory of 1964 2404 Jecofa32.exe 97 PID 1964 wrote to memory of 2956 1964 Joiccj32.exe 98 PID 1964 wrote to memory of 2956 1964 Joiccj32.exe 98 PID 1964 wrote to memory of 2956 1964 Joiccj32.exe 98 PID 2956 wrote to memory of 4464 2956 Jfbkpd32.exe 99 PID 2956 wrote to memory of 4464 2956 Jfbkpd32.exe 99 PID 2956 wrote to memory of 4464 2956 Jfbkpd32.exe 99 PID 4464 wrote to memory of 2740 4464 Jgdhgmep.exe 100 PID 4464 wrote to memory of 2740 4464 Jgdhgmep.exe 100 PID 4464 wrote to memory of 2740 4464 Jgdhgmep.exe 100 PID 2740 wrote to memory of 3528 2740 Jpkphjeb.exe 101 PID 2740 wrote to memory of 3528 2740 Jpkphjeb.exe 101 PID 2740 wrote to memory of 3528 2740 Jpkphjeb.exe 101 PID 3528 wrote to memory of 2408 3528 Jpmlnjco.exe 102 PID 3528 wrote to memory of 2408 3528 Jpmlnjco.exe 102 PID 3528 wrote to memory of 2408 3528 Jpmlnjco.exe 102 PID 2408 wrote to memory of 3352 2408 Jfgdkd32.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\593907c0fe06e57e1762ff4cbd666c38782b58bd2140c8689d7142cd64fa430dN.exe"C:\Users\Admin\AppData\Local\Temp\593907c0fe06e57e1762ff4cbd666c38782b58bd2140c8689d7142cd64fa430dN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4244 -
C:\Windows\SysWOW64\Inkjhi32.exeC:\Windows\system32\Inkjhi32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\SysWOW64\Ihqoeb32.exeC:\Windows\system32\Ihqoeb32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3644 -
C:\Windows\SysWOW64\Iokgal32.exeC:\Windows\system32\Iokgal32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\Idgojc32.exeC:\Windows\system32\Idgojc32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5032 -
C:\Windows\SysWOW64\Iomcgl32.exeC:\Windows\system32\Iomcgl32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Idjlpc32.exeC:\Windows\system32\Idjlpc32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4508 -
C:\Windows\SysWOW64\Ikcdlmgf.exeC:\Windows\system32\Ikcdlmgf.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:316 -
C:\Windows\SysWOW64\Ibnligoc.exeC:\Windows\system32\Ibnligoc.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1008 -
C:\Windows\SysWOW64\Ieliebnf.exeC:\Windows\system32\Ieliebnf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4516 -
C:\Windows\SysWOW64\Indmnh32.exeC:\Windows\system32\Indmnh32.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Iijaka32.exeC:\Windows\system32\Iijaka32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3428 -
C:\Windows\SysWOW64\Jodjhkkj.exeC:\Windows\system32\Jodjhkkj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\Jilnqqbj.exeC:\Windows\system32\Jilnqqbj.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3504 -
C:\Windows\SysWOW64\Jnifigpa.exeC:\Windows\system32\Jnifigpa.exe15⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\SysWOW64\Jecofa32.exeC:\Windows\system32\Jecofa32.exe16⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Windows\SysWOW64\Joiccj32.exeC:\Windows\system32\Joiccj32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Windows\SysWOW64\Jfbkpd32.exeC:\Windows\system32\Jfbkpd32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\Jgdhgmep.exeC:\Windows\system32\Jgdhgmep.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4464 -
