Analysis
-
max time kernel
115s -
max time network
118s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
27-10-2024 16:39
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f81225cf2387ac248575171f5b68aad7c4756284c6225fe2b8240690d0f8fce8N.exe
Resource
win7-20240903-en
windows7-x64
13 signatures
120 seconds
Behavioral task
behavioral2
Sample
f81225cf2387ac248575171f5b68aad7c4756284c6225fe2b8240690d0f8fce8N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
f81225cf2387ac248575171f5b68aad7c4756284c6225fe2b8240690d0f8fce8N.exe
-
Size
96KB
-
MD5
1365bb28bd9d488193ee3d5ac6155e70
-
SHA1
e1484d61476acd93b2ff11d047e75c7b55566d8a
-
SHA256
f81225cf2387ac248575171f5b68aad7c4756284c6225fe2b8240690d0f8fce8
-
SHA512
54d7c6000365dfdbb40a577fc629cae07247882de929db91d230bfbcee0f10ada7ed0b60723cdc9556135327fd231bbd79fcaa54d7631792c94d05a7837acdc6
-
SSDEEP
1536:ikXzk/IV7c//wQVls7Ia3zTXzzq/2LIf7RZObZUUWaegPYA:i6z6IV7JQzy3vXzzqEQClUUWae
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Ilmmni32.exeFohfbpgi.exeBfmolc32.exeOophlo32.exeNcqlkemc.exeBajqda32.exeNoblkqca.exeGflhoo32.exeHlnjbedi.exeBhpofl32.exeHjlkge32.exeGfmojenc.exeEbimgcfi.exeEoepebho.exeHiacacpg.exeHpkknmgd.exeNjljch32.exeBmbnnn32.exeJkomneim.exeMccfdmmo.exeNlkgmh32.exeEfjimhnh.exeHloqml32.exeHbgkei32.exeHnphoj32.exeKedlip32.exeBkdcbd32.exeCjecpkcg.exeDfjpfj32.exeAbfdpfaj.exeBaepolni.exeImiehfao.exeMcfbkpab.exeCgfbbb32.exeKgflcifg.exeMcbpjg32.exeKplmliko.exeKcbnnpka.exeEkmhejao.exeGfeaopqo.exeOhlqcagj.exeLhnhajba.exeLplfcf32.exeQaflgago.exeFbfcmhpg.exeCndeii32.exePnfiplog.exePmnbfhal.exeBmjkic32.exeHifmmb32.exeObafpg32.exeHildmn32.exeOacoqnci.exePbekii32.exeIogopi32.exeJppnpjel.exeAalmimfd.exeIliinc32.exeBkphhgfc.exeDmoohe32.exeEbdcld32.exeHahokfag.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilmmni32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fohfbpgi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfmolc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oophlo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncqlkemc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bajqda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Noblkqca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gflhoo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlnjbedi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhpofl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjlkge32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfmojenc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebimgcfi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eoepebho.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hiacacpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpkknmgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njljch32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmbnnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkomneim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mccfdmmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlkgmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efjimhnh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hloqml32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbgkei32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnphoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kedlip32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkdcbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjecpkcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfjpfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abfdpfaj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baepolni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imiehfao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcfbkpab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgfbbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgflcifg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcbpjg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kplmliko.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcbnnpka.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekmhejao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfeaopqo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohlqcagj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhnhajba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lplfcf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qaflgago.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbfcmhpg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cndeii32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnfiplog.