Analysis
-
max time kernel
108s -
max time network
110s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
03-11-2024 10:35
Static task
static1
Behavioral task
behavioral1
Sample
48be369d1a6ead5e47da696b8e6913248abeda018c6fd19720b3539a384377bbN.exe
Resource
win7-20240903-en
General
-
Target
48be369d1a6ead5e47da696b8e6913248abeda018c6fd19720b3539a384377bbN.exe
-
Size
163KB
-
MD5
a23236babee4baa7c3900d679458b530
-
SHA1
af8b60dab1a21d24ba5fd827f355e9ff4bd05569
-
SHA256
48be369d1a6ead5e47da696b8e6913248abeda018c6fd19720b3539a384377bb
-
SHA512
d2047e22e0f00252ec07105406e543dd43b9759b096001a1cb7a7ea05d6e1ce446fe8f3e30a269b0b25b49689f78edbd44c4c6c1558a2baf9ffaf04a4e3da5a7
-
SSDEEP
1536:Pr1zhsYnvD3VVcZ9rklProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:T1X0vrkltOrWKDBr+yJb
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Extracted
gozi
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Jbfheo32.exePmlmkn32.exeHekgfj32.exeLflbkcll.exeKnippe32.exeBqkill32.exeGbchdp32.exeJnlkedai.exeAhdpjn32.exeCbeapmll.exeEfafgifc.exeBoenhgdd.exeJlbejloe.exeMfcmmp32.exeGknkpjfb.exeHjedffig.exeAlelqb32.exeHaoimcgg.exeAakebqbj.exePhonha32.exeNofefp32.exePllgnl32.exeAeddnp32.exeJlfpdh32.exeGpolbo32.exeKpqggh32.exeAgbkmijg.exeAfjeceml.exeIpkdek32.exeJddnfd32.exeInainbcn.exeMjpbam32.exeBhnikc32.exeIialhaad.exeMlofcf32.exeFalcae32.exeBmofagfp.exeBopocbcq.exeDiicml32.exeDggbcf32.exeDkcndeen.exeBoipmj32.exeNbcjnilj.exePdkoch32.exeGlgcbf32.exeIfmqfm32.exeApjkcadp.exeLppbkgcj.exeNcjginjn.exeBjicdmmd.exeLfealaol.exeQjnkcekm.exeAqkpeopg.exeCbbdjm32.exeFpggamqc.exeNabfjpak.exedescription ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbfheo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmlmkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hekgfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lflbkcll.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knippe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bqkill32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbchdp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnlkedai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahdpjn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbeapmll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efafgifc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boenhgdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlbejloe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfcmmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gknkpjfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjedffig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alelqb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Haoimcgg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aakebqbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phonha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nofefp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pllgnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aeddnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlfpdh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpolbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpqggh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agbkmijg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afjeceml.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipkdek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jddnfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inainbcn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjpbam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhnikc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Boenhgdd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iialhaad.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlofcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Falcae32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmofagfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bopocbcq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Diicml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dggbcf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkcndeen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Boipmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbfheo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbcjnilj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdkoch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glgcbf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifmqfm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apjkcadp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lppbkgcj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncjginjn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjicdmmd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfealaol.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjnkcekm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aqkpeopg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbbdjm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpggamqc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nabfjpak.exe -
