Analysis
-
max time kernel
96s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 01:01
Static task
static1
Behavioral task
behavioral1
Sample
9d8b0d7ce66548c1375b8bca7eb790085b65c5d337098af206528586cfc28b53.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
9d8b0d7ce66548c1375b8bca7eb790085b65c5d337098af206528586cfc28b53.exe
Resource
win10v2004-20241007-en
General
-
Target
9d8b0d7ce66548c1375b8bca7eb790085b65c5d337098af206528586cfc28b53.exe
-
Size
323KB
-
MD5
8546e20d6c206c008a8d5a6083af835b
-
SHA1
02fe1bf5d8da5e3a196d09cae0e92a55ddf43592
-
SHA256
9d8b0d7ce66548c1375b8bca7eb790085b65c5d337098af206528586cfc28b53
-
SHA512
5b3d69289c30549b0a5f6f1691f9027752ee7a5b345df3138544169d2f31b22fd5746b3dae47efe59374c99f3019c4b34f55bbfe1436599c0cb02626eb0c499f
-
SSDEEP
6144:qmT0fnCj97yPSJclljd3rKzwN8Jlljd3njPX9ZAk3fs:qmT0fn8sPSkjpKXjtjP9Zt0
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Hedafk32.exeKgiiiidd.exeHldiinke.exeGpcfmkff.exeKmdlffhj.exeAlqjpi32.exeOdalmibl.exeKfpcoefj.exeNnhmnn32.exeGdmmbq32.exeAeddnp32.exeChiigadc.exeFmkqpkla.exeJhnojl32.exeMnlnbl32.exeBllbaa32.exeQklmpalf.exeBakgoh32.exeJmbhoeid.exeGacjadad.exeJjgchm32.exeMfnoqc32.exeFganqbgg.exeFibhpbea.exeGldglf32.exeKeifdpif.exeOmgcpokp.exeGidnkkpc.exePlkpcfal.exeDmadco32.exeNagiji32.exeGanldgib.exePcjiff32.exeOaqbkn32.exeBajqda32.exeEdopabqn.exeAfpjel32.exeMokfja32.exeBfpdin32.exePjkmomfn.exeNnicid32.exeBnkbcj32.exeFohfbpgi.exeIjhjcchb.exeLbkkgl32.exeJbccge32.exeHgfapd32.exeIoolkncg.exeQdbdcg32.exeBdpaeehj.exeNggnadib.exeBknlbhhe.exeAkcjkfij.exeLjobpiql.exeMjkblhfo.exeMgehfkop.exeConanfli.exeOmalpc32.exeHlambk32.exeIdkkpf32.exeNpepkf32.exeObgohklm.exeLjgpkonp.exeOjigdcll.exedescription ioc process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hedafk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgiiiidd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hldiinke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpcfmkff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmdlffhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alqjpi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odalmibl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfpcoefj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnhmnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdmmbq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aeddnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chiigadc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmkqpkla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhnojl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnlnbl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bllbaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qklmpalf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bakgoh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmbhoeid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gacjadad.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjgchm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfnoqc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fganqbgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fibhpbea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gldglf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Keifdpif.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omgcpokp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gidnkkpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plkpcfal.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmadco32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nagiji32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ganldgib.