Analysis

max time kernel: 121s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-11-2024 16:31
Static task: static1

Behavioral task: behavioral1
  Sample: e2d48262c936c39fa3bcece66fcb674400ef22cc314288cc7fef7fac460622ea.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: e2d48262c936c39fa3bcece66fcb674400ef22cc314288cc7fef7fac460622ea.exe
  Resource: win10v2004-20241007-en
General

Target: e2d48262c936c39fa3bcece66fcb674400ef22cc314288cc7fef7fac460622ea.exe
Size: 96KB
MD5: 47f4f06d462cf2e3758fbe0bfcb153a2
SHA1: dab8d3d8203b64c5d82a1579ed50a2afc0954e75
SHA256: e2d48262c936c39fa3bcece66fcb674400ef22cc314288cc7fef7fac460622ea
SHA512: b31697b4170fd7b931d0283a40e6e41ce672a3df146ba9a66114bcc0c67054a4beae7cafb73a10b59ae835a49ec57742664ab955a3095910ef5aef7826d5b2ae
SSDEEP: 1536:XuNYdgZr3xRqp4LivZ6FFvfCo2L77RZObZUUWaegPYA:cogZr3ijvZ6Dvi7ClUUWae
Malware Config

Extracted: berbew

The URL list below is the embedded Berbew configuration recovered by the sandbox's config extractor. Treat it as a static indicator set for pivoting and blocking, not as evidence of live command and control: the sections captured here record no network activity for this run, so whether any of these hosts was contacted is not established by this report.
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

All 64 writes land under the WOW6432Node view of HKLM\SOFTWARE. The sample is a 32-bit image (the resource tags list arch:x86) running under WOW64 on this x64 platform, so the registry redirector rewrites its HKLM\SOFTWARE\Microsoft\... writes into the WOW6432Node subtree. A 64-bit Explorer reads the native ShellServiceObjectDelayLoad key, so the entry as written here is not in the key the 64-bit shell consults; the signature title describes the intent of the write, and the autostart should be verified on a 32-bit host or against the native key rather than assumed. Hunting rules need to cover both views. The value name ("Web Event Logger") and the CLSID {79FEACFF-FFCE-815E-A900-316290B5B738} are identical across every stage and are the stable indicators in this section; the writing process names are generated per stage and are not useful as indicators.

Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, by:
  Pkbjjbda.exe, Omdppiif.exe, Gnjjfegi.exe, Bebblb32.exe, Olbdhn32.exe, Cglbhhga.exe, Pgefeajb.exe, Fhofmq32.exe,
  Akpoaj32.exe, Opeiadfg.exe, Cdfkolkf.exe, Ffmfchle.exe, Nlhkgi32.exe, Fimhjl32.exe, Ljeafb32.exe, Ieliebnf.exe,
  Ojdgnn32.exe, Afpjel32.exe, Ghhhcomg.exe, Dooaoj32.exe, Ebdcld32.exe, Bkdcbd32.exe, Bheplb32.exe, Cfadkb32.exe,
  Hdicienl.exe, Cjbpaf32.exe, Cgndoeag.exe, Mnmdme32.exe, Dfnbgc32.exe, Ngdmod32.exe, Qjnkcekm.exe

Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}", by:
  Ncabfkqo.exe, Pnplfj32.exe, Knenkbio.exe, Lbinam32.exe, Nlhkgi32.exe, Hnfamjqg.exe, Folaiqng.exe, Lhfmdj32.exe,
  Opeiadfg.exe, Nckndeni.exe, Nknobkje.exe, Hninbj32.exe, Ifbbig32.exe, Jjoiil32.exe, Edpgli32.exe, Hfjdqmng.exe,
  Fkllnbjc.exe, Olijhmgj.exe, Pabblb32.exe, Belebq32.exe, Fdqfll32.exe, Gbofcghl.exe, Oeicejia.exe, Lljklo32.exe,
  Emoinpcd.exe, Oanfen32.exe, Gbnoiqdq.exe, Hedafk32.exe, Lckiihok.exe, Mfqlfb32.exe, Ompfej32.exe, Bhblllfo.exe,
  Cdhhdlid.exe

Berbew family
Executes dropped EXE (64 IoCs)

The pid column is the sandbox's process id. Read top to bottom, the names advance alphabetically (K through Q, then wrapping to B), which is consistent with each stage dropping and launching the next one as recorded in the file-drop section that follows.

 pid  Process
1856  Kfmepi32.exe
4964  Klimip32.exe
1508  Kebbafoj.exe
3032  Kdcbom32.exe
1624  Kipkhdeq.exe
 436  Kbhoqj32.exe
3536  Kibgmdcn.exe
 992  Lbjlfi32.exe
1144  Lmppcbjd.exe
3548  Lfhdlh32.exe
3428  Lpqiemge.exe
2040  Liimncmf.exe
4748  Ldoaklml.exe
4760  Likjcbkc.exe
5064  Ldanqkki.exe
 724  Lebkhc32.exe
2188  Lphoelqn.exe
 372  Mbfkbhpa.exe
3512  Mlopkm32.exe
3384  Megdccmb.exe
2824  Mckemg32.exe
4008  Miemjaci.exe
1172  Mlefklpj.exe
2272  Mcpnhfhf.exe
1944  Miifeq32.exe
4148  Ndokbi32.exe
4088  Nilcjp32.exe
 988  Npfkgjdn.exe
2776  Njnpppkn.exe
3452  Nlmllkja.exe
1356  Ngbpidjh.exe
1468  Nnlhfn32.exe
2636  Ngdmod32.exe
1076  Njciko32.exe
2508  Nckndeni.exe
2388  Nfjjppmm.exe
3636  Nnqbanmo.exe
1180  Ocnjidkf.exe
2268  Oncofm32.exe
5036  Odmgcgbi.exe
2276  Ofnckp32.exe
3688  Opdghh32.exe
1616  Ognpebpj.exe
1820  Onhhamgg.exe
 856  Oqfdnhfk.exe
1244  Ogpmjb32.exe
4372  Olmeci32.exe
5116  Oddmdf32.exe
3312  Ofeilobp.exe
3260  Pmoahijl.exe
3132  Pgefeajb.exe
3832  Pjcbbmif.exe
1512  Pqmjog32.exe
1984  Pggbkagp.exe
4784  Pnakhkol.exe
4968  Pcncpbmd.exe
4416  Pjhlml32.exe
2884  Pdmpje32.exe
1476  Pjjhbl32.exe
2844  Pmidog32.exe
 380  Pgnilpah.exe
4548  Qnhahj32.exe
1636  Qqfmde32.exe
4676  Bebblb32.exe
Drops file in System32 directory (64 IoCs)

C:\Windows\SysWOW64 is where a 32-bit process lands when it writes to %SystemRoot%\System32 under WOW64 file-system redirection, hence the signature name. Every dropped artefact is an eight-letter name plus .exe or .dll; the .exe drops are the next stage of the chain (the dropper and the dropped name both appear in the "Executes dropped EXE" list), and the .dll drops are the COM servers registered under the CLSID in the "Modifies registry class" section. "File opened for modification" rows are the same dropper writing the next stage, recorded under a different file operation.

description                   ioc                               Process
File opened for modification  C:\Windows\SysWOW64\Folaiqng.exe  Fhbimf32.exe
File created                  C:\Windows\SysWOW64\Iinqbn32.exe  Iljpij32.exe
File created                  C:\Windows\SysWOW64\Eejeiocj.exe  Eblimcdf.exe
File opened for modification  C:\Windows\SysWOW64\Gnkaalkd.exe  Ggqida32.exe
File created                  C:\Windows\SysWOW64\Nnbebofc.dll  Kfjapcii.exe
File opened for modification  C:\Windows\SysWOW64\Obcceg32.exe  Olijhmgj.exe
File created                  C:\Windows\SysWOW64\Hdmoohbo.exe  Higjaoci.exe
File created                  C:\Windows\SysWOW64\Mnkggfkb.exe  Mkmkkjko.exe
File created                  C:\Windows\SysWOW64\Neclenfo.exe  Nlkgmh32.exe
File opened for modification  C:\Windows\SysWOW64\Oplfkeob.exe  Onkidm32.exe
File opened for modification  C:\Windows\SysWOW64\Gdppbfff.exe  Gnfhfl32.exe
File opened for modification  C:\Windows\SysWOW64\Djfcaohp.exe  Dclkee32.exe
File opened for modification  C:\Windows\SysWOW64\Kinmcg32.exe  Kageaj32.exe
File opened for modification  C:\Windows\SysWOW64\Qadoba32.exe  Qlggjk32.exe
File created                  C:\Windows\SysWOW64\Hhfjcdon.dll  Afkknogn.exe
File opened for modification  C:\Windows\SysWOW64\Jpdhkf32.exe  Jjjpnlbd.exe
File created                  C:\Windows\SysWOW64\Dfdpad32.exe  Dnmhpg32.exe
File opened for modification  C:\Windows\SysWOW64\Jpaekqhh.exe  Jmbhoeid.exe
File created                  C:\Windows\SysWOW64\Lncjlq32.exe  Lgibpf32.exe
File created                  C:\Windows\SysWOW64\Cbokknag.dll  Fnckpmql.exe
File opened for modification  C:\Windows\SysWOW64\Mkohaj32.exe  Meepdp32.exe
File opened for modification  C:\Windows\SysWOW64\Oobfob32.exe  Ohhnbhok.exe
File created                  C:\Windows\SysWOW64\Jkdgfllg.dll  Bdbnjdfg.exe
File created                  C:\Windows\SysWOW64\Fjmkqm32.dll  Fnaokmco.exe
File opened for modification  C:\Windows\SysWOW64\Gdbmhf32.exe  Gnhdkl32.exe
File created                  C:\Windows\SysWOW64\Mfcmmp32.exe  Molelb32.exe
File created                  C:\Windows\SysWOW64\Jeipof32.dll  Acpbbi32.exe
File created                  C:\Windows\SysWOW64\Emlenj32.exe  Dfamapjo.exe
File created                  C:\Windows\SysWOW64\Belqaa32.dll  Fpjcgm32.exe
File created                  C:\Windows\SysWOW64\Gmggfp32.exe  Gbabigfj.exe
File opened for modification  C:\Windows\SysWOW64\Dfdpad32.exe  Dnmhpg32.exe
File created                  C:\Windows\SysWOW64\Kjlopc32.exe  Kofkbk32.exe
File created                  C:\Windows\SysWOW64\Ijilflah.dll  Cdpcal32.exe
File opened for modification  C:\Windows\SysWOW64\Jnkcogno.exe  Jgakbm32.exe
File created                  C:\Windows\SysWOW64\Egfdnejf.dll  Jnhpoamf.exe
File created                  C:\Windows\SysWOW64\Licfngjd.exe  Lbinam32.exe
File created                  C:\Windows\SysWOW64\Aakebqbj.exe  Akamff32.exe
File created                  C:\Windows\SysWOW64\Afkknogn.exe  Acmobchj.exe
File created                  C:\Windows\SysWOW64\Dempqa32.dll  Npiiffqe.exe
File created                  C:\Windows\SysWOW64\Ebggoi32.dll  Bgpcliao.exe
File opened for modification  C:\Windows\SysWOW64\Aogiap32.exe  Qhmqdemc.exe
File created                  C:\Windows\SysWOW64\Ckmonl32.exe  Cfpffeaj.exe
File created                  C:\Windows\SysWOW64\Kednfemc.dll  Fmgejhgn.exe
File created                  C:\Windows\SysWOW64\Pefhlaie.exe  Pkadoiip.exe
File created                  C:\Windows\SysWOW64\Bkdcbd32.exe  Bjbfklei.exe
File created                  C:\Windows\SysWOW64\Doilmc32.exe  Dhocqigp.exe
File created                  C:\Windows\SysWOW64\Gfbelofc.dll  Eejjjl32.exe
File created                  C:\Windows\SysWOW64\Ikdcmpnl.exe  Idkkpf32.exe
File created                  C:\Windows\SysWOW64\Dckajh32.dll  Mmhgmmbf.exe
File created                  C:\Windows\SysWOW64\Nhgaocmg.dll  Kbhoqj32.exe
File opened for modification  C:\Windows\SysWOW64\Fgbmccpg.exe  Fddqghpd.exe
File opened for modification  C:\Windows\SysWOW64\Hakgmjoh.exe  Gkaopp32.exe
File created                  C:\Windows\SysWOW64\Bpqhgk32.dll  Ggilil32.exe
File created                  C:\Windows\SysWOW64\Agbgbe32.dll  Kelkaj32.exe
File opened for modification  C:\Windows\SysWOW64\Ckkiccep.exe  Cjjlkk32.exe
File created                  C:\Windows\SysWOW64\Amlkko32.dll  Kqfngd32.exe
File created                  C:\Windows\SysWOW64\Njciko32.exe  Ngdmod32.exe
File opened for modification  C:\Windows\SysWOW64\Jpkphjeb.exe  Jiaglp32.exe
File created                  C:\Windows\SysWOW64\Inojnf32.dll  Lhfmdj32.exe
File opened for modification  C:\Windows\SysWOW64\Aokcklid.exe  Qlmgopjq.exe
File opened for modification  C:\Windows\SysWOW64\Omdppiif.exe  Ojfcdnjc.exe
File created                  C:\Windows\SysWOW64\Hdicienl.exe  Hakgmjoh.exe
File created                  C:\Windows\SysWOW64\Kpiljh32.exe  Khbdikip.exe
File created                  C:\Windows\SysWOW64\Palbkhoj.dll  Olijhmgj.exe
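The two tables above ("Executes dropped EXE" and "Drops file in System32 directory") only make sense together: each row in the second is one stage writing the next stage. The following Python is an added example, not part of this report or of any sandbox tooling, that rebuilds the drop chain from rows in the report's own format, orders the stages, and lists every on-disk artefact for collection and cleanup. The sample rows are copied from the table above, except the Ocljjj32.dll drop by Ngdmod32.exe, which is constructed (the registry-class section shows Ngdmod32.exe registering that DLL, but its creation falls outside the 64 captured rows).

```python
"""Rebuild the Berbew drop chain from 'Drops file in System32 directory' rows."""
import re
from collections import defaultdict

# Row format as printed in the report:  File created|opened for modification <path> <process>
FILE_RE = re.compile(
    r"^File (?P<op>created|opened for modification) (?P<path>[A-Za-z]:\\\S+) (?P<proc>\S+)$")

# Constructed sample: rows from this report plus one inferred DLL drop (see lead-in).
SAMPLE_ROWS = r"""
File opened for modification C:\Windows\SysWOW64\Hakgmjoh.exe Gkaopp32.exe
File created C:\Windows\SysWOW64\Hdicienl.exe Hakgmjoh.exe
File created C:\Windows\SysWOW64\Njciko32.exe Ngdmod32.exe
File created C:\Windows\SysWOW64\Ocljjj32.dll Ngdmod32.exe
File created C:\Windows\SysWOW64\Bkdcbd32.exe Bjbfklei.exe
File created C:\Windows\SysWOW64\Nhgaocmg.dll Kbhoqj32.exe
File created C:\Windows\SysWOW64\Dfdpad32.exe Dnmhpg32.exe
File opened for modification C:\Windows\SysWOW64\Dfdpad32.exe Dnmhpg32.exe
"""


def parse_drops(text):
    """(process, path, op) for every recognised row; other lines are ignored."""
    rows = []
    for line in text.strip().splitlines():
        m = FILE_RE.match(line)
        if m:
            rows.append((m["proc"], m["path"], m["op"]))
    return rows


def build_drop_graph(rows):
    """children: dropper -> set of dropped .exe names; dlls: dropper -> set of dropped .dll paths.
    'created' and 'opened for modification' both count as the dropper touching the file,
    so a stage logged under both operations yields a single edge."""
    children = defaultdict(set)
    dlls = defaultdict(set)
    for proc, path, _op in rows:
        name = path.rsplit("\\", 1)[-1]
        if name.lower().endswith(".exe"):
            children[proc].add(name)
        elif name.lower().endswith(".dll"):
            dlls[proc].add(path)
    return children, dlls


def drop_chains(children):
    """Walk dropper -> dropped from every root (a dropper that nobody dropped).
    Each Berbew stage drops one successor, so a chain is a simple path; if a stage
    had several children only the first in sorted order is followed."""
    dropped = {c for kids in children.values() for c in kids}
    chains = []
    for root in sorted(p for p in children if p not in dropped):
        chain, seen, cur = [root], {root}, root
        while children.get(cur):
            nxt = sorted(children[cur])[0]
            if nxt in seen:          # defensive: a cycle in captured rows
                break
            chain.append(nxt)
            seen.add(nxt)
            cur = nxt
        chains.append(chain)
    return chains


def artefacts(rows):
    """Every path the chain touched, de-duplicated, for collection and removal."""
    return sorted({path for _, path, _ in rows})


if __name__ == "__main__":
    rows = parse_drops(SAMPLE_ROWS)
    children, dlls = build_drop_graph(rows)
    for chain in drop_chains(children):
        print(" -> ".join(chain))
    for proc, paths in sorted(dlls.items()):
        print(proc, "dropped DLLs:", ", ".join(sorted(paths)))
    print(len(artefacts(rows)), "artefacts to collect")
```

With the full 64 rows of a report (or EDR file-create events mapped to the same three fields) the chains join into one long path; the sampled rows here produce several short fragments because the report shows only a subset of a much longer run. Chain membership is also the quickest way to decide which of the many eight-letter binaries on a host belong to this infection rather than to a second unrelated sample.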
Program crash (1 IoCs)

 pid  pid_target  Process       procid_target
7868  9164        WerFault.exe  1069
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)

Attempts to gather information about the system language of the victim host in order to infer its geographical location. Reading this key is also ordinary behaviour for locale-aware software, so on its own it is a weak indicator; what is notable here is that each of the 64 processes listed (all of them dropped stages) performs the same read.

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by:
  Npchgdcd.exe, Gphgbafl.exe, Mnphmkji.exe, Ijqmhnko.exe, Ekmhejao.exe, Kbpbed32.exe, Fhofmq32.exe, Nhmeapmd.exe,
  Ncabfkqo.exe, Oghghb32.exe, Jllokajf.exe, Qaqegecm.exe, Ldanqkki.exe, Oofaiokl.exe, Lihpif32.exe, Jlolpq32.exe,
  Dkqaoe32.exe, Olbdhn32.exe, Ifmqfm32.exe, Jofalmmp.exe, Oplfkeob.exe, Hbhijepa.exe, Igdnabjh.exe, Licfngjd.exe,
  Plpqil32.exe, Nmgjia32.exe, Lgibpf32.exe, Ifdonfka.exe, Kfjapcii.exe, Nplkmckj.exe, Ebommi32.exe, Jgpmmp32.exe,
  Anmfbl32.exe, Ijadbdoj.exe, Lnadagbm.exe, Midfokpm.exe, Neppokal.exe, Gklnjj32.exe, Akglloai.exe, Ebdcld32.exe,
  Fimhjl32.exe, Nadleilm.exe, Bhpfqcln.exe, Gdncmghi.exe, Gkglja32.exe, Gkjhoq32.exe, Biadeoce.exe, Ejflhm32.exe,
  Fhmigagd.exe, Leopnglc.exe, Gmdcfidg.exe, Mogcihaj.exe, Llhikacp.exe, Qhlkilba.exe, Acokhc32.exe, Knfeeimj.exe,
  Ckmonl32.exe, Bgnffj32.exe, Bacjdbch.exe, Olmeci32.exe, Qlmgopjq.exe, Mgehfkop.exe, Likjcbkc.exe, Lfhnaa32.exe
Modifies registry class (64 IoCs)

The CLSID registered here, {79FEACFF-FFCE-815E-A900-316290B5B738}, is the one referenced from the ShellServiceObjectDelayLoad value in the autorun signature above. Each stage re-points the CLSID's InProcServer32 default value at its own freshly named DLL under C:\Windows\SysWow64 and marks it Apartment-threaded, so the DLL path changes with every stage while the CLSID stays fixed. On an infected host the live InProcServer32 value names only the most recent DLL; the superseded ones remain on disk and need collecting as well. As in the autorun section, every write is in the WOW6432Node view of HKLM\SOFTWARE\Classes.

Processes:
  Medqcmki.exe, Nlleaeff.exe, Eiieicml.exe, Bgbpaipl.exe, Hdpiid32.exe, Igcoqocb.exe, Gfheof32.exe, Olmeci32.exe,
  Fedmqk32.exe, Ngdmod32.exe, Bgbdcgld.exe, Mlbbkfoq.exe, Mnphmkji.exe, Pabblb32.exe, Inqbclob.exe, Cogddd32.exe,
  Lphoelqn.exe, Baicac32.exe, Koaagkcb.exe, Lckiihok.exe, Kechmoil.exe, Knflpoqf.exe, Ggnedlao.exe, Gmfplibd.exe,
  Dgejpd32.exe, Edmclccp.exe, Nlfnaicd.exe, Aogiap32.exe, Alkijdci.exe, Mjaabq32.exe, Oqfdnhfk.exe, Gdncmghi.exe,
  Fechomko.exe, Ompfej32.exe, Mimpolee.exe, Flqdlnde.exe, Epikpo32.exe, Nhahaiec.exe, Loighj32.exe, Mlopkm32.exe,
  Bmofagfp.exe, Oofaiokl.exe, Ohqbhdpj.exe, Kgdpni32.exe, Aonhghjl.exe, Qqfmde32.exe, Gnfhfl32.exe, Eoekia32.exe,
  Empoiimf.exe, Eofgpikj.exe, Bahdob32.exe, Cdkifmjq.exe, Fnaokmco.exe, Djklmo32.exe, Lppbkgcj.exe, Bjaqpbkh.exe,
  Dlkbjqgm.exe, Ffclcgfn.exe, Ojbacd32.exe, Gmdcfidg.exe, Balpgb32.exe, Hhnbpb32.exe, Ojdgnn32.exe

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32, by:
  Nlleaeff.exe, Bgbpaipl.exe, Igcoqocb.exe, Fedmqk32.exe, Bgbdcgld.exe, Pabblb32.exe, Gmfplibd.exe, Mjaabq32.exe,
  Oqfdnhfk.exe, Gdncmghi.exe, Fechomko.exe, Bmofagfp.exe, Bahdob32.exe, Cdkifmjq.exe, Fnaokmco.exe, Lppbkgcj.exe

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment", by:
  Medqcmki.exe, Gfheof32.exe, Olmeci32.exe, Mlbbkfoq.exe, Inqbclob.exe, Baicac32.exe, Lckiihok.exe, Ggnedlao.exe,
  Edmclccp.exe, Ompfej32.exe, Epikpo32.exe, Nhahaiec.exe, Loighj32.exe, Mlopkm32.exe, Oofaiokl.exe, Ohqbhdpj.exe,
  Kgdpni32.exe, Aonhghjl.exe, Qqfmde32.exe, Eoekia32.exe, Empoiimf.exe, Djklmo32.exe

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ (default) = DLL path, by process:
  Eiieicml.exe  "C:\\Windows\\SysWow64\\Lagajn32.dll"
  Hdpiid32.exe  "C:\\Windows\\SysWow64\\Pdggmekl.dll"
  Ngdmod32.exe  "C:\\Windows\\SysWow64\\Ocljjj32.dll"
  Mnphmkji.exe  "C:\\Windows\\SysWow64\\Fkcocace.dll"
  Cogddd32.exe  "C:\\Windows\\SysWow64\\Hcjnlmph.dll"
  Lphoelqn.exe  "C:\\Windows\\SysWow64\\Ohkhqj32.dll"
  Koaagkcb.exe  "C:\\Windows\\SysWow64\\Bjdbkbbn.dll"
  Kechmoil.exe  "C:\\Windows\\SysWow64\\Dmjhenbq.dll"
  Knflpoqf.exe  "C:\\Windows\\SysWow64\\Ihqiqn32.dll"
  Dgejpd32.exe  "C:\\Windows\\SysWow64\\Kqjkhbpd.dll"
  Nlfnaicd.exe  "C:\\Windows\\SysWow64\\Mamjbp32.dll"
  Aogiap32.exe  "C:\\Windows\\SysWow64\\Idllbp32.dll"
  Alkijdci.exe  "C:\\Windows\\SysWow64\\Amoljp32.dll"
  Mimpolee.exe  "C:\\Windows\\SysWow64\\Mbgkhpld.dll"
  Flqdlnde.exe  "C:\\Windows\\SysWow64\\Gfibje32.dll"
  Gnfhfl32.exe  "C:\\Windows\\SysWow64\\Mbcqpq32.dll"
  Eofgpikj.exe  "C:\\Windows\\SysWow64\\Jhkbjd32.dll"
  Bjaqpbkh.exe  "C:\\Windows\\SysWow64\\Edogedqq.dll"
Set value (str)
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dlkbjqgm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ffclcgfn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojbacd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmdcfidg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Balpgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhnbpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngidlo32.dll" Lckiihok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ojdgnn32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes: e2d48262c936c39fa3bcece66fcb674400ef22cc314288cc7fef7fac460622ea.exe, Kfmepi32.exe, Klimip32.exe, Kebbafoj.exe, Kdcbom32.exe, Kipkhdeq.exe, Kbhoqj32.exe, Kibgmdcn.exe, Lbjlfi32.exe, Lmppcbjd.exe, Lfhdlh32.exe, Lpqiemge.exe, Liimncmf.exe, Ldoaklml.exe, Likjcbkc.exe, Ldanqkki.exe, Lebkhc32.exe, Lphoelqn.exe, Mbfkbhpa.exe, Mlopkm32.exe, Megdccmb.exe, Mckemg32.exe
description | pid | Process | procid_target
PID 232 wrote to memory of 1856 | 232 | e2d48262c936c39fa3bcece66fcb674400ef22cc314288cc7fef7fac460622ea.exe | 84
PID 232 wrote to memory of 1856 | 232 | e2d48262c936c39fa3bcece66fcb674400ef22cc314288cc7fef7fac460622ea.exe | 84
PID 232 wrote to memory of 1856 | 232 | e2d48262c936c39fa3bcece66fcb674400ef22cc314288cc7fef7fac460622ea.exe | 84
PID 1856 wrote to memory of 4964 | 1856 | Kfmepi32.exe | 85
PID 1856 wrote to memory of 4964 | 1856 | Kfmepi32.exe | 85
PID 1856 wrote to memory of 4964 | 1856 | Kfmepi32.exe | 85
PID 4964 wrote to memory of 1508 | 4964 | Klimip32.exe | 86
PID 4964 wrote to memory of 1508 | 4964 | Klimip32.exe | 86
PID 4964 wrote to memory of 1508 | 4964 | Klimip32.exe | 86
PID 1508 wrote to memory of 3032 | 1508 | Kebbafoj.exe | 87
PID 1508 wrote to memory of 3032 | 1508 | Kebbafoj.exe | 87
PID 1508 wrote to memory of 3032 | 1508 | Kebbafoj.exe | 87
PID 3032 wrote to memory of 1624 | 3032 | Kdcbom32.exe | 88
PID 3032 wrote to memory of 1624 | 3032 | Kdcbom32.exe | 88
PID 3032 wrote to memory of 1624 | 3032 | Kdcbom32.exe | 88
PID 1624 wrote to memory of 436 | 1624 | Kipkhdeq.exe | 89
PID 1624 wrote to memory of 436 | 1624 | Kipkhdeq.exe | 89
PID 1624 wrote to memory of 436 | 1624 | Kipkhdeq.exe | 89
PID 436 wrote to memory of 3536 | 436 | Kbhoqj32.exe | 90
PID 436 wrote to memory of 3536 | 436 | Kbhoqj32.exe | 90
PID 436 wrote to memory of 3536 | 436 | Kbhoqj32.exe | 90
PID 3536 wrote to memory of 992 | 3536 | Kibgmdcn.exe | 92
PID 3536 wrote to memory of 992 | 3536 | Kibgmdcn.exe | 92
PID 3536 wrote to memory of 992 | 3536 | Kibgmdcn.exe | 92
PID 992 wrote to memory of 1144 | 992 | Lbjlfi32.exe | 93
PID 992 wrote to memory of 1144 | 992 | Lbjlfi32.exe | 93
PID 992 wrote to memory of 1144 | 992 | Lbjlfi32.exe | 93
PID 1144 wrote to memory of 3548 | 1144 | Lmppcbjd.exe | 94
PID 1144 wrote to memory of 3548 | 1144 | Lmppcbjd.exe | 94
PID 1144 wrote to memory of 3548 | 1144 | Lmppcbjd.exe | 94
PID 3548 wrote to memory of 3428 | 3548 | Lfhdlh32.exe | 95
PID 3548 wrote to memory of 3428 | 3548 | Lfhdlh32.exe | 95
PID 3548 wrote to memory of 3428 | 3548 | Lfhdlh32.exe | 95
PID 3428 wrote to memory of 2040 | 3428 | Lpqiemge.exe | 96
PID 3428 wrote to memory of 2040 | 3428 | Lpqiemge.exe | 96
PID 3428 wrote to memory of 2040 | 3428 | Lpqiemge.exe | 96
PID 2040 wrote to memory of 4748 | 2040 | Liimncmf.exe | 97
PID 2040 wrote to memory of 4748 | 2040 | Liimncmf.exe | 97
PID 2040 wrote to memory of 4748 | 2040 | Liimncmf.exe | 97
PID 4748 wrote to memory of 4760 | 4748 | Ldoaklml.exe | 98
PID 4748 wrote to memory of 4760 | 4748 | Ldoaklml.exe | 98
PID 4748 wrote to memory of 4760 | 4748 | Ldoaklml.exe | 98
PID 4760 wrote to memory of 5064 | 4760 | Likjcbkc.exe | 99
PID 4760 wrote to memory of 5064 | 4760 | Likjcbkc.exe | 99
PID 4760 wrote to memory of 5064 | 4760 | Likjcbkc.exe | 99
PID 5064 wrote to memory of 724 | 5064 | Ldanqkki.exe | 101
PID 5064 wrote to memory of 724 | 5064 | Ldanqkki.exe | 101
PID 5064 wrote to memory of 724 | 5064 | Ldanqkki.exe | 101
PID 724 wrote to memory of 2188 | 724 | Lebkhc32.exe | 102
PID 724 wrote to memory of 2188 | 724 | Lebkhc32.exe | 102
PID 724 wrote to memory of 2188 | 724 | Lebkhc32.exe | 102
PID 2188 wrote to memory of 372 | 2188 | Lphoelqn.exe | 103
PID 2188 wrote to memory of 372 | 2188 | Lphoelqn.exe | 103
PID 2188 wrote to memory of 372 | 2188 | Lphoelqn.exe | 103
PID 372 wrote to memory of 3512 | 372 | Mbfkbhpa.exe | 104
PID 372 wrote to memory of 3512 | 372 | Mbfkbhpa.exe | 104
PID 372 wrote to memory of 3512 | 372 | Mbfkbhpa.exe | 104
PID 3512 wrote to memory of 3384 | 3512 | Mlopkm32.exe | 105
PID 3512 wrote to memory of 3384 | 3512 | Mlopkm32.exe | 105
PID 3512 wrote to memory of 3384 | 3512 | Mlopkm32.exe | 105
PID 3384 wrote to memory of 2824 | 3384 | Megdccmb.exe | 106
PID 3384 wrote to memory of 2824 | 3384 | Megdccmb.exe | 106
PID 3384 wrote to memory of 2824 | 3384 | Megdccmb.exe | 106
PID 2824 wrote to memory of 4008 | 2824 | Mckemg32.exe | 107
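The two event tables above are flat exports of the sandbox's lists, and a responder usually wants them as structured indicators rather than as text. The following is an added example, not part of this report and not code from the sandbox that produced it. It parses rows in exactly the shape printed above: for the registry-class rows it pulls out the CLSID, the value written (the InProcServer32 default value is the DLL path, ThreadingModel is its apartment setting) and the process that wrote it; for the WriteProcessMemory rows it rebuilds the parent-to-child chain and counts how many writes each launch produced. The sample rows are copied from this report (a subset); every function name is the example's own.

```python
import re
from collections import Counter

# Constructed sample input: rows copied from this report's "Modifies registry
# class" and "Suspicious use of WriteProcessMemory" tables (a subset of each).
REGISTRY_ROWS = [
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fedmqk32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocljjj32.dll" Ngdmod32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mlbbkfoq.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkcocace.dll" Mnphmkji.exe',
]
WPM_ROWS = (
    ["PID 232 wrote to memory of 1856 232 e2d48262c936c39fa3bcece66fcb674400ef22cc314288cc7fef7fac460622ea.exe 84"] * 3
    + ["PID 1856 wrote to memory of 4964 1856 Kfmepi32.exe 85"] * 3
    + ["PID 4964 wrote to memory of 1508 4964 Klimip32.exe 86"] * 3
    + ["PID 1508 wrote to memory of 3032 1508 Kebbafoj.exe 87"] * 3
)

# description, key path (no spaces inside it), optional = "value", writing process
_REG_RE = re.compile(
    r'^(?P<op>Key created|Set value \(str\)) (?P<key>\\REGISTRY\\\S+)'
    r'(?: = "(?P<value>[^"]*)")? (?P<proc>\S+\.exe)$')
_CLSID_RE = re.compile(r'\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}')
# "PID <src> wrote to memory of <dst> <src> <image> <sandbox process index>"
_WPM_RE = re.compile(r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) '
                     r'(?P<pid>\d+) (?P<proc>\S+) (?P<target>\d+)$')


def parse_registry_row(row):
    """Split one registry-class row into operation, subkey, CLSID, value name, value, writer."""
    m = _REG_RE.match(row)
    if not m:
        raise ValueError("unrecognised registry row: %r" % row)
    key = m.group("key")
    clsid = _CLSID_RE.search(key)
    if m.group("op") == "Key created":
        value_name = None
    elif key.endswith("\\"):
        # A trailing backslash is how the report prints a write to the key's (Default) value.
        key, value_name = key.rstrip("\\"), "(Default)"
    else:
        key, value_name = key.rsplit("\\", 1)
    value = m.group("value")
    if value is not None:
        value = value.replace("\\\\", "\\")  # the report prints escaped backslashes
    return {"op": m.group("op"), "key": key, "clsid": clsid.group(0) if clsid else None,
            "value_name": value_name, "value": value, "process": m.group("proc")}


def summarize_com_registration(rows):
    """Collapse the rows to what a responder needs: CLSIDs, the DLLs they point at,
    the threading model and the processes that did the writing."""
    out = {"clsids": set(), "dlls": set(), "threading_models": set(), "writers": set()}
    for rec in map(parse_registry_row, rows):
        if rec["clsid"]:
            out["clsids"].add(rec["clsid"])
        if rec["value_name"] == "(Default)" and rec["key"].lower().endswith("inprocserver32"):
            out["dlls"].add(rec["value"])
        if rec["value_name"] == "ThreadingModel":
            out["threading_models"].add(rec["value"])
        out["writers"].add(rec["process"])
    return out


def parse_wpm_row(row):
    m = _WPM_RE.match(row)
    if not m:
        raise ValueError("unrecognised WriteProcessMemory row: %r" % row)
    return {"src": int(m.group("src")), "dst": int(m.group("dst")),
            "process": m.group("proc"), "procid_target": int(m.group("target"))}


def reconstruct_chain(rows):
    """Follow parent -> child writes from the root (a writer that is never a target).
    Returns (chain, writes_per_launch); chain is [(pid, image name or None)].
    Raises if any PID writes to more than one other PID, i.e. if this is not
    the one-child-per-parent pattern the process tree shows."""
    recs = [parse_wpm_row(r) for r in rows]
    names = {r["src"]: r["process"] for r in recs}
    edges = Counter((r["src"], r["dst"]) for r in recs)
    children = {}
    for src, dst in edges:
        children.setdefault(src, set()).add(dst)
    targets = {dst for _, dst in edges}
    roots = [pid for pid in children if pid not in targets]
    if len(roots) != 1:
        raise ValueError("expected one root, found %r" % roots)
    chain, pid = [], roots[0]
    while pid is not None:
        chain.append((pid, names.get(pid)))  # the last child never writes, so its name is unknown here
        kids = children.get(pid, set())
        if len(kids) > 1:
            raise ValueError("pid %d wrote to more than one process: %r" % (pid, sorted(kids)))
        pid = next(iter(kids), None)
    return chain, dict(edges)


if __name__ == "__main__":
    print(summarize_com_registration(REGISTRY_ROWS))
    chain, writes = reconstruct_chain(WPM_ROWS)
    print(" -> ".join("%d:%s" % (pid, name or "?") for pid, name in chain))
    print("writes per launch:", sorted(set(writes.values())))
```

Every write target in the table is the child that the same process launches next in the tree below, so these are a parent populating a child it has just created rather than writes into an unrelated, pre-existing process; the one-child-per-parent check in reconstruct_chain encodes that, and would raise on a real injection target that appears twice. The last PID in the chain (4008 in the full table) only shows up as a target, which is why its image name has to come from the process tree rather than from this table.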
Processes
Each entry: nesting depth, image path, (command line as recorded), PID, followed by the signatures attributed to that process.
1  C:\Users\Admin\AppData\Local\Temp\e2d48262c936c39fa3bcece66fcb674400ef22cc314288cc7fef7fac460622ea.exe  ("C:\Users\Admin\AppData\Local\Temp\e2d48262c936c39fa3bcece66fcb674400ef22cc314288cc7fef7fac460622ea.exe")  PID:232
   - Suspicious use of WriteProcessMemory
2  C:\Windows\SysWOW64\Kfmepi32.exe  (C:\Windows\system32\Kfmepi32.exe)  PID:1856
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
3  C:\Windows\SysWOW64\Klimip32.exe  (C:\Windows\system32\Klimip32.exe)  PID:4964
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
4  C:\Windows\SysWOW64\Kebbafoj.exe  (C:\Windows\system32\Kebbafoj.exe)  PID:1508
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
5  C:\Windows\SysWOW64\Kdcbom32.exe  (C:\Windows\system32\Kdcbom32.exe)  PID:3032
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
6  C:\Windows\SysWOW64\Kipkhdeq.exe  (C:\Windows\system32\Kipkhdeq.exe)  PID:1624
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
7  C:\Windows\SysWOW64\Kbhoqj32.exe  (C:\Windows\system32\Kbhoqj32.exe)  PID:436
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
8  C:\Windows\SysWOW64\Kibgmdcn.exe  (C:\Windows\system32\Kibgmdcn.exe)  PID:3536
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
9  C:\Windows\SysWOW64\Lbjlfi32.exe  (C:\Windows\system32\Lbjlfi32.exe)  PID:992
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
10  C:\Windows\SysWOW64\Lmppcbjd.exe  (C:\Windows\system32\Lmppcbjd.exe)  PID:1144
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
11  C:\Windows\SysWOW64\Lfhdlh32.exe  (C:\Windows\system32\Lfhdlh32.exe)  PID:3548
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
12  C:\Windows\SysWOW64\Lpqiemge.exe  (C:\Windows\system32\Lpqiemge.exe)  PID:3428
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
13  C:\Windows\SysWOW64\Liimncmf.exe  (C:\Windows\system32\Liimncmf.exe)  PID:2040
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
14  C:\Windows\SysWOW64\Ldoaklml.exe  (C:\Windows\system32\Ldoaklml.exe)  PID:4748
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
15  C:\Windows\SysWOW64\Likjcbkc.exe  (C:\Windows\system32\Likjcbkc.exe)  PID:4760
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
16  C:\Windows\SysWOW64\Ldanqkki.exe  (C:\Windows\system32\Ldanqkki.exe)  PID:5064
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
17  C:\Windows\SysWOW64\Lebkhc32.exe  (C:\Windows\system32\Lebkhc32.exe)  PID:724
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
18  C:\Windows\SysWOW64\Lphoelqn.exe  (C:\Windows\system32\Lphoelqn.exe)  PID:2188
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
19  C:\Windows\SysWOW64\Mbfkbhpa.exe  (C:\Windows\system32\Mbfkbhpa.exe)  PID:372
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
20  C:\Windows\SysWOW64\Mlopkm32.exe  (C:\Windows\system32\Mlopkm32.exe)  PID:3512
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
21  C:\Windows\SysWOW64\Megdccmb.exe  (C:\Windows\system32\Megdccmb.exe)  PID:3384
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
22  C:\Windows\SysWOW64\Mckemg32.exe  (C:\Windows\system32\Mckemg32.exe)  PID:2824
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
23  C:\Windows\SysWOW64\Miemjaci.exe  (C:\Windows\system32\Miemjaci.exe)  PID:4008
   - Executes dropped EXE
24  C:\Windows\SysWOW64\Mlefklpj.exe  (C:\Windows\system32\Mlefklpj.exe)  PID:1172
   - Executes dropped EXE
25  C:\Windows\SysWOW64\Mcpnhfhf.exe  (C:\Windows\system32\Mcpnhfhf.exe)  PID:2272
   - Executes dropped EXE
26  C:\Windows\SysWOW64\Miifeq32.exe  (C:\Windows\system32\Miifeq32.exe)  PID:1944
   - Executes dropped EXE
27  C:\Windows\SysWOW64\Ndokbi32.exe  (C:\Windows\system32\Ndokbi32.exe)  PID:4148
   - Executes dropped EXE
28  C:\Windows\SysWOW64\Nilcjp32.exe  (C:\Windows\system32\Nilcjp32.exe)  PID:4088
   - Executes dropped EXE
29  C:\Windows\SysWOW64\Npfkgjdn.exe  (C:\Windows\system32\Npfkgjdn.exe)  PID:988
   - Executes dropped EXE
30  C:\Windows\SysWOW64\Njnpppkn.exe  (C:\Windows\system32\Njnpppkn.exe)  PID:2776
   - Executes dropped EXE
31  C:\Windows\SysWOW64\Nlmllkja.exe  (C:\Windows\system32\Nlmllkja.exe)  PID:3452
   - Executes dropped EXE
32  C:\Windows\SysWOW64\Ngbpidjh.exe  (C:\Windows\system32\Ngbpidjh.exe)  PID:1356
   - Executes dropped EXE
33  C:\Windows\SysWOW64\Nnlhfn32.exe  (C:\Windows\system32\Nnlhfn32.exe)  PID:1468
   - Executes dropped EXE
34  C:\Windows\SysWOW64\Ngdmod32.exe  (C:\Windows\system32\Ngdmod32.exe)  PID:2636
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies registry class
35  C:\Windows\SysWOW64\Njciko32.exe  (C:\Windows\system32\Njciko32.exe)  PID:1076
   - Executes dropped EXE
36  C:\Windows\SysWOW64\Nckndeni.exe  (C:\Windows\system32\Nckndeni.exe)  PID:2508
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
37  C:\Windows\SysWOW64\Nfjjppmm.exe  (C:\Windows\system32\Nfjjppmm.exe)  PID:2388
   - Executes dropped EXE
38  C:\Windows\SysWOW64\Nnqbanmo.exe  (C:\Windows\system32\Nnqbanmo.exe)  PID:3636
   - Executes dropped EXE
39  C:\Windows\SysWOW64\Ocnjidkf.exe  (C:\Windows\system32\Ocnjidkf.exe)  PID:1180
   - Executes dropped EXE
40  C:\Windows\SysWOW64\Oncofm32.exe  (C:\Windows\system32\Oncofm32.exe)  PID:2268
   - Executes dropped EXE
41  C:\Windows\SysWOW64\Odmgcgbi.exe  (C:\Windows\system32\Odmgcgbi.exe)  PID:5036
   - Executes dropped EXE
42  C:\Windows\SysWOW64\Ofnckp32.exe  (C:\Windows\system32\Ofnckp32.exe)  PID:2276
   - Executes dropped EXE
43  C:\Windows\SysWOW64\Opdghh32.exe  (C:\Windows\system32\Opdghh32.exe)  PID:3688
   - Executes dropped EXE
44  C:\Windows\SysWOW64\Ognpebpj.exe  (C:\Windows\system32\Ognpebpj.exe)  PID:1616
   - Executes dropped EXE
45  C:\Windows\SysWOW64\Onhhamgg.exe  (C:\Windows\system32\Onhhamgg.exe)  PID:1820
   - Executes dropped EXE
46  C:\Windows\SysWOW64\Oqfdnhfk.exe  (C:\Windows\system32\Oqfdnhfk.exe)  PID:856
   - Executes dropped EXE
   - Modifies registry class
47  C:\Windows\SysWOW64\Ogpmjb32.exe  (C:\Windows\system32\Ogpmjb32.exe)  PID:1244
   - Executes dropped EXE
48  C:\Windows\SysWOW64\Olmeci32.exe  (C:\Windows\system32\Olmeci32.exe)  PID:4372
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   - Modifies registry class
49  C:\Windows\SysWOW64\Oddmdf32.exe  (C:\Windows\system32\Oddmdf32.exe)  PID:5116
   - Executes dropped EXE
50  C:\Windows\SysWOW64\Ofeilobp.exe  (C:\Windows\system32\Ofeilobp.exe)  PID:3312
   - Executes dropped EXE
51  C:\Windows\SysWOW64\Pmoahijl.exe  (C:\Windows\system32\Pmoahijl.exe)  PID:3260
   - Executes dropped EXE
52  C:\Windows\SysWOW64\Pgefeajb.exe  (C:\Windows\system32\Pgefeajb.exe)  PID:3132
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
53  C:\Windows\SysWOW64\Pjcbbmif.exe  (C:\Windows\system32\Pjcbbmif.exe)  PID:3832
   - Executes dropped EXE
54  C:\Windows\SysWOW64\Pqmjog32.exe  (C:\Windows\system32\Pqmjog32.exe)  PID:1512
   - Executes dropped EXE
55  C:\Windows\SysWOW64\Pggbkagp.exe  (C:\Windows\system32\Pggbkagp.exe)  PID:1984
   - Executes dropped EXE
56  C:\Windows\SysWOW64\Pnakhkol.exe  (C:\Windows\system32\Pnakhkol.exe)  PID:4784
   - Executes dropped EXE
57  C:\Windows\SysWOW64\Pcncpbmd.exe  (C:\Windows\system32\Pcncpbmd.exe)  PID:4968
   - Executes dropped EXE
58  C:\Windows\SysWOW64\Pjhlml32.exe  (C:\Windows\system32\Pjhlml32.exe)  PID:4416
   - Executes dropped EXE
59  C:\Windows\SysWOW64\Pdmpje32.exe  (C:\Windows\system32\Pdmpje32.exe)  PID:2884
   - Executes dropped EXE
60  C:\Windows\SysWOW64\Pjjhbl32.exe  (C:\Windows\system32\Pjjhbl32.exe)  PID:1476
   - Executes dropped EXE
61  C:\Windows\SysWOW64\Pmidog32.exe  (C:\Windows\system32\Pmidog32.exe)  PID:2844
   - Executes dropped EXE
62  C:\Windows\SysWOW64\Pgnilpah.exe  (C:\Windows\system32\Pgnilpah.exe)  PID:380
   - Executes dropped EXE
63  C:\Windows\SysWOW64\Qnhahj32.exe  (C:\Windows\system32\Qnhahj32.exe)  PID:4548
   - Executes dropped EXE
64  C:\Windows\SysWOW64\Qqfmde32.exe  (C:\Windows\system32\Qqfmde32.exe)  PID:1636
   - Executes dropped EXE
   - Modifies registry class
65  C:\Windows\SysWOW64\Bebblb32.exe  (C:\Windows\system32\Bebblb32.exe)  PID:4676
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
66  C:\Windows\SysWOW64\Bjokdipf.exe  (C:\Windows\system32\Bjokdipf.exe)  PID:3640
67  C:\Windows\SysWOW64\Baicac32.exe  (C:\Windows\system32\Baicac32.exe)  PID:3108
   - Modifies registry class
68  C:\Windows\SysWOW64\Bgcknmop.exe  (C:\Windows\system32\Bgcknmop.exe)  PID:2140
69  C:\Windows\SysWOW64\Balpgb32.exe  (C:\Windows\system32\Balpgb32.exe)  PID:4056
   - Modifies registry class
70  C:\Windows\SysWOW64\Bgehcmmm.exe  (C:\Windows\system32\Bgehcmmm.exe)  PID:1952
71  C:\Windows\SysWOW64\Banllbdn.exe  (C:\Windows\system32\Banllbdn.exe)  PID:4804
72  C:\Windows\SysWOW64\Bclhhnca.exe  (C:\Windows\system32\Bclhhnca.exe)  PID:4528
73  C:\Windows\SysWOW64\Bnbmefbg.exe  (C:\Windows\system32\Bnbmefbg.exe)  PID:4344
74  C:\Windows\SysWOW64\Belebq32.exe  (C:\Windows\system32\Belebq32.exe)  PID:1584
   - Adds autorun key to be loaded by Explorer.exe on startup
75  C:\Windows\SysWOW64\Cfmajipb.exe  (C:\Windows\system32\Cfmajipb.exe)  PID:3764
76  C:\Windows\SysWOW64\Cmgjgcgo.exe  (C:\Windows\system32\Cmgjgcgo.exe)  PID:4260
77  C:\Windows\SysWOW64\Cfpnph32.exe  (C:\Windows\system32\Cfpnph32.exe)  PID:5000
78  C:\Windows\SysWOW64\Caebma32.exe  (C:\Windows\system32\Caebma32.exe)  PID:1140
79  C:\Windows\SysWOW64\Chokikeb.exe  (C:\Windows\system32\Chokikeb.exe)  PID:3440
80  C:\Windows\SysWOW64\Cmlcbbcj.exe  (C:\Windows\system32\Cmlcbbcj.exe)  PID:2360
81  C:\Windows\SysWOW64\Cdfkolkf.exe  (C:\Windows\system32\Cdfkolkf.exe)  PID:4464
   - Adds autorun key to be loaded by Explorer.exe on startup
82  C:\Windows\SysWOW64\Cjpckf32.exe  (C:\Windows\system32\Cjpckf32.exe)  PID:1532
83  C:\Windows\SysWOW64\Cdhhdlid.exe  (C:\Windows\system32\Cdhhdlid.exe)  PID:1516
   - Adds autorun key to be loaded by Explorer.exe on startup
84  C:\Windows\SysWOW64\Cjbpaf32.exe  (C:\Windows\system32\Cjbpaf32.exe)  PID:5136
   - Adds autorun key to be loaded by Explorer.exe on startup
85  C:\Windows\SysWOW64\Cegdnopg.exe  (C:\Windows\system32\Cegdnopg.exe)  PID:5184
86  C:\Windows\SysWOW64\Dfiafg32.exe  (C:\Windows\system32\Dfiafg32.exe)  PID:5224
87  C:\Windows\SysWOW64\Danecp32.exe  (C:\Windows\system32\Danecp32.exe)  PID:5272
88  C:\Windows\SysWOW64\Dfknkg32.exe  (C:\Windows\system32\Dfknkg32.exe)  PID:5316
89  C:\Windows\SysWOW64\Dmefhako.exe  (C:\Windows\system32\Dmefhako.exe)  PID:5360
90  C:\Windows\SysWOW64\Delnin32.exe  (C:\Windows\system32\Delnin32.exe)  PID:5420
91  C:\Windows\SysWOW64\Dhkjej32.exe  (C:\Windows\system32\Dhkjej32.exe)  PID:5464
92  C:\Windows\SysWOW64\Dodbbdbb.exe  (C:\Windows\system32\Dodbbdbb.exe)  PID:5500
93  C:\Windows\SysWOW64\Daconoae.exe  (C:\Windows\system32\Daconoae.exe)  PID:5572
94  C:\Windows\SysWOW64\Dhmgki32.exe  (C:\Windows\system32\Dhmgki32.exe)  PID:5620
95  C:\Windows\SysWOW64\Dkkcge32.exe  (C:\Windows\system32\Dkkcge32.exe)  PID:5672
96  C:\Windows\SysWOW64\Daekdooc.exe  (C:\Windows\system32\Daekdooc.exe)  PID:5740
97  C:\Windows\SysWOW64\Dhocqigp.exe  (C:\Windows\system32\Dhocqigp.exe)  PID:5788
   - Drops file in System32 directory
98  C:\Windows\SysWOW64\Doilmc32.exe  (C:\Windows\system32\Doilmc32.exe)  PID:5848
99  C:\Windows\SysWOW64\Dahhio32.exe  (C:\Windows\system32\Dahhio32.exe)  PID:5904
100  C:\Windows\SysWOW64\Edfdej32.exe  (C:\Windows\system32\Edfdej32.exe)  PID:5960
101  C:\Windows\SysWOW64\Ekpmbddq.exe  (C:\Windows\system32\Ekpmbddq.exe)  PID:6036
102  C:\Windows\SysWOW64\Emoinpcd.exe  (C:\Windows\system32\Emoinpcd.exe)  PID:6096
   - Adds autorun key to be loaded by Explorer.exe on startup
103  C:\Windows\SysWOW64\Eefaomcg.exe  (C:\Windows\system32\Eefaomcg.exe)  PID:6140
104  C:\Windows\SysWOW64\Eggmge32.exe  (C:\Windows\system32\Eggmge32.exe)  PID:5176
105  C:\Windows\SysWOW64\Emaedo32.exe  (C:\Windows\system32\Emaedo32.exe)  PID:5260
106  C:\Windows\SysWOW64\Eehnem32.exe  (C:\Windows\system32\Eehnem32.exe)  PID:5284
107  C:\Windows\SysWOW64\Ehfjah32.exe  (C:\Windows\system32\Ehfjah32.exe)  PID:5408
108  C:\Windows\SysWOW64\Eopbnbhd.exe  (C:\Windows\system32\Eopbnbhd.exe)  PID:5492
109  C:\Windows\SysWOW64\Eejjjl32.exe  (C:\Windows\system32\Eejjjl32.exe)  PID:5588
   - Drops file in System32 directory
110  C:\Windows\SysWOW64\Ekgbccni.exe  (C:\Windows\system32\Ekgbccni.exe)  PID:5664
111  C:\Windows\SysWOW64\Emeoooml.exe  (C:\Windows\system32\Emeoooml.exe)  PID:5756
112  C:\Windows\SysWOW64\Edpgli32.exe  (C:\Windows\system32\Edpgli32.exe)  PID:4560
   - Adds autorun key to be loaded by Explorer.exe on startup
113  C:\Windows\SysWOW64\Egnchd32.exe  (C:\Windows\system32\Egnchd32.exe)  PID:5952
114  C:\Windows\SysWOW64\Eoekia32.exe  (C:\Windows\system32\Eoekia32.exe)  PID:6044
   - Modifies registry class
115  C:\Windows\SysWOW64\Eachem32.exe  (C:\Windows\system32\Eachem32.exe)  PID:6124
116  C:\Windows\SysWOW64\Fhmpagkp.exe  (C:\Windows\system32\Fhmpagkp.exe)  PID:5220
117  C:\Windows\SysWOW64\Fkllnbjc.exe  (C:\Windows\system32\Fkllnbjc.exe)  PID:5312
   - Adds autorun key to be loaded by Explorer.exe on startup
118  C:\Windows\SysWOW64\Fnjhjn32.exe  (C:\Windows\system32\Fnjhjn32.exe)  PID:5440
119  C:\Windows\SysWOW64\Fddqghpd.exe  (C:\Windows\system32\Fddqghpd.exe)  PID:5556
   - Drops file in System32 directory
120  C:\Windows\SysWOW64\Fgbmccpg.exe  (C:\Windows\system32\Fgbmccpg.exe)  PID:5720
121  C:\Windows\SysWOW64\Fojedapj.exe  (C:\Windows\system32\Fojedapj.exe)  PID:5828
122  C:\Windows\SysWOW64\Fedmqk32.exe  (C:\Windows\system32\Fedmqk32.exe)  PID:6016
   - Modifies registry class
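Two things in the tree above are easy to misread. First, every dropped executable is recorded at C:\Windows\SysWOW64\ but launched with a C:\Windows\system32\ command line; that is WOW64 file-system redirection applied to a 32-bit process (the sample runs as x86, and its registry writes land under WOW6432Node), not two copies of each file. Second, the per-signature lists in this report are capped at 64 IoCs, and "Executes dropped EXE" is attached to processes 2 through 65 and to none after, so the absence of the tag from the 66th process onward is the cap, not a change in behaviour. The persistence side is in the registry table: the CLSID {79FEACFF-FFCE-815E-A900-316290B5B738} is given an InProcServer32 under Classes\WOW6432Node\CLSID pointing at a DLL in SysWow64, which is what lets a COM client load the dropped DLL once the CLSID is referenced. The following is an added audit script, not part of this report and not from any tool it names, that reads the CLSID registrations on a Windows host and flags ones matching this report. The classification is a pure function so it can be tested anywhere; the registry walk needs Windows. The CLSID and the seventeen DLL names come from this page; the name-shape rule is an assumption derived from those names, not a documented property of the family, and is labelled as a heuristic in its output.

```python
import os
import re

# Observables taken from this report's registry-class table.
REPORTED_CLSID = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
REPORTED_DLLS = {
    "Ocljjj32.dll", "Fkcocace.dll", "Hcjnlmph.dll", "Ohkhqj32.dll", "Bjdbkbbn.dll",
    "Dmjhenbq.dll", "Ihqiqn32.dll", "Kqjkhbpd.dll", "Mamjbp32.dll", "Idllbp32.dll",
    "Amoljp32.dll", "Mbgkhpld.dll", "Gfibje32.dll", "Mbcqpq32.dll", "Jhkbjd32.dll",
    "Edogedqq.dll", "Ngidlo32.dll",
}
# Assumption / heuristic: every DLL name in that table is one capital, five
# lower-case letters, then "32" or two more letters. Treat matches as leads only.
_NAME_SHAPE = re.compile(r"^[A-Z][a-z]{5}(?:32|[a-z]{2})\.dll$")
SYSWOW64 = "c:\\windows\\syswow64\\"
HEURISTIC = "SysWOW64 DLL whose name has this sample's shape (heuristic)"


def assess_inproc_server(clsid, server_path):
    """Reasons an InProcServer32 registration resembles the one in this report.
    Pure function: no registry access, so it runs and can be tested anywhere."""
    reasons = []
    normalised = server_path.replace("/", "\\")
    name = normalised.rsplit("\\", 1)[-1]
    if clsid.upper() == REPORTED_CLSID:
        reasons.append("CLSID matches the one registered in this report")
    if name in REPORTED_DLLS:
        reasons.append("server DLL name appears in this report")
    if normalised.lower().startswith(SYSWOW64) and _NAME_SHAPE.match(name):
        reasons.append(HEURISTIC)
    return reasons


def audit_clsid_tree(classes_key=r"SOFTWARE\Classes\WOW6432Node\CLSID"):
    r"""Walk HKLM\<classes_key>, read each CLSID's InProcServer32 and return the hits.
    Windows only (winreg). Call it with the WOW6432Node path for 32-bit COM
    servers, which is where this sample registers, and again with
    SOFTWARE\Classes\CLSID to cover the 64-bit view."""
    import winreg  # imported here so assess_inproc_server stays usable off Windows
    hits = []
    # KEY_WOW64_64KEY pins the 64-bit registry view so a 32-bit Python is not redirected.
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, classes_key, 0,
                        winreg.KEY_READ | winreg.KEY_WOW64_64KEY) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            clsid = winreg.EnumKey(root, i)
            try:
                with winreg.OpenKey(root, clsid + r"\InProcServer32") as srv:
                    server = str(winreg.QueryValueEx(srv, "")[0])  # (Default) = DLL path
                    try:
                        model = winreg.QueryValueEx(srv, "ThreadingModel")[0]
                    except FileNotFoundError:
                        model = None
            except FileNotFoundError:
                continue  # this CLSID has no in-process server
            reasons = assess_inproc_server(clsid, server)
            if reasons:
                hits.append({
                    "clsid": clsid, "server": server, "threading_model": model,
                    # Missing file: a dangling registration. Present file: live, collect it.
                    "on_disk": os.path.isfile(os.path.expandvars(server)),
                    "reasons": reasons,
                })
    return hits


if __name__ == "__main__":
    for path in (r"SOFTWARE\Classes\WOW6432Node\CLSID", r"SOFTWARE\Classes\CLSID"):
        for hit in audit_clsid_tree(path):
            print(path, hit)
```

A hit on the CLSID or on one of the listed DLL names is a direct match to this report; a hit on the heuristic alone needs a look at the file (signature, timestamp, whether it was dropped by one of the processes in the tree) before it means anything, since legitimate 32-bit COM servers also live in SysWOW64. Run the script elevated so every CLSID subkey can be opened, and run it against both views, because only the WOW6432Node view holds what this sample wrote.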