Berbew family
-
Gozi family
-
Executes dropped EXE 64 IoCs
Processes:
Ikcdlmgf.exeIfihif32.exeIgjeanmj.exeIndmnh32.exeIijaka32.exeJodjhkkj.exeJfnbdecg.exeJoffnk32.exeJiokfpph.exeJnkcogno.exeJiaglp32.exeJkodhk32.exeJfehed32.exeJkaqnk32.exeJfgdkd32.exeJieagojp.exeKnbiofhg.exeKgknhl32.exeKflnfcgg.exeKpdboimg.exeKeakgpko.exeKnippe32.exeKiodmn32.exeKlmpiiai.exeKefdbo32.exeLpkiph32.exeLfealaol.exeLhfmdj32.exeLnqeqd32.exeLejnmncd.exeLhijijbg.exeLppbkgcj.exeLihfcm32.exeLbqklb32.exeLikcilhh.exeLbchba32.exeMimpolee.exeMbedga32.exeMedqcmki.exeMlnipg32.exeMbhamajc.exeMfcmmp32.exeMibijk32.exeMplafeil.exeMbjnbqhp.exeMidfokpm.exeMlbbkfoq.exeMoaogand.exeMekgdl32.exeMleoafmn.exeMbognp32.exeNemcjk32.exeNlglfe32.exeNbadcpbh.exeNiklpj32.exeNlihle32.exeNebmekoi.exeNpgabc32.exeNgaionfl.exeNhbfff32.exeNomncpcg.exeNgdfdmdi.exeNibbqicm.exeNlqomd32.exepid Process 1596 Ikcdlmgf.exe 4416 Ifihif32.exe 3324 Igjeanmj.exe 1268 Indmnh32.exe 1804 Iijaka32.exe 4784 Jodjhkkj.exe 1744 Jfnbdecg.exe 620 Joffnk32.exe 2924 Jiokfpph.exe 1636 Jnkcogno.exe 4088 Jiaglp32.exe 4932 Jkodhk32.exe 5072 Jfehed32.exe 1088 Jkaqnk32.exe 4764 Jfgdkd32.exe 1864 Jieagojp.exe 1016 Knbiofhg.exe 2968 Kgknhl32.exe 5032 Kflnfcgg.exe 4800 Kpdboimg.exe 528 Keakgpko.exe 3632 Knippe32.exe 1824 Kiodmn32.exe 1828 Klmpiiai.exe 2320 Kefdbo32.exe 956 Lpkiph32.exe 2040 Lfealaol.exe 1692 Lhfmdj32.exe 3940 Lnqeqd32.exe 4192 Lejnmncd.exe 2976 Lhijijbg.exe 3496 Lppbkgcj.exe 1080 Lihfcm32.exe 2676 Lbqklb32.exe 1528 Likcilhh.exe 508 Lbchba32.exe 4448 Mimpolee.exe 2088 Mbedga32.exe 3960 Medqcmki.exe 2944 Mlnipg32.exe 4624 Mbhamajc.exe 2036 Mfcmmp32.exe 4472 Mibijk32.exe 2728 Mplafeil.exe 2404 Mbjnbqhp.exe 5076 Midfokpm.exe 3032 Mlbbkfoq.exe 5084 Moaogand.exe 2784 Mekgdl32.exe 3208 Mleoafmn.exe 4840 Mbognp32.exe 1800 Nemcjk32.exe 3440 Nlglfe32.exe 2400 Nbadcpbh.exe 1876 Niklpj32.exe 3152 Nlihle32.exe 4760 Nebmekoi.exe 2160 Npgabc32.exe 2168 Ngaionfl.exe 2908 Nhbfff32.exe 1940 Nomncpcg.exe 1444 Ngdfdmdi.exe 696 Nibbqicm.exe 2912 Nlqomd32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Kcejco32.exeFelbnn32.exePafkgphl.exeJcdjbk32.exePdmdnadc.exeJiaglp32.exeCjjcfabm.exeLnbklm32.exeBknlbhhe.exeCkbncapd.exeFdcjlb32.exeHipmfjee.exeLfgipd32.exeEqiibjlj.exeFkhpfbce.exeMilidebi.exeHmlpaoaj.exeJpfepf32.exeGfhndpol.exePdjgha32.exeOeheqm32.exeBakgoh32.exeNofefp32.exeQoifflkg.exeCpeohh32.exeKageaj32.exeAahbbkaq.exeLohqnd32.exe48be369d1a6ead5e47da696b8e6913248abeda018c6fd19720b3539a384377bbN.exeOpcqnb32.exeIkndgg32.exeAcmobchj.exeOllnhb32.exeHgmgqc32.exeFligqhga.exeQaqegecm.exeFkbkdkpp.exeGnlgleef.exeKjkpoq32.exeKjepjkhf.exeFnipbc32.exePmphaaln.exeMcecjmkl.exeFmmmfj32.exeOhlqcagj.exeBhnikc32.exeBaegibae.exeBmmpfn32.exeIpgbdbqb.exeJppnpjel.exePbekii32.exeJdedak32.exeNlphbnoe.exePlmmif32.exeMmmqhl32.exeIolhkh32.exedescription ioc Process File opened for modification C:\Windows\SysWOW64\Lklbdm32.exe Kcejco32.exe File created C:\Windows\SysWOW64\Ebcneqod.dll Felbnn32.exe File created C:\Windows\SysWOW64\Pcegclgp.exe Pafkgphl.exe File created C:\Windows\SysWOW64\Olieecnn.dll Jcdjbk32.exe File created C:\Windows\SysWOW64\Qjfmkk32.exe Pdmdnadc.exe File created C:\Windows\SysWOW64\Bekdaogi.dll File opened for modification C:\Windows\SysWOW64\Jkodhk32.exe Jiaglp32.exe File opened for modification C:\Windows\SysWOW64\Cmipblaq.exe Cjjcfabm.exe File opened for modification C:\Windows\SysWOW64\Lelchgne.exe Lnbklm32.exe File opened for modification C:\Windows\SysWOW64\Bnlhncgi.exe Bknlbhhe.exe File created C:\Windows\SysWOW64\Cmpjoloh.exe Ckbncapd.exe File created C:\Windows\SysWOW64\Fmlneg32.exe Fdcjlb32.exe File opened for modification C:\Windows\SysWOW64\Hpiecd32.exe Hipmfjee.exe File opened for modification C:\Windows\SysWOW64\Lnoaaaad.exe Lfgipd32.exe File opened for modification C:\Windows\SysWOW64\Egcaod32.exe Eqiibjlj.exe File created C:\Windows\SysWOW64\Fnfmbmbi.exe Fkhpfbce.exe File created C:\Windows\SysWOW64\Pognhd32.dll Milidebi.exe File created C:\Windows\SysWOW64\Efpgoecp.dll Hmlpaoaj.exe File created C:\Windows\SysWOW64\Jklinohd.exe Jpfepf32.exe File opened for modification C:\Windows\SysWOW64\Gldglf32.exe Gfhndpol.exe File opened for modification C:\Windows\SysWOW64\Pjdpelnc.exe Pdjgha32.exe File created