C:\Windows\SysWOW64\Jpkphjeb.exeC:\Windows\system32\Jpkphjeb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\Jpmlnjco.exeC:\Windows\system32\Jpmlnjco.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3528 -
C:\Windows\SysWOW64\Jfgdkd32.exeC:\Windows\system32\Jfgdkd32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\SysWOW64\Kppici32.exeC:\Windows\system32\Kppici32.exe23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3352 -
C:\Windows\SysWOW64\Knbiofhg.exeC:\Windows\system32\Knbiofhg.exe24⤵
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\Kgknhl32.exeC:\Windows\system32\Kgknhl32.exe25⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Kflnfcgg.exeC:\Windows\system32\Kflnfcgg.exe26⤵
- Executes dropped EXE
PID:3868 -
C:\Windows\SysWOW64\Kngcje32.exeC:\Windows\system32\Kngcje32.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3972 -
C:\Windows\SysWOW64\Kimghn32.exeC:\Windows\system32\Kimghn32.exe28⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Kbekqdjh.exeC:\Windows\system32\Kbekqdjh.exe29⤵
- Executes dropped EXE
PID:4812 -
C:\Windows\SysWOW64\Khbdikip.exeC:\Windows\system32\Khbdikip.exe30⤵
- Executes dropped EXE
PID:844 -
C:\Windows\SysWOW64\Kiaqcnpb.exeC:\Windows\system32\Kiaqcnpb.exe31⤵
- Executes dropped EXE
PID:5024 -
C:\Windows\SysWOW64\Lfealaol.exeC:\Windows\system32\Lfealaol.exe32⤵
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Lnqeqd32.exeC:\Windows\system32\Lnqeqd32.exe33⤵
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Lppbkgcj.exeC:\Windows\system32\Lppbkgcj.exe34⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Lbnngbbn.exeC:\Windows\system32\Lbnngbbn.exe35⤵
- Executes dropped EXE
PID:3620 -
C:\Windows\SysWOW64\Lhkgoiqe.exeC:\Windows\system32\Lhkgoiqe.exe36⤵
- Executes dropped EXE
PID:2536 -
C:\Windows\SysWOW64\Lpbopfag.exeC:\Windows\system32\Lpbopfag.exe37⤵
- Executes dropped EXE
PID:848 -
C:\Windows\SysWOW64\Lflgmqhd.exeC:\Windows\system32\Lflgmqhd.exe38⤵
- Executes dropped EXE
PID:4372 -
C:\Windows\SysWOW64\Llipehgk.exeC:\Windows\system32\Llipehgk.exe39⤵
- Executes dropped EXE
PID:4316 -
C:\Windows\SysWOW64\Leadnm32.exeC:\Windows\system32\Leadnm32.exe40⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Mlklkgei.exeC:\Windows\system32\Mlklkgei.exe41⤵
- Executes dropped EXE
PID:5064 -
C:\Windows\SysWOW64\Mpghkf32.exeC:\Windows\system32\Mpghkf32.exe42⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Miomdk32.exeC:\Windows\system32\Miomdk32.exe43⤵
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\Mpieqeko.exeC:\Windows\system32\Mpieqeko.exe44⤵
- Executes dropped EXE
PID:624 -
C:\Windows\SysWOW64\Mfcmmp32.exeC:\Windows\system32\Mfcmmp32.exe45⤵
- Executes dropped EXE
PID:1212 -
C:\Windows\SysWOW64\Mlpeff32.exeC:\Windows\system32\Mlpeff32.exe46⤵
- Executes dropped EXE
PID:4416 -
C:\Windows\SysWOW64\Midfokpm.exeC:\Windows\system32\Midfokpm.exe47⤵
- Executes dropped EXE
PID:3404 -
C:\Windows\SysWOW64\Mhgfkg32.exeC:\Windows\system32\Mhgfkg32.exe48⤵
- Executes dropped EXE
PID:1292 -
C:\Windows\SysWOW64\Moaogand.exeC:\Windows\system32\Moaogand.exe49⤵
- Executes dropped EXE
PID:3472 -
C:\Windows\SysWOW64\Mfhfhong.exeC:\Windows\system32\Mfhfhong.exe50⤵
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Mleoafmn.exeC:\Windows\system32\Mleoafmn.exe51⤵
- Executes dropped EXE
PID:3828 -
