Analysis
-
max time kernel
93s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 01:47
Static task
static1
Behavioral task
behavioral1
Sample
34841a13f96e9a9004e39fcedf574be371405ad1620cf3832804d3dfbd1ea7acN.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
34841a13f96e9a9004e39fcedf574be371405ad1620cf3832804d3dfbd1ea7acN.exe
Resource
win10v2004-20241007-en
General
-
Target
34841a13f96e9a9004e39fcedf574be371405ad1620cf3832804d3dfbd1ea7acN.exe
-
Size
97KB
-
MD5
b1eb8011e5822af13bcec6f66eb48150
-
SHA1
c4d927ba6ad6f2daa9efcd06043128c71fea3554
-
SHA256
34841a13f96e9a9004e39fcedf574be371405ad1620cf3832804d3dfbd1ea7ac
-
SHA512
bd91ffb604b73aa3a663fba87c6dbeca459834121fbd7209adbdaddc8ff127cb9095a15f4cfb9d1f2e237614af20092582c1a161e6f2c665288a6ab77479a626
-
SSDEEP
1536:aqtItAyIINcIEaf64ebwyJa4XUwXfzwE57pvJXeYZ6:cAyIINcIEaf6NNJasPzwm7pJXeK6
Malware Config
Extracted
berbew
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Amfobp32.exeOkchnk32.exeObafpg32.exeOjhpimhp.exeMniallpq.exeAaiimadl.exeEcgodpgb.exePdhbmh32.exeIahgad32.exeOifppdpd.exeNclikl32.exeFfceip32.exeEkjded32.exeFohfbpgi.exeJibmgi32.exeGihgfk32.exeIliinc32.exeOcohmc32.exeBfendmoc.exeBigbmpco.exeIbpgqa32.exeIgedlh32.exeHbjoeojc.exeLchfib32.exeBanjnm32.exeEbdlangb.exeGihpkd32.exeAhjgjj32.exeAlpbecod.exeFimhjl32.exeGcghkm32.exeCbeapmll.exeCjnffjkl.exeIqbbpm32.exeMeepdp32.exeOjajin32.exeBnlhncgi.exeLllagh32.exeEfgemb32.exeMlofcf32.exeIpdndloi.exeKapfiqoj.exeFkgillpj.exeEfpomccg.exeGnepna32.exeJjpode32.exeNqcejcha.exeKjccdkki.exeGflhoo32.exeIgdgglfl.exeBboffejp.exePqbala32.exeIjogmdqm.exeGjdaodja.exeHlegnjbm.exeFdnhih32.exeLjclki32.exeDkahilkl.exeHqdkkp32.exeHegmlnbp.exeJknfcofa.exeFganqbgg.exeGiqkkf32.exedescription ioc process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amfobp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okchnk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obafpg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojhpimhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mniallpq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaiimadl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecgodpgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdhbmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iahgad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oifppdpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nclikl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffceip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekjded32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fohfbpgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jibmgi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gihgfk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iliinc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocohmc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfendmoc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bigbmpco.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibpgqa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igedlh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbjoeojc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lchfib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Banjnm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebdlangb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gihpkd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahjgjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alpbecod.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fimhjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcghkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbeapmll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjnffjkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iqbbpm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meepdp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojajin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnlhncgi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lllagh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efgemb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlofcf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipdndloi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kapfiqoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkgillpj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efpomccg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnepna32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjpode32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nqcejcha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjccdkki.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gflhoo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igdgglfl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bboffejp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibpgqa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pqbala32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijogmdqm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjdaodja.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlegnjbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdnhih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljclki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkahilkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hqdkkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hegmlnbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jknfcofa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fganqbgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Giqkkf32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Fielph32.exeFhflnpoi.exeGmcdffmq.exeGpaqbbld.exeGdmmbq32.exeGgkiol32.exeGhkeio32.exeGnhnaf32.exeGdafnpqh.exeGklnjj32.exeGaefgd32.exeGddbcp32.exeGiqkkf32.exeGdfoio32.exeHkpheidp.exeHdilnojp.exeHjedffig.exeHnaqgd32.exeHhfedm32.exeHjhalefe.exeHncmmd32.exeHaoimcgg.exeHglaej32.exeHaafcb32.exeHjlkge32.exeIdbodn32.exeIjogmdqm.exeIqipio32.exeIkndgg32.exeInmpcc32.exeIdghpmnp.exeIgedlh32.exeIqmidndd.exeIdieem32.exeIkcmbfcj.exeIbmeoq32.exeIhgnkkbd.exeIgjngh32.exeIndfca32.exeIqbbpm32.exeJhijqj32.exeJjjghcfp.exeJbaojpgb.exeJdpkflfe.exeJkjcbe32.exeJnhpoamf.exeJqglkmlj.exeJgadgf32.exeJbfheo32.exeJhpqaiji.exeJjamia32.exeJbiejoaj.exeJibmgi32.exeJkaicd32.exeJbkbpoog.exeKiejmi32.exeKnbbep32.exeKqpoakco.exeKiggbhda.exeKkfcndce.exeKenggi32.exeKkhpdcab.exeKjkpoq32.exeKaehljpj.exepid process 2792 Fielph32.exe 1496 Fhflnpoi.exe 2556 Gmcdffmq.exe 1460 Gpaqbbld.exe 5004 Gdmmbq32.exe 2144 Ggkiol32.exe 3004 Ghkeio32.exe 216 Gnhnaf32.exe 4772 Gdafnpqh.exe 2964 Gklnjj32.exe 4516 Gaefgd32.exe 2944 Gddbcp32.exe 3992 Giqkkf32.exe 824 Gdfoio32.exe 4076 Hkpheidp.exe 1384 Hdilnojp.exe 1948 Hjedffig.exe 4116 Hnaqgd32.exe 2660 Hhfedm32.exe 3968 Hjhalefe.exe 1332 Hncmmd32.exe 3636 Haoimcgg.exe 2744 Hglaej32.exe 1032 Haafcb32.exe 1224 Hjlkge32.exe 4676 Idbodn32.exe 4956 Ijogmdqm.exe 3288 Iqipio32.exe 408 Ikndgg32.exe 4176 Inmpcc32.exe 3672 Idghpmnp.exe 232 Igedlh32.exe 2516 Iqmidndd.exe 1656 Idieem32.exe 5072 Ikcmbfcj.exe 3980 Ibmeoq32.exe 4744 Ihgnkkbd.exe 3104 Igjngh32.exe 1128 Indfca32.exe 1260 Iqbbpm32.exe 3984 Jhijqj32.exe 3988 Jjjghcfp.exe 3160 Jbaojpgb.exe 4600 Jdpkflfe.exe 1376 Jkjcbe32.exe 2040 Jnhpoamf.exe 4008 Jqglkmlj.exe 5052 Jgadgf32.exe 4328 Jbfheo32.exe 4996 Jhpqaiji.exe 2056 Jjamia32.exe 1600 Jbiejoaj.exe 4696 Jibmgi32.exe 1028 Jkaicd32.exe 4360 Jbkbpoog.exe 4440 Kiejmi32.exe 1756 Knbbep32.exe 3964 Kqpoakco.exe 4392 Kiggbhda.exe 428 Kkfcndce.exe 1880 Kenggi32.exe 2784 Kkhpdcab.exe 1096 Kjkpoq32.exe 4208 Kaehljpj.exe -
Drops file in System32 directory 64 IoCs
Processes:
Lqkqhm32.exeDafppp32.exeLchfib32.exeAcqgojmb.exeFqphic32.exeGiqkkf32.exeAfgacokc.exeJjpode32.exeGgepalof.exeAhbjoe32.exePcjiff32.exeGjfnedho.exeHkpqkcpd.exeNaecop32.exeKapfiqoj.exeKdmqmc32.exeJiiicf32.exeOjajin32.exePnifekmd.exeAdhdjpjf.exeGnhnaf32.exePkcadhgm.exeFmikeaap.exeLbhool32.exePmhbqbae.exeHghfnioq.exeJlhljhbg.exeNqmfdj32.exePnplfj32.exeFmcjpl32.exeFnlmhc32.exeHpioin32.exeHbnaeh32.exeJeolckne.exeLjfhqh32.exePkpmdbfd.exeOhfami32.exeEdgbii32.exeGcghkm32.exeIhmfco32.exeNhahaiec.exeBajqda32.exeFqppci32.exeLljdai32.exeGjcmngnj.exeKcejco32.exeOdhifjkg.exeHihibbjo.exeBddcenpi.exeDkndie32.exeGnqfcbnj.exeHblkjo32.exeNcqlkemc.exeGjficg32.exeIqipio32.exeBopocbcq.exeJjoiil32.exeDcnlnaom.exeOanfen32.exePopbpqjh.exeLomjicei.exedescription ioc process File opened for modification C:\Windows\SysWOW64\Lcimdh32.exe Lqkqhm32.exe File created C:\Windows\SysWOW64\Dgcihgaj.exe Dafppp32.exe File created C:\Windows\SysWOW64\Lhenai32.exe Lchfib32.exe File opened for modification C:\Windows\SysWOW64\Abcgjg32.exe Acqgojmb.exe File created C:\Windows\SysWOW64\Okkbgpmc.dll Fqphic32.exe File opened for modification C:\Windows\SysWOW64\Gdfoio32.exe Giqkkf32.exe File opened for modification C:\Windows\SysWOW64\Alcfei32.exe Afgacokc.exe File opened for modification C:\Windows\SysWOW64\Kpjgaoqm.exe Jjpode32.exe File opened for modification C:\Windows\SysWOW64\Gjcmngnj.exe Ggepalof.exe File created C:\Windows\SysWOW64\Akqfkp32.exe Ahbjoe32.exe File created C:\Windows\SysWOW64\Ijnmaj32.dll Pcjiff32.exe File opened for modification C:\Windows\SysWOW64\Gpcfmkff.exe Gjfnedho.exe File created C:\Windows\SysWOW64\Opkpck32.dll Hkpqkcpd.exe File created C:\Windows\SysWOW64\Nlkfjqib.dll Naecop32.exe File opened for modification C:\Windows\SysWOW64\Kocgbend.exe Kapfiqoj.exe File created C:\Windows\SysWOW64\Hapfpelh.dll Kapfiqoj.exe File opened for modification C:\Windows\SysWOW64\Knfeeimj.exe Kdmqmc32.exe File created C:\Windows\SysWOW64\Pnjbcghk.dll Jiiicf32.exe File created C:\Windows\SysWOW64\Ikjllm32.dll Ojajin32.exe File opened for modification C:\Windows\SysWOW64\Pdenmbkk.exe Pnifekmd.exe File created C:\Windows\SysWOW64\Ekbmje32.dll Adhdjpjf.exe File created