C:\Windows\SysWOW64\Ojdnid32.exe Oeheqm32.exe File created C:\Windows\SysWOW64\Bheplb32.exe Bakgoh32.exe File created C:\Windows\SysWOW64\Nbebbk32.exe Nofefp32.exe File created C:\Windows\SysWOW64\Ppebjo32.dll Qoifflkg.exe File created C:\Windows\SysWOW64\Kcllei32.dll Cpeohh32.exe File opened for modification C:\Windows\SysWOW64\Kgamnded.exe Kageaj32.exe File created C:\Windows\SysWOW64\Oddfcg32.dll Aahbbkaq.exe File created C:\Windows\SysWOW64\Lebijnak.exe Lohqnd32.exe File created C:\Windows\SysWOW64\Ikcdlmgf.exe 48be369d1a6ead5e47da696b8e6913248abeda018c6fd19720b3539a384377bbN.exe File created C:\Windows\SysWOW64\Ocamjm32.exe Opcqnb32.exe File opened for modification C:\Windows\SysWOW64\Inmpcc32.exe Ikndgg32.exe File created C:\Windows\SysWOW64\Negcig32.dll Acmobchj.exe File created C:\Windows\SysWOW64\Gcjdam32.exe File opened for modification C:\Windows\SysWOW64\Kajfdk32.exe File created C:\Windows\SysWOW64\Lilqdd32.dll Ollnhb32.exe File created C:\Windows\SysWOW64\Njfkbf32.dll Lnbklm32.exe File created C:\Windows\SysWOW64\Icdheded.exe Hgmgqc32.exe File created C:\Windows\SysWOW64\Kaaldjil.exe File opened for modification C:\Windows\SysWOW64\Fpdcag32.exe Fligqhga.exe File created C:\Windows\SysWOW64\Qfmmplad.exe Qaqegecm.exe File opened for modification C:\Windows\SysWOW64\Leoejh32.exe File opened for modification C:\Windows\SysWOW64\Fielph32.exe Fkbkdkpp.exe File created C:\Windows\SysWOW64\Gahcmd32.exe Gnlgleef.exe File created C:\Windows\SysWOW64\Kbbhqn32.exe Kjkpoq32.exe File created C:\Windows\SysWOW64\Iekkfckg.dll Kjepjkhf.exe File created C:\Windows\SysWOW64\Fmlbhekk.dll Fnipbc32.exe File opened for modification C:\Windows\SysWOW64\Ppnenlka.exe Pmphaaln.exe File created C:\Windows\SysWOW64\Bigpblgh.dll File created C:\Windows\SysWOW64\Maiccajf.exe Mcecjmkl.exe File created C:\Windows\SysWOW64\Fnnjmbpm.exe Fmmmfj32.exe File created C:\Windows\SysWOW64\Bdlgcp32.dll Ohlqcagj.exe File created C:\Windows\SysWOW64\Qdhogopn.dll Bhnikc32.exe File created C:\Windows\SysWOW64\Ndikch32.dll Baegibae.exe File opened for modification C:\Windows\SysWOW64\Boklbi32.exe Bmmpfn32.exe File opened for modification C:\Windows\SysWOW64\Ibfnqmpf.exe Ipgbdbqb.exe File created C:\Windows\SysWOW64\Dbkqqe32.dll Jppnpjel.exe File opened for modification C:\Windows\SysWOW64\Pfagighf.exe Pbekii32.exe File created C:\Windows\SysWOW64\Jgcamf32.exe Jdedak32.exe File created C:\Windows\SysWOW64\Haplhc32.dll Kjkpoq32.exe File opened for modification C:\Windows\SysWOW64\Oehlkc32.exe Nlphbnoe.exe File opened for modification C:\Windows\SysWOW64\Pkbjjbda.exe Plmmif32.exe File created C:\Windows\SysWOW64\Cnocia32.dll Mmmqhl32.exe File opened for modification C:\Windows\SysWOW64\Iajdgcab.exe Iolhkh32.exe -
Program crash 1 IoCs
Processes:
pid pid_target Process procid_target 10632 8212 1247 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Gfeaopqo.exeGejhef32.exeHdilnojp.exeJkhgmf32.exeBdojjo32.exeMlbkap32.exeGbnoiqdq.exeFnfmbmbi.exeJimldogg.exeGlcaambb.exeFmhdkknd.exeKefiopki.exePfccogfc.exeQljjjqlc.exeHhbkinel.exeBaegibae.exeIhdldn32.exeCjaifp32.exeAnclbkbp.exeJifecp32.exeBcddcbab.exeFijkdmhn.exeIinqbn32.exeQeodhjmo.exeCgcmjd32.exeMehcdfch.exeQaflgago.exeBafndi32.exeCdkifmjq.exeCkebcg32.exeAodfajaj.exeLjbfpo32.exeGpcmga32.exeDjelgied.exeIgdnabjh.exeCohkokgj.exeDbkqfe32.exeNcjginjn.exeCpeohh32.exeOcjoadei.exeAhaceo32.exeJodjhkkj.exeMejpje32.exeOophlo32.exeOgpepl32.exeIpjedh32.exeGmeakf32.exeKenggi32.exeJlgoek32.exeJoffnk32.exeDakacjdb.exeHmdlmg32.exeIpgbdbqb.exeEoepebho.exeNlphbnoe.exeJpfepf32.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfeaopqo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gejhef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdilnojp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkhgmf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdojjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlbkap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbnoiqdq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnfmbmbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jimldogg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glcaambb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmhdkknd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kefiopki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfccogfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qljjjqlc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhbkinel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baegibae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihdldn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjaifp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anclbkbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jifecp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcddcbab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fijkdmhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iinqbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qeodhjmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgcmjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mehcdfch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qaflgago.