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmnbfhal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmjkic32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hifmmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hifmmb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obafpg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hildmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oacoqnci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbekii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iogopi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jppnpjel.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aalmimfd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mccfdmmo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iliinc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkphhgfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmoohe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebdcld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hahokfag.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Gddbcp32.exeGpkchqdj.exeHhbkinel.exeHjchaf32.exeHpmpnp32.exeHammhcij.exeHjhalefe.exeHdmein32.exeHdpbon32.exeHjlkge32.exeIgqkqiai.exeIhphkl32.exeIdghpmnp.exeIqmidndd.exeIjfnmc32.exeIjhjcchb.exeJdnoplhh.exeJkhgmf32.exeJbaojpgb.exeJdpkflfe.exeJkjcbe32.exeJbfheo32.exeJkomneim.exeJdgafjpn.exeKqnbkl32.exeKelkaj32.exeKbpkkn32.exeKnflpoqf.exeKkjlic32.exeKageaj32.exeLeenhhdn.exeLkofdbkj.exeLgffic32.exeLankbigo.exeLldopb32.exeLbngllob.exeLbpdblmo.exeLlhikacp.exeMhoipb32.exeMahnhhod.exeMjpbam32.exeMeefofek.exeMbighjdd.exeMhfppabl.exeMejpje32.exeNobdbkhf.exeNhkikq32.exeNoeahkfc.exeNijeec32.exeNhpbfpka.exeNbefdijg.exeNolgijpk.exeNiakfbpa.exeOkchnk32.exeOidhlb32.exeOoqqdi32.exeOaompd32.exeOldamm32.exeOemefcap.exeOkjnnj32.exeObafpg32.exeOhnohn32.exeOafcqcea.exePojcjh32.exepid Process 836 Gddbcp32.exe 2804 Gpkchqdj.exe 856 Hhbkinel.exe 1008 Hjchaf32.exe 2508 Hpmpnp32.exe 4716 Hammhcij.exe 2080 Hjhalefe.exe 5028 Hdmein32.exe 4468 Hdpbon32.exe 3864 Hjlkge32.exe 4764 Igqkqiai.exe 4272 Ihphkl32.exe 4968 Idghpmnp.exe 4312 Iqmidndd.exe 1988 Ijfnmc32.exe 456 Ijhjcchb.exe 2940 Jdnoplhh.exe 2168 Jkhgmf32.exe 1036 Jbaojpgb.exe 2616 Jdpkflfe.exe 4340 Jkjcbe32.exe 1652 Jbfheo32.exe 1820 Jkomneim.exe 624 Jdgafjpn.exe 4964 Kqnbkl32.exe 1288 Kelkaj32.exe 3600 Kbpkkn32.exe 3636 Knflpoqf.exe 4172 Kkjlic32.exe 1332 Kageaj32.exe 3796 Leenhhdn.exe 2512 Lkofdbkj.exe 4640 Lgffic32.exe 4128 Lankbigo.exe 1200 Lldopb32.exe 2104 Lbngllob.exe 2448 Lbpdblmo.exe 4952 Llhikacp.exe 1808 Mhoipb32.exe 4944 Mahnhhod.exe 1720 Mjpbam32.exe 544 Meefofek.exe 4296 Mbighjdd.exe 1328 Mhfppabl.exe 4712 Mejpje32.exe 2360 Nobdbkhf.exe 3888 Nhkikq32.exe 1568 Noeahkfc.exe 4336 Nijeec32.exe 2720 Nhpbfpka.exe 3896 Nbefdijg.exe 3828 Nolgijpk.exe 2724 Niakfbpa.exe 2892 Okchnk32.exe 4080 Oidhlb32.exe 3996 Ooqqdi32.exe 3088 Oaompd32.exe 4728 Oldamm32.exe 3868 Oemefcap.exe 2200 Okjnnj32.exe 8 Obafpg32.exe 3136 Ohnohn32.exe 4988 Oafcqcea.exe 3276 Pojcjh32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Cmcolgbj.exeDmoohe32.exeQemhbj32.exeLcclncbh.exeGfokoelp.exeGldglf32.exeKcidmkpq.exeMjjkaabc.exeCoiaiakf.exeCohkokgj.exeFkhpfbce.exeBfolacnc.exeIdcepgmg.exeKdbjhbbd.exeNaecop32.exeHlbcnd32.exeOblhcj32.exeOclkgccf.exeLgffic32.exeKkpbin32.exeHifcgion.exeCancekeo.exeDodjjimm.exeHlpfhe32.exeLggejg32.exeEoepebho.exeOonlfo32.exePfccogfc.exeGpkchqdj.exeJpfepf32.exeKmdlffhj.exeGpelhd32.exeBoenhgdd.exeQclmck32.exeChdialdl.exeHpfbcn32.exeNjljch32.exeCfipef32.exeOiccje32.exeCcmcgcmp.exeCbeapmll.exeFmkqpkla.exeKoodbl32.exeAonhghjl.exeMlljnf32.exeAabkbono.exeOldamm32.exeFdqfll32.exeMjdebfnd.exeFfnknafg.exeGflhoo32.exeImiehfao.exeAlnmjjdb.exeChnlgjlb.exePhfjcf32.exeGmfplibd.exeApmhiq32.exeFeenjgfq.exeLldopb32.exeCcmgiaig.exeFfobhg32.exeMgclpkac.exeBaadiiif.exedescription ioc Process File created C:\Windows\SysWOW64\Ccmgiaig.exe Cmcolgbj.exe File opened for modification C:\Windows\SysWOW64\Dpnkdq32.exe Dmoohe32.exe File created C:\Windows\SysWOW64\Ockkandf.dll Qemhbj32.exe File created C:\Windows\SysWOW64\Lindkm32.exe Lcclncbh.exe File created C:\Windows\SysWOW64\Dhhdcojj.dll Gfokoelp.exe File created C:\Windows\SysWOW64\Gncchb32.exe Gldglf32.exe File created C:\Windows\SysWOW64\Mglpdp32.dll Kcidmkpq.exe File opened for modification C:\Windows\SysWOW64\Mqdcnl32.exe Mjjkaabc.exe File opened for modification C:\Windows\SysWOW64\Cfcjfk32.exe Coiaiakf.exe File created C:\Windows\SysWOW64\Cbfgkffn.exe Cohkokgj.exe File created C:\Windows\SysWOW64\Ofblbapl.dll Fkhpfbce.exe File opened for modification C:\Windows\SysWOW64\Baepolni.exe Bfolacnc.exe File opened for modification C:\Windows\SysWOW64\Igbalblk.exe Idcepgmg.exe File opened for modification C:\Windows\SysWOW64\Ljobpiql.exe Kdbjhbbd.exe File created C:\Windows\SysWOW64\Qlgpod32.exe Qemhbj32.exe File created C:\Windows\SysWOW64\Hbceobam.dll Naecop32.exe File opened for modification C:\Windows\SysWOW64\Hblkjo32.exe Hlbcnd32.exe File opened for modification C:\Windows\SysWOW64\Oifppdpd.exe Oblhcj32.exe File created C:\Windows\SysWOW64\Nphihiif.dll Oclkgccf.exe File created C:\Windows\SysWOW64\Lankbigo.exe