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcjiff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oaqbkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bajqda32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edopabqn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afpjel32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mokfja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfpdin32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjkmomfn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnicid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnkbcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fohfbpgi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijhjcchb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbkkgl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbccge32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgfapd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioolkncg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qdbdcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdpaeehj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nggnadib.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bknlbhhe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akcjkfij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljobpiql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjkblhfo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgehfkop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Conanfli.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omalpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlambk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idkkpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npepkf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obgohklm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljgpkonp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojigdcll.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Diicml32.exeDhjckcgi.exeDabhdinj.exeDfoplpla.exeDmihij32.exeDfamapjo.exeEmlenj32.exeEpjajeqo.exeEmnbdioi.exeEdhjqc32.exeEfffmo32.exeEidbij32.exeEmpoiimf.exeEpokedmj.exeEdjgfcec.exeEhfcfb32.exeEjdocm32.exeEmbkoi32.exeEpagkd32.exeEhhpla32.exeEjflhm32.exeEmehdh32.exeEaqdegaj.exeEdopabqn.exeEhjlaaig.exeFkihnmhj.exeFiliii32.exeFmgejhgn.exeFpeafcfa.exeFdamgb32.exeFhmigagd.exeFineoi32.exeFaenpf32.exeFdcjlb32.exeFhofmq32.exeFgbfhmll.exeFipbdikp.exeFmlneg32.exeFpjjac32.exeFdffbake.exeFgdbnmji.exeFkpool32.exeFmnkkg32.exeFpmggb32.exeFdhcgaic.exeFggocmhf.exeFkbkdkpp.exeFmqgpgoc.exeFpodlbng.exeFhflnpoi.exeGkdhjknm.exeGmcdffmq.exeGpaqbbld.exeGdmmbq32.exeGgkiol32.exeGijekg32.exeGpcmga32.exeGhkeio32.exeGkiaej32.exeGilapgqb.exeGacjadad.exeGdafnpqh.exeGgpbjkpl.exeGklnjj32.exepid process 4500 Diicml32.exe 4532 Dhjckcgi.exe 4792 Dabhdinj.exe 4972 Dfoplpla.exe 804 Dmihij32.exe 1252 Dfamapjo.exe 4712 Emlenj32.exe 920 Epjajeqo.exe 3052 Emnbdioi.exe 3856 Edhjqc32.exe 452 Efffmo32.exe 4364 Eidbij32.exe 2904 Empoiimf.exe 2112 Epokedmj.exe 4600 Edjgfcec.exe 532 Ehfcfb32.exe 1928 Ejdocm32.exe 928 Embkoi32.exe 5008 Epagkd32.exe 4896 Ehhpla32.exe 1956 Ejflhm32.exe 4992 Emehdh32.exe 2796 Eaqdegaj.exe 2876 Edopabqn.exe 4408 Ehjlaaig.exe 4084 Fkihnmhj.exe 1940 Filiii32.exe 2652 Fmgejhgn.exe 3300 Fpeafcfa.exe 2456 Fdamgb32.exe 4232 Fhmigagd.exe 640 Fineoi32.exe 2124 Faenpf32.exe 1008 Fdcjlb32.exe 4308 Fhofmq32.exe 1132 Fgbfhmll.exe 2068 Fipbdikp.exe 3684 Fmlneg32.exe 4868 Fpjjac32.exe 3804 Fdffbake.exe 3108 Fgdbnmji.exe 4280 Fkpool32.exe 1808 Fmnkkg32.exe 2764 Fpmggb32.exe 1432 Fdhcgaic.exe 2924 Fggocmhf.exe 2188 Fkbkdkpp.exe 3728 Fmqgpgoc.exe 4872 Fpodlbng.exe 4780 Fhflnpoi.exe 1596 Gkdhjknm.exe 592 Gmcdffmq.exe 4524 Gpaqbbld.exe 712 Gdmmbq32.exe 468 Ggkiol32.exe 4924 Gijekg32.exe 5092 Gpcmga32.exe 3196 Ghkeio32.exe 4404 Gkiaej32.exe 3284 Gilapgqb.exe 2728 Gacjadad.exe 348 Gdafnpqh.exe 3724 Ggpbjkpl.exe 3624 