C:\Windows\SysWOW64\Enhpaj32.dll Gnhnaf32.exe File opened for modification C:\Windows\SysWOW64\Pcjiff32.exe Pkcadhgm.exe File created C:\Windows\SysWOW64\Fjmkoeqi.exe Fmikeaap.exe File created C:\Windows\SysWOW64\Bekdaogi.dll Lbhool32.exe File opened for modification C:\Windows\SysWOW64\Pfagighf.exe Pmhbqbae.exe File created C:\Windows\SysWOW64\Celipg32.dll Hghfnioq.exe File opened for modification C:\Windows\SysWOW64\Jkimho32.exe Jlhljhbg.exe File opened for modification C:\Windows\SysWOW64\Nggnadib.exe Nqmfdj32.exe File created C:\Windows\SysWOW64\Ckbcpc32.dll Pnplfj32.exe File created C:\Windows\SysWOW64\Cjafgpmo.dll Fmcjpl32.exe File created C:\Windows\SysWOW64\Bjdlfi32.dll Fnlmhc32.exe File created C:\Windows\SysWOW64\Blnfhilh.dll Hpioin32.exe File opened for modification C:\Windows\SysWOW64\Hihibbjo.exe Hbnaeh32.exe File created C:\Windows\SysWOW64\Jjmannfj.dll Jeolckne.exe File created C:\Windows\SysWOW64\Jkimho32.exe Jlhljhbg.exe File created C:\Windows\SysWOW64\Lmdemd32.exe Ljfhqh32.exe File created C:\Windows\SysWOW64\Pmoiqneg.exe Pkpmdbfd.exe File created C:\Windows\SysWOW64\Ebjkfjbc.dll Ohfami32.exe File created C:\Windows\SysWOW64\Ekajec32.exe Edgbii32.exe File opened for modification C:\Windows\SysWOW64\Gjaphgpl.exe Gcghkm32.exe File created C:\Windows\SysWOW64\Clmmco32.dll Ihmfco32.exe File created C:\Windows\SysWOW64\Cdbijb32.dll Nhahaiec.exe File opened for modification C:\Windows\SysWOW64\Cggimh32.exe Bajqda32.exe File created C:\Windows\SysWOW64\Figgdg32.exe Fqppci32.exe File opened for modification C:\Windows\SysWOW64\Lafmjp32.exe Lljdai32.exe File created C:\Windows\SysWOW64\Ohgohiia.dll Gjcmngnj.exe File created C:\Windows\SysWOW64\Qcjdoc32.dll Kcejco32.exe File opened for modification C:\Windows\SysWOW64\Oeheqm32.exe Odhifjkg.exe File opened for modification C:\Windows\SysWOW64\Ieojgc32.exe Hihibbjo.exe File created C:\Windows\SysWOW64\Bknlbhhe.exe Bddcenpi.exe File created C:\Windows\SysWOW64\Omjbpn32.dll Dkndie32.exe File created C:\Windows\SysWOW64\Gejopl32.exe Gnqfcbnj.exe File opened for modification C:\Windows\SysWOW64\Hemdlj32.exe Hblkjo32.exe File opened for modification C:\Windows\SysWOW64\Aggpfkjj.exe Adhdjpjf.exe File created C:\Windows\SysWOW64\Lnmodnoo.dll Ncqlkemc.exe File created C:\Windows\SysWOW64\Jdinng32.dll Gjficg32.exe File created C:\Windows\SysWOW64\Dckhejil.dll Iqipio32.exe File created C:\Windows\SysWOW64\Cfldelik.exe Bopocbcq.exe File created C:\Windows\SysWOW64\Jqhafffk.exe Jjoiil32.exe File opened for modification C:\Windows\SysWOW64\Dkedonpo.exe Dcnlnaom.exe File opened for modification C:\Windows\SysWOW64\Ohhnbhok.exe Oanfen32.exe File opened for modification C:\Windows\SysWOW64\Phigif32.exe Popbpqjh.exe File created C:\Windows\SysWOW64\Ipamlopb.dll Lomjicei.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 7908 14012 WerFault.exe Ldikgdpe.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Dikihe32.exeAogbfi32.exeDnonkq32.exeHkohchko.exeQaflgago.exeOnapdl32.exeAhmjjoig.exeJhpqaiji.exeFggdpnkf.exeBcddcbab.exeBhpfqcln.exeEnnqfenp.exeHbenoi32.exeJlobkg32.exeEkajec32.exeOiagde32.exeJaqcnl32.exePnkbkk32.exePmkofa32.exePmphaaln.exeCancekeo.exeIiopca32.exeJkjcbe32.exeBfngdn32.exeGkmdecbg.exeLgepom32.exeDkekjdck.exeAllpejfe.exeGpcfmkff.exeKpmdfonj.exeKfnfjehl.exeGijmad32.exeOblhcj32.exeIcachjbb.exe34841a13f96e9a9004e39fcedf574be371405ad1620cf3832804d3dfbd1ea7acN.exeIkndgg32.exeMehcdfch.exeOocmii32.exeGgkiol32.exeNmipdk32.exeIhdldn32.exeGnepna32.exeEfjbcakl.exeJiglnf32.exeJniood32.exeOcohmc32.exeKhabke32.exeCkebcg32.exeFgiaemic.exeIecmhlhb.exeMkohaj32.exeCaqpkjcl.exeJlkafdco.exeMminhceb.exeHhdcmp32.exePblajhje.exeMokmdh32.exeAgdcpkll.exeEmoadlfo.exeIfmqfm32.exeGjhfif32.exeIjqmhnko.exeOhfami32.exeDamfao32.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dikihe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aogbfi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnonkq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkohchko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qaflgago.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onapdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahmjjoig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhpqaiji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fggdpnkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcddcbab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhpfqcln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ennqfenp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbenoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlobkg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekajec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oiagde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jaqcnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnkbkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmkofa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmphaaln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cancekeo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iiopca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkjcbe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfngdn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkmdecbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgepom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkekjdck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Allpejfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpcfmkff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpmdfonj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfnfjehl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gijmad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oblhcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icachjbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 34841a13f96e9a9004e39fcedf574be371405ad1620cf3832804d3dfbd1ea7acN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikndgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mehcdfch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oocmii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggkiol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmipdk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihdldn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnepna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efjbcakl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jiglnf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jniood32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocohmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khabke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckebcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgiaemic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iecmhlhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkohaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caqpkjcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlkafdco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mminhceb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhdcmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pblajhje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mokmdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agdcpkll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emoadlfo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifmqfm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjhfif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijqmhnko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohfami32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Damfao32.exe -
Modifies registry class 64 IoCs
Processes:
Ffceip32.exeHehkajig.exeAggpfkjj.exeFjmkoeqi.exeLckiihok.exePdenmbkk.exeCibain32.exeIloidijb.exeNcabfkqo.exeIbcaknbi.exeMmpmnl32.exeBddcenpi.exeNcbafoge.exeAaiimadl.exeDjqblj32.exeGkmdecbg.exeBakgoh32.exeFjmfmh32.exeBajqda32.exeIondqhpl.exeNoblkqca.exeAjaelc32.exeDmjmekgn.exePcobaedj.exeIgdgglfl.exeKemhei32.exeMahnhhod.exeOnapdl32.exePjmjdm32.exeFnfmbmbi.exeBaepolni.exeBdcmkgmm.exeLaffpi32.exeJcanll32.exeHglaej32.exeMlpokp32.exeOoqqdi32.exeBcahmb32.exeLqbncb32.exeBhbcfbjk.exeCkeimm32.exeLchfib32.exeApggckbf.exeJqhafffk.exeLgepom32.exeJebfng32.exeFbgbnkfm.exeHeepfn32.exeJqglkmlj.exeEfblbbqd.exeEfeihb32.exeFmfgek32.exeIgfclkdj.exeFklcgk32.exeHnhkdd32.exeFmfnpa32.exeLjobpiql.exeEnkmfolf.exeLbngllob.exeDikihe32.exeMjodla32.exeNqpcjj32.exePdhkcb32.exeFkofga32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ffceip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hehkajig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chnpamkc.dll" Aggpfkjj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fjmkoeqi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lckiihok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilgonc32.dll" Pdenmbkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cibain32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iloidijb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncabfkqo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibcaknbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmpmnl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bddcenpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjcbmgnb.dll" Ncbafoge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aaiimadl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfhepbll.dll" Djqblj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkmdecbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bakgoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhgmqghl.dll" Fjmfmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlobem32.dll" Bajqda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iondqhpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpenlneh.dll" Noblkqca.