Analysis
-
max time kernel
139s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
05-11-2024 03:54
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ccb52c0b1a1426f7319cbcf8432ed177e30d9ff88667e914a6dce116ab355436.exe
Resource
win7-20240903-en
windows7-x64
12 signatures
150 seconds
General
-
Target
ccb52c0b1a1426f7319cbcf8432ed177e30d9ff88667e914a6dce116ab355436.exe
-
Size
163KB
-
MD5
2c81598ae1d270de0502a5f50b40f181
-
SHA1
238999030d15a32d068dc243f82c19cad9d7431c
-
SHA256
ccb52c0b1a1426f7319cbcf8432ed177e30d9ff88667e914a6dce116ab355436
-
SHA512
e6a31462ec144cb0dc0a5e4ba1dd1e46dd042f6961d1a714220fa7d7b1be3942ceed11ed777a24b1c2e4df985b8ff18727d13c3d3916b314f005fcb2a4d2cd03
-
SSDEEP
1536:PMm9/E/sHMIZLefjA6i6aFfwhtix38vlProNVU4qNVUrk/9QbfBr+7GwKrPAsqNy:Um+/BfjfaFfwbSMvltOrWKDBr+yJb
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Extracted
Family
gozi
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Pfojdh32.exeGmggfp32.exeGimqajgh.exeMnegbp32.exeJlbejloe.exeKapfiqoj.exeLedepn32.exePhbhcmjl.exeDjcoai32.exeJpaleglc.exeManmoq32.exeGpqjglii.exeFligqhga.exeGpolbo32.exeDndgfpbo.exeCmflbf32.exeNhokljge.exeAahbbkaq.exeNfcabp32.exeBepmoh32.exeDkndie32.exeLchfib32.exeAcccdj32.exeCbbdjm32.exeCjliajmo.exeIphioh32.exeLjhefhha.exeBabcil32.exeAomifecf.exeCjgpfk32.exeJpegkj32.exeBdlfjh32.exePidabppl.exeNjmhhefi.exeFelbnn32.exeKodnmkap.exeCpmapodj.exeDhphmj32.exeQkjgegae.exeFmkqpkla.exeLggejg32.exeQfkqjmdg.exeApeknk32.exeOjbacd32.exeBpkdjofm.exeConanfli.exePfccogfc.exeGkkgpc32.exeMjlhgaqp.exeOgjdmbil.exeMbgeqmjp.exeAekddhcb.exeDfdpad32.exeBdojjo32.exeJoqafgni.exeHlambk32.exeMgclpkac.exeNelfeo32.exeQhkdof32.exeMpclce32.exeMokfja32.exeCcblbb32.exeNndjndbh.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfojdh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmggfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gimqajgh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnegbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlbejloe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kapfiqoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ledepn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phbhcmjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djcoai32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpaleglc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Manmoq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpqjglii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fligqhga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpolbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dndgfpbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmflbf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhokljge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aahbbkaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfcabp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bepmoh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkndie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lchfib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acccdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbbdjm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjliajmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iphioh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljhefhha.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Babcil32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aomifecf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjgpfk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpegkj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdlfjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pidabppl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njmhhefi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Felbnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kodnmkap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpmapodj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhphmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qkjgegae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmkqpkla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lggejg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfkqjmdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apeknk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojbacd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpkdjofm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Conanfli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkndie32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfccogfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkkgpc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjlhgaqp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogjdmbil.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbgeqmjp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aekddhcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfdpad32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdojjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Joqafgni.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlambk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgclpkac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nelfeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qhkdof32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpclce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mokfja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccblbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nndjndbh.exe -
