Analysis
-
max time kernel
107s -
max time network
108s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
05-11-2024 15:56
Behavioral task
behavioral1
Sample
03a6c7b50d5e1d34b2f8b2671d4a48c44a846ac3d35b0030feb6db028efbd9eeN.exe
Resource
win7-20240903-en
windows7-x64
12 signatures
120 seconds
General
-
Target
03a6c7b50d5e1d34b2f8b2671d4a48c44a846ac3d35b0030feb6db028efbd9eeN.exe
-
Size
93KB
-
MD5
e16cdac65f5e7886464a941b4e8a3b60
-
SHA1
97f4bd1fbd462fdc5bf36e60c80d1cd6aaa46692
-
SHA256
03a6c7b50d5e1d34b2f8b2671d4a48c44a846ac3d35b0030feb6db028efbd9ee
-
SHA512
eb85deda12c607bcbed743488b1049f50601f345cddbdb32af1138e4a88ed1880736201df94dea2262d84820a5381ea7012a2b8829b57752393617a9af3878c9
-
SSDEEP
1536:T7+FkGWqlCYP0ijnhTtB8rdo7hOp1DaYfMZRWuLsV+1Z:TEkGWKRBYhohOpgYfc0DV+1Z
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Fdhcgaic.exeEjfeng32.exeAogbfi32.exeMekgdl32.exeCbbdjm32.exeIbcaknbi.exeGigheh32.exeDhlpqc32.exeInomhbeq.exeFfobhg32.exeLklbdm32.exeEhcfaboo.exePocpfphe.exeBnfihkqm.exeMcbpjg32.exeNqpcjj32.exeBpnihiio.exeHifcgion.exeMgnlkfal.exeBobabg32.exeBmmpfn32.exeKnooej32.exeIlnbicff.exeBjnmpl32.exeBmofagfp.exeHloqml32.exeHlambk32.exeLknojl32.exeCcbadp32.exeBkaobnio.exeNcqlkemc.exeApaadpng.exeDcogje32.exeJjmcnbdm.exeElbhjp32.exeCmdfgm32.exeAggpfkjj.exeFligqhga.exeHdkidohn.exeLnnbqnjn.exeJpaleglc.exeFlkdfh32.exeEnpmld32.exeHemdlj32.exePaeelgnj.exePcicklnn.exeCmhigf32.exeFbfcmhpg.exeCmfclm32.exeLmdemd32.exeGnqfcbnj.exeMblcnj32.exeOkkdic32.exeOlgemcli.exeCioilg32.exePajeam32.exeBifmqo32.exeGnjjfegi.exeOhfami32.exeFmkqpkla.exePhjenbhp.exeIdhnkf32.exeKcndbp32.exedescription ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdhcgaic.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejfeng32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aogbfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mekgdl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbbdjm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibcaknbi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gigheh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhlpqc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inomhbeq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffobhg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lklbdm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehcfaboo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pocpfphe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnfihkqm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcbpjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nqpcjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpnihiio.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hifcgion.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgnlkfal.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bobabg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmmpfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knooej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilnbicff.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjnmpl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmofagfp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hloqml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlambk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lknojl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccbadp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkaobnio.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlambk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncqlkemc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apaadpng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcogje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjmcnbdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elbhjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmdfgm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aggpfkjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fligqhga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdkidohn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnnbqnjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpaleglc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flkdfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enpmld32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hemdlj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paeelgnj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcicklnn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmhigf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbfcmhpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmfclm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmdemd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnqfcbnj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mblcnj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okkdic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olgemcli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cioilg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pajeam32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bifmqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnjjfegi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohfami32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmkqpkla.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phjenbhp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idhnkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcndbp32.exe -