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajaelc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmjmekgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pcobaedj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chflphjh.dll" Igdgglfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kemhei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mahnhhod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onapdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fidhnlin.dll" Pjmjdm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fnfmbmbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Baepolni.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdcmkgmm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Laffpi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcanll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffkclmbd.dll" Hglaej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mlpokp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glgpnm32.dll" Ooqqdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bcahmb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lqbncb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjjhhfnd.dll" Bhbcfbjk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckeimm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lchfib32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apggckbf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jqhafffk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eleeje32.dll" Lgepom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eemnff32.dll" Jebfng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojehbail.dll" Fbgbnkfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Heepfn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jqglkmlj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efblbbqd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efeihb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmfgek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igfclkdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fklcgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hnhkdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npodfe32.dll" Fmfnpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljobpiql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehblpall.dll" Enkmfolf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lbngllob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncgjgp32.dll" Dikihe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjodla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nqpcjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppcbba32.dll" Pdhkcb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkofga32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
34841a13f96e9a9004e39fcedf574be371405ad1620cf3832804d3dfbd1ea7acN.exeFielph32.exeFhflnpoi.exeGmcdffmq.exeGpaqbbld.exeGdmmbq32.exeGgkiol32.exeGhkeio32.exeGnhnaf32.exeGdafnpqh.exeGklnjj32.exeGaefgd32.exeGddbcp32.exeGiqkkf32.exeGdfoio32.exeHkpheidp.exeHdilnojp.exeHjedffig.exeHnaqgd32.exeHhfedm32.exeHjhalefe.exeHncmmd32.exedescription pid process target process PID 4416 wrote to memory of 2792 4416 34841a13f96e9a9004e39fcedf574be371405ad1620cf3832804d3dfbd1ea7acN.exe Fielph32.exe PID 4416 wrote to memory of 2792 4416 34841a13f96e9a9004e39fcedf574be371405ad1620cf3832804d3dfbd1ea7acN.exe Fielph32.exe PID 4416 wrote to memory of 2792 4416 34841a13f96e9a9004e39fcedf574be371405ad1620cf3832804d3dfbd1ea7acN.exe Fielph32.exe PID 2792 wrote to memory of 1496 2792 Fielph32.exe Fhflnpoi.exe PID 2792 wrote to memory of 1496 2792 Fielph32.exe Fhflnpoi.exe PID 2792 wrote to memory of 1496 2792 Fielph32.exe Fhflnpoi.exe PID 1496 wrote to memory of 2556 1496 Fhflnpoi.exe Gmcdffmq.exe PID 1496 wrote to memory of 2556 1496 Fhflnpoi.exe Gmcdffmq.exe PID 1496 wrote to memory of 2556 1496 Fhflnpoi.exe Gmcdffmq.exe PID 2556 wrote to memory of 1460 2556 Gmcdffmq.exe Gpaqbbld.exe PID 2556 wrote to memory of 1460 2556 Gmcdffmq.exe Gpaqbbld.exe PID 2556 wrote to memory of 1460 2556 Gmcdffmq.exe Gpaqbbld.exe PID 1460 wrote to memory of 5004 1460 Gpaqbbld.exe Gdmmbq32.exe PID 1460 wrote to memory of 5004 1460 Gpaqbbld.exe Gdmmbq32.exe PID 1460 wrote to memory of 5004 1460 Gpaqbbld.exe Gdmmbq32.exe PID 5004 wrote to memory of 2144 5004 Gdmmbq32.exe Ggkiol32.exe PID 5004 wrote to memory of 2144 5004 Gdmmbq32.exe Ggkiol32.exe PID 5004 wrote to memory of 2144 5004 Gdmmbq32.exe Ggkiol32.exe PID 2144 wrote to memory of 3004 2144 Ggkiol32.exe Ghkeio32.exe PID 2144 wrote to memory of 3004 2144 Ggkiol32.exe Ghkeio32.exe PID 2144 wrote to memory of 3004 2144 Ggkiol32.exe Ghkeio32.exe PID 3004 wrote to memory of 216 3004 Ghkeio32.exe Gnhnaf32.exe PID 3004 wrote to memory of 216 3004 Ghkeio32.exe Gnhnaf32.exe PID 3004 wrote to memory of 216 3004 Ghkeio32.exe Gnhnaf32.exe PID 216 wrote to memory of 4772 216 