Gklnjj32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Ljaoeini.exeKpmdfonj.exeOcohmc32.exeDhjckcgi.exeKnchpiom.exeOmfekbdh.exeFkbkdkpp.exeIlibdmgp.exeIhnkel32.exeJhpqaiji.exeMldhfpib.exeLmgabcge.exeDhclmp32.exeIbcaknbi.exeFhmigagd.exeGdmmbq32.exeLgbloglj.exeGokbgpeg.exeBkoigdom.exeJpbjfjci.exeGnjjfegi.exeAojlaeei.exeMnkggfkb.exeOmjpeo32.exePdkoch32.exeFiaael32.exeMfnoqc32.exeDdifgk32.exeKqnbkl32.exeLacdmh32.exeLckboblp.exeLgpoihnl.exeLokdnjkg.exeLobjni32.exeQdaniq32.exeChiblk32.exeLelchgne.exeHloqml32.exeJqiipljg.exeLbgalmej.exeNlnkmnah.exeAhdged32.exeHibjli32.exeEqncnj32.exeFkihnmhj.exeFineoi32.exeEkaapi32.exeIbhkfm32.exeMhjhmhhd.exeKkpbin32.exeGeohklaa.exeKadpdp32.exeLgkpdcmi.exePhodcg32.exeQklmpalf.exeFkfcqb32.exeBbgeno32.exeHgkkkcbc.exeCfqmpl32.exeIbcjqgnm.exePjlcjf32.exeMeamcg32.exedescription ioc process File created C:\Windows\SysWOW64\Lnmkfh32.exe Ljaoeini.exe File opened for modification C:\Windows\SysWOW64\Keimof32.exe Kpmdfonj.exe File opened for modification C:\Windows\SysWOW64\Ojhpimhp.exe Ocohmc32.exe File created C:\Windows\SysWOW64\Bpnpfack.dll Dhjckcgi.exe File created C:\Windows\SysWOW64\Hmokmkpo.dll Knchpiom.exe File created C:\Windows\SysWOW64\Bmgjnl32.dll Omfekbdh.exe File created C:\Windows\SysWOW64\Okcajg32.dll Fkbkdkpp.exe File opened for modification C:\Windows\SysWOW64\Ibcjqgnm.exe Ilibdmgp.exe File created C:\Windows\SysWOW64\Iklgah32.exe Ihnkel32.exe File opened for modification C:\Windows\SysWOW64\Jgcamf32.exe Jhpqaiji.exe File opened for modification C:\Windows\SysWOW64\Nobdbkhf.exe Mldhfpib.exe File opened for modification C:\Windows\SysWOW64\Lenicahg.exe Lmgabcge.exe File created C:\Windows\SysWOW64\Gkgmdnki.dll Dhclmp32.exe File opened for modification C:\Windows\SysWOW64\Iebngial.exe Ibcaknbi.exe File created C:\Windows\SysWOW64\Ebadmmge.dll Fhmigagd.exe File opened for modification C:\Windows\SysWOW64\Ggkiol32.exe Gdmmbq32.exe File created C:\Windows\SysWOW64\Fmplqd32.dll Lgbloglj.exe File opened for modification C:\Windows\SysWOW64\Galoohke.exe Gokbgpeg.exe File created C:\Windows\SysWOW64\Bokehc32.exe Bkoigdom.exe File created C:\Windows\SysWOW64\Kpmmljnd.dll Jpbjfjci.exe File created C:\Windows\SysWOW64\Cclaff32.dll Gnjjfegi.exe File opened for modification C:\Windows\SysWOW64\Aeddnp32.exe Aojlaeei.exe File opened for modification C:\Windows\SysWOW64\Meepdp32.exe Mnkggfkb.exe File created C:\Windows\SysWOW64\Ofonqd32.dll Omjpeo32.exe File created C:\Windows\SysWOW64\Lbopphio.dll Pdkoch32.exe File opened for modification C:\Windows\SysWOW64\Flpmagqi.exe Fiaael32.exe File opened for modification C:\Windows\SysWOW64\Mnegbp32.exe Mfnoqc32.exe File opened for modification C:\Windows\SysWOW64\Dnajppda.exe Ddifgk32.exe File created C:\Windows\SysWOW64\Kiejmi32.exe Kqnbkl32.exe File created C:\Windows\SysWOW64\Mngegmbc.exe Lacdmh32.exe File created C:\Windows\SysWOW64\Lhgkgijg.exe Lckboblp.exe File created C:\Windows\SysWOW64\Fcpjljph.dll Lgpoihnl.exe File created C:\Windows\SysWOW64\Minqeaad.dll Lokdnjkg.exe File created C:\Windows\SysWOW64\Clahmb32.dll Lobjni32.exe File opened for modification C:\Windows\SysWOW64\Afpjel32.exe Qdaniq32.exe File created C:\Windows\SysWOW64\Pghien32.dll Chiblk32.exe File created C:\Windows\SysWOW64\Lkpkgebb.dll Lelchgne.exe File created C:\Windows\SysWOW64\Hbhijepa.exe Hloqml32.exe File created C:\Windows\SysWOW64\Dajkgl32.dll Jqiipljg.exe File created C:\Windows\SysWOW64\Lajagj32.exe Lbgalmej.exe File created C:\Windows\SysWOW64\Ghpldkpc.dll Nlnkmnah.exe File created C:\Windows\SysWOW64\Aonoao32.exe Ahdged32.exe File created C:\Windows\SysWOW64\Cjgjmg32.dll Hibjli32.exe File opened for modification C:\Windows\SysWOW64\Ekcgkb32.exe Eqncnj32.exe File opened for modification C:\Windows\SysWOW64\Filiii32.exe Fkihnmhj.exe File created C:\Windows\SysWOW64\Faenpf32.exe Fineoi32.exe File created C:\Windows\SysWOW64\Efgemb32.exe Ekaapi32.exe File opened for modification C:\Windows\SysWOW64\Iefgbh32.exe Ibhkfm32.exe File created C:\Windows\SysWOW64\Mcoljagj.exe Mhjhmhhd.exe File opened for modification C:\Windows\SysWOW64\Lgkpdcmi.exe Lelchgne.exe File created C:\Windows\SysWOW64\Kqmkae32.exe