Lgffic32.exe File created C:\Windows\SysWOW64\Knooej32.exe Kkpbin32.exe File created C:\Windows\SysWOW64\Hpqldc32.exe Hifcgion.exe File opened for modification C:\Windows\SysWOW64\Cdmoafdb.exe Cancekeo.exe File opened for modification C:\Windows\SysWOW64\Deqcbpld.exe Dodjjimm.exe File created C:\Windows\SysWOW64\Ndmdae32.dll Hlpfhe32.exe File created C:\Windows\SysWOW64\Qmfqknfm.dll Lggejg32.exe File created C:\Windows\SysWOW64\Kpjccmbf.dll Eoepebho.exe File created C:\Windows\SysWOW64\Oblhcj32.exe Oonlfo32.exe File created C:\Windows\SysWOW64\Paihlpfi.exe Pfccogfc.exe File created C:\Windows\SysWOW64\Imjekecm.dll Gpkchqdj.exe File created C:\Windows\SysWOW64\Mlofpg32.dll Jpfepf32.exe File created C:\Windows\SysWOW64\Nbkdke32.dll Kmdlffhj.exe File opened for modification C:\Windows\SysWOW64\Gimqajgh.exe Gpelhd32.exe File opened for modification C:\Windows\SysWOW64\Bacjdbch.exe Boenhgdd.exe File created C:\Windows\SysWOW64\Bcomgibl.dll Qclmck32.exe File created C:\Windows\SysWOW64\Olaafabl.dll Chdialdl.exe File created C:\Windows\SysWOW64\Ccegac32.dll Hpfbcn32.exe File created C:\Windows\SysWOW64\Emkbpmep.dll Njljch32.exe File created C:\Windows\SysWOW64\Chglab32.exe Cfipef32.exe File opened for modification C:\Windows\SysWOW64\Oonlfo32.exe Oiccje32.exe File created C:\Windows\SysWOW64\Cancekeo.exe Ccmcgcmp.exe File created C:\Windows\SysWOW64\Cioilg32.exe Cbeapmll.exe File created C:\Windows\SysWOW64\Fpimlfke.exe Fmkqpkla.exe File created C:\Windows\SysWOW64\Kgflcifg.exe Koodbl32.exe File opened for modification C:\Windows\SysWOW64\Adkqoohc.exe Aonhghjl.exe File opened for modification C:\Windows\SysWOW64\Mcfbkpab.exe Mlljnf32.exe File created C:\Windows\SysWOW64\Ckjfdocc.dll Aabkbono.exe File created C:\Windows\SysWOW64\Oemefcap.exe Oldamm32.exe File opened for modification C:\Windows\SysWOW64\Ffobhg32.exe Fdqfll32.exe File created C:\Windows\SysWOW64\Meiioonj.exe Mjdebfnd.exe File opened for modification C:\Windows\SysWOW64\Fmhdkknd.exe Ffnknafg.exe File created C:\Windows\SysWOW64\Gmfplibd.exe Gflhoo32.exe File created C:\Windows\SysWOW64\Ejhdfi32.dll Imiehfao.exe File opened for modification C:\Windows\SysWOW64\Achegd32.exe Alnmjjdb.exe File opened for modification C:\Windows\SysWOW64\Dafppp32.exe Chnlgjlb.exe File created C:\Windows\SysWOW64\Khliclno.dll Phfjcf32.exe File opened for modification C:\Windows\SysWOW64\Gpelhd32.exe Gmfplibd.exe File opened for modification C:\Windows\SysWOW64\Ahdpjn32.exe Apmhiq32.exe File created C:\Windows\SysWOW64\Gokbgpeg.exe Feenjgfq.exe File opened for modification C:\Windows\SysWOW64\Lbngllob.exe Lldopb32.exe File created C:\Windows\SysWOW64\Cijpahho.exe Ccmgiaig.exe File created C:\Windows\SysWOW64\Qekpedip.dll Ffobhg32.exe File created C:\Windows\SysWOW64\Dpglbfpm.dll Mgclpkac.exe File created C:\Windows\SysWOW64\Bhkmec32.exe Baadiiif.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target Process procid_target 3236 1524 WerFault.exe 817 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Hbjoeojc.exeIikmbh32.exeLgdidgjg.exeQfmmplad.exeCdpcal32.exeNbefdijg.exeCmcolgbj.exeJgkdbacp.exePhfjcf32.exeOpnbae32.exeLcclncbh.exeLomjicei.exeMbgeqmjp.exeHdpbon32.exeNijeec32.exeNmlddqem.exeFmhdkknd.exeIplkpa32.exeMjlhgaqp.exeQacameaj.exeAlnmjjdb.exeFibhpbea.exeBllbaa32.exeFpkibf32.exeKjblje32.exeDaeifj32.exePlejdkmm.exeEcbjkngo.exeJnelok32.exeNjkkbehl.exeHifcgion.exeApmhiq32.exeEfjimhnh.exeKdmqmc32.exeLcjcnoej.exeDeqcbpld.exeHhaggp32.exeFpjcgm32.exeHbhijepa.exeBoeebnhp.exePnplfj32.exeDdgibkpc.exeFikbocki.exeJcikgacl.exeLoighj32.exeJidinqpb.exeBkmeha32.exeCkpamabg.exeGihgfk32.exeIbhkfm32.exeLlmhaold.exeEhlhih32.exeFbhpch32.exeOnnmdcjm.exeHbohpn32.exeGidnkkpc.exeKcidmkpq.exeLobjni32.exeAimogakj.exeLldopb32.exeEcefqnel.exeKnooej32.exeMokmdh32.exeAabkbono.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbjoeojc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iikmbh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgdidgjg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfmmplad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdpcal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbefdijg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmcolgbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgkdbacp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phfjcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opnbae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcclncbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lomjicei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbgeqmjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdpbon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nijeec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmlddqem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmhdkknd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iplkpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjlhgaqp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qacameaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alnmjjdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fibhpbea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bllbaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpkibf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjblje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Daeifj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plejdkmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecbjkngo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnelok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njkkbehl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hifcgion.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apmhiq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efjimhnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdmqmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcjcnoej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deqcbpld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhaggp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpjcgm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbhijepa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boeebnhp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnplfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddgibkpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fikbocki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcikgacl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Loighj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jidinqpb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkmeha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckpamabg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gihgfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibhkfm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llmhaold.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehlhih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbhpch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onnmdcjm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbohpn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gidnkkpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcidmkpq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lobjni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aimogakj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lldopb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecefqnel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knooej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mokmdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aabkbono.exe -
Modifies registry class 64 IoCs
Processes:
Lokdnjkg.exeMnjqmpgg.exeIqmidndd.exeEcbjkngo.exeIialhaad.exeAfgacokc.exeQfmmplad.exeEfhlhh32.exeFikbocki.exeJpaleglc.exeEfjbcakl.exeGbeejp32.exeBajqda32.exeKqnbkl32.exeAlqjpi32.exeDahmfpap.exeLlnnmhfe.exeEbgpad32.exePpahmb32.exeAaenbd32.exeEojiqb32.exef81225cf2387ac248575171f5b68aad7c4756284c6225fe2b8240690d0f8fce8N.exeDdjmba32.exeNopfpgip.exeHhaggp32.exeFpggamqc.exeHloqml32.exeMjidgkog.exeNiakfbpa.exeBkafmd32.exeEdeeci32.exeOmmceclc.exeJcikgacl.exePopbpqjh.exeLjqhkckn.exePhcgcqab.exeIgbalblk.exeEecphp32.exeFofilp32.exeIbgdlg32.exePfccogfc.exeDgpeha32.exePkcadhgm.exeFnfmbmbi.exeLbpdblmo.exeApjdikqd.exeHifcgion.exeOclkgccf.exeNlcalieg.exePlkpcfal.exeKjblje32.exeIdghpmnp.exeGidnkkpc.exeChdialdl.exeNmfmde32.exeAcokhc32.exeHgmgqc32.exeIgigla32.exeLkofdbkj.exeCioilg32.exeNimmifgo.exePiocecgj.exeFffhifdk.exeGncchb32.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lokdnjkg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnjqmpgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkfpfg32.dll" Iqmidndd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ecbjkngo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihjoke32.dll" Iialhaad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afgacokc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hockka32.dll" Qfmmplad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efhlhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fikbocki.