Berbew family
-
Gozi family
-
Executes dropped EXE 64 IoCs
Processes:
Jkaicd32.exeJbkbpoog.exeKiggbhda.exeKkfcndce.exeKndojobi.exeKnflpoqf.exeKeqdmihc.exeKjmmepfj.exeKecabifp.exeKjpijpdg.exeLeenhhdn.exeLgcjdd32.exeLbinam32.exeLkabjbih.exeLnpofnhk.exeLghcocol.exeLnbklm32.exeLelchgne.exeLjilqnlm.exeLijlof32.exeMngegmbc.exeMeamcg32.exeMlkepaam.exeMahnhhod.exeMlmbfqoj.exeMajjng32.exeMhdckaeo.exeMnnkgl32.exeMalgcg32.exeMblcnj32.exeMifljdjo.exeNobdbkhf.exeNihipdhl.exeNjiegl32.exeNbqmiinl.exeNeoieenp.exeNbcjnilj.exeNimbkc32.exeNojjcj32.exeNahgoe32.exeNiooqcad.exeNlnkmnah.exeNkqkhk32.exeNbgcih32.exeOondnini.exeOehlkc32.exeOlbdhn32.exeOkedcjcm.exeOblmdhdo.exeOldamm32.exeOemefcap.exeOlgncmim.exeOkjnnj32.exeObafpg32.exeOiknlagg.exeOklkdi32.exeOafcqcea.exePllgnl32.exePkogiikb.exePahpfc32.exePhbhcmjl.exePolppg32.exePakllc32.exePoomegpf.exepid Process 2152 Jkaicd32.exe 3724 Jbkbpoog.exe 404 Kiggbhda.exe 3932 Kkfcndce.exe 5000 Kndojobi.exe 1496 Knflpoqf.exe 2336 Keqdmihc.exe 1972 Kjmmepfj.exe 2368 Kecabifp.exe 4832 Kjpijpdg.exe 4044 Leenhhdn.exe 1492 Lgcjdd32.exe 4076 Lbinam32.exe 2688 Lkabjbih.exe 440 Lnpofnhk.exe 1736 Lghcocol.exe 5092 Lnbklm32.exe 4232 Lelchgne.exe 3828 Ljilqnlm.exe 4108 Lijlof32.exe 2240 Mngegmbc.exe 3044 Meamcg32.exe 1112 Mlkepaam.exe 2036 Mahnhhod.exe 1604 Mlmbfqoj.exe 3036 Majjng32.exe 312 Mhdckaeo.exe 3940 Mnnkgl32.exe 3208 Malgcg32.exe 2040 Mblcnj32.exe 2612 Mifljdjo.exe 2648 Nobdbkhf.exe 4272 Nihipdhl.exe 2204 Njiegl32.exe 2288 Nbqmiinl.exe 2924 Neoieenp.exe 2188 Nbcjnilj.exe 2024 Nimbkc32.exe 2144 Nojjcj32.exe 336 Nahgoe32.exe 3488 Niooqcad.exe 3700 Nlnkmnah.exe 2972 Nkqkhk32.exe 4940 Nbgcih32.exe 3312 Oondnini.exe 3668 Oehlkc32.exe 2804 Olbdhn32.exe 3732 Okedcjcm.exe 4280 Oblmdhdo.exe 928 Oldamm32.exe 2312 Oemefcap.exe 3664 Olgncmim.exe 3768 Okjnnj32.exe 3588 Obafpg32.exe 2992 Oiknlagg.exe 4136 Oklkdi32.exe 4344 Oafcqcea.exe 1316 Pllgnl32.exe 2156 Pkogiikb.exe 3016 Pahpfc32.exe 3420 Phbhcmjl.exe 1088 Polppg32.exe 1288 Pakllc32.exe 976 Poomegpf.exe -
Drops file in System32 directory 64 IoCs
Processes:
Nnafno32.exeMqjbddpl.exeFfobhg32.exePdhbmh32.exeAnclbkbp.exeKflide32.exeBkdcbd32.exeEfepbi32.exeGflhoo32.exeChdialdl.exeOqoefand.exeLnbklm32.exeQhkdof32.exeMjlhgaqp.exeBhmbqm32.exeNcbafoge.exeGlcaambb.exeBpkdjofm.exeCklhcfle.exeIefphb32.exeNkqkhk32.exeCkpbnb32.exeDbbffdlq.exeConanfli.exeEqiibjlj.exeDqpfmlce.exeDdnobj32.exeEohmkb32.exeJoqafgni.exeEcgcfm32.exePmcclm32.exeBaadiiif.exeLgibpf32.exeDfdpad32.exeIplkpa32.exeMhdckaeo.exeMblcnj32.exeCcmgiaig.exeFbajbi32.exeCoqncejg.exeDahmfpap.exeGaebef32.exeGfokoelp.exeJgeghp32.exeLnldla32.exeBpjmph32.exeMnegbp32.exeJbepme32.exeCjliajmo.exeJcbdgb32.exeAhaceo32.exeNfihbk32.exeHhimhobl.exeJekjcaef.exePapfgbmg.exeKngkqbgl.exeQacameaj.exeDgjoif32.exeDgbanq32.exeFjohde32.exeBdickcpo.exeFqppci32.exeMlofcf32.exedescription ioc Process File opened for modification C:\Windows\SysWOW64\Npbceggm.exe Nnafno32.exe File created C:\Windows\SysWOW64\Alapqh32.dll Mqjbddpl.exe File created C:\Windows\SysWOW64\Fimodc32.exe Ffobhg32.exe File opened for modification C:\Windows\SysWOW64\Pmaffnce.exe Pdhbmh32.exe File created C:\Windows\SysWOW64\Bdcebook.dll Anclbkbp.exe File opened for modification C:\Windows\SysWOW64\Klfaapbl.exe Kflide32.exe File created C:\Windows\SysWOW64\Bckkca32.exe Bkdcbd32.exe File opened for modification C:\Windows\SysWOW64\Elbhjp32.exe Efepbi32.exe File created C:\Windows\SysWOW64\Nqdmimbf.dll Gflhoo32.exe File opened for modification C:\Windows\SysWOW64\Conanfli.exe Chdialdl.exe File opened for modification C:\Windows\SysWOW64\Oflmnh32.exe Oqoefand.exe File created C:\Windows\SysWOW64\Njfkbf32.dll Lnbklm32.exe File opened for modification C:\Windows\SysWOW64\Qachgk32.exe Qhkdof32.exe File opened for modification C:\Windows\SysWOW64\Mmkdcm32.exe Mjlhgaqp.exe File created C:\Windows\SysWOW64\Bklomh32.exe Bhmbqm32.exe File opened for modification C:\Windows\SysWOW64\Niojoeel.exe Ncbafoge.exe File created C:\Windows\SysWOW64\Gfheof32.exe Glcaambb.exe File created C:\Windows\SysWOW64\Gbhhlfgd.dll Bpkdjofm.exe File opened for modification C:\Windows\SysWOW64\Cnjdpaki.exe Cklhcfle.exe File created C:\Windows\SysWOW64\Qejpnh32.dll