Kkpbin32.exe File opened for modification C:\Windows\SysWOW64\Glipgf32.exe Geohklaa.exe File opened for modification C:\Windows\SysWOW64\Lepleocn.exe Kadpdp32.exe File opened for modification C:\Windows\SysWOW64\Llflea32.exe Lgkpdcmi.exe File opened for modification C:\Windows\SysWOW64\Plkpcfal.exe Phodcg32.exe File created C:\Windows\SysWOW64\Ekpped32.dll Qklmpalf.exe File created C:\Windows\SysWOW64\Badjai32.dll Fkfcqb32.exe File created C:\Windows\SysWOW64\Bmlilh32.exe Bbgeno32.exe File opened for modification C:\Windows\SysWOW64\Hiiggoaf.exe Hgkkkcbc.exe File created C:\Windows\SysWOW64\Fccfel32.dll Cfqmpl32.exe File created C:\Windows\SysWOW64\Iimcma32.exe Ibcjqgnm.exe File opened for modification C:\Windows\SysWOW64\Pmkofa32.exe Pjlcjf32.exe File created C:\Windows\SysWOW64\Mhafeb32.exe Meamcg32.exe File opened for modification C:\Windows\SysWOW64\Cbgnemjj.exe Cfqmpl32.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 5680 6356 WerFault.exe Pififb32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Mfnoqc32.exeJjmcnbdm.exeMgeakekd.exeMofmobmo.exeNmcpoedn.exeKcpahpmd.exeIqbbpm32.exeJjdjoane.exeKclgmq32.exeLmgabcge.exeQmgelf32.exeIklgah32.exeKgmcce32.exeAlqjpi32.exeIljpij32.exePmkofa32.exeHhiajmod.exeOqklkbbi.exeCbeapmll.exeNhokljge.exeQkmdkgob.exePhdnngdn.exeIlnbicff.exeDhphmj32.exeOdalmibl.exeMhfppabl.exeHdpbon32.exeGddbcp32.exeFipkjb32.exeFealin32.exeGgbook32.exeOaqbkn32.exeCfnqklgh.exePajeam32.exeKplmliko.exeGeaepk32.exeQjfmkk32.exeOobfob32.exeJqiipljg.exeGnqfcbnj.exeHjjnae32.exeBoenhgdd.exeBomkcm32.exeIqmidndd.exeNognnj32.exeFmqgpgoc.exeQlgpod32.exeIbfnqmpf.exeHnhghcki.exeAmjillkj.exeAgdcpkll.exeJhnojl32.exeKkpbin32.exeKjhcjq32.exeAajohjon.exeCnkkjh32.exeDbbffdlq.exeNopfpgip.exeIahlcaol.exeOjfcdnjc.exeBgkiaj32.exeHidgai32.exeLjdceo32.exeLjobpiql.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfnoqc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjmcnbdm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgeakekd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mofmobmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmcpoedn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcpahpmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iqbbpm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjdjoane.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kclgmq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmgabcge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmgelf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iklgah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgmcce32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alqjpi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iljpij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmkofa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhiajmod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqklkbbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbeapmll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhokljge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkmdkgob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phdnngdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilnbicff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhphmj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odalmibl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhfppabl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdpbon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gddbcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fipkjb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fealin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggbook32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaqbkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfnqklgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pajeam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kplmliko