Berbew family
-
Njrat family
-
Executes dropped EXE 64 IoCs
Processes:
Mpnnle32.exeMekgdl32.exeMleoafmn.exeMbognp32.exeNhlpfgbb.exeNpchgdcd.exeNeppokal.exeNhnlkfpp.exeNohehq32.exeNgomin32.exeNhpiafnm.exeNpgabc32.exeNedjjj32.exeNlnbgddc.exeNgdfdmdi.exeNibbqicm.exeNplkmckj.exeNcjginjn.exeOidofh32.exeOoagno32.exeOghppm32.exeOhjlgefb.exeOgklelna.exeOlgemcli.exeOofaiokl.exeOgmijllo.exeOljaccjf.exeOcdjpmac.exeOebflhaf.exeOphjiaql.exeOcffempp.exePjpobg32.exePpjgoaoj.exePcicklnn.exePjbkgfej.exePpmcdq32.exePckppl32.exePfillg32.exePlcdiabk.exePpopjp32.exePcmlfl32.exePflibgil.exePhjenbhp.exeAjqgidij.exeAqkpeopg.exeAhfdjanb.exeAckigjmh.exeAjeadd32.exeAobilkcl.exeAgiamhdo.exeAijnep32.exeAmfjeobf.exeAcpbbi32.exeAjjjocap.exeAmhfkopc.exeBogcgj32.exeBfqkddfd.exeBiogppeg.exeBmkcqn32.exeBoipmj32.exeBgpgng32.exeBjodjb32.exeBmmpfn32.exeBcghch32.exepid Process 3900 Mpnnle32.exe 3580 Mekgdl32.exe 3548 Mleoafmn.exe 4452 Mbognp32.exe 1284 Nhlpfgbb.exe 184 Npchgdcd.exe 4524 Neppokal.exe 3308 Nhnlkfpp.exe 3948 Nohehq32.exe 3632 Ngomin32.exe 2072 Nhpiafnm.exe 4556 Npgabc32.exe 3812 Nedjjj32.exe 704 Nlnbgddc.exe 4104 Ngdfdmdi.exe 60 Nibbqicm.exe 2476 Nplkmckj.exe 920 Ncjginjn.exe 708 Oidofh32.exe 3540 Ooagno32.exe 3484 Oghppm32.exe 4304 Ohjlgefb.exe 1220 Ogklelna.exe 1844 Olgemcli.exe 4028 Oofaiokl.exe 316 Ogmijllo.exe 5044 Oljaccjf.exe 1896 Ocdjpmac.exe 548 Oebflhaf.exe 4360 Ophjiaql.exe 4996 Ocffempp.exe 8 Pjpobg32.exe 968 Ppjgoaoj.exe 4364 Pcicklnn.exe 4464 Pjbkgfej.exe 2388 Ppmcdq32.exe 2704 Pckppl32.exe 1188 Pfillg32.exe 4152 Plcdiabk.exe 404 Ppopjp32.exe 1940 Pcmlfl32.exe 3968 Pflibgil.exe 2532 Phjenbhp.exe 4008 Ajqgidij.exe 3036 Aqkpeopg.exe 1600 Ahfdjanb.exe 2548 Ackigjmh.exe 2244 Ajeadd32.exe 1664 Aobilkcl.exe 4560 Agiamhdo.exe 1916 Aijnep32.exe 1952 Amfjeobf.exe 1504 Acpbbi32.exe 1372 Ajjjocap.exe 1044 Amhfkopc.exe 4416 Bogcgj32.exe 5040 Bfqkddfd.exe 572 Biogppeg.exe 892 Bmkcqn32.exe 2032 Boipmj32.exe 2776 Bgpgng32.exe 4504 Bjodjb32.exe 1156 Bmmpfn32.exe 4772 Bcghch32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Njmhhefi.exeKgiiiidd.exeMfnoqc32.exeMcgiefen.exeAjqgidij.exeMehcdfch.exeMblcnj32.exeAcmobchj.exeOghghb32.exeLeopnglc.exeOeheqm32.exeGehbjm32.exeOlfghg32.exeIckglm32.exeKcpjnjii.exeMnjqmpgg.exeInjcmc32.exeLmmolepp.exeMglfplgk.exeNlhkgi32.exeImpliekg.exeOgmijllo.exeIgpdfb32.exeLgepom32.exeHmbphg32.exeFnlmhc32.exeNhnlkfpp.exeBokehc32.exeEjfeng32.exeNhokljge.exeHpnoncim.exeQdoacabq.exeIngpmmgm.exeJnhidk32.exeMnhkbfme.exeOoagno32.exeJjjghcfp.exeKkcfid32.exeBbiado32.exeBhkfkmmg.exeOofaiokl.exeGaopfe32.exeLklbdm32.exeEkkkoj32.exeFmhdkknd.exeIlnbicff.exeOghppm32.exeBogcgj32.exeDgejpd32.exeGfkbde32.exeFihnomjp.exeCgcmjd32.exeEangpgcl.exeMkohaj32.exeCpeohh32.exeBnoknihb.exePjpfjl32.exeKndojobi.exeKenggi32.exeFlngfn32.exeChlflabp.exeIedjmioj.exeLlmhaold.exedescription ioc Process File created C:\Windows\SysWOW64\Gbfnhm32.dll Njmhhefi.exe File opened for modification C:\Windows\SysWOW64\Kflide32.exe Kgiiiidd.exe File created C:\Windows\SysWOW64\Mnegbp32.exe Mfnoqc32.exe File created C:\Windows\SysWOW64\Okehmlqi.dll Mcgiefen.exe File created C:\Windows\SysWOW64\Dfljoa32.dll Ajqgidij.exe File created C:\Windows\SysWOW64\Mieced32.dll Mehcdfch.exe File created C:\Windows\SysWOW64\Fkcocace.dll Mblcnj32.exe File created C:\Windows\SysWOW64\Fjdiliki.dll Acmobchj.exe File opened for modification C:\Windows\SysWOW64\Ojfcdnjc.exe Oghghb32.exe File opened for modification C:\Windows\SysWOW64\Llhikacp.exe Leopnglc.exe File created C:\Windows\SysWOW64\Ohfami32.exe Oeheqm32.exe File opened for modification C:\Windows\SysWOW64\Glbjggof.exe Gehbjm32.exe File created C:\Windows\SysWOW64\Mmddqemj.dll Olfghg32.exe File created C:\Windows\SysWOW64\Ieidhh32.exe Ickglm32.exe File created C:\Windows\SysWOW64\Eelche32.dll Kcpjnjii.exe File opened for modification C:\Windows\SysWOW64\Mqimikfj.exe Mnjqmpgg.exe File created C:\Windows\SysWOW64\Iafonaao.exe Injcmc32.exe File opened for modification C:\Windows\SysWOW64\Lddgmbpb.exe Lmmolepp.exe File opened for modification C:\Windows\SysWOW64\Mjkblhfo.exe Mglfplgk.exe File created C:\Windows\SysWOW64\Njkkbehl.exe Nlhkgi32.exe File created C:\Windows\SysWOW64\Joahqn32.exe Impliekg.exe File opened for modification C:\Windows\SysWOW64\Oljaccjf.exe