Iefphb32.exe File created C:\Windows\SysWOW64\Gghocf32.dll Nkqkhk32.exe File created C:\Windows\SysWOW64\Jecampmk.dll Ckpbnb32.exe File created C:\Windows\SysWOW64\Dfnbgc32.exe Dbbffdlq.exe File opened for modification C:\Windows\SysWOW64\Cammjakm.exe Conanfli.exe File created C:\Windows\SysWOW64\Hbnckkha.dll Eqiibjlj.exe File created C:\Windows\SysWOW64\Dgjoif32.exe Dqpfmlce.exe File opened for modification C:\Windows\SysWOW64\Dglkoeio.exe Ddnobj32.exe File opened for modification C:\Windows\SysWOW64\Eqiibjlj.exe Eohmkb32.exe File created C:\Windows\SysWOW64\Jekjcaef.exe Joqafgni.exe File created C:\Windows\SysWOW64\Nmnpml32.dll Ecgcfm32.exe File created C:\Windows\SysWOW64\Qmepam32.exe Pmcclm32.exe File created C:\Windows\SysWOW64\Bdpaeehj.exe Baadiiif.exe File opened for modification C:\Windows\SysWOW64\Mmfkhmdi.exe Lgibpf32.exe File created C:\Windows\SysWOW64\Jfegnkqm.dll Dfdpad32.exe File opened for modification C:\Windows\SysWOW64\Ieidhh32.exe Iplkpa32.exe File created C:\Windows\SysWOW64\Mnnkgl32.exe Mhdckaeo.exe File created C:\Windows\SysWOW64\Faaigehd.dll Mblcnj32.exe File opened for modification C:\Windows\SysWOW64\Cjgpfk32.exe Ccmgiaig.exe File created C:\Windows\SysWOW64\Fjhacf32.exe Fbajbi32.exe File created C:\Windows\SysWOW64\Cdmfllhn.exe Coqncejg.exe File opened for modification C:\Windows\SysWOW64\Dgeenfog.exe Dahmfpap.exe File opened for modification C:\Windows\SysWOW64\Ghojbq32.exe Gaebef32.exe File created C:\Windows\SysWOW64\Gkkgpc32.exe Gfokoelp.exe File created C:\Windows\SysWOW64\Hdjgko32.dll Jgeghp32.exe File created C:\Windows\SysWOW64\Eanmnefk.dll Lnldla32.exe File created C:\Windows\SysWOW64\Labnlj32.dll Bpjmph32.exe File created C:\Windows\SysWOW64\Mgnlkfal.exe Mnegbp32.exe File created C:\Windows\SysWOW64\Kedlip32.exe Jbepme32.exe File created C:\Windows\SysWOW64\Jdqlliil.dll Cjliajmo.exe File created C:\Windows\SysWOW64\Inngdb32.dll Jcbdgb32.exe File created C:\Windows\SysWOW64\Aokkahlo.exe Ahaceo32.exe File created C:\Windows\SysWOW64\Bepjbf32.dll Nfihbk32.exe File created C:\Windows\SysWOW64\Pkpbai32.dll Hhimhobl.exe File created C:\Windows\SysWOW64\Jhifomdj.exe Jekjcaef.exe File opened for modification C:\Windows\SysWOW64\Nmcpoedn.exe Nfihbk32.exe File created C:\Windows\SysWOW64\Dqklch32.dll Papfgbmg.exe File created C:\Windows\SysWOW64\Jkjpda32.dll Kngkqbgl.exe File opened for modification C:\Windows\SysWOW64\Afpjel32.exe Qacameaj.exe File created C:\Windows\SysWOW64\Dndgfpbo.exe Dgjoif32.exe File opened for modification C:\Windows\SysWOW64\Diqnjl32.exe Dgbanq32.exe File created C:\Windows\SysWOW64\Fmndpq32.exe Fjohde32.exe File created C:\Windows\SysWOW64\Coohhlpe.exe Bdickcpo.exe File created C:\Windows\SysWOW64\Fgjhpcmo.exe Fqppci32.exe File created C:\Windows\SysWOW64\Mqjbddpl.exe Mlofcf32.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target Process procid_target 5960 5900 WerFault.exe 840 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Malgcg32.exeFijdjfdb.exeGghdaa32.exeHiacacpg.exeBdlfjh32.exeBiiobo32.exeDbjkkl32.exeLcjcnoej.exeLjclki32.exeOacoqnci.exeAhbjoe32.exeLlmhaold.exeNjbgmjgl.exeDmhand32.exeEmbddb32.exeFdepgkgj.exeLnangaoa.exeDqpfmlce.exeKhlklj32.exeHbgkei32.exeJadgnb32.exeHloqml32.exeHlhccj32.exeLenicahg.exeOhmhmh32.exeAnaomkdb.exeFbgihaji.exeLedepn32.exeHdjbiheb.exeFilapfbo.exeIcdheded.exeJohggfha.exePfccogfc.exeIpbaol32.exeIpdndloi.exeLghcocol.exeGfheof32.exeNpgmpf32.exeBhmbqm32.exeFnkfmm32.exeHaaaaeim.exeJoekag32.exeCacmpj32.exeDjqblj32.exeDmdhcddh.exeAknifq32.exeCoqncejg.exeHecjke32.exeJlbejloe.exeFqppci32.exeOfgdcipq.exeJknfcofa.exeDfiildio.exeLqmmmmph.exeNfcabp32.exePmpolgoi.exeBdfpkm32.exeMnnkgl32.exeQikgco32.exeCihclh32.exeIplkpa32.exeEqlfhjig.exeFpgpgfmh.exePcegclgp.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Malgcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fijdjfdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gghdaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hiacacpg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdlfjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biiobo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbjkkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcjcnoej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljclki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oacoqnci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahbjoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llmhaold.