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geaepk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjfmkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oobfob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqiipljg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnqfcbnj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjjnae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boenhgdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bomkcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iqmidndd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nognnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmqgpgoc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qlgpod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibfnqmpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnhghcki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amjillkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agdcpkll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhnojl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkpbin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjhcjq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aajohjon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnkkjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbbffdlq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nopfpgip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iahlcaol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojfcdnjc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgkiaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hidgai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljdceo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljobpiql.exe -
Modifies registry class 64 IoCs
Processes:
Palklf32.exeMfnhfm32.exeLajagj32.exeBbiado32.exeHdmoohbo.exeAajohjon.exeKfnfjehl.exeLgccinoe.exeOldjcg32.exeDnajppda.exeHgelek32.exeIahlcaol.exeJhpqaiji.exeKbpkkn32.exeAbponp32.exeNnfpinmi.exePhedhmhi.exeIlafiihp.exeGlkmmefl.exeJcmdaljn.exeGojiiafp.exeMmhgmmbf.exeAdhdjpjf.exeCoqncejg.exeNfqnbjfi.exeFineoi32.exeKbddfmgl.exeKcejco32.exeClchbqoo.exeFkfcqb32.exeAgdcpkll.exeEqiibjlj.exeFkjmlaac.exeKkcfid32.exeLnpofnhk.exeCbgnemjj.exeJpcapp32.exeAoioli32.exeGlhimp32.exeJpnakk32.exePciqnk32.exeIinjhh32.exeEnhpao32.exeJnpfop32.exePolppg32.exeKqfngd32.exeLmdemd32.exeHfcnpn32.exeDhjckcgi.exeJilfifme.exeLgibpf32.exeEaqdegaj.exeFjadje32.exeFpimlfke.exeOblhcj32.exeCimmggfl.exeNhokljge.exeEfeihb32.exeJmbhoeid.exeHpfbcn32.exeBbgeno32.exeCoadnlnb.exeIbhkfm32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehhjm32.dll" Palklf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faoiogei.dll" Mfnhfm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lajagj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbiado32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmemlfol.dll" Hdmoohbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfkbfh32.dll" Aajohjon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfnfjehl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgccinoe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oldjcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpmdqpl.dll" Dnajppda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djfkblnn.dll" Hgelek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iahlcaol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jhpqaiji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbpkkn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abponp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnfpinmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Injdmnab.dll" Jhpqaiji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phedhmhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ilafiihp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Glkmmefl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcmdaljn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gojiiafp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmpjlk32.dll" Mmhgmmbf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adhdjpjf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Coqncejg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nfqnbjfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fineoi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbddfmgl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kcejco32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Clchbqoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Badjai32.dll" Fkfcqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijikdfig.dll" Agdcpkll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbnckkha.dll" Eqiibjlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fkjmlaac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkcfid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lnpofnhk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbgnemjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jpcapp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmpockdl.dll" Aoioli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgpamjnb.dll" Glhimp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flinad32.dll" Jpnakk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pciqnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmhkafda.dll" Iinjhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Enhpao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbklhm32.dll" Jnpfop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Polppg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kqfngd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmdemd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfcnpn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhjckcgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbqpfg32.dll" Jilfifme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgibpf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eaqdegaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gggpfopn.dll" Fjadje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kapceeje.dll" Fpimlfke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oblhcj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cimmggfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khoana32.dll" Nhokljge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efeihb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdimkqnb.dll" Jmbhoeid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpfbcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbgeno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Coadnlnb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibhkfm32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
9d8b0d7ce66548c1375b8bca7eb790085b65c5d337098af206528586cfc28b53.exeDiicml32.exeDhjckcgi.exeDabhdinj.exeDfoplpla.exeDmihij32.exeDfamapjo.exeEmlenj32.exeEpjajeqo.exeEmnbdioi.exeEdhjqc32.exeEfffmo32.exeEidbij32.exeEmpoiimf.exeEpokedmj.exeEdjgfcec.exeEhfcfb32.exeEjdocm32.exeEmbkoi32.exeEpagkd32.exeEhhpla32.exeEjflhm32.exedescription pid process target process PID 2708 wrote to memory of 4500 2708 9d8b0d7ce66548c1375b8bca7eb790085b65c5d337098af206528586cfc28b53.exe Diicml32.exe PID 2708 wrote to memory of 4500 2708 9d8b0d7ce66548c1375b8bca7eb790085b65c5d337098af206528586cfc28b53.exe Diicml32.exe PID 2708 wrote to memory of 4500 2708 9d8b0d7ce66548c1375b8bca7eb790085b65c5d337098af206528586cfc28b53.exe Diicml32.exe PID 4500 wrote to memory of 4532 4500 Diicml32.exe Dhjckcgi.exe PID 4500 wrote to memory of 4532 4500 Diicml32.exe Dhjckcgi.exe PID 4500 wrote to memory of 4532 4500 Diicml32.exe Dhjckcgi.exe PID 4532 wrote to memory of 4792 4532 Dhjckcgi.exe Dabhdinj.exe PID 4532 wrote to memory of 4792 4532 Dhjckcgi.exe Dabhdinj.exe PID 4532 wrote to memory of 