Ogmijllo.exe File created C:\Windows\SysWOW64\Iphioh32.exe Igpdfb32.exe File created C:\Windows\SysWOW64\Haaaidfk.dll Lgepom32.exe File opened for modification C:\Windows\SysWOW64\Hbohpn32.exe Hmbphg32.exe File opened for modification C:\Windows\SysWOW64\Fefedmil.exe Fnlmhc32.exe File created C:\Windows\SysWOW64\Nohehq32.exe Nhnlkfpp.exe File created C:\Windows\SysWOW64\Fdflahpe.dll Bokehc32.exe File created C:\Windows\SysWOW64\Fbajbi32.exe Ejfeng32.exe File created C:\Windows\SysWOW64\Nlkgmh32.exe Nhokljge.exe File created C:\Windows\SysWOW64\Jiejjepo.dll Hpnoncim.exe File created C:\Windows\SysWOW64\Qfmmplad.exe Qdoacabq.exe File opened for modification C:\Windows\SysWOW64\Igpdfb32.exe Ingpmmgm.exe File opened for modification C:\Windows\SysWOW64\Jdaaaeqg.exe Jnhidk32.exe File created C:\Windows\SysWOW64\Mmkkmc32.exe Mnhkbfme.exe File opened for modification C:\Windows\SysWOW64\Oghppm32.exe Ooagno32.exe File created C:\Windows\SysWOW64\Jdpkflfe.exe Jjjghcfp.exe File opened for modification C:\Windows\SysWOW64\Knbbep32.exe Kkcfid32.exe File created C:\Windows\SysWOW64\Bfendmoc.exe Bbiado32.exe File opened for modification C:\Windows\SysWOW64\Boenhgdd.exe Bhkfkmmg.exe File created C:\Windows\SysWOW64\Ogmijllo.exe Oofaiokl.exe File created C:\Windows\SysWOW64\Qkdbgdbg.dll Gaopfe32.exe File created C:\Windows\SysWOW64\Dmmcnn32.dll Lklbdm32.exe File created C:\Windows\SysWOW64\Enigke32.exe Ekkkoj32.exe File created C:\Windows\SysWOW64\Flkdfh32.exe Fmhdkknd.exe File opened for modification C:\Windows\SysWOW64\Ibhkfm32.exe Ilnbicff.exe File opened for modification C:\Windows\SysWOW64\Ohjlgefb.exe Oghppm32.exe File created C:\Windows\SysWOW64\Bfqkddfd.exe Bogcgj32.exe File created C:\Windows\SysWOW64\Djdflp32.exe Dgejpd32.exe File opened for modification C:\Windows\SysWOW64\Gpcfmkff.exe Gfkbde32.exe File opened for modification C:\Windows\SysWOW64\Flfkkhid.exe Fihnomjp.exe File opened for modification C:\Windows\SysWOW64\Cjaifp32.exe Cgcmjd32.exe File opened for modification C:\Windows\SysWOW64\Edmclccp.exe Eangpgcl.exe File opened for modification C:\Windows\SysWOW64\Bbiado32.exe Bokehc32.exe File created C:\Windows\SysWOW64\Dpglbfpm.dll Mkohaj32.exe File opened for modification C:\Windows\SysWOW64\Cglgjeci.exe Cpeohh32.exe File created C:\Windows\SysWOW64\Ciggeb32.dll Bnoknihb.exe File created C:\Windows\SysWOW64\Paiogf32.exe Pjpfjl32.exe File opened for modification C:\Windows\SysWOW64\Kenggi32.exe Kndojobi.exe File opened for modification C:\Windows\SysWOW64\Knflpoqf.exe Kenggi32.exe File opened for modification C:\Windows\SysWOW64\Ffclcgfn.exe Flngfn32.exe File created C:\Windows\SysWOW64\Mbibld32.dll Chlflabp.exe File created C:\Windows\SysWOW64\Lpcncmnn.dll Iedjmioj.exe File created C:\Windows\SysWOW64\Ombnni32.dll Llmhaold.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target Process procid_target 4924 4584 WerFault.exe 932 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Cbgnemjj.exeJnlkedai.exeLbgalmej.exeIgpdfb32.exePonfka32.exeNqpcjj32.exeCpeohh32.exeDcigeooj.exeHbjoeojc.exeNadleilm.exeQjfmkk32.exePcmlfl32.exeHacbhb32.exeOohgdhfn.exeMkmkkjko.exeOhfami32.exeDabhdinj.exeBnfihkqm.exeCihclh32.exeDcpmen32.exePjpfjl32.exeEaqdegaj.exeHjjnae32.exeCfqmpl32.exeCioilg32.exePocfpf32.exeDdnfmqng.exeFlmqlg32.exeBfqkddfd.exeLqkgbcff.exeAahbbkaq.exeEmjgim32.exeKflide32.exeGeohklaa.exeFpjjac32.exeEblpgjha.exeLokdnjkg.exeNgdfdmdi.exeFbajbi32.exeGlbjggof.exeOocmii32.exeCjjcfabm.exeIphioh32.exeIlafiihp.exeAhdged32.exeBpnihiio.exeJlobkg32.exeDflfac32.exeKgflcifg.exeDfiildio.exeOnkidm32.exeLjceqb32.exeMcbpjg32.exeGijekg32.exeJkomneim.exeNliaao32.exeQljcoj32.exeEjfeng32.exeHlcjhkdp.exeNenbjo32.exeMqimikfj.exeClchbqoo.exeIeidhh32.exeAagkhd32.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbgnemjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnlkedai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbgalmej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igpdfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ponfka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqpcjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpeohh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcigeooj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbjoeojc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nadleilm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjfmkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcmlfl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hacbhb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oohgdhfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkmkkjko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohfami32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dabhdinj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnfihkqm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