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njbgmjgl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmhand32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Embddb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdepgkgj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnangaoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dqpfmlce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khlklj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbgkei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jadgnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hloqml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlhccj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lenicahg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohmhmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anaomkdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbgihaji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ledepn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdjbiheb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Filapfbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icdheded.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Johggfha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfccogfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipbaol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipdndloi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lghcocol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfheof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npgmpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhmbqm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnkfmm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Haaaaeim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joekag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cacmpj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djqblj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmdhcddh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aknifq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coqncejg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hecjke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlbejloe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqppci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofgdcipq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jknfcofa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfiildio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqmmmmph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfcabp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmpolgoi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdfpkm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnnkgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qikgco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cihclh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iplkpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqlfhjig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpgpgfmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcegclgp.exe -
Modifies registry class 64 IoCs
Processes:
Adikdfna.exeBnfihkqm.exeCljobphg.exeBaegibae.exeModpib32.exePolppg32.exeMqjbddpl.exeEblpgjha.exeQcclld32.exeFlqdlnde.exePhbhcmjl.exePabblb32.exeOmqmop32.exePmlmkn32.exeNncccnol.exeGpolbo32.exeIimcma32.exePimfpc32.exeAfkknogn.exeEfepbi32.exeCancekeo.exeBckkca32.exeCihclh32.exeDjelgied.exeGmggfp32.exeLqpamb32.exeLjhefhha.exeHpqldc32.exeOqklkbbi.exePapfgbmg.exeKdkdgchl.exeOakbehfe.exeHaaaaeim.exeAlqjpi32.exeBheffh32.exeHmpjmn32.exeDgjoif32.exeGgmmlamj.exeKamjda32.exeCpljehpo.exeLkabjbih.exeMeamcg32.exeFelbnn32.exeJlbejloe.exeDblgpl32.exeFllkqn32.exeJgeghp32.exeOmegjomb.exeGbkkik32.exeOemefcap.exeEbejfk32.exeCkgohf32.exeCmedjl32.exeLelchgne.exeEmdajb32.exeKmaopfjm.exeNgjbaj32.exeEfeihb32.exeMgphpe32.exeCpmapodj.exeDhphmj32.exeEdplhjhi.exeBfendmoc.exeFmkgkapm.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckgofgjn.dll" Adikdfna.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnfihkqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nchcpi32.dll" Cljobphg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Baegibae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Modpib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jofbdcmb.dll" Polppg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mqjbddpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhidngmn.dll" Eblpgjha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jendmajn.dll" Qcclld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Flqdlnde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phbhcmjl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pabblb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omqmop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmlmkn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nncccnol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpqfid32.dll" Gpolbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idknpoad.dll" Iimcma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhoped32.dll" Pimfpc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afkknogn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efepbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cancekeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bckkca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cihclh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djelgied.