4792 4532 Dhjckcgi.exe Dabhdinj.exe PID 4792 wrote to memory of 4972 4792 Dabhdinj.exe Dfoplpla.exe PID 4792 wrote to memory of 4972 4792 Dabhdinj.exe Dfoplpla.exe PID 4792 wrote to memory of 4972 4792 Dabhdinj.exe Dfoplpla.exe PID 4972 wrote to memory of 804 4972 Dfoplpla.exe Dmihij32.exe PID 4972 wrote to memory of 804 4972 Dfoplpla.exe Dmihij32.exe PID 4972 wrote to memory of 804 4972 Dfoplpla.exe Dmihij32.exe PID 804 wrote to memory of 1252 804 Dmihij32.exe Dfamapjo.exe PID 804 wrote to memory of 1252 804 Dmihij32.exe Dfamapjo.exe PID 804 wrote to memory of 1252 804 Dmihij32.exe Dfamapjo.exe PID 1252 wrote to memory of 4712 1252 Dfamapjo.exe Emlenj32.exe PID 1252 wrote to memory of 4712 1252 Dfamapjo.exe Emlenj32.exe PID 1252 wrote to memory of 4712 1252 Dfamapjo.exe Emlenj32.exe PID 4712 wrote to memory of 920 4712 Emlenj32.exe Epjajeqo.exe PID 4712 wrote to memory of 920 4712 Emlenj32.exe Epjajeqo.exe PID 4712 wrote to memory of 920 4712 Emlenj32.exe Epjajeqo.exe PID 920 wrote to memory of 3052 920 Epjajeqo.exe Emnbdioi.exe PID 920 wrote to memory of 3052 920 Epjajeqo.exe Emnbdioi.exe PID 920 wrote to memory of 3052 920 Epjajeqo.exe Emnbdioi.exe PID 3052 wrote to memory of 3856 3052 Emnbdioi.exe Edhjqc32.exe PID 3052 wrote to memory of 3856 3052 Emnbdioi.exe Edhjqc32.exe PID 3052 wrote to memory of 3856 3052 Emnbdioi.exe Edhjqc32.exe PID 3856 wrote to memory of 452 3856 Edhjqc32.exe Efffmo32.exe PID 3856 wrote to memory of 452 3856 Edhjqc32.exe Efffmo32.exe PID 3856 wrote to memory of 452 3856 Edhjqc32.exe Efffmo32.exe PID 452 wrote to memory of 4364 452 Efffmo32.exe Eidbij32.exe PID 452 wrote to memory of 4364 452 Efffmo32.exe Eidbij32.exe PID 452 wrote to memory of 4364 452 Efffmo32.exe Eidbij32.exe PID 4364 wrote to memory of 2904 4364 Eidbij32.exe Empoiimf.exe PID 4364 wrote to memory of 2904 4364 Eidbij32.exe Empoiimf.exe PID 4364 wrote to memory of 2904 4364 Eidbij32.exe Empoiimf.exe PID 2904 wrote to memory of 2112 2904 Empoiimf.exe Epokedmj.exe PID 2904 wrote to memory of 2112 2904 Empoiimf.exe Epokedmj.exe PID 2904 wrote to memory of 2112 2904 Empoiimf.exe Epokedmj.exe PID 2112 wrote to memory of 4600 2112 Epokedmj.exe Edjgfcec.exe PID 2112 wrote to memory of 4600 2112 Epokedmj.exe Edjgfcec.exe PID 2112 wrote to memory of 4600 2112 Epokedmj.exe Edjgfcec.exe PID 4600 wrote to memory of 532 4600 Edjgfcec.exe Ehfcfb32.exe PID 4600 wrote to memory of 532 4600 Edjgfcec.exe Ehfcfb32.exe PID 4600 wrote to memory of 532 4600 Edjgfcec.exe Ehfcfb32.exe PID 532 wrote to memory of 1928 532 Ehfcfb32.exe Ejdocm32.exe PID 532 wrote to memory of 1928 532 Ehfcfb32.exe Ejdocm32.exe PID 532 wrote to memory of 1928 532 Ehfcfb32.exe Ejdocm32.exe PID 1928 wrote to memory of 928 1928 Ejdocm32.exe Embkoi32.exe PID 1928 wrote to memory of 928 1928 Ejdocm32.exe Embkoi32.exe PID 1928 wrote to memory of 928 1928 Ejdocm32.exe Embkoi32.exe PID 928 wrote to memory of 5008 928 Embkoi32.exe Epagkd32.exe PID 928 wrote to memory of 5008 928 Embkoi32.exe Epagkd32.exe PID 928 wrote to memory of 5008 928 Embkoi32.exe Epagkd32.exe PID 5008 wrote to memory of 4896 5008 Epagkd32.exe Ehhpla32.exe PID 5008 wrote to memory of 4896 5008 Epagkd32.exe Ehhpla32.exe PID 5008 wrote to memory of 4896 5008 Epagkd32.exe Ehhpla32.exe PID 4896 wrote to memory of 1956 4896 Ehhpla32.exe Ejflhm32.exe PID 4896 wrote to memory of 1956 4896 Ehhpla32.exe Ejflhm32.exe PID 4896 wrote to memory of 1956 4896 Ehhpla32.exe Ejflhm32.exe PID 1956 wrote to memory of 4992 1956 Ejflhm32.exe Emehdh32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\9d8b0d7ce66548c1375b8bca7eb790085b65c5d337098af206528586cfc28b53.exe"C:\Users\Admin\AppData\Local\Temp\9d8b0d7ce66548c1375b8bca7eb790085b65c5d337098af206528586cfc28b53.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Diicml32.exeC:\Windows\system32\Diicml32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4500 -