Gnhnaf32.exe Gdafnpqh.exe PID 216 wrote to memory of 4772 216 Gnhnaf32.exe Gdafnpqh.exe PID 216 wrote to memory of 4772 216 Gnhnaf32.exe Gdafnpqh.exe PID 4772 wrote to memory of 2964 4772 Gdafnpqh.exe Gklnjj32.exe PID 4772 wrote to memory of 2964 4772 Gdafnpqh.exe Gklnjj32.exe PID 4772 wrote to memory of 2964 4772 Gdafnpqh.exe Gklnjj32.exe PID 2964 wrote to memory of 4516 2964 Gklnjj32.exe Gaefgd32.exe PID 2964 wrote to memory of 4516 2964 Gklnjj32.exe Gaefgd32.exe PID 2964 wrote to memory of 4516 2964 Gklnjj32.exe Gaefgd32.exe PID 4516 wrote to memory of 2944 4516 Gaefgd32.exe Gddbcp32.exe PID 4516 wrote to memory of 2944 4516 Gaefgd32.exe Gddbcp32.exe PID 4516 wrote to memory of 2944 4516 Gaefgd32.exe Gddbcp32.exe PID 2944 wrote to memory of 3992 2944 Gddbcp32.exe Giqkkf32.exe PID 2944 wrote to memory of 3992 2944 Gddbcp32.exe Giqkkf32.exe PID 2944 wrote to memory of 3992 2944 Gddbcp32.exe Giqkkf32.exe PID 3992 wrote to memory of 824 3992 Giqkkf32.exe Gdfoio32.exe PID 3992 wrote to memory of 824 3992 Giqkkf32.exe Gdfoio32.exe PID 3992 wrote to memory of 824 3992 Giqkkf32.exe Gdfoio32.exe PID 824 wrote to memory of 4076 824 Gdfoio32.exe Hkpheidp.exe PID 824 wrote to memory of 4076 824 Gdfoio32.exe Hkpheidp.exe PID 824 wrote to memory of 4076 824 Gdfoio32.exe Hkpheidp.exe PID 4076 wrote to memory of 1384 4076 Hkpheidp.exe Hdilnojp.exe PID 4076 wrote to memory of 1384 4076 Hkpheidp.exe Hdilnojp.exe PID 4076 wrote to memory of 1384 4076 Hkpheidp.exe Hdilnojp.exe PID 1384 wrote to memory of 1948 1384 Hdilnojp.exe Hjedffig.exe PID 1384 wrote to memory of 1948 1384 Hdilnojp.exe Hjedffig.exe PID 1384 wrote to memory of 1948 1384 Hdilnojp.exe Hjedffig.exe PID 1948 wrote to memory of 4116 1948 Hjedffig.exe Hnaqgd32.exe PID 1948 wrote to memory of 4116 1948 Hjedffig.exe Hnaqgd32.exe PID 1948 wrote to memory of 4116 1948 Hjedffig.exe Hnaqgd32.exe PID 4116 wrote to memory of 2660 4116 Hnaqgd32.exe Hhfedm32.exe PID 4116 wrote to memory of 2660 4116 Hnaqgd32.exe Hhfedm32.exe PID 4116 wrote to memory of 2660 4116 Hnaqgd32.exe Hhfedm32.exe PID 2660 wrote to memory of 3968 2660 Hhfedm32.exe Hjhalefe.exe PID 2660 wrote to memory of 3968 2660 Hhfedm32.exe Hjhalefe.exe PID 2660 wrote to memory of 3968 2660 Hhfedm32.exe Hjhalefe.exe PID 3968 wrote to memory of 1332 3968 Hjhalefe.exe Hncmmd32.exe PID 3968 wrote to memory of 1332 3968 Hjhalefe.exe Hncmmd32.exe PID 3968 wrote to memory of 1332 3968 Hjhalefe.exe Hncmmd32.exe PID 1332 wrote to memory of 3636 1332 Hncmmd32.exe Haoimcgg.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\34841a13f96e9a9004e39fcedf574be371405ad1620cf3832804d3dfbd1ea7acN.exe"C:\Users\Admin\AppData\Local\Temp\34841a13f96e9a9004e39fcedf574be371405ad1620cf3832804d3dfbd1ea7acN.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4416 -
C:\Windows\SysWOW64\Fielph32.exeC:\Windows\system32\Fielph32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Fhflnpoi.exeC:\Windows\system32\Fhflnpoi.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1496 -
C:\Windows\SysWOW64\Gmcdffmq.exeC:\Windows\system32\Gmcdffmq.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\Gpaqbbld.exeC:\Windows\system32\Gpaqbbld.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1460 -
C:\Windows\SysWOW64\Gdmmbq32.exeC:\Windows\system32\Gdmmbq32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5004 -
C:\Windows\SysWOW64\Ggkiol32.exeC:\Windows\system32\Ggkiol32.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\SysWOW64\Ghkeio32.exeC:\Windows\system32\Ghkeio32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\SysWOW64\Gnhnaf32.exeC:\Windows\system32\Gnhnaf32.exe9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:216 -
C:\Windows\SysWOW64\Gdafnpqh.exeC:\Windows\system32\Gdafnpqh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4772 -
C:\Windows\SysWOW64\Gklnjj32.exeC:\Windows\system32\Gklnjj32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Gaefgd32.exeC:\Windows\system32\Gaefgd32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4516 -
C:\Windows\SysWOW64\Gddbcp32.exeC:\Windows\system32\Gddbcp32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\Giqkkf32.exeC:\Windows\system32\Giqkkf32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3992 -
C:\Windows\SysWOW64\Gdfoio32.exeC:\Windows\system32\Gdfoio32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:824 -
C:\Windows\SysWOW64\Hkpheidp.exeC:\Windows\system32\Hkpheidp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4076 -
C:\Windows\SysWOW64\Hdilnojp.exeC:\Windows\system32\Hdilnojp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1384 -
C:\Windows\SysWOW64\Hjedffig.exeC:\Windows\system32\Hjedffig.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1948 -
C:\Windows\SysWOW64\Hnaqgd32.exeC:\Windows\system32\Hnaqgd32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4116 -