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmggfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lqpamb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljhefhha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgaclkia.dll" Hpqldc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gejimf32.dll" Oqklkbbi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Papfgbmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmfmgg32.dll" Kdkdgchl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oakbehfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Haaaaeim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iafkni32.dll" Alqjpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bheffh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmpjmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjmejc32.dll" Dgjoif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgpamjnb.dll" Ggmmlamj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dognaofl.dll" Kamjda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cpljehpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmbheilp.dll" Lkabjbih.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Meamcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Felbnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoiaikp.dll" Jlbejloe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikfghc32.dll" Dblgpl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fllkqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgeghp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gabmaqlh.dll" Omegjomb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbkkik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oemefcap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlljlela.dll" Ebejfk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckgohf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nppbddqg.dll" Cmedjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lelchgne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emdajb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kmaopfjm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngjbaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efeihb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iknmmg32.dll" Mgphpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cpmapodj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhphmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Edplhjhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inbhocbm.dll" Bfendmoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmiogmig.dll" Fmkgkapm.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
ccb52c0b1a1426f7319cbcf8432ed177e30d9ff88667e914a6dce116ab355436.exeJkaicd32.exeJbkbpoog.exeKiggbhda.exeKkfcndce.exeKndojobi.exeKnflpoqf.exeKeqdmihc.exeKjmmepfj.exeKecabifp.exeKjpijpdg.exeLeenhhdn.exeLgcjdd32.exeLbinam32.exeLkabjbih.exeLnpofnhk.exeLghcocol.exeLnbklm32.exeLelchgne.exeLjilqnlm.exeLijlof32.exeMngegmbc.exedescription pid Process procid_target PID 4056 wrote to memory of 2152 4056 ccb52c0b1a1426f7319cbcf8432ed177e30d9ff88667e914a6dce116ab355436.exe 84 PID 4056 wrote to memory of 2152 4056 ccb52c0b1a1426f7319cbcf8432ed177e30d9ff88667e914a6dce116ab355436.exe 84 PID 4056 wrote to memory of 2152 4056 ccb52c0b1a1426f7319cbcf8432ed177e30d9ff88667e914a6dce116ab355436.exe 84 PID 2152 wrote to memory of 3724 2152 Jkaicd32.exe 85 PID 2152 wrote to memory of 3724 2152 Jkaicd32.exe 85 PID 2152 wrote to memory of 3724 2152 Jkaicd32.exe 85 PID 3724 wrote to memory of 404 3724 Jbkbpoog.exe 86 PID 3724 wrote to memory of 404 3724 Jbkbpoog.exe 86 PID 3724 wrote to memory of 404 3724 Jbkbpoog.exe 86 PID 404 wrote to memory of 3932 404 Kiggbhda.exe 87 PID 404 wrote to memory of 3932 404 Kiggbhda.exe 87 PID 404 wrote to memory of 3932 404 Kiggbhda.exe 87 PID 3932 wrote to memory of 5000 3932 Kkfcndce.exe 88 PID 3932 wrote to memory of 5000 3932 Kkfcndce.exe 88 PID 3932 wrote to memory of 5000 3932 Kkfcndce.exe 88 PID 5000 wrote to memory of 1496 5000 Kndojobi.exe 89 PID 5000 wrote to memory of 1496 5000 Kndojobi.exe 89 PID 5000 wrote to memory of 1496 5000 Kndojobi.exe 89 PID 1496 wrote to memory of 2336 1496 Knflpoqf.exe 90 PID 1496 wrote to memory of 2336 1496 Knflpoqf.exe 90 PID 1496 wrote to memory of 2336 1496 Knflpoqf.exe 90 PID 2336 wrote to memory of 1972 2336 Keqdmihc.exe 91 PID 2336 wrote to memory of 1972 2336 Keqdmihc.exe 91 PID 2336 wrote to memory of 1972 2336 Keqdmihc.exe 91 PID 1972 wrote to memory of 2368 1972 Kjmmepfj.exe 92 PID 1972 wrote to memory of 2368 1972 Kjmmepfj.exe 92 PID 1972 