cihclh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcpmen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjpfjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eaqdegaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjjnae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfqmpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cioilg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pocfpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddnfmqng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flmqlg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfqkddfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqkgbcff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aahbbkaq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emjgim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kflide32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geohklaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpjjac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eblpgjha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lokdnjkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngdfdmdi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbajbi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glbjggof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oocmii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjjcfabm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iphioh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilafiihp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahdged32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpnihiio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlobkg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dflfac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgflcifg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfiildio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onkidm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljceqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcbpjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gijekg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkomneim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nliaao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qljcoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejfeng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlcjhkdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nenbjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqimikfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clchbqoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieidhh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aagkhd32.exe -
Modifies registry class 64 IoCs
Processes:
Jpenfp32.exeKniieo32.exeBkmmaeap.exePoliea32.exeKkpbin32.exeOcgbld32.exeBgelgi32.exeIgqkqiai.exeEblpgjha.exeHgfapd32.exePpopjp32.exeOkkdic32.exeAhbjoe32.exeJinboekc.exeKgiiiidd.exePlcdiabk.exeNbnpcj32.exeNjmhhefi.exeGimqajgh.exeOakbehfe.exeEjalcgkg.exeMonjjgkb.exeDdgibkpc.exeHkjjlhle.exeKecabifp.exeLlhikacp.exeJnlkedai.exeLcimdh32.exeOnkidm32.exePifnhpmi.exeEicedn32.exeJpaekqhh.exeBdickcpo.exeQpeahb32.exeCjmpkqqj.exeLndham32.exeNihipdhl.exeMnegbp32.exePdenmbkk.exeAmnlme32.exeCdbpgl32.exeGdoihpbk.exeCdbfab32.exeEkodjiol.exeOphjiaql.exeBfedoc32.exeKenggi32.exeFlinkojm.exeKcbfcigf.exeCnjdpaki.exeKcpahpmd.exeMglfplgk.exeJngbjd32.exeIqpfjnba.exeNjkkbehl.exeAonoao32.exeHpnoncim.exeDmbbhkjf.exeFiliii32.exeGmeakf32.exeHmbfbn32.exeAhgcjddh.exeHedafk32.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpenfp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kniieo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkmmaeap.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Poliea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkpbin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ocgbld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlobem32.dll" Bgelgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igqkqiai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eblpgjha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hgfapd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lddkje32.dll" Ppopjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okkdic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahbjoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jinboekc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjdbkbbn.dll" Kgiiiidd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Plcdiabk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nbnpcj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njmhhefi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gimqajgh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oakbehfe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ejalcgkg