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpaleglc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efjbcakl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbeejp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bajqda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjmped32.dll" Kqnbkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Alqjpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nchkcb32.dll" Dahmfpap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jicchk32.dll" Llnnmhfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebgpad32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppahmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpkgohbq.dll" Aaenbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eojiqb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} f81225cf2387ac248575171f5b68aad7c4756284c6225fe2b8240690d0f8fce8N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddjmba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nopfpgip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhaggp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpggamqc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hloqml32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjidgkog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Niakfbpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcpcam32.dll" Bkafmd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Edeeci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fefmmcgh.dll" Ommceclc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcleml32.dll" Jcikgacl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhlkdj32.dll" Popbpqjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljqhkckn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phcgcqab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igbalblk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfipab32.dll" Eecphp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fofilp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibgdlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfccogfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgpeha32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkcadhgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fnfmbmbi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lbpdblmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Apjdikqd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hifcgion.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oclkgccf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjibekmc.dll" Nlcalieg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Plkpcfal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjblje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iangld32.dll" Idghpmnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gidnkkpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chdialdl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmfmde32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Acokhc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hgmgqc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igigla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlnigobn.dll" Lkofdbkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cioilg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nimmifgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Piocecgj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fffhifdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfabjq32.dll" Gncchb32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
f81225cf2387ac248575171f5b68aad7c4756284c6225fe2b8240690d0f8fce8N.exeGddbcp32.exeGpkchqdj.exeHhbkinel.exeHjchaf32.exeHpmpnp32.exeHammhcij.exeHjhalefe.exeHdmein32.exeHdpbon32.exeHjlkge32.exeIgqkqiai.exeIhphkl32.exeIdghpmnp.exeIqmidndd.exeIjfnmc32.exeIjhjcchb.exeJdnoplhh.exeJkhgmf32.exeJbaojpgb.exeJdpkflfe.exeJkjcbe32.exedescription pid Process procid_target PID 3064 wrote to memory of 836 3064 f81225cf2387ac248575171f5b68aad7c4756284c6225fe2b8240690d0f8fce8N.exe 83 PID 3064 wrote to memory of 836 3064 f81225cf2387ac248575171f5b68aad7c4756284c6225fe2b8240690d0f8fce8N.exe 83 PID 3064 wrote to memory of 836 3064 f81225cf2387ac248575171f5b68aad7c4756284c6225fe2b8240690d0f8fce8N.exe 83 PID 836 wrote to memory of 2804 836 Gddbcp32.exe 84 PID 836 wrote to memory of 2804 836 Gddbcp32.exe 84 PID 836 wrote to memory of 2804 836 Gddbcp32.exe 84 PID 2804 wrote to memory of 856 2804 Gpkchqdj.exe 85 PID 2804 wrote to memory of 856 2804 Gpkchqdj.exe 85 PID 2804 wrote to memory of 856 2804 Gpkchqdj.exe 85 PID 856 wrote to memory of 1008 856 Hhbkinel.exe 86 PID 856 wrote to memory of 1008 856 Hhbkinel.exe 86 PID 856 wrote to memory of 1008 856 Hhbkinel.exe 86 PID 1008 wrote to memory of 2508 1008 Hjchaf32.exe 87 PID 1008 wrote to memory of 2508 1008 Hjchaf32.exe 87 PID 1008 wrote to memory of 2508 1008 Hjchaf32.exe 87 PID 2508 wrote to memory of 4716 2508 Hpmpnp32.exe 88 PID 2508 wrote to memory of 4716 2508 Hpmpnp32.exe 88 PID 2508 wrote to memory of 4716 2508 Hpmpnp32.exe 88 PID 4716 wrote to memory of 2080 4716 Hammhcij.exe 89 PID 4716 wrote to memory of 2080 4716 Hammhcij.exe 89 PID 4716 wrote to memory of 2080 4716 Hammhcij.exe 89 PID 2080 wrote to memory of 5028 2080 Hjhalefe.exe 90 PID 2080 wrote to memory of 5028 2080 Hjhalefe.exe 90 PID 2080 wrote to memory of 5028 2080 Hjhalefe.exe 90 PID 5028 wrote to memory of 4468 5028 