wrote to memory of 2368 1972 Kjmmepfj.exe 92 PID 2368 wrote to memory of 4832 2368 Kecabifp.exe 93 PID 2368 wrote to memory of 4832 2368 Kecabifp.exe 93 PID 2368 wrote to memory of 4832 2368 Kecabifp.exe 93 PID 4832 wrote to memory of 4044 4832 Kjpijpdg.exe 94 PID 4832 wrote to memory of 4044 4832 Kjpijpdg.exe 94 PID 4832 wrote to memory of 4044 4832 Kjpijpdg.exe 94 PID 4044 wrote to memory of 1492 4044 Leenhhdn.exe 95 PID 4044 wrote to memory of 1492 4044 Leenhhdn.exe 95 PID 4044 wrote to memory of 1492 4044 Leenhhdn.exe 95 PID 1492 wrote to memory of 4076 1492 Lgcjdd32.exe 97 PID 1492 wrote to memory of 4076 1492 Lgcjdd32.exe 97 PID 1492 wrote to memory of 4076 1492 Lgcjdd32.exe 97 PID 4076 wrote to memory of 2688 4076 Lbinam32.exe 98 PID 4076 wrote to memory of 2688 4076 Lbinam32.exe 98 PID 4076 wrote to memory of 2688 4076 Lbinam32.exe 98 PID 2688 wrote to memory of 440 2688 Lkabjbih.exe 99 PID 2688 wrote to memory of 440 2688 Lkabjbih.exe 99 PID 2688 wrote to memory of 440 2688 Lkabjbih.exe 99 PID 440 wrote to memory of 1736 440 Lnpofnhk.exe 100 PID 440 wrote to memory of 1736 440 Lnpofnhk.exe 100 PID 440 wrote to memory of 1736 440 Lnpofnhk.exe 100 PID 1736 wrote to memory of 5092 1736 Lghcocol.exe 102 PID 1736 wrote to memory of 5092 1736 Lghcocol.exe 102 PID 1736 wrote to memory of 5092 1736 Lghcocol.exe 102 PID 5092 wrote to memory of 4232 5092 Lnbklm32.exe 103 PID 5092 wrote to memory of 4232 5092 Lnbklm32.exe 103 PID 5092 wrote to memory of 4232 5092 Lnbklm32.exe 103 PID 4232 wrote to memory of 3828 4232 Lelchgne.exe 104 PID 4232 wrote to memory of 3828 4232 Lelchgne.exe 104 PID 4232 wrote to memory of 3828 4232 Lelchgne.exe 104 PID 3828 wrote to memory of 4108 3828 Ljilqnlm.exe 105 PID 3828 wrote to memory of 4108 3828 Ljilqnlm.exe 105 PID 3828 wrote to memory of 4108 3828 Ljilqnlm.exe 105 PID 4108 wrote to memory of 2240 4108 Lijlof32.exe 106 PID 4108 wrote to memory of 2240 4108 Lijlof32.exe 106 PID 4108 wrote to memory of 2240 4108 Lijlof32.exe 106 PID 2240 wrote to memory of 3044 2240 Mngegmbc.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\ccb52c0b1a1426f7319cbcf8432ed177e30d9ff88667e914a6dce116ab355436.exe"C:\Users\Admin\AppData\Local\Temp\ccb52c0b1a1426f7319cbcf8432ed177e30d9ff88667e914a6dce116ab355436.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4056 -
C:\Windows\SysWOW64\Jkaicd32.exeC:\Windows\system32\Jkaicd32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Windows\SysWOW64\Jbkbpoog.exeC:\Windows\system32\Jbkbpoog.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3724 -
C:\Windows\SysWOW64\Kiggbhda.exeC:\Windows\system32\Kiggbhda.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:404 -
C:\Windows\SysWOW64\Kkfcndce.exeC:\Windows\system32\Kkfcndce.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3932 -
C:\Windows\SysWOW64\Kndojobi.exeC:\Windows\system32\Kndojobi.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5000 -
C:\Windows\SysWOW64\Knflpoqf.exeC:\Windows\system32\Knflpoqf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1496 -
C:\Windows\SysWOW64\Keqdmihc.exeC:\Windows\system32\Keqdmihc.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Windows\SysWOW64\Kjmmepfj.exeC:\Windows\system32\Kjmmepfj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1972 -
C:\Windows\SysWOW64\Kecabifp.exeC:\Windows\system32\Kecabifp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\SysWOW64\Kjpijpdg.exeC:\Windows\system32\Kjpijpdg.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4832 -
C:\Windows\SysWOW64\Leenhhdn.exeC:\Windows\system32\Leenhhdn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4044 -
C:\Windows\SysWOW64\Lgcjdd32.exeC:\Windows\system32\Lgcjdd32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1492 -
C:\Windows\SysWOW64\Lbinam32.exeC:\Windows\system32\Lbinam32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4076 -
C:\Windows\SysWOW64\Lkabjbih.exeC:\Windows\system32\Lkabjbih.exe15⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Lnpofnhk.exeC:\Windows\system32\Lnpofnhk.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:440 -
C:\Windows\SysWOW64\Lghcocol.exeC:\Windows\system32\Lghcocol.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1736 -
C:\Windows\SysWOW64\Lnbklm32.exeC:\Windows\system32\Lnbklm32.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5092 -
C:\Windows\SysWOW64\Lelchgne.exeC:\Windows\system32\Lelchgne.exe19⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4232 -
C:\Windows\SysWOW64\Ljilqnlm.exeC:\Windows\system32\Ljilqnlm.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3828 -
C:\Windows\SysWOW64\Lijlof32.exeC:\Windows\system32\Lijlof32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4108 -
C:\Windows\SysWOW64\Mngegmbc.exeC:\Windows\system32\Mngegmbc.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\Meamcg32.exeC:\Windows\system32\Meamcg32.exe23⤵