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Monjjgkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddgibkpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkjjlhle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elcfgpga.dll" Kecabifp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpchnbbb.dll" Llhikacp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifenan32.dll" Jnlkedai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcimdh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onkidm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pifnhpmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eicedn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpaekqhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdickcpo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qpeahb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjmpkqqj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lndham32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nihipdhl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnegbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdenmbkk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amnlme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ennamn32.dll" Cdbpgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqcmhb32.dll" Gdoihpbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khfclo32.dll" Cdbfab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abdkep32.dll" Ekodjiol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ophjiaql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Haffcnib.dll" Bfedoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cclnpmna.dll" Kenggi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Flinkojm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kcbfcigf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnjdpaki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kcpahpmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mglfplgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jngbjd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkjjlhle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iqpfjnba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njkkbehl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbbiec32.dll" Aonoao32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpnoncim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmbbhkjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmdjdfgl.dll" Filiii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkiebg32.dll" Gmeakf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmbfbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahgcjddh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hedafk32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
03a6c7b50d5e1d34b2f8b2671d4a48c44a846ac3d35b0030feb6db028efbd9eeN.exeMpnnle32.exeMekgdl32.exeMleoafmn.exeMbognp32.exeNhlpfgbb.exeNpchgdcd.exeNeppokal.exeNhnlkfpp.exeNohehq32.exeNgomin32.exeNhpiafnm.exeNpgabc32.exeNedjjj32.exeNlnbgddc.exeNgdfdmdi.exeNibbqicm.exeNplkmckj.exeNcjginjn.exeOidofh32.exeOoagno32.exeOghppm32.exedescription pid Process procid_target PID 2620 wrote to memory of 3900 2620 03a6c7b50d5e1d34b2f8b2671d4a48c44a846ac3d35b0030feb6db028efbd9eeN.exe 84 PID 2620 wrote to memory of 3900 2620 03a6c7b50d5e1d34b2f8b2671d4a48c44a846ac3d35b0030feb6db028efbd9eeN.exe 84 PID 2620 wrote to memory of 3900 2620 03a6c7b50d5e1d34b2f8b2671d4a48c44a846ac3d35b0030feb6db028efbd9eeN.exe 84 PID 3900 wrote to memory of 3580 3900 Mpnnle32.exe 85 PID 3900 wrote to memory of 3580 3900 Mpnnle32.exe 85 PID 3900 wrote to memory of 3580 3900 Mpnnle32.exe 85 PID 3580 wrote to memory of 3548 3580 Mekgdl32.exe 86 PID 3580 wrote to memory of 3548 3580 Mekgdl32.exe 86 PID 3580 wrote to memory of 3548 3580 Mekgdl32.exe 86 PID 3548 wrote to memory of 4452 3548 Mleoafmn.exe 87 PID 3548 wrote to memory of 4452 3548 Mleoafmn.exe 87 PID 3548 wrote to memory of 4452 3548 Mleoafmn.exe 87 PID 4452 wrote to memory of 1284 4452 Mbognp32.exe 88 PID 4452 wrote to memory of 1284 4452 Mbognp32.exe 88 PID 4452 wrote to memory of 1284 4452 Mbognp32.exe 88 PID 1284 wrote to memory of 184 1284 Nhlpfgbb.exe 89 PID 1284 wrote to memory of 184 1284 Nhlpfgbb.exe 89 PID 1284 wrote to memory of 184 1284 Nhlpfgbb.exe 89 PID 184 wrote to memory of 4524 184 Npchgdcd.exe 90 PID 184 wrote to memory of 4524 184 Npchgdcd.exe 90 PID 184 wrote to memory of 4524 184 Npchgdcd.exe 90 PID 4524 wrote to memory of 3308 4524 Neppokal.exe 91 PID 4524 wrote to memory of 3308 4524 Neppokal.exe 91 PID 4524 wrote to memory of 3308 4524 Neppokal.exe 91 PID 3308 wrote to memory of 3948 3308 Nhnlkfpp.exe 92 PID 3308 wrote to memory of 3948 3308 Nhnlkfpp.exe 92 PID 3308 wrote to memory of 3948 3308 Nhnlkfpp.exe 92 PID 3948 wrote to memory of 3632 3948 Nohehq32.exe 93 PID 3948 wrote