C:\Windows\SysWOW64\Hhfedm32.exeC:\Windows\system32\Hhfedm32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Hjhalefe.exeC:\Windows\system32\Hjhalefe.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3968 -
C:\Windows\SysWOW64\Hncmmd32.exeC:\Windows\system32\Hncmmd32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1332 -
C:\Windows\SysWOW64\Haoimcgg.exeC:\Windows\system32\Haoimcgg.exe23⤵
- Executes dropped EXE
PID:3636 -
C:\Windows\SysWOW64\Hglaej32.exeC:\Windows\system32\Hglaej32.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:2744 -
C:\Windows\SysWOW64\Haafcb32.exeC:\Windows\system32\Haafcb32.exe25⤵
- Executes dropped EXE
PID:1032 -
C:\Windows\SysWOW64\Hjlkge32.exeC:\Windows\system32\Hjlkge32.exe26⤵
- Executes dropped EXE
PID:1224 -
C:\Windows\SysWOW64\Idbodn32.exeC:\Windows\system32\Idbodn32.exe27⤵
- Executes dropped EXE
PID:4676 -
C:\Windows\SysWOW64\Ijogmdqm.exeC:\Windows\system32\Ijogmdqm.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4956 -
C:\Windows\SysWOW64\Iqipio32.exeC:\Windows\system32\Iqipio32.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3288 -
C:\Windows\SysWOW64\Ikndgg32.exeC:\Windows\system32\Ikndgg32.exe30⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:408 -
C:\Windows\SysWOW64\Inmpcc32.exeC:\Windows\system32\Inmpcc32.exe31⤵
- Executes dropped EXE
PID:4176 -
C:\Windows\SysWOW64\Idghpmnp.exeC:\Windows\system32\Idghpmnp.exe32⤵
- Executes dropped EXE
PID:3672 -
C:\Windows\SysWOW64\Igedlh32.exeC:\Windows\system32\Igedlh32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:232 -
C:\Windows\SysWOW64\Iqmidndd.exeC:\Windows\system32\Iqmidndd.exe34⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Idieem32.exeC:\Windows\system32\Idieem32.exe35⤵
- Executes dropped EXE
PID:1656 -
C:\Windows\SysWOW64\Ikcmbfcj.exeC:\Windows\system32\Ikcmbfcj.exe36⤵
- Executes dropped EXE
PID:5072 -
C:\Windows\SysWOW64\Ibmeoq32.exeC:\Windows\system32\Ibmeoq32.exe37⤵
- Executes dropped EXE
PID:3980 -
C:\Windows\SysWOW64\Ihgnkkbd.exeC:\Windows\system32\Ihgnkkbd.exe38⤵
- Executes dropped EXE
PID:4744 -
C:\Windows\SysWOW64\Igjngh32.exeC:\Windows\system32\Igjngh32.exe39⤵
- Executes dropped EXE
PID:3104 -
C:\Windows\SysWOW64\Indfca32.exeC:\Windows\system32\Indfca32.exe40⤵
- Executes dropped EXE
PID:1128 -
C:\Windows\SysWOW64\Iqbbpm32.exeC:\Windows\system32\Iqbbpm32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1260 -
C:\Windows\SysWOW64\Jhijqj32.exeC:\Windows\system32\Jhijqj32.exe42⤵
- Executes dropped EXE
PID:3984 -
C:\Windows\SysWOW64\Jjjghcfp.exeC:\Windows\system32\Jjjghcfp.exe43⤵
- Executes dropped EXE
PID:3988 -
C:\Windows\SysWOW64\Jbaojpgb.exeC:\Windows\system32\Jbaojpgb.exe44⤵
- Executes dropped EXE
PID:3160 -
C:\Windows\SysWOW64\Jdpkflfe.exeC:\Windows\system32\Jdpkflfe.exe45⤵
- Executes dropped EXE
PID:4600 -
C:\Windows\SysWOW64\Jkjcbe32.exeC:\Windows\system32\Jkjcbe32.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1376 -
C:\Windows\SysWOW64\Jnhpoamf.exeC:\Windows\system32\Jnhpoamf.exe47⤵
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Jqglkmlj.exeC:\Windows\system32\Jqglkmlj.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:4008 -
C:\Windows\SysWOW64\Jgadgf32.exeC:\Windows\system32\Jgadgf32.exe49⤵
- Executes dropped EXE
PID:5052 -
C:\Windows\SysWOW64\Jbfheo32.exeC:\Windows\system32\Jbfheo32.exe50⤵
- Executes dropped EXE
PID:4328 -
C:\Windows\SysWOW64\Jhpqaiji.exeC:\Windows\system32\Jhpqaiji.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4996 -
C:\Windows\SysWOW64\Jjamia32.exeC:\Windows\system32\Jjamia32.exe52⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Jbiejoaj.exeC:\Windows\system32\Jbiejoaj.exe53⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Jibmgi32.exeC:\Windows\system32\Jibmgi32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4696 -
C:\Windows\SysWOW64\Jkaicd32.exeC:\Windows\system32\Jkaicd32.exe55⤵
- Executes dropped EXE
PID:1028 -
C:\Windows\SysWOW64\Jbkbpoog.exeC:\Windows\system32\Jbkbpoog.exe56⤵
- Executes dropped EXE
PID:4360 -
C:\Windows\SysWOW64\Kiejmi32.exeC:\Windows\system32\Kiejmi32.exe57⤵
- Executes dropped EXE
PID:4440 -
C:\Windows\SysWOW64\Knbbep32.exeC:\Windows\system32\Knbbep32.exe58⤵
- Executes dropped EXE
PID:1756 -
C:\Windows\SysWOW64\Kqpoakco.exeC:\Windows\system32\Kqpoakco.exe59⤵
- Executes dropped EXE
PID:3964 -
C:\Windows\SysWOW64\Kiggbhda.exeC:\Windows\system32\Kiggbhda.exe60⤵
- Executes dropped EXE
PID:4392 -
C:\Windows\SysWOW64\Kkfcndce.exeC:\Windows\system32\Kkfcndce.exe61⤵
- Executes dropped EXE
PID:428 -
C:\Windows\SysWOW64\Kenggi32.exeC:\Windows\system32\Kenggi32.exe62⤵
- Executes dropped EXE
PID:1880 -
C:\Windows\SysWOW64\Kkhpdcab.exeC:\Windows\system32\Kkhpdcab.exe63⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Kjkpoq32.exeC:\Windows\system32\Kjkpoq32.exe64⤵
- Executes dropped EXE
PID:1096 -
C:\Windows\SysWOW64\Kaehljpj.exeC:\Windows\system32\Kaehljpj.exe65⤵
- Executes dropped EXE
PID:4208 -