- Executes dropped EXE
- Modifies registry class
PID:3044 -
C:\Windows\SysWOW64\Mlkepaam.exeC:\Windows\system32\Mlkepaam.exe24⤵
- Executes dropped EXE
PID:1112 -
C:\Windows\SysWOW64\Mahnhhod.exeC:\Windows\system32\Mahnhhod.exe25⤵
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\Mlmbfqoj.exeC:\Windows\system32\Mlmbfqoj.exe26⤵
- Executes dropped EXE
PID:1604 -
C:\Windows\SysWOW64\Majjng32.exeC:\Windows\system32\Majjng32.exe27⤵
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Mhdckaeo.exeC:\Windows\system32\Mhdckaeo.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:312 -
C:\Windows\SysWOW64\Mnnkgl32.exeC:\Windows\system32\Mnnkgl32.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3940 -
C:\Windows\SysWOW64\Malgcg32.exeC:\Windows\system32\Malgcg32.exe30⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3208 -
C:\Windows\SysWOW64\Mblcnj32.exeC:\Windows\system32\Mblcnj32.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2040 -
C:\Windows\SysWOW64\Mifljdjo.exeC:\Windows\system32\Mifljdjo.exe32⤵
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Nobdbkhf.exeC:\Windows\system32\Nobdbkhf.exe33⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Nihipdhl.exeC:\Windows\system32\Nihipdhl.exe34⤵
- Executes dropped EXE
PID:4272 -
C:\Windows\SysWOW64\Njiegl32.exeC:\Windows\system32\Njiegl32.exe35⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Nbqmiinl.exeC:\Windows\system32\Nbqmiinl.exe36⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Neoieenp.exeC:\Windows\system32\Neoieenp.exe37⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Nbcjnilj.exeC:\Windows\system32\Nbcjnilj.exe38⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Nimbkc32.exeC:\Windows\system32\Nimbkc32.exe39⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Nojjcj32.exeC:\Windows\system32\Nojjcj32.exe40⤵
- Executes dropped EXE
PID:2144 -
C:\Windows\SysWOW64\Nahgoe32.exeC:\Windows\system32\Nahgoe32.exe41⤵
- Executes dropped EXE
PID:336 -
C:\Windows\SysWOW64\Niooqcad.exeC:\Windows\system32\Niooqcad.exe42⤵
- Executes dropped EXE
PID:3488 -
C:\Windows\SysWOW64\Nlnkmnah.exeC:\Windows\system32\Nlnkmnah.exe43⤵
- Executes dropped EXE
PID:3700 -
C:\Windows\SysWOW64\Nkqkhk32.exeC:\Windows\system32\Nkqkhk32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2972 -
C:\Windows\SysWOW64\Nbgcih32.exeC:\Windows\system32\Nbgcih32.exe45⤵
- Executes dropped EXE
PID:4940 -
C:\Windows\SysWOW64\Oondnini.exeC:\Windows\system32\Oondnini.exe46⤵
- Executes dropped EXE
PID:3312 -
C:\Windows\SysWOW64\Oehlkc32.exeC:\Windows\system32\Oehlkc32.exe47⤵
- Executes dropped EXE
PID:3668 -
C:\Windows\SysWOW64\Olbdhn32.exeC:\Windows\system32\Olbdhn32.exe48⤵
- Executes dropped EXE
PID:2804 -
C:\Windows\SysWOW64\Okedcjcm.exeC:\Windows\system32\Okedcjcm.exe49⤵
- Executes dropped EXE
PID:3732 -
C:\Windows\SysWOW64\Oblmdhdo.exeC:\Windows\system32\Oblmdhdo.exe50⤵
- Executes dropped EXE
PID:4280 -
C:\Windows\SysWOW64\Oldamm32.exeC:\Windows\system32\Oldamm32.exe51⤵
- Executes dropped EXE
PID:928 -
C:\Windows\SysWOW64\Oemefcap.exeC:\Windows\system32\Oemefcap.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:2312 -
C:\Windows\SysWOW64\Olgncmim.exeC:\Windows\system32\Olgncmim.exe53⤵
- Executes dropped EXE
PID:3664 -
C:\Windows\SysWOW64\Okjnnj32.exeC:\Windows\system32\Okjnnj32.exe54⤵
- Executes dropped EXE
PID:3768 -
C:\Windows\SysWOW64\Obafpg32.exeC:\Windows\system32\Obafpg32.exe55⤵
- Executes dropped EXE
PID:3588 -
C:\Windows\SysWOW64\Oiknlagg.exeC:\Windows\system32\Oiknlagg.exe56⤵
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Oklkdi32.exeC:\Windows\system32\Oklkdi32.exe57⤵
- Executes dropped EXE
PID:4136 -
C:\Windows\SysWOW64\Oafcqcea.exeC:\Windows\system32\Oafcqcea.exe58⤵
- Executes dropped EXE
PID:4344 -
C:\Windows\SysWOW64\Pllgnl32.exeC:\Windows\system32\Pllgnl32.exe59⤵
- Executes dropped EXE
PID:1316 -
C:\Windows\SysWOW64\Pkogiikb.exeC:\Windows\system32\Pkogiikb.exe60⤵
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Pahpfc32.exeC:\Windows\system32\Pahpfc32.exe61⤵
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Phbhcmjl.exeC:\Windows\system32\Phbhcmjl.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3420 -
C:\Windows\SysWOW64\Polppg32.exeC:\Windows\system32\Polppg32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:1088 -
C:\Windows\SysWOW64\Pakllc32.exeC:\Windows\system32\Pakllc32.exe64⤵
- Executes dropped EXE
PID:1288 -
C:\Windows\SysWOW64\Poomegpf.exeC:\Windows\system32\Poomegpf.exe65⤵
- Executes dropped EXE
PID:976 -
C:\Windows\SysWOW64\Pamiaboj.exeC:\Windows\system32\Pamiaboj.exe66⤵PID:624
-
C:\Windows\SysWOW64\Pidabppl.exeC:\Windows\system32\Pidabppl.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:760 -
C:\Windows\SysWOW64\Papfgbmg.exeC:\Windows\system32\Papfgbmg.exe68⤵
- Drops file in System32 directory