to memory of 3632 3948 Nohehq32.exe 93 PID 3948 wrote to memory of 3632 3948 Nohehq32.exe 93 PID 3632 wrote to memory of 2072 3632 Ngomin32.exe 94 PID 3632 wrote to memory of 2072 3632 Ngomin32.exe 94 PID 3632 wrote to memory of 2072 3632 Ngomin32.exe 94 PID 2072 wrote to memory of 4556 2072 Nhpiafnm.exe 95 PID 2072 wrote to memory of 4556 2072 Nhpiafnm.exe 95 PID 2072 wrote to memory of 4556 2072 Nhpiafnm.exe 95 PID 4556 wrote to memory of 3812 4556 Npgabc32.exe 96 PID 4556 wrote to memory of 3812 4556 Npgabc32.exe 96 PID 4556 wrote to memory of 3812 4556 Npgabc32.exe 96 PID 3812 wrote to memory of 704 3812 Nedjjj32.exe 97 PID 3812 wrote to memory of 704 3812 Nedjjj32.exe 97 PID 3812 wrote to memory of 704 3812 Nedjjj32.exe 97 PID 704 wrote to memory of 4104 704 Nlnbgddc.exe 98 PID 704 wrote to memory of 4104 704 Nlnbgddc.exe 98 PID 704 wrote to memory of 4104 704 Nlnbgddc.exe 98 PID 4104 wrote to memory of 60 4104 Ngdfdmdi.exe 99 PID 4104 wrote to memory of 60 4104 Ngdfdmdi.exe 99 PID 4104 wrote to memory of 60 4104 Ngdfdmdi.exe 99 PID 60 wrote to memory of 2476 60 Nibbqicm.exe 100 PID 60 wrote to memory of 2476 60 Nibbqicm.exe 100 PID 60 wrote to memory of 2476 60 Nibbqicm.exe 100 PID 2476 wrote to memory of 920 2476 Nplkmckj.exe 102 PID 2476 wrote to memory of 920 2476 Nplkmckj.exe 102 PID 2476 wrote to memory of 920 2476 Nplkmckj.exe 102 PID 920 wrote to memory of 708 920 Ncjginjn.exe 103 PID 920 wrote to memory of 708 920 Ncjginjn.exe 103 PID 920 wrote to memory of 708 920 Ncjginjn.exe 103 PID 708 wrote to memory of 3540 708 Oidofh32.exe 104 PID 708 wrote to memory of 3540 708 Oidofh32.exe 104 PID 708 wrote to memory of 3540 708 Oidofh32.exe 104 PID 3540 wrote to memory of 3484 3540 Ooagno32.exe 105 PID 3540 wrote to memory of 3484 3540 Ooagno32.exe 105 PID 3540 wrote to memory of 3484 3540 Ooagno32.exe 105 PID 3484 wrote to memory of 4304 3484 Oghppm32.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\03a6c7b50d5e1d34b2f8b2671d4a48c44a846ac3d35b0030feb6db028efbd9eeN.exe"C:\Users\Admin\AppData\Local\Temp\03a6c7b50d5e1d34b2f8b2671d4a48c44a846ac3d35b0030feb6db028efbd9eeN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Mpnnle32.exeC:\Windows\system32\Mpnnle32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3900 -
C:\Windows\SysWOW64\Mekgdl32.exeC:\Windows\system32\Mekgdl32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3580 -
C:\Windows\SysWOW64\Mleoafmn.exeC:\Windows\system32\Mleoafmn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3548 -
C:\Windows\SysWOW64\Mbognp32.exeC:\Windows\system32\Mbognp32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4452 -
C:\Windows\SysWOW64\Nhlpfgbb.exeC:\Windows\system32\Nhlpfgbb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1284 -
C:\Windows\SysWOW64\Npchgdcd.exeC:\Windows\system32\Npchgdcd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:184 -
C:\Windows\SysWOW64\Neppokal.exeC:\Windows\system32\Neppokal.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4524 -
C:\Windows\SysWOW64\Nhnlkfpp.exeC:\Windows\system32\Nhnlkfpp.exe9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3308 -
C:\Windows\SysWOW64\Nohehq32.exeC:\Windows\system32\Nohehq32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3948 -
C:\Windows\SysWOW64\Ngomin32.exeC:\Windows\system32\Ngomin32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3632 -
C:\Windows\SysWOW64\Nhpiafnm.exeC:\Windows\system32\Nhpiafnm.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\Windows\SysWOW64\Npgabc32.exeC:\Windows\system32\Npgabc32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4556 -
C:\Windows\SysWOW64\Nedjjj32.exeC:\Windows\system32\Nedjjj32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3812 -
C:\Windows\SysWOW64\Nlnbgddc.exeC:\Windows\system32\Nlnbgddc.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:704 -
C:\Windows\SysWOW64\Ngdfdmdi.exeC:\Windows\system32\Ngdfdmdi.exe16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4104 -
C:\Windows\SysWOW64\Nibbqicm.exeC:\Windows\system32\Nibbqicm.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:60 -
C:\Windows\SysWOW64\Nplkmckj.exeC:\Windows\system32\Nplkmckj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Windows\SysWOW64\Ncjginjn.exeC:\Windows\system32\Ncjginjn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:920 -
C:\Windows\SysWOW64\Oidofh32.exeC:\Windows\system32\Oidofh32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:708 -
C:\Windows\SysWOW64\Ooagno32.exeC:\Windows\system32\Ooagno32.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3540 -
C:\Windows\SysWOW64\Oghppm32.exeC:\Windows\system32\Oghppm32.exe22⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3484 -
C:\Windows\SysWOW64\Ohjlgefb.exeC:\Windows\system32\Ohjlgefb.exe23⤵
- Executes dropped EXE
PID:4304 -
C:\Windows\SysWOW64\Ogklelna.exeC:\Windows\system32\Ogklelna.exe24⤵