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bafndi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdkifmjq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckebcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aodfajaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljbfpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpcmga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djelgied.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igdnabjh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cohkokgj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbkqfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncjginjn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpeohh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocjoadei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahaceo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jodjhkkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mejpje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oophlo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogpepl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipjedh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmeakf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kenggi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlgoek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joffnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dakacjdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmdlmg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipgbdbqb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eoepebho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlphbnoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpfepf32.exe -
Modifies registry class 64 IoCs
Processes:
Ibhkfm32.exeBddcenpi.exeJjdjoane.exeGbfldf32.exeCmipblaq.exeAeddnp32.exeCfkmkf32.exeKgmcce32.exeHpiecd32.exeNbebbk32.exeGklnjj32.exeCofnik32.exeLikhem32.exeCcmcgcmp.exeMjpbam32.exeIpeeobbe.exeMimpolee.exeCbbdjm32.exe48be369d1a6ead5e47da696b8e6913248abeda018c6fd19720b3539a384377bbN.exeLlodgnja.exeFphnlcdo.exeFfnknafg.exeKlhnfo32.exeMmhgmmbf.exeOfmdio32.exeMleoafmn.exeAfjeceml.exeObafpg32.exeKjblje32.exePlagcbdn.exeHnodaecc.exeGmdjapgb.exeJpfepf32.exeJcikgacl.exeChqogq32.exeFpdcag32.exeDfoplpla.exeDfgcakon.exeOlicnfco.exeIhdldn32.exeOklkdi32.exeFnnjmbpm.exeAadghn32.exeAhchda32.exeHbihjifh.exeCaghhk32.exeIbcjqgnm.exeEokqkh32.exeAnclbkbp.exeCkbemgcp.exeKbbhqn32.exeKcejco32.exeAoofle32.exePjpfjl32.exeDnmaea32.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibhkfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bddcenpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjdjoane.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckhain32.dll" Gbfldf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cmipblaq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aeddnp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfkmkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgmcce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpiecd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nbebbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obncjbkf.dll" Gklnjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqpdko32.dll" Cofnik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhbacd32.dll" Likhem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlojif32.dll" Ccmcgcmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjpbam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaabap32.dll" Ipeeobbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfdcpb32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmapeg32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqnlgjdd.dll" Mimpolee.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbbdjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} 48be369d1a6ead5e47da696b8e6913248abeda018c6fd19720b3539a384377bbN.