Hdmein32.exe 91 PID 5028 wrote to memory of 4468 5028 Hdmein32.exe 91 PID 5028 wrote to memory of 4468 5028 Hdmein32.exe 91 PID 4468 wrote to memory of 3864 4468 Hdpbon32.exe 92 PID 4468 wrote to memory of 3864 4468 Hdpbon32.exe 92 PID 4468 wrote to memory of 3864 4468 Hdpbon32.exe 92 PID 3864 wrote to memory of 4764 3864 Hjlkge32.exe 94 PID 3864 wrote to memory of 4764 3864 Hjlkge32.exe 94 PID 3864 wrote to memory of 4764 3864 Hjlkge32.exe 94 PID 4764 wrote to memory of 4272 4764 Igqkqiai.exe 95 PID 4764 wrote to memory of 4272 4764 Igqkqiai.exe 95 PID 4764 wrote to memory of 4272 4764 Igqkqiai.exe 95 PID 4272 wrote to memory of 4968 4272 Ihphkl32.exe 96 PID 4272 wrote to memory of 4968 4272 Ihphkl32.exe 96 PID 4272 wrote to memory of 4968 4272 Ihphkl32.exe 96 PID 4968 wrote to memory of 4312 4968 Idghpmnp.exe 97 PID 4968 wrote to memory of 4312 4968 Idghpmnp.exe 97 PID 4968 wrote to memory of 4312 4968 Idghpmnp.exe 97 PID 4312 wrote to memory of 1988 4312 Iqmidndd.exe 98 PID 4312 wrote to memory of 1988 4312 Iqmidndd.exe 98 PID 4312 wrote to memory of 1988 4312 Iqmidndd.exe 98 PID 1988 wrote to memory of 456 1988 Ijfnmc32.exe 99 PID 1988 wrote to memory of 456 1988 Ijfnmc32.exe 99 PID 1988 wrote to memory of 456 1988 Ijfnmc32.exe 99 PID 456 wrote to memory of 2940 456 Ijhjcchb.exe 100 PID 456 wrote to memory of 2940 456 Ijhjcchb.exe 100 PID 456 wrote to memory of 2940 456 Ijhjcchb.exe 100 PID 2940 wrote to memory of 2168 2940 Jdnoplhh.exe 101 PID 2940 wrote to memory of 2168 2940 Jdnoplhh.exe 101 PID 2940 wrote to memory of 2168 2940 Jdnoplhh.exe 101 PID 2168 wrote to memory of 1036 2168 Jkhgmf32.exe 102 PID 2168 wrote to memory of 1036 2168 Jkhgmf32.exe 102 PID 2168 wrote to memory of 1036 2168 Jkhgmf32.exe 102 PID 1036 wrote to memory of 2616 1036 Jbaojpgb.exe 103 PID 1036 wrote to memory of 2616 1036 Jbaojpgb.exe 103 PID 1036 wrote to memory of 2616 1036 Jbaojpgb.exe 103 PID 2616 wrote to memory of 4340 2616 Jdpkflfe.exe 104 PID 2616 wrote to memory of 4340 2616 Jdpkflfe.exe 104 PID 2616 wrote to memory of 4340 2616 Jdpkflfe.exe 104 PID 4340 wrote to memory of 1652 4340 Jkjcbe32.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\f81225cf2387ac248575171f5b68aad7c4756284c6225fe2b8240690d0f8fce8N.exe"C:\Users\Admin\AppData\Local\Temp\f81225cf2387ac248575171f5b68aad7c4756284c6225fe2b8240690d0f8fce8N.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\SysWOW64\Gddbcp32.exeC:\Windows\system32\Gddbcp32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:836 -
C:\Windows\SysWOW64\Gpkchqdj.exeC:\Windows\system32\Gpkchqdj.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Hhbkinel.exeC:\Windows\system32\Hhbkinel.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:856 -
C:\Windows\SysWOW64\Hjchaf32.exeC:\Windows\system32\Hjchaf32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1008 -
C:\Windows\SysWOW64\Hpmpnp32.exeC:\Windows\system32\Hpmpnp32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\Hammhcij.exeC:\Windows\system32\Hammhcij.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4716 -
C:\Windows\SysWOW64\Hjhalefe.exeC:\Windows\system32\Hjhalefe.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Windows\SysWOW64\Hdmein32.exeC:\Windows\system32\Hdmein32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5028 -
C:\Windows\SysWOW64\Hdpbon32.exeC:\Windows\system32\Hdpbon32.exe10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4468 -
C:\Windows\SysWOW64\Hjlkge32.exeC:\Windows\system32\Hjlkge32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3864 -
C:\Windows\SysWOW64\Igqkqiai.exeC:\Windows\system32\Igqkqiai.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4764 -
C:\Windows\SysWOW64\Ihphkl32.exeC:\Windows\system32\Ihphkl32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4272 -
C:\Windows\SysWOW64\Idghpmnp.exeC:\Windows\system32\Idghpmnp.exe14⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4968 -
C:\Windows\SysWOW64\Iqmidndd.exeC:\Windows\system32\Iqmidndd.exe15⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4312 -
C:\Windows\SysWOW64\Ijfnmc32.exeC:\Windows\system32\Ijfnmc32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1988 -
C:\Windows\SysWOW64\Ijhjcchb.exeC:\Windows\system32\Ijhjcchb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:456 -
C:\Windows\SysWOW64\Jdnoplhh.exeC:\Windows\system32\Jdnoplhh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\Jkhgmf32.exeC:\Windows\system32\Jkhgmf32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Windows\SysWOW64\Jbaojpgb.exeC:\Windows\system32\Jbaojpgb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1036 -
C:\Windows\SysWOW64\Jdpkflfe.exeC:\Windows\system32\Jdpkflfe.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Jkjcbe32.exeC:\Windows\system32\Jkjcbe32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4340 -