C:\Windows\SysWOW64\Mpqkad32.exeC:\Windows\system32\Mpqkad32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2124 -
C:\Windows\SysWOW64\Nlglfe32.exeC:\Windows\system32\Nlglfe32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2028 -
C:\Windows\SysWOW64\Ngmpcn32.exeC:\Windows\system32\Ngmpcn32.exe54⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Nhnlkfpp.exeC:\Windows\system32\Nhnlkfpp.exe55⤵
- Executes dropped EXE
PID:1340 -
C:\Windows\SysWOW64\Nbcqiope.exeC:\Windows\system32\Nbcqiope.exe56⤵
- Executes dropped EXE
PID:4720 -
C:\Windows\SysWOW64\Nebmekoi.exeC:\Windows\system32\Nebmekoi.exe57⤵
- Executes dropped EXE
PID:3540 -
C:\Windows\SysWOW64\Npgabc32.exeC:\Windows\system32\Npgabc32.exe58⤵
- Executes dropped EXE
PID:1224 -
C:\Windows\SysWOW64\Nedjjj32.exeC:\Windows\system32\Nedjjj32.exe59⤵
- Executes dropped EXE
PID:3536 -
C:\Windows\SysWOW64\Nlnbgddc.exeC:\Windows\system32\Nlnbgddc.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4332 -
C:\Windows\SysWOW64\Npjnhc32.exeC:\Windows\system32\Npjnhc32.exe61⤵
- Executes dropped EXE
PID:5016 -
C:\Windows\SysWOW64\Ngdfdmdi.exeC:\Windows\system32\Ngdfdmdi.exe62⤵
- Executes dropped EXE
PID:688 -
C:\Windows\SysWOW64\Nlqomd32.exeC:\Windows\system32\Nlqomd32.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:936 -
C:\Windows\SysWOW64\Ogfcjm32.exeC:\Windows\system32\Ogfcjm32.exe64⤵
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Oidofh32.exeC:\Windows\system32\Oidofh32.exe65⤵
- Executes dropped EXE
PID:1760 -
C:\Windows\SysWOW64\Ooagno32.exeC:\Windows\system32\Ooagno32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:888 -
C:\Windows\SysWOW64\Ocmconhk.exeC:\Windows\system32\Ocmconhk.exe67⤵PID:1700
-
C:\Windows\SysWOW64\Olehhc32.exeC:\Windows\system32\Olehhc32.exe68⤵PID:3816
-
C:\Windows\SysWOW64\Oocddono.exeC:\Windows\system32\Oocddono.exe69⤵PID:3524
-
C:\Windows\SysWOW64\Oiihahme.exeC:\Windows\system32\Oiihahme.exe70⤵PID:656
-
C:\Windows\SysWOW64\Olgemcli.exeC:\Windows\system32\Olgemcli.exe71⤵PID:3760
-
C:\Windows\SysWOW64\Oofaiokl.exeC:\Windows\system32\Oofaiokl.exe72⤵PID:4580
-
C:\Windows\SysWOW64\Oepifi32.exeC:\Windows\system32\Oepifi32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1208 -
C:\Windows\SysWOW64\Oohnonij.exeC:\Windows\system32\Oohnonij.exe74⤵PID:4956
-
C:\Windows\SysWOW64\Ogpepl32.exeC:\Windows\system32\Ogpepl32.exe75⤵PID:2976
-
C:\Windows\SysWOW64\Ojnblg32.exeC:\Windows\system32\Ojnblg32.exe76⤵PID:2936
-
C:\Windows\SysWOW64\Ookjdn32.exeC:\Windows\system32\Ookjdn32.exe77⤵PID:876
-
C:\Windows\SysWOW64\Pgbbek32.exeC:\Windows\system32\Pgbbek32.exe78⤵PID:1620
-
C:\Windows\SysWOW64\Ppjgoaoj.exeC:\Windows\system32\Ppjgoaoj.exe79⤵PID:4500
-
C:\Windows\SysWOW64\Pcicklnn.exeC:\Windows\system32\Pcicklnn.exe80⤵PID:3260
-
C:\Windows\SysWOW64\Plagcbdn.exeC:\Windows\system32\Plagcbdn.exe81⤵PID:2604
-
C:\Windows\SysWOW64\Pckppl32.exeC:\Windows\system32\Pckppl32.exe82⤵PID:2272
-
C:\Windows\SysWOW64\Ppopjp32.exeC:\Windows\system32\Ppopjp32.exe83⤵PID:5044
-
C:\Windows\SysWOW64\Phjenbhp.exeC:\Windows\system32\Phjenbhp.exe84⤵PID:1432
-
C:\Windows\SysWOW64\Ppamophb.exeC:\Windows\system32\Ppamophb.exe85⤵PID:3944
-
C:\Windows\SysWOW64\Pjjahe32.exeC:\Windows\system32\Pjjahe32.exe86⤵PID:4596
-
C:\Windows\SysWOW64\Qfpbmfdf.exeC:\Windows\system32\Qfpbmfdf.exe87⤵PID:448