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oonnoglh.dll" Llodgnja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fphnlcdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhpopokm.dll" Ffnknafg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Klhnfo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmhgmmbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ofmdio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mleoafmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afjeceml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Obafpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmacdg32.dll" Kjblje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjcjni32.dll" Plagcbdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hnodaecc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iankcfdg.dll" Gmdjapgb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpfepf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcikgacl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chqogq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpdcag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfoplpla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npbblbdb.dll" Dfgcakon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olicnfco.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ihdldn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oklkdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckdlidhm.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fnnjmbpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajbfciej.dll" Aadghn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfljoa32.dll" Ahchda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbihjifh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlkklm32.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Caghhk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibcjqgnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdjfee32.dll" Eokqkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anclbkbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckbemgcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdpjda32.dll" Kbbhqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kcejco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aoofle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcgmgn32.dll" Pjpfjl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dnmaea32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
48be369d1a6ead5e47da696b8e6913248abeda018c6fd19720b3539a384377bbN.exeIkcdlmgf.exeIfihif32.exeIgjeanmj.exeIndmnh32.exeIijaka32.exeJodjhkkj.exeJfnbdecg.exeJoffnk32.exeJiokfpph.exeJnkcogno.exeJiaglp32.exeJkodhk32.exeJfehed32.exeJkaqnk32.exeJfgdkd32.exeJieagojp.exeKnbiofhg.exeKgknhl32.exeKflnfcgg.exeKpdboimg.exeKeakgpko.exedescription pid Process procid_target PID 5020 wrote to memory of 1596 5020 48be369d1a6ead5e47da696b8e6913248abeda018c6fd19720b3539a384377bbN.exe 84 PID 5020 wrote to memory of 1596 5020 48be369d1a6ead5e47da696b8e6913248abeda018c6fd19720b3539a384377bbN.exe 84 PID 5020 wrote to memory of 1596 5020 48be369d1a6ead5e47da696b8e6913248abeda018c6fd19720b3539a384377bbN.exe 84 PID 1596 wrote to memory of 4416 1596 Ikcdlmgf.exe 85 PID 1596 wrote to memory of 4416 1596 Ikcdlmgf.exe 85 PID 1596 wrote to memory of 4416 1596 Ikcdlmgf.exe 85 PID 4416 wrote to memory of 3324 4416 Ifihif32.exe 86 PID 4416 wrote to memory of 3324 4416 Ifihif32.exe 86 PID 4416 wrote to memory of 3324 4416 Ifihif32.exe 86 PID 3324 wrote to memory of 1268 3324 Igjeanmj.exe 87 PID 3324 wrote to memory of 1268 3324 Igjeanmj.exe 87 PID 3324 wrote to memory of 1268 3324 Igjeanmj.exe 87 PID 1268 wrote to memory of 1804 1268 Indmnh32.exe 88 PID 1268 wrote to memory of 1804 1268 Indmnh32.exe 88 PID 1268 wrote to memory of 1804 1268 Indmnh32.exe 88 PID 1804 wrote to memory of 4784 1804 Iijaka32.exe 89 PID 1804 wrote to memory of 4784 1804 Iijaka32.exe 89 PID 1804 wrote to memory of 4784 1804 Iijaka32.exe 89 PID 4784 wrote to memory of 1744 4784 Jodjhkkj.exe 90 PID 4784 wrote to memory of 1744 4784 Jodjhkkj.exe 90 PID 4784 wrote to memory of 1744 4784 Jodjhkkj.exe 90 PID 1744 wrote to memory of 620 1744 Jfnbdecg.exe 91 PID 1744 wrote to memory of 620 1744 Jfnbdecg.exe 91 PID 1744 wrote to memory of 620 1744 Jfnbdecg.exe 91 PID 620 wrote to memory of 2924 620 Joffnk32.exe 92 PID 620 wrote to memory of 2924 620 Joffnk32.exe 92 PID 620 wrote to memory of 2924 620 Joffnk32.exe 92 PID 2924 wrote to memory of 1636 2924 Jiokfpph.exe 93 PID 2924 wrote to memory of 1636 2924 Jiokfpph.exe 93 PID 2924 wrote to memory of 1636 2924 Jiokfpph.exe 93 PID 1636 wrote to memory of 4088 1636 Jnkcogno.exe 94 PID 1636 wrote to memory of 4088 1636 Jnkcogno.exe 94 PID 1636 wrote to memory of 4088 1636 Jnkcogno.exe 94 PID 4088 wrote to memory of 4932 4088 Jiaglp32.exe 96 PID 4088 wrote to memory of 4932 4088 Jiaglp32.exe 96 PID 