C:\Windows\SysWOW64\Jbfheo32.exeC:\Windows\system32\Jbfheo32.exe23⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Jkomneim.exeC:\Windows\system32\Jkomneim.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1820 -
C:\Windows\SysWOW64\Jdgafjpn.exeC:\Windows\system32\Jdgafjpn.exe25⤵
- Executes dropped EXE
PID:624 -
C:\Windows\SysWOW64\Kqnbkl32.exeC:\Windows\system32\Kqnbkl32.exe26⤵
- Executes dropped EXE
- Modifies registry class
PID:4964 -
C:\Windows\SysWOW64\Kelkaj32.exeC:\Windows\system32\Kelkaj32.exe27⤵
- Executes dropped EXE
PID:1288 -
C:\Windows\SysWOW64\Kbpkkn32.exeC:\Windows\system32\Kbpkkn32.exe28⤵
- Executes dropped EXE
PID:3600 -
C:\Windows\SysWOW64\Knflpoqf.exeC:\Windows\system32\Knflpoqf.exe29⤵
- Executes dropped EXE
PID:3636 -
C:\Windows\SysWOW64\Kkjlic32.exeC:\Windows\system32\Kkjlic32.exe30⤵
- Executes dropped EXE
PID:4172 -
C:\Windows\SysWOW64\Kageaj32.exeC:\Windows\system32\Kageaj32.exe31⤵
- Executes dropped EXE
PID:1332 -
C:\Windows\SysWOW64\Leenhhdn.exeC:\Windows\system32\Leenhhdn.exe32⤵
- Executes dropped EXE
PID:3796 -
C:\Windows\SysWOW64\Lkofdbkj.exeC:\Windows\system32\Lkofdbkj.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:2512 -
C:\Windows\SysWOW64\Lgffic32.exeC:\Windows\system32\Lgffic32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4640 -
C:\Windows\SysWOW64\Lankbigo.exeC:\Windows\system32\Lankbigo.exe35⤵
- Executes dropped EXE
PID:4128 -
C:\Windows\SysWOW64\Lldopb32.exeC:\Windows\system32\Lldopb32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1200 -
C:\Windows\SysWOW64\Lbngllob.exeC:\Windows\system32\Lbngllob.exe37⤵
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\Lbpdblmo.exeC:\Windows\system32\Lbpdblmo.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:2448 -
C:\Windows\SysWOW64\Llhikacp.exeC:\Windows\system32\Llhikacp.exe39⤵
- Executes dropped EXE
PID:4952 -
C:\Windows\SysWOW64\Mhoipb32.exeC:\Windows\system32\Mhoipb32.exe40⤵
- Executes dropped EXE
PID:1808 -
C:\Windows\SysWOW64\Mahnhhod.exeC:\Windows\system32\Mahnhhod.exe41⤵
- Executes dropped EXE
PID:4944 -
C:\Windows\SysWOW64\Mjpbam32.exeC:\Windows\system32\Mjpbam32.exe42⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Meefofek.exeC:\Windows\system32\Meefofek.exe43⤵
- Executes dropped EXE
PID:544 -
C:\Windows\SysWOW64\Mbighjdd.exeC:\Windows\system32\Mbighjdd.exe44⤵
- Executes dropped EXE
PID:4296 -
C:\Windows\SysWOW64\Mhfppabl.exeC:\Windows\system32\Mhfppabl.exe45⤵
- Executes dropped EXE
PID:1328 -
C:\Windows\SysWOW64\Mejpje32.exeC:\Windows\system32\Mejpje32.exe46⤵
- Executes dropped EXE
PID:4712 -
C:\Windows\SysWOW64\Nobdbkhf.exeC:\Windows\system32\Nobdbkhf.exe47⤵
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\Nhkikq32.exeC:\Windows\system32\Nhkikq32.exe48⤵
- Executes dropped EXE
PID:3888 -
C:\Windows\SysWOW64\Noeahkfc.exeC:\Windows\system32\Noeahkfc.exe49⤵
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\Nijeec32.exeC:\Windows\system32\Nijeec32.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4336 -
C:\Windows\SysWOW64\Nhpbfpka.exeC:\Windows\system32\Nhpbfpka.exe51⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Nbefdijg.exeC:\Windows\system32\Nbefdijg.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3896 -
C:\Windows\SysWOW64\Nolgijpk.exeC:\Windows\system32\Nolgijpk.exe53⤵
- Executes dropped EXE
PID:3828 -
C:\Windows\SysWOW64\Niakfbpa.exeC:\Windows\system32\Niakfbpa.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2724 -
C:\Windows\SysWOW64\Okchnk32.exeC:\Windows\system32\Okchnk32.exe55⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Oidhlb32.exeC:\Windows\system32\Oidhlb32.exe56⤵
- Executes dropped EXE
PID:4080 -
C:\Windows\SysWOW64\Ooqqdi32.exeC:\Windows\system32\Ooqqdi32.exe57⤵
- Executes dropped EXE
PID:3996 -
C:\Windows\SysWOW64\Oaompd32.exeC:\Windows\system32\Oaompd32.exe58⤵
- Executes dropped EXE
PID:3088 -
C:\Windows\SysWOW64\Oldamm32.exeC:\Windows\system32\Oldamm32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4728 -
C:\Windows\SysWOW64\Oemefcap.exeC:\Windows\system32\Oemefcap.exe60⤵
- Executes dropped EXE
PID:3868 -
C:\Windows\SysWOW64\Okjnnj32.exeC:\Windows\system32\Okjnnj32.exe61⤵
- Executes dropped EXE
PID:2200 -
C:\Windows\SysWOW64\Obafpg32.exeC:\Windows\system32\Obafpg32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:8 -
C:\Windows\SysWOW64\Ohnohn32.exeC:\Windows\system32\Ohnohn32.exe63⤵
- Executes dropped EXE
PID:3136 -
C:\Windows\SysWOW64\Oafcqcea.exeC:\Windows\system32\Oafcqcea.exe64⤵
- Executes dropped EXE
PID:4988 -
C:\Windows\SysWOW64\Pojcjh32.exeC:\Windows\system32\Pojcjh32.exe65⤵
- Executes dropped EXE
PID:3276 -
C:\Windows\SysWOW64\Phbhcmjl.exeC:\Windows\system32\Phbhcmjl.exe66⤵PID:2348
-
C:\Windows\SysWOW64\Pakllc32.exeC:\Windows\system32\Pakllc32.exe67⤵PID:1416
-
C:\Windows\SysWOW64\Pkcadhgm.exeC:\Windows\system32\Pkcadhgm.exe68⤵
- Modifies registry class