- Modifies registry class
PID:3416 -
C:\Windows\SysWOW64\Phincl32.exeC:\Windows\system32\Phincl32.exe69⤵PID:1468
-
C:\Windows\SysWOW64\Pkhjph32.exeC:\Windows\system32\Pkhjph32.exe70⤵PID:5012
-
C:\Windows\SysWOW64\Pabblb32.exeC:\Windows\system32\Pabblb32.exe71⤵
- Modifies registry class
PID:3132 -
C:\Windows\SysWOW64\Piijno32.exeC:\Windows\system32\Piijno32.exe72⤵PID:3880
-
C:\Windows\SysWOW64\Qkjgegae.exeC:\Windows\system32\Qkjgegae.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:372 -
C:\Windows\SysWOW64\Qadoba32.exeC:\Windows\system32\Qadoba32.exe74⤵PID:860
-
C:\Windows\SysWOW64\Qikgco32.exeC:\Windows\system32\Qikgco32.exe75⤵
- System Location Discovery: System Language Discovery
PID:4164 -
C:\Windows\SysWOW64\Qljcoj32.exeC:\Windows\system32\Qljcoj32.exe76⤵PID:3820
-
C:\Windows\SysWOW64\Qcclld32.exeC:\Windows\system32\Qcclld32.exe77⤵
- Modifies registry class
PID:1676 -
C:\Windows\SysWOW64\Ajndioga.exeC:\Windows\system32\Ajndioga.exe78⤵PID:5108
-
C:\Windows\SysWOW64\Ahqddk32.exeC:\Windows\system32\Ahqddk32.exe79⤵PID:116
-
C:\Windows\SysWOW64\Aeddnp32.exeC:\Windows\system32\Aeddnp32.exe80⤵PID:1812
-
C:\Windows\SysWOW64\Aomifecf.exeC:\Windows\system32\Aomifecf.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2084 -
C:\Windows\SysWOW64\Aakebqbj.exeC:\Windows\system32\Aakebqbj.exe82⤵PID:4208
-
C:\Windows\SysWOW64\Alqjpi32.exeC:\Windows\system32\Alqjpi32.exe83⤵
- Modifies registry class
PID:4436 -
C:\Windows\SysWOW64\Aanbhp32.exeC:\Windows\system32\Aanbhp32.exe84⤵PID:428
-
C:\Windows\SysWOW64\Alcfei32.exeC:\Windows\system32\Alcfei32.exe85⤵PID:3012
-
C:\Windows\SysWOW64\Afkknogn.exeC:\Windows\system32\Afkknogn.exe86⤵
- Modifies registry class
PID:736 -
C:\Windows\SysWOW64\Akhcfe32.exeC:\Windows\system32\Akhcfe32.exe87⤵PID:2244
-
C:\Windows\SysWOW64\Acokhc32.exeC:\Windows\system32\Acokhc32.exe88⤵PID:3688
-
C:\Windows\SysWOW64\Bjicdmmd.exeC:\Windows\system32\Bjicdmmd.exe89⤵PID:2376
-
C:\Windows\SysWOW64\Boflmdkk.exeC:\Windows\system32\Boflmdkk.exe90⤵PID:5128
-
C:\Windows\SysWOW64\Bbdhiojo.exeC:\Windows\system32\Bbdhiojo.exe91⤵PID:5172
-
C:\Windows\SysWOW64\Bhoqeibl.exeC:\Windows\system32\Bhoqeibl.exe92⤵PID:5204
-
C:\Windows\SysWOW64\Bljlfh32.exeC:\Windows\system32\Bljlfh32.exe93⤵PID:5248
-
C:\Windows\SysWOW64\Bohibc32.exeC:\Windows\system32\Bohibc32.exe94⤵PID:5296
-
C:\Windows\SysWOW64\Bbgeno32.exeC:\Windows\system32\Bbgeno32.exe95⤵PID:5356
-
C:\Windows\SysWOW64\Bjnmpl32.exeC:\Windows\system32\Bjnmpl32.exe96⤵PID:5400
-
C:\Windows\SysWOW64\Bmlilh32.exeC:\Windows\system32\Bmlilh32.exe97⤵PID:5468
-
C:\Windows\SysWOW64\Bkoigdom.exeC:\Windows\system32\Bkoigdom.exe98⤵PID:5520
-
C:\Windows\SysWOW64\Bokehc32.exeC:\Windows\system32\Bokehc32.exe99⤵PID:5568
-
C:\Windows\SysWOW64\Bbiado32.exeC:\Windows\system32\Bbiado32.exe100⤵PID:5612
-
C:\Windows\SysWOW64\Bfendmoc.exeC:\Windows\system32\Bfendmoc.exe101⤵
- Modifies registry class
PID:5688 -
C:\Windows\SysWOW64\Bhcjqinf.exeC:\Windows\system32\Bhcjqinf.exe102⤵PID:5740
-
C:\Windows\SysWOW64\Bmofagfp.exeC:\Windows\system32\Bmofagfp.exe103⤵PID:5796
-
C:\Windows\SysWOW64\Bombmcec.exeC:\Windows\system32\Bombmcec.exe104⤵PID:5852
-
C:\Windows\SysWOW64\Bcinna32.exeC:\Windows\system32\Bcinna32.exe105⤵PID:5896
-
C:\Windows\SysWOW64\Bfgjjm32.exeC:\Windows\system32\Bfgjjm32.exe106⤵PID:5944
-
C:\Windows\SysWOW64\Bheffh32.exeC:\Windows\system32\Bheffh32.exe107⤵
- Modifies registry class
PID:5988 -
C:\Windows\SysWOW64\Bmabggdm.exeC:\Windows\system32\Bmabggdm.exe108⤵PID:6028
-
C:\Windows\SysWOW64\Bkdcbd32.exeC:\Windows\system32\Bkdcbd32.exe109⤵
- Drops file in System32 directory
PID:6072 -
C:\Windows\SysWOW64\Bckkca32.exeC:\Windows\system32\Bckkca32.exe110⤵
- Modifies registry class
PID:6124 -
C:\Windows\SysWOW64\Bbnkonbd.exeC:\Windows\system32\Bbnkonbd.exe111⤵PID:5152
-
C:\Windows\SysWOW64\Cjecpkcg.exeC:\Windows\system32\Cjecpkcg.exe112⤵PID:5244
-
C:\Windows\SysWOW64\Cihclh32.exeC:\Windows\system32\Cihclh32.exe113⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5292 -
C:\Windows\SysWOW64\Ckfphc32.exeC:\Windows\system32\Ckfphc32.exe114⤵PID:5380
-
C:\Windows\SysWOW64\Ccmgiaig.exeC:\Windows\system32\Ccmgiaig.exe115⤵
- Drops file in System32 directory
PID:5480 -
C:\Windows\SysWOW64\Cjgpfk32.exeC:\Windows\system32\Cjgpfk32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5556 -
C:\Windows\SysWOW64\Cmflbf32.exeC:\Windows\system32\Cmflbf32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5696 -
C:\Windows\SysWOW64\Codhnb32.exeC:\Windows\system32\Codhnb32.exe118⤵PID:5760
-
C:\Windows\SysWOW64\Cbbdjm32.exeC:\Windows\system32\Cbbdjm32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5848 -
C:\Windows\SysWOW64\Cmhigf32.exeC:\Windows\system32\Cmhigf32.exe120⤵PID:5936
-
C:\Windows\SysWOW64\Cfqmpl32.exeC:\Windows\system32\Cfqmpl32.exe121⤵PID:6004
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-