4088 wrote to memory of 4932 4088 Jiaglp32.exe 96 PID 4932 wrote to memory of 5072 4932 Jkodhk32.exe 97 PID 4932 wrote to memory of 5072 4932 Jkodhk32.exe 97 PID 4932 wrote to memory of 5072 4932 Jkodhk32.exe 97 PID 5072 wrote to memory of 1088 5072 Jfehed32.exe 98 PID 5072 wrote to memory of 1088 5072 Jfehed32.exe 98 PID 5072 wrote to memory of 1088 5072 Jfehed32.exe 98 PID 1088 wrote to memory of 4764 1088 Jkaqnk32.exe 99 PID 1088 wrote to memory of 4764 1088 Jkaqnk32.exe 99 PID 1088 wrote to memory of 4764 1088 Jkaqnk32.exe 99 PID 4764 wrote to memory of 1864 4764 Jfgdkd32.exe 100 PID 4764 wrote to memory of 1864 4764 Jfgdkd32.exe 100 PID 4764 wrote to memory of 1864 4764 Jfgdkd32.exe 100 PID 1864 wrote to memory of 1016 1864 Jieagojp.exe 101 PID 1864 wrote to memory of 1016 1864 Jieagojp.exe 101 PID 1864 wrote to memory of 1016 1864 Jieagojp.exe 101 PID 1016 wrote to memory of 2968 1016 Knbiofhg.exe 102 PID 1016 wrote to memory of 2968 1016 Knbiofhg.exe 102 PID 1016 wrote to memory of 2968 1016 Knbiofhg.exe 102 PID 2968 wrote to memory of 5032 2968 Kgknhl32.exe 104 PID 2968 wrote to memory of 5032 2968 Kgknhl32.exe 104 PID 2968 wrote to memory of 5032 2968 Kgknhl32.exe 104 PID 5032 wrote to memory of 4800 5032 Kflnfcgg.exe 105 PID 5032 wrote to memory of 4800 5032 Kflnfcgg.exe 105 PID 5032 wrote to memory of 4800 5032 Kflnfcgg.exe 105 PID 4800 wrote to memory of 528 4800 Kpdboimg.exe 106 PID 4800 wrote to memory of 528 4800 Kpdboimg.exe 106 PID 4800 wrote to memory of 528 4800 Kpdboimg.exe 106 PID 528 wrote to memory of 3632 528 Keakgpko.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\48be369d1a6ead5e47da696b8e6913248abeda018c6fd19720b3539a384377bbN.exe"C:\Users\Admin\AppData\Local\Temp\48be369d1a6ead5e47da696b8e6913248abeda018c6fd19720b3539a384377bbN.exe"1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5020 -
C:\Windows\SysWOW64\Ikcdlmgf.exeC:\Windows\system32\Ikcdlmgf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1596 -
C:\Windows\SysWOW64\Ifihif32.exeC:\Windows\system32\Ifihif32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4416 -
C:\Windows\SysWOW64\Igjeanmj.exeC:\Windows\system32\Igjeanmj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3324 -
C:\Windows\SysWOW64\Indmnh32.exeC:\Windows\system32\Indmnh32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1268 -
C:\Windows\SysWOW64\Iijaka32.exeC:\Windows\system32\Iijaka32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1804 -
C:\Windows\SysWOW64\Jodjhkkj.exeC:\Windows\system32\Jodjhkkj.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4784 -
C:\Windows\SysWOW64\Jfnbdecg.exeC:\Windows\system32\Jfnbdecg.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1744 -
C:\Windows\SysWOW64\Joffnk32.exeC:\Windows\system32\Joffnk32.exe9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:620 -
C:\Windows\SysWOW64\Jiokfpph.exeC:\Windows\system32\Jiokfpph.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\SysWOW64\Jnkcogno.exeC:\Windows\system32\Jnkcogno.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\SysWOW64\Jiaglp32.exeC:\Windows\system32\Jiaglp32.exe12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4088 -
C:\Windows\SysWOW64\Jkodhk32.exeC:\Windows\system32\Jkodhk32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4932 -
C:\Windows\SysWOW64\Jfehed32.exeC:\Windows\system32\Jfehed32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5072 -
C:\Windows\SysWOW64\Jkaqnk32.exeC:\Windows\system32\Jkaqnk32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1088 -
C:\Windows\SysWOW64\Jfgdkd32.exeC:\Windows\system32\Jfgdkd32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4764 -
C:\Windows\SysWOW64\Jieagojp.exeC:\Windows\system32\Jieagojp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1864 -
C:\Windows\SysWOW64\Knbiofhg.exeC:\Windows\system32\Knbiofhg.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1016 -
C:\Windows\SysWOW64\Kgknhl32.exeC:\Windows\system32\Kgknhl32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Kflnfcgg.exeC:\Windows\system32\Kflnfcgg.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5032 -
C:\Windows\SysWOW64\Kpdboimg.exeC:\Windows\system32\Kpdboimg.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4800 -
C:\Windows\SysWOW64\Keakgpko.exeC:\Windows\system32\Keakgpko.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:528 -
C:\Windows\SysWOW64\Knippe32.exeC:\Windows\system32\Knippe32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3632 -
C:\Windows\SysWOW64\Kiodmn32.exeC:\Windows\system32\Kiodmn32.exe24⤵
- Executes dropped EXE
PID:1824 -
C:\Windows\SysWOW64\Klmpiiai.exeC:\Windows\system32\Klmpiiai.exe25⤵