PID:4852 -
C:\Windows\SysWOW64\Peieba32.exeC:\Windows\system32\Peieba32.exe69⤵PID:2344
-
C:\Windows\SysWOW64\Poajkgnc.exeC:\Windows\system32\Poajkgnc.exe70⤵PID:1944
-
C:\Windows\SysWOW64\Pekbga32.exeC:\Windows\system32\Pekbga32.exe71⤵PID:3376
-
C:\Windows\SysWOW64\Plejdkmm.exeC:\Windows\system32\Plejdkmm.exe72⤵
- System Location Discovery: System Language Discovery
PID:3112 -
C:\Windows\SysWOW64\Pabblb32.exeC:\Windows\system32\Pabblb32.exe73⤵PID:872
-
C:\Windows\SysWOW64\Qhlkilba.exeC:\Windows\system32\Qhlkilba.exe74⤵PID:4684
-
C:\Windows\SysWOW64\Qadoba32.exeC:\Windows\system32\Qadoba32.exe75⤵PID:1860
-
C:\Windows\SysWOW64\Qhngolpo.exeC:\Windows\system32\Qhngolpo.exe76⤵PID:4408
-
C:\Windows\SysWOW64\Qaflgago.exeC:\Windows\system32\Qaflgago.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4448 -
C:\Windows\SysWOW64\Ahqddk32.exeC:\Windows\system32\Ahqddk32.exe78⤵PID:4788
-
C:\Windows\SysWOW64\Aaiimadl.exeC:\Windows\system32\Aaiimadl.exe79⤵PID:640
-
C:\Windows\SysWOW64\Alnmjjdb.exeC:\Windows\system32\Alnmjjdb.exe80⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3644 -
C:\Windows\SysWOW64\Achegd32.exeC:\Windows\system32\Achegd32.exe81⤵PID:208
-
C:\Windows\SysWOW64\Afgacokc.exeC:\Windows\system32\Afgacokc.exe82⤵
- Modifies registry class
PID:3932 -
C:\Windows\SysWOW64\Alqjpi32.exeC:\Windows\system32\Alqjpi32.exe83⤵
- Modifies registry class
PID:4032 -
C:\Windows\SysWOW64\Ajdjin32.exeC:\Windows\system32\Ajdjin32.exe84⤵PID:1572
-
C:\Windows\SysWOW64\Abponp32.exeC:\Windows\system32\Abponp32.exe85⤵PID:5008
-
C:\Windows\SysWOW64\Acokhc32.exeC:\Windows\system32\Acokhc32.exe86⤵
- Modifies registry class
PID:5180 -
C:\Windows\SysWOW64\Bkkple32.exeC:\Windows\system32\Bkkple32.exe87⤵PID:5228
-
C:\Windows\SysWOW64\Bfpdin32.exeC:\Windows\system32\Bfpdin32.exe88⤵PID:5272
-
C:\Windows\SysWOW64\Bkmmaeap.exeC:\Windows\system32\Bkmmaeap.exe89⤵PID:5320
-
C:\Windows\SysWOW64\Bbgeno32.exeC:\Windows\system32\Bbgeno32.exe90⤵PID:5368
-
C:\Windows\SysWOW64\Bhamkipi.exeC:\Windows\system32\Bhamkipi.exe91⤵PID:5428
-
C:\Windows\SysWOW64\Bokehc32.exeC:\Windows\system32\Bokehc32.exe92⤵PID:5468
-
C:\Windows\SysWOW64\Bfendmoc.exeC:\Windows\system32\Bfendmoc.exe93⤵PID:5512
-
C:\Windows\SysWOW64\Bkafmd32.exeC:\Windows\system32\Bkafmd32.exe94⤵
- Modifies registry class
PID:5556 -
C:\Windows\SysWOW64\Bfgjjm32.exeC:\Windows\system32\Bfgjjm32.exe95⤵PID:5600
-
C:\Windows\SysWOW64\Bkdcbd32.exeC:\Windows\system32\Bkdcbd32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5648 -
C:\Windows\SysWOW64\Bbnkonbd.exeC:\Windows\system32\Bbnkonbd.exe97⤵PID:5692
-
C:\Windows\SysWOW64\Cjecpkcg.exeC:\Windows\system32\Cjecpkcg.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5732 -
C:\Windows\SysWOW64\Cmcolgbj.exeC:\Windows\system32\Cmcolgbj.exe99⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5772 -
C:\Windows\SysWOW64\Ccmgiaig.exeC:\Windows\system32\Ccmgiaig.exe100⤵
- Drops file in System32 directory
PID:5816 -
C:\Windows\SysWOW64\Cijpahho.exeC:\Windows\system32\Cijpahho.exe101⤵PID:5856
-
C:\Windows\SysWOW64\Ccpdoqgd.exeC:\Windows\system32\Ccpdoqgd.exe102⤵PID:5896
-
C:\Windows\SysWOW64\Cjjlkk32.exeC:\Windows\system32\Cjjlkk32.exe103⤵PID:5940
-
C:\Windows\SysWOW64\Ckkiccep.exeC:\Windows\system32\Ckkiccep.exe104⤵PID:5984
-
C:\Windows\SysWOW64\Cbeapmll.exeC:\Windows\system32\Cbeapmll.exe105⤵
- Drops file in System32 directory
PID:6028 -
C:\Windows\SysWOW64\Cioilg32.exeC:\Windows\system32\Cioilg32.exe106⤵
- Modifies registry class
PID:6072 -
C:\Windows\SysWOW64\Coiaiakf.exeC:\Windows\system32\Coiaiakf.exe107⤵
- Drops file in System32 directory
PID:6116 -
C:\Windows\SysWOW64\Cfcjfk32.exeC:\Windows\system32\Cfcjfk32.exe108⤵PID:2400
-
C:\Windows\SysWOW64\Cmmbbejp.exeC:\Windows\system32\Cmmbbejp.exe109⤵PID:5216
-
C:\Windows\SysWOW64\Dbjkkl32.exeC:\Windows\system32\Dbjkkl32.exe110⤵PID:5296
-
C:\Windows\SysWOW64\Djqblj32.exeC:\Windows\system32\Djqblj32.exe111⤵PID:5352
-
C:\Windows\SysWOW64\Dmoohe32.exeC:\Windows\system32\Dmoohe32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5436 -
C:\Windows\SysWOW64\Dpnkdq32.exeC:\Windows\system32\Dpnkdq32.exe113⤵PID:5532
-
C:\Windows\SysWOW64\Djcoai32.exeC:\Windows\system32\Djcoai32.exe114⤵PID:5592
-
C:\Windows\SysWOW64\Dmalne32.exeC:\Windows\system32\Dmalne32.exe115⤵PID:5664
-
C:\Windows\SysWOW64\Dckdjomg.exeC:\Windows\system32\Dckdjomg.exe116⤵PID:5768
-
C:\Windows\SysWOW64\Dfjpfj32.exeC:\Windows\system32\Dfjpfj32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5844 -
C:\Windows\SysWOW64\Dpbdopck.exeC:\Windows\system32\Dpbdopck.exe118⤵PID:5908
-
C:\Windows\SysWOW64\Dikihe32.exeC:\Windows\system32\Dikihe32.exe119⤵PID:5976
-
C:\Windows\SysWOW64\Dbcmakpl.exeC:\Windows\system32\Dbcmakpl.exe120⤵PID:6048
-
C:\Windows\SysWOW64\Dmhand32.exeC:\Windows\system32\Dmhand32.exe121⤵PID:6108
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-