C:\Windows\SysWOW64\Kilpmh32.exeC:\Windows\system32\Kilpmh32.exe66⤵PID:2216
-
C:\Windows\SysWOW64\Kjmmepfj.exeC:\Windows\system32\Kjmmepfj.exe67⤵PID:2640
-
C:\Windows\SysWOW64\Kniieo32.exeC:\Windows\system32\Kniieo32.exe68⤵PID:5032
-
C:\Windows\SysWOW64\Kinmcg32.exeC:\Windows\system32\Kinmcg32.exe69⤵PID:3752
-
C:\Windows\SysWOW64\Kkmioc32.exeC:\Windows\system32\Kkmioc32.exe70⤵PID:4540
-
C:\Windows\SysWOW64\Lajagj32.exeC:\Windows\system32\Lajagj32.exe71⤵PID:4112
-
C:\Windows\SysWOW64\Leenhhdn.exeC:\Windows\system32\Leenhhdn.exe72⤵PID:1744
-
C:\Windows\SysWOW64\Lnnbqnjn.exeC:\Windows\system32\Lnnbqnjn.exe73⤵PID:4904
-
C:\Windows\SysWOW64\Lalnmiia.exeC:\Windows\system32\Lalnmiia.exe74⤵PID:5060
-
C:\Windows\SysWOW64\Licfngjd.exeC:\Windows\system32\Licfngjd.exe75⤵PID:3688
-
C:\Windows\SysWOW64\Lankbigo.exeC:\Windows\system32\Lankbigo.exe76⤵PID:4028
-
C:\Windows\SysWOW64\Lieccf32.exeC:\Windows\system32\Lieccf32.exe77⤵PID:4524
-
C:\Windows\SysWOW64\Lbngllob.exeC:\Windows\system32\Lbngllob.exe78⤵
- Modifies registry class
PID:4020 -
C:\Windows\SysWOW64\Ljilqnlm.exeC:\Windows\system32\Ljilqnlm.exe79⤵PID:3200
-
C:\Windows\SysWOW64\Llhikacp.exeC:\Windows\system32\Llhikacp.exe80⤵PID:4452
-
C:\Windows\SysWOW64\Maeachag.exeC:\Windows\system32\Maeachag.exe81⤵PID:3796
-
C:\Windows\SysWOW64\Mlkepaam.exeC:\Windows\system32\Mlkepaam.exe82⤵PID:1536
-
C:\Windows\SysWOW64\Mniallpq.exeC:\Windows\system32\Mniallpq.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1400 -
C:\Windows\SysWOW64\Mahnhhod.exeC:\Windows\system32\Mahnhhod.exe84⤵
- Modifies registry class
PID:2764 -
C:\Windows\SysWOW64\Mhafeb32.exeC:\Windows\system32\Mhafeb32.exe85⤵PID:4668
-
C:\Windows\SysWOW64\Majjng32.exeC:\Windows\system32\Majjng32.exe86⤵PID:396
-
C:\Windows\SysWOW64\Mhdckaeo.exeC:\Windows\system32\Mhdckaeo.exe87⤵PID:704
-
C:\Windows\SysWOW64\Mlpokp32.exeC:\Windows\system32\Mlpokp32.exe88⤵
- Modifies registry class
PID:3956 -
C:\Windows\SysWOW64\Mnnkgl32.exeC:\Windows\system32\Mnnkgl32.exe89⤵PID:2388
-
C:\Windows\SysWOW64\Mehcdfch.exeC:\Windows\system32\Mehcdfch.exe90⤵
- System Location Discovery: System Language Discovery
PID:4960 -
C:\Windows\SysWOW64\Mhfppabl.exeC:\Windows\system32\Mhfppabl.exe91⤵PID:1344
-
C:\Windows\SysWOW64\Mjellmbp.exeC:\Windows\system32\Mjellmbp.exe92⤵PID:5136
-
C:\Windows\SysWOW64\Mnphmkji.exeC:\Windows\system32\Mnphmkji.exe93⤵PID:5184
-
C:\Windows\SysWOW64\Maodigil.exeC:\Windows\system32\Maodigil.exe94⤵PID:5228
-
C:\Windows\SysWOW64\Mifljdjo.exeC:\Windows\system32\Mifljdjo.exe95⤵PID:5272
-
C:\Windows\SysWOW64\Mldhfpib.exeC:\Windows\system32\Mldhfpib.exe96⤵PID:5324
-
C:\Windows\SysWOW64\Nobdbkhf.exeC:\Windows\system32\Nobdbkhf.exe97⤵PID:5372
-
C:\Windows\SysWOW64\Nemmoe32.exeC:\Windows\system32\Nemmoe32.exe98⤵PID:5428
-
C:\Windows\SysWOW64\Njiegl32.exeC:\Windows\system32\Njiegl32.exe99⤵PID:5472
-
C:\Windows\SysWOW64\Nijeec32.exeC:\Windows\system32\Nijeec32.exe100⤵PID:5516
-
C:\Windows\SysWOW64\Nliaao32.exeC:\Windows\system32\Nliaao32.exe101⤵PID:5560
-
C:\Windows\SysWOW64\Nognnj32.exeC:\Windows\system32\Nognnj32.exe102⤵PID:5604
-
C:\Windows\SysWOW64\Nimbkc32.exeC:\Windows\system32\Nimbkc32.exe103⤵PID:5644
-
C:\Windows\SysWOW64\Nknobkje.exeC:\Windows\system32\Nknobkje.exe104⤵PID:5688
-
C:\Windows\SysWOW64\Nlnkmnah.exeC:\Windows\system32\Nlnkmnah.exe105⤵PID:5728
-
C:\Windows\SysWOW64\Nbgcih32.exeC:\Windows\system32\Nbgcih32.exe106⤵PID:5772
-
C:\Windows\SysWOW64\Okchnk32.exeC:\Windows\system32\Okchnk32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5816 -
C:\Windows\SysWOW64\Oidhlb32.exeC:\Windows\system32\Oidhlb32.exe108⤵PID:5860
-
C:\Windows\SysWOW64\Ooqqdi32.exeC:\Windows\system32\Ooqqdi32.exe109⤵
- Modifies registry class
PID:5904 -
C:\Windows\SysWOW64\Oaompd32.exeC:\Windows\system32\Oaompd32.exe110⤵PID:5948
-
C:\Windows\SysWOW64\Oldamm32.exeC:\Windows\system32\Oldamm32.exe111⤵PID:5992
-
C:\Windows\SysWOW64\Oocmii32.exeC:\Windows\system32\Oocmii32.exe112⤵
- System Location Discovery: System Language Discovery
PID:6036 -
C:\Windows\SysWOW64\Oaajed32.exeC:\Windows\system32\Oaajed32.exe113⤵PID:6080
-
C:\Windows\SysWOW64\Okjnnj32.exeC:\Windows\system32\Okjnnj32.exe114⤵PID:6124
-
C:\Windows\SysWOW64\Obafpg32.exeC:\Windows\system32\Obafpg32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5192 -
C:\Windows\SysWOW64\Oeoblb32.exeC:\Windows\system32\Oeoblb32.exe116⤵PID:5224
-
C:\Windows\SysWOW64\Obcceg32.exeC:\Windows\system32\Obcceg32.exe117⤵PID:5312
-
C:\Windows\SysWOW64\Pllgnl32.exeC:\Windows\system32\Pllgnl32.exe118⤵PID:5380
-
C:\Windows\SysWOW64\Piphgq32.exeC:\Windows\system32\Piphgq32.exe119⤵PID:5464
-
C:\Windows\SysWOW64\Pkadoiip.exeC:\Windows\system32\Pkadoiip.exe120⤵PID:5528
-
C:\Windows\SysWOW64\Pakllc32.exeC:\Windows\system32\Pakllc32.exe121⤵PID:5596
-
C:\Windows\SysWOW64\Pkcadhgm.exeC:\Windows\system32\Pkcadhgm.exe122⤵
- Drops file in System32 directory
PID:5684
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-