- Executes dropped EXE
PID:1828 -
C:\Windows\SysWOW64\Kefdbo32.exeC:\Windows\system32\Kefdbo32.exe26⤵
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\Lpkiph32.exeC:\Windows\system32\Lpkiph32.exe27⤵
- Executes dropped EXE
PID:956 -
C:\Windows\SysWOW64\Lfealaol.exeC:\Windows\system32\Lfealaol.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Lhfmdj32.exeC:\Windows\system32\Lhfmdj32.exe29⤵
- Executes dropped EXE
PID:1692 -
C:\Windows\SysWOW64\Lnqeqd32.exeC:\Windows\system32\Lnqeqd32.exe30⤵
- Executes dropped EXE
PID:3940 -
C:\Windows\SysWOW64\Lejnmncd.exeC:\Windows\system32\Lejnmncd.exe31⤵
- Executes dropped EXE
PID:4192 -
C:\Windows\SysWOW64\Lhijijbg.exeC:\Windows\system32\Lhijijbg.exe32⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Lppbkgcj.exeC:\Windows\system32\Lppbkgcj.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3496 -
C:\Windows\SysWOW64\Lihfcm32.exeC:\Windows\system32\Lihfcm32.exe34⤵
- Executes dropped EXE
PID:1080 -
C:\Windows\SysWOW64\Lbqklb32.exeC:\Windows\system32\Lbqklb32.exe35⤵
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Likcilhh.exeC:\Windows\system32\Likcilhh.exe36⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Lbchba32.exeC:\Windows\system32\Lbchba32.exe37⤵
- Executes dropped EXE
PID:508 -
C:\Windows\SysWOW64\Mimpolee.exeC:\Windows\system32\Mimpolee.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:4448 -
C:\Windows\SysWOW64\Mbedga32.exeC:\Windows\system32\Mbedga32.exe39⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Medqcmki.exeC:\Windows\system32\Medqcmki.exe40⤵
- Executes dropped EXE
PID:3960 -
C:\Windows\SysWOW64\Mlnipg32.exeC:\Windows\system32\Mlnipg32.exe41⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Mbhamajc.exeC:\Windows\system32\Mbhamajc.exe42⤵
- Executes dropped EXE
PID:4624 -
C:\Windows\SysWOW64\Mfcmmp32.exeC:\Windows\system32\Mfcmmp32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\Mibijk32.exeC:\Windows\system32\Mibijk32.exe44⤵
- Executes dropped EXE
PID:4472 -
C:\Windows\SysWOW64\Mplafeil.exeC:\Windows\system32\Mplafeil.exe45⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Mbjnbqhp.exeC:\Windows\system32\Mbjnbqhp.exe46⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Midfokpm.exeC:\Windows\system32\Midfokpm.exe47⤵
- Executes dropped EXE
PID:5076 -
C:\Windows\SysWOW64\Mlbbkfoq.exeC:\Windows\system32\Mlbbkfoq.exe48⤵
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Moaogand.exeC:\Windows\system32\Moaogand.exe49⤵
- Executes dropped EXE
PID:5084 -
C:\Windows\SysWOW64\Mekgdl32.exeC:\Windows\system32\Mekgdl32.exe50⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Mleoafmn.exeC:\Windows\system32\Mleoafmn.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:3208 -
C:\Windows\SysWOW64\Mbognp32.exeC:\Windows\system32\Mbognp32.exe52⤵
- Executes dropped EXE
PID:4840 -
C:\Windows\SysWOW64\Nemcjk32.exeC:\Windows\system32\Nemcjk32.exe53⤵
- Executes dropped EXE
PID:1800 -
C:\Windows\SysWOW64\Nlglfe32.exeC:\Windows\system32\Nlglfe32.exe54⤵
- Executes dropped EXE
PID:3440 -
C:\Windows\SysWOW64\Nbadcpbh.exeC:\Windows\system32\Nbadcpbh.exe55⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Niklpj32.exeC:\Windows\system32\Niklpj32.exe56⤵
- Executes dropped EXE
PID:1876 -
C:\Windows\SysWOW64\Nlihle32.exeC:\Windows\system32\Nlihle32.exe57⤵
- Executes dropped EXE
PID:3152 -
C:\Windows\SysWOW64\Nebmekoi.exeC:\Windows\system32\Nebmekoi.exe58⤵
- Executes dropped EXE
PID:4760 -
C:\Windows\SysWOW64\Npgabc32.exeC:\Windows\system32\Npgabc32.exe59⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Ngaionfl.exeC:\Windows\system32\Ngaionfl.exe60⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Nhbfff32.exeC:\Windows\system32\Nhbfff32.exe61⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Nomncpcg.exeC:\Windows\system32\Nomncpcg.exe62⤵
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Ngdfdmdi.exeC:\Windows\system32\Ngdfdmdi.exe63⤵
- Executes dropped EXE
PID:1444 -
C:\Windows\SysWOW64\Nibbqicm.exeC:\Windows\system32\Nibbqicm.exe64⤵
- Executes dropped EXE
PID:696 -
C:\Windows\SysWOW64\Nlqomd32.exeC:\Windows\system32\Nlqomd32.exe65⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Ncjginjn.exeC:\Windows\system32\Ncjginjn.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:4580 -
C:\Windows\SysWOW64\Opogbbig.exeC:\Windows\system32\Opogbbig.exe67⤵PID:3680
-
C:\Windows\SysWOW64\Oekpkigo.exeC:\Windows\system32\Oekpkigo.exe68⤵PID:1304
-
C:\Windows\SysWOW64\Olehhc32.exeC:\Windows\system32\Olehhc32.exe69⤵PID:224
-
C:\Windows\SysWOW64\Oocddono.exeC:\Windows\system32\Oocddono.exe70⤵PID:1436
-
C:\Windows\SysWOW64\Oenlqi32.exeC:\Windows\system32\Oenlqi32.exe71⤵PID:4532