- Executes dropped EXE
PID:1220 -
C:\Windows\SysWOW64\Olgemcli.exeC:\Windows\system32\Olgemcli.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1844 -
C:\Windows\SysWOW64\Oofaiokl.exeC:\Windows\system32\Oofaiokl.exe26⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4028 -
C:\Windows\SysWOW64\Ogmijllo.exeC:\Windows\system32\Ogmijllo.exe27⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:316 -
C:\Windows\SysWOW64\Oljaccjf.exeC:\Windows\system32\Oljaccjf.exe28⤵
- Executes dropped EXE
PID:5044 -
C:\Windows\SysWOW64\Ocdjpmac.exeC:\Windows\system32\Ocdjpmac.exe29⤵
- Executes dropped EXE
PID:1896 -
C:\Windows\SysWOW64\Oebflhaf.exeC:\Windows\system32\Oebflhaf.exe30⤵
- Executes dropped EXE
PID:548 -
C:\Windows\SysWOW64\Ophjiaql.exeC:\Windows\system32\Ophjiaql.exe31⤵
- Executes dropped EXE
- Modifies registry class
PID:4360 -
C:\Windows\SysWOW64\Ocffempp.exeC:\Windows\system32\Ocffempp.exe32⤵
- Executes dropped EXE
PID:4996 -
C:\Windows\SysWOW64\Pjpobg32.exeC:\Windows\system32\Pjpobg32.exe33⤵
- Executes dropped EXE
PID:8 -
C:\Windows\SysWOW64\Ppjgoaoj.exeC:\Windows\system32\Ppjgoaoj.exe34⤵
- Executes dropped EXE
PID:968 -
C:\Windows\SysWOW64\Pcicklnn.exeC:\Windows\system32\Pcicklnn.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4364 -
C:\Windows\SysWOW64\Pjbkgfej.exeC:\Windows\system32\Pjbkgfej.exe36⤵
- Executes dropped EXE
PID:4464 -
C:\Windows\SysWOW64\Ppmcdq32.exeC:\Windows\system32\Ppmcdq32.exe37⤵
- Executes dropped EXE
PID:2388 -
C:\Windows\SysWOW64\Pckppl32.exeC:\Windows\system32\Pckppl32.exe38⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Pfillg32.exeC:\Windows\system32\Pfillg32.exe39⤵
- Executes dropped EXE
PID:1188 -
C:\Windows\SysWOW64\Plcdiabk.exeC:\Windows\system32\Plcdiabk.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:4152 -
C:\Windows\SysWOW64\Ppopjp32.exeC:\Windows\system32\Ppopjp32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:404 -
C:\Windows\SysWOW64\Pcmlfl32.exeC:\Windows\system32\Pcmlfl32.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1940 -
C:\Windows\SysWOW64\Pflibgil.exeC:\Windows\system32\Pflibgil.exe43⤵
- Executes dropped EXE
PID:3968 -
C:\Windows\SysWOW64\Phjenbhp.exeC:\Windows\system32\Phjenbhp.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2532 -
C:\Windows\SysWOW64\Ajqgidij.exeC:\Windows\system32\Ajqgidij.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4008 -
C:\Windows\SysWOW64\Aqkpeopg.exeC:\Windows\system32\Aqkpeopg.exe46⤵
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Ahfdjanb.exeC:\Windows\system32\Ahfdjanb.exe47⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Ackigjmh.exeC:\Windows\system32\Ackigjmh.exe48⤵
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\Ajeadd32.exeC:\Windows\system32\Ajeadd32.exe49⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Aobilkcl.exeC:\Windows\system32\Aobilkcl.exe50⤵
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Agiamhdo.exeC:\Windows\system32\Agiamhdo.exe51⤵
- Executes dropped EXE
PID:4560 -
C:\Windows\SysWOW64\Aijnep32.exeC:\Windows\system32\Aijnep32.exe52⤵
- Executes dropped EXE
PID:1916 -
C:\Windows\SysWOW64\Amfjeobf.exeC:\Windows\system32\Amfjeobf.exe53⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Acpbbi32.exeC:\Windows\system32\Acpbbi32.exe54⤵
- Executes dropped EXE
PID:1504 -
C:\Windows\SysWOW64\Ajjjocap.exeC:\Windows\system32\Ajjjocap.exe55⤵
- Executes dropped EXE
PID:1372 -
C:\Windows\SysWOW64\Amhfkopc.exeC:\Windows\system32\Amhfkopc.exe56⤵
- Executes dropped EXE
PID:1044 -
C:\Windows\SysWOW64\Bogcgj32.exeC:\Windows\system32\Bogcgj32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4416 -
C:\Windows\SysWOW64\Bfqkddfd.exeC:\Windows\system32\Bfqkddfd.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5040 -
C:\Windows\SysWOW64\Biogppeg.exeC:\Windows\system32\Biogppeg.exe59⤵
- Executes dropped EXE
PID:572 -
C:\Windows\SysWOW64\Bmkcqn32.exeC:\Windows\system32\Bmkcqn32.exe60⤵
- Executes dropped EXE
PID:892 -
C:\Windows\SysWOW64\Boipmj32.exeC:\Windows\system32\Boipmj32.exe61⤵
- Executes dropped EXE
PID:2032 -
C:\Windows\SysWOW64\Bgpgng32.exeC:\Windows\system32\Bgpgng32.exe62⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Bjodjb32.exeC:\Windows\system32\Bjodjb32.exe63⤵
- Executes dropped EXE
PID:4504 -
C:\Windows\SysWOW64\Bmmpfn32.exeC:\Windows\system32\Bmmpfn32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1156 -
C:\Windows\SysWOW64\Bcghch32.exeC:\Windows\system32\Bcghch32.exe65⤵
- Executes dropped EXE
PID:4772 -
C:\Windows\SysWOW64\Bfedoc32.exeC:\Windows\system32\Bfedoc32.exe66⤵
- Modifies registry class
PID:4036 -
C:\Windows\SysWOW64\Bidqko32.exeC:\Windows\system32\Bidqko32.exe67⤵PID:3664
-
C:\Windows\SysWOW64\Bpnihiio.exeC:\Windows\system32\Bpnihiio.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:4568 -