-
C:\Windows\SysWOW64\Qqffjo32.exeC:\Windows\system32\Qqffjo32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3120 -
C:\Windows\SysWOW64\Qfbobf32.exeC:\Windows\system32\Qfbobf32.exe89⤵PID:1968
-
C:\Windows\SysWOW64\Aokcklid.exeC:\Windows\system32\Aokcklid.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2748 -
C:\Windows\SysWOW64\Afelhf32.exeC:\Windows\system32\Afelhf32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4004 -
C:\Windows\SysWOW64\Amodep32.exeC:\Windows\system32\Amodep32.exe92⤵PID:1672
-
C:\Windows\SysWOW64\Aompak32.exeC:\Windows\system32\Aompak32.exe93⤵PID:3160
-
C:\Windows\SysWOW64\Afghneoo.exeC:\Windows\system32\Afghneoo.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1004 -
C:\Windows\SysWOW64\Amaqjp32.exeC:\Windows\system32\Amaqjp32.exe95⤵
- Drops file in System32 directory
PID:212 -
C:\Windows\SysWOW64\Aopmfk32.exeC:\Windows\system32\Aopmfk32.exe96⤵PID:712
-
C:\Windows\SysWOW64\Afjeceml.exeC:\Windows\system32\Afjeceml.exe97⤵PID:4220
-
C:\Windows\SysWOW64\Aihaoqlp.exeC:\Windows\system32\Aihaoqlp.exe98⤵PID:2388
-
C:\Windows\SysWOW64\Aobilkcl.exeC:\Windows\system32\Aobilkcl.exe99⤵PID:3712
-
C:\Windows\SysWOW64\Acnemi32.exeC:\Windows\system32\Acnemi32.exe100⤵
- System Location Discovery: System Language Discovery
PID:3652 -
C:\Windows\SysWOW64\Aijnep32.exeC:\Windows\system32\Aijnep32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2324 -
C:\Windows\SysWOW64\Acpbbi32.exeC:\Windows\system32\Acpbbi32.exe102⤵PID:5072
-
C:\Windows\SysWOW64\Ajjjocap.exeC:\Windows\system32\Ajjjocap.exe103⤵PID:4520
-
C:\Windows\SysWOW64\Amhfkopc.exeC:\Windows\system32\Amhfkopc.exe104⤵PID:1148
-
C:\Windows\SysWOW64\Bcbohigp.exeC:\Windows\system32\Bcbohigp.exe105⤵PID:1272
-
C:\Windows\SysWOW64\Bjlgdc32.exeC:\Windows\system32\Bjlgdc32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1776 -
C:\Windows\SysWOW64\Boipmj32.exeC:\Windows\system32\Boipmj32.exe107⤵PID:3500
-
C:\Windows\SysWOW64\Biadeoce.exeC:\Windows\system32\Biadeoce.exe108⤵
- System Location Discovery: System Language Discovery
PID:1296 -
C:\Windows\SysWOW64\Bqilgmdg.exeC:\Windows\system32\Bqilgmdg.exe109⤵PID:4568
-
C:\Windows\SysWOW64\Bgbdcgld.exeC:\Windows\system32\Bgbdcgld.exe110⤵PID:3596
-
C:\Windows\SysWOW64\Bjaqpbkh.exeC:\Windows\system32\Bjaqpbkh.exe111⤵PID:2256
-
C:\Windows\SysWOW64\Bpnihiio.exeC:\Windows\system32\Bpnihiio.exe112⤵PID:760
-
C:\Windows\SysWOW64\Bgeaifia.exeC:\Windows\system32\Bgeaifia.exe113⤵PID:436
-
C:\Windows\SysWOW64\Bjcmebie.exeC:\Windows\system32\Bjcmebie.exe114⤵PID:4496
-
C:\Windows\SysWOW64\Bmbiamhi.exeC:\Windows\system32\Bmbiamhi.exe115⤵PID:2696
-
C:\Windows\SysWOW64\Bppfmigl.exeC:\Windows\system32\Bppfmigl.exe116⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2708 -
C:\Windows\SysWOW64\Bjfjka32.exeC:\Windows\system32\Bjfjka32.exe117⤵PID:3692
-
C:\Windows\SysWOW64\Bihjfnmm.exeC:\Windows\system32\Bihjfnmm.exe118⤵PID:708
-
C:\Windows\SysWOW64\Cpbbch32.exeC:\Windows\system32\Cpbbch32.exe119⤵PID:3476
-
C:\Windows\SysWOW64\Cflkpblf.exeC:\Windows\system32\Cflkpblf.exe120⤵
- System Location Discovery: System Language Discovery
PID:2820 -
C:\Windows\SysWOW64\Cikglnkj.exeC:\Windows\system32\Cikglnkj.exe121⤵PID:1364
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-