-
C:\Windows\SysWOW64\Opcqnb32.exeC:\Windows\system32\Opcqnb32.exe72⤵
- Drops file in System32 directory
PID:1552 -
C:\Windows\SysWOW64\Ocamjm32.exeC:\Windows\system32\Ocamjm32.exe73⤵PID:3560
-
C:\Windows\SysWOW64\Oileggkb.exeC:\Windows\system32\Oileggkb.exe74⤵PID:4328
-
C:\Windows\SysWOW64\Opemca32.exeC:\Windows\system32\Opemca32.exe75⤵PID:4432
-
C:\Windows\SysWOW64\Ogpepl32.exeC:\Windows\system32\Ogpepl32.exe76⤵
- System Location Discovery: System Language Discovery
PID:1172 -
C:\Windows\SysWOW64\Ollnhb32.exeC:\Windows\system32\Ollnhb32.exe77⤵
- Drops file in System32 directory
PID:2284 -
C:\Windows\SysWOW64\Ocffempp.exeC:\Windows\system32\Ocffempp.exe78⤵PID:3556
-
C:\Windows\SysWOW64\Pjpobg32.exeC:\Windows\system32\Pjpobg32.exe79⤵PID:2744
-
C:\Windows\SysWOW64\Ploknb32.exeC:\Windows\system32\Ploknb32.exe80⤵PID:4268
-
C:\Windows\SysWOW64\Pfgogh32.exeC:\Windows\system32\Pfgogh32.exe81⤵PID:1880
-
C:\Windows\SysWOW64\Plagcbdn.exeC:\Windows\system32\Plagcbdn.exe82⤵
- Modifies registry class
PID:3880 -
C:\Windows\SysWOW64\Pckppl32.exeC:\Windows\system32\Pckppl32.exe83⤵PID:1492
-
C:\Windows\SysWOW64\Plcdiabk.exeC:\Windows\system32\Plcdiabk.exe84⤵PID:4684
-
C:\Windows\SysWOW64\Pcmlfl32.exeC:\Windows\system32\Pcmlfl32.exe85⤵PID:5068
-
C:\Windows\SysWOW64\Pgihfj32.exeC:\Windows\system32\Pgihfj32.exe86⤵PID:3192
-
C:\Windows\SysWOW64\Pleaoa32.exeC:\Windows\system32\Pleaoa32.exe87⤵PID:5064
-
C:\Windows\SysWOW64\Pfnegggi.exeC:\Windows\system32\Pfnegggi.exe88⤵PID:668
-
C:\Windows\SysWOW64\Phlacbfm.exeC:\Windows\system32\Phlacbfm.exe89⤵PID:1416
-
C:\Windows\SysWOW64\Qgnbaj32.exeC:\Windows\system32\Qgnbaj32.exe90⤵PID:1748
-
C:\Windows\SysWOW64\Qjlnnemp.exeC:\Windows\system32\Qjlnnemp.exe91⤵PID:2280
-
C:\Windows\SysWOW64\Qljjjqlc.exeC:\Windows\system32\Qljjjqlc.exe92⤵
- System Location Discovery: System Language Discovery
PID:3472 -
C:\Windows\SysWOW64\Qoifflkg.exeC:\Windows\system32\Qoifflkg.exe93⤵
- Drops file in System32 directory
PID:5164 -
C:\Windows\SysWOW64\Qgpogili.exeC:\Windows\system32\Qgpogili.exe94⤵PID:5208
-
C:\Windows\SysWOW64\Qjnkcekm.exeC:\Windows\system32\Qjnkcekm.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5248 -
C:\Windows\SysWOW64\Qlmgopjq.exeC:\Windows\system32\Qlmgopjq.exe96⤵PID:5292
-
C:\Windows\SysWOW64\Aokcklid.exeC:\Windows\system32\Aokcklid.exe97⤵PID:5336
-
C:\Windows\SysWOW64\Agbkmijg.exeC:\Windows\system32\Agbkmijg.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5376 -
C:\Windows\SysWOW64\Ahchda32.exeC:\Windows\system32\Ahchda32.exe99⤵
- Modifies registry class
PID:5420 -
C:\Windows\SysWOW64\Aqkpeopg.exeC:\Windows\system32\Aqkpeopg.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5464 -
C:\Windows\SysWOW64\Agdhbi32.exeC:\Windows\system32\Agdhbi32.exe101⤵PID:5508
-
C:\Windows\SysWOW64\Ajcdnd32.exeC:\Windows\system32\Ajcdnd32.exe102⤵PID:5552
-
C:\Windows\SysWOW64\Aqmlknnd.exeC:\Windows\system32\Aqmlknnd.exe103⤵PID:5596
-
C:\Windows\SysWOW64\Aggegh32.exeC:\Windows\system32\Aggegh32.exe104⤵PID:5636
-
C:\Windows\SysWOW64\Afjeceml.exeC:\Windows\system32\Afjeceml.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5680 -
C:\Windows\SysWOW64\Aihaoqlp.exeC:\Windows\system32\Aihaoqlp.exe106⤵PID:5724
-
C:\Windows\SysWOW64\Aobilkcl.exeC:\Windows\system32\Aobilkcl.exe107⤵PID:5780
-
C:\Windows\SysWOW64\Agiamhdo.exeC:\Windows\system32\Agiamhdo.exe108⤵PID:5824
-
C:\Windows\SysWOW64\Ajhniccb.exeC:\Windows\system32\Ajhniccb.exe109⤵PID:5884
-
C:\Windows\SysWOW64\Amfjeobf.exeC:\Windows\system32\Amfjeobf.exe110⤵PID:5920
-
C:\Windows\SysWOW64\Aodfajaj.exeC:\Windows\system32\Aodfajaj.exe111⤵
- System Location Discovery: System Language Discovery
PID:5960 -
C:\Windows\SysWOW64\Aglnbhal.exeC:\Windows\system32\Aglnbhal.exe112⤵PID:6016
-
C:\Windows\SysWOW64\Ajjjocap.exeC:\Windows\system32\Ajjjocap.exe113⤵PID:6088
-
C:\Windows\SysWOW64\Amhfkopc.exeC:\Windows\system32\Amhfkopc.exe114⤵PID:6128
-
C:\Windows\SysWOW64\Bogcgj32.exeC:\Windows\system32\Bogcgj32.exe115⤵PID:5132
-
C:\Windows\SysWOW64\Bgnkhg32.exeC:\Windows\system32\Bgnkhg32.exe116⤵PID:5216
-
C:\Windows\SysWOW64\Bjlgdc32.exeC:\Windows\system32\Bjlgdc32.exe117⤵PID:5320
-
C:\Windows\SysWOW64\Bmkcqn32.exeC:\Windows\system32\Bmkcqn32.exe118⤵PID:5432
-
C:\Windows\SysWOW64\Boipmj32.exeC:\Windows\system32\Boipmj32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5500 -
C:\Windows\SysWOW64\Bcelmhen.exeC:\Windows\system32\Bcelmhen.exe120⤵PID:5588
-
C:\Windows\SysWOW64\Bfchidda.exeC:\Windows\system32\Bfchidda.exe121⤵PID:5656
-
C:\Windows\SysWOW64\Bmmpfn32.exeC:\Windows\system32\Bmmpfn32.exe122⤵
- Drops file in System32 directory
PID:5732
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-