C:\Windows\SysWOW64\Bgeaifia.exeC:\Windows\system32\Bgeaifia.exe69⤵PID:3256
-
C:\Windows\SysWOW64\Bifmqo32.exeC:\Windows\system32\Bifmqo32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4584 -
C:\Windows\SysWOW64\Bqmeal32.exeC:\Windows\system32\Bqmeal32.exe71⤵PID:844
-
C:\Windows\SysWOW64\Bclang32.exeC:\Windows\system32\Bclang32.exe72⤵PID:4264
-
C:\Windows\SysWOW64\Bjfjka32.exeC:\Windows\system32\Bjfjka32.exe73⤵PID:2372
-
C:\Windows\SysWOW64\Cmdfgm32.exeC:\Windows\system32\Cmdfgm32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3392 -
C:\Windows\SysWOW64\Cpbbch32.exeC:\Windows\system32\Cpbbch32.exe75⤵PID:4720
-
C:\Windows\SysWOW64\Cflkpblf.exeC:\Windows\system32\Cflkpblf.exe76⤵PID:2036
-
C:\Windows\SysWOW64\Cmfclm32.exeC:\Windows\system32\Cmfclm32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4108 -
C:\Windows\SysWOW64\Cpeohh32.exeC:\Windows\system32\Cpeohh32.exe78⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1084 -
C:\Windows\SysWOW64\Cglgjeci.exeC:\Windows\system32\Cglgjeci.exe79⤵PID:1404
-
C:\Windows\SysWOW64\Cjjcfabm.exeC:\Windows\system32\Cjjcfabm.exe80⤵
- System Location Discovery: System Language Discovery
PID:3296 -
C:\Windows\SysWOW64\Cadlbk32.exeC:\Windows\system32\Cadlbk32.exe81⤵PID:1480
-
C:\Windows\SysWOW64\Ccchof32.exeC:\Windows\system32\Ccchof32.exe82⤵PID:2188
-
C:\Windows\SysWOW64\Cjmpkqqj.exeC:\Windows\system32\Cjmpkqqj.exe83⤵
- Modifies registry class
PID:5148 -
C:\Windows\SysWOW64\Caghhk32.exeC:\Windows\system32\Caghhk32.exe84⤵PID:5232
-
C:\Windows\SysWOW64\Cfcqpa32.exeC:\Windows\system32\Cfcqpa32.exe85⤵PID:5308
-
C:\Windows\SysWOW64\Cjomap32.exeC:\Windows\system32\Cjomap32.exe86⤵PID:5344
-
C:\Windows\SysWOW64\Cmniml32.exeC:\Windows\system32\Cmniml32.exe87⤵PID:5400
-
C:\Windows\SysWOW64\Cgcmjd32.exeC:\Windows\system32\Cgcmjd32.exe88⤵
- Drops file in System32 directory
PID:5452 -
C:\Windows\SysWOW64\Cjaifp32.exeC:\Windows\system32\Cjaifp32.exe89⤵PID:5508
-
C:\Windows\SysWOW64\Cidjbmcp.exeC:\Windows\system32\Cidjbmcp.exe90⤵PID:5552
-
C:\Windows\SysWOW64\Dakacjdb.exeC:\Windows\system32\Dakacjdb.exe91⤵PID:5596
-
C:\Windows\SysWOW64\Dpnbog32.exeC:\Windows\system32\Dpnbog32.exe92⤵PID:5644
-
C:\Windows\SysWOW64\Dgejpd32.exeC:\Windows\system32\Dgejpd32.exe93⤵
- Drops file in System32 directory
PID:5688 -
C:\Windows\SysWOW64\Djdflp32.exeC:\Windows\system32\Djdflp32.exe94⤵PID:5732
-
C:\Windows\SysWOW64\Dmbbhkjf.exeC:\Windows\system32\Dmbbhkjf.exe95⤵
- Modifies registry class
PID:5776 -
C:\Windows\SysWOW64\Dannij32.exeC:\Windows\system32\Dannij32.exe96⤵PID:5812
-
C:\Windows\SysWOW64\Dhhfedil.exeC:\Windows\system32\Dhhfedil.exe97⤵PID:5864
-
C:\Windows\SysWOW64\Diicml32.exeC:\Windows\system32\Diicml32.exe98⤵PID:5908
-
C:\Windows\SysWOW64\Dmdonkgc.exeC:\Windows\system32\Dmdonkgc.exe99⤵PID:5952
-
C:\Windows\SysWOW64\Dcogje32.exeC:\Windows\system32\Dcogje32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5996 -
C:\Windows\SysWOW64\Dikpbl32.exeC:\Windows\system32\Dikpbl32.exe101⤵PID:6044
-
C:\Windows\SysWOW64\Dabhdinj.exeC:\Windows\system32\Dabhdinj.exe102⤵
- System Location Discovery: System Language Discovery
PID:6088 -
C:\Windows\SysWOW64\Dhlpqc32.exeC:\Windows\system32\Dhlpqc32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6128 -
C:\Windows\SysWOW64\Dinmhkke.exeC:\Windows\system32\Dinmhkke.exe104⤵PID:5216
-
C:\Windows\SysWOW64\Daediilg.exeC:\Windows\system32\Daediilg.exe105⤵PID:5292
-
C:\Windows\SysWOW64\Dhomfc32.exeC:\Windows\system32\Dhomfc32.exe106⤵PID:5384
-
C:\Windows\SysWOW64\Eipinkib.exeC:\Windows\system32\Eipinkib.exe107⤵PID:5436
-
C:\Windows\SysWOW64\Eagaoh32.exeC:\Windows\system32\Eagaoh32.exe108⤵PID:5548
-
C:\Windows\SysWOW64\Ehailbaa.exeC:\Windows\system32\Ehailbaa.exe109⤵PID:5604
-
C:\Windows\SysWOW64\Ejpfhnpe.exeC:\Windows\system32\Ejpfhnpe.exe110⤵PID:5680
-
C:\Windows\SysWOW64\Ehcfaboo.exeC:\Windows\system32\Ehcfaboo.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5748 -
C:\Windows\SysWOW64\Empoiimf.exeC:\Windows\system32\Empoiimf.exe112⤵PID:5820
-
C:\Windows\SysWOW64\Epokedmj.exeC:\Windows\system32\Epokedmj.exe113⤵PID:5900
-
C:\Windows\SysWOW64\Eigonjcj.exeC:\Windows\system32\Eigonjcj.exe114⤵PID:5960
-
C:\Windows\SysWOW64\Eangpgcl.exeC:\Windows\system32\Eangpgcl.exe115⤵
- Drops file in System32 directory
PID:6032 -
C:\Windows\SysWOW64\Edmclccp.exeC:\Windows\system32\Edmclccp.exe116⤵PID:6104
-
C:\Windows\SysWOW64\Efkphnbd.exeC:\Windows\system32\Efkphnbd.exe117⤵PID:5132
-
C:\Windows\SysWOW64\Eiildjag.exeC:\Windows\system32\Eiildjag.exe118⤵PID:5332
-
C:\Windows\SysWOW64\Eaqdegaj.exeC:\Windows\system32\Eaqdegaj.exe119⤵
- System Location Discovery: System Language Discovery
PID:5440 -
C:\Windows\SysWOW64\Edopabqn.exeC:\Windows\system32\Edopabqn.exe120⤵PID:5584
-
C:\Windows\SysWOW64\Efmmmn32.exeC:\Windows\system32\Efmmmn32.exe121⤵PID:5712
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-