C:\Windows\SysWOW64\Dhjckcgi.exeC:\Windows\system32\Dhjckcgi.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4532 -
C:\Windows\SysWOW64\Dabhdinj.exeC:\Windows\system32\Dabhdinj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4792 -
C:\Windows\SysWOW64\Dfoplpla.exeC:\Windows\system32\Dfoplpla.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4972 -
C:\Windows\SysWOW64\Dmihij32.exeC:\Windows\system32\Dmihij32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:804 -
C:\Windows\SysWOW64\Dfamapjo.exeC:\Windows\system32\Dfamapjo.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1252 -
C:\Windows\SysWOW64\Emlenj32.exeC:\Windows\system32\Emlenj32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4712 -
C:\Windows\SysWOW64\Epjajeqo.exeC:\Windows\system32\Epjajeqo.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:920 -
C:\Windows\SysWOW64\Emnbdioi.exeC:\Windows\system32\Emnbdioi.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\SysWOW64\Edhjqc32.exeC:\Windows\system32\Edhjqc32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3856 -
C:\Windows\SysWOW64\Efffmo32.exeC:\Windows\system32\Efffmo32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:452 -
C:\Windows\SysWOW64\Eidbij32.exeC:\Windows\system32\Eidbij32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4364 -
C:\Windows\SysWOW64\Empoiimf.exeC:\Windows\system32\Empoiimf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\Epokedmj.exeC:\Windows\system32\Epokedmj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Windows\SysWOW64\Edjgfcec.exeC:\Windows\system32\Edjgfcec.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4600 -
C:\Windows\SysWOW64\Ehfcfb32.exeC:\Windows\system32\Ehfcfb32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:532 -
C:\Windows\SysWOW64\Ejdocm32.exeC:\Windows\system32\Ejdocm32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1928 -
C:\Windows\SysWOW64\Embkoi32.exeC:\Windows\system32\Embkoi32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:928 -
C:\Windows\SysWOW64\Epagkd32.exeC:\Windows\system32\Epagkd32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5008 -
C:\Windows\SysWOW64\Ehhpla32.exeC:\Windows\system32\Ehhpla32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4896 -
C:\Windows\SysWOW64\Ejflhm32.exeC:\Windows\system32\Ejflhm32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Windows\SysWOW64\Emehdh32.exeC:\Windows\system32\Emehdh32.exe23⤵
- Executes dropped EXE
PID:4992 -
C:\Windows\SysWOW64\Eaqdegaj.exeC:\Windows\system32\Eaqdegaj.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:2796 -
C:\Windows\SysWOW64\Edopabqn.exeC:\Windows\system32\Edopabqn.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Ehjlaaig.exeC:\Windows\system32\Ehjlaaig.exe26⤵
- Executes dropped EXE
PID:4408 -
C:\Windows\SysWOW64\Fkihnmhj.exeC:\Windows\system32\Fkihnmhj.exe27⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4084 -
C:\Windows\SysWOW64\Filiii32.exeC:\Windows\system32\Filiii32.exe28⤵
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Fmgejhgn.exeC:\Windows\system32\Fmgejhgn.exe29⤵
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Fpeafcfa.exeC:\Windows\system32\Fpeafcfa.exe30⤵
- Executes dropped EXE
PID:3300 -
C:\Windows\SysWOW64\Fdamgb32.exeC:\Windows\system32\Fdamgb32.exe31⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Fhmigagd.exeC:\Windows\system32\Fhmigagd.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4232 -
C:\Windows\SysWOW64\Fineoi32.exeC:\Windows\system32\Fineoi32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:640 -
C:\Windows\SysWOW64\Faenpf32.exeC:\Windows\system32\Faenpf32.exe34⤵
- Executes dropped EXE
PID:2124 -
C:\Windows\SysWOW64\Fdcjlb32.exeC:\Windows\system32\Fdcjlb32.exe35⤵
- Executes dropped EXE
PID:1008 -
C:\Windows\SysWOW64\Fhofmq32.exeC:\Windows\system32\Fhofmq32.exe36⤵
- Executes dropped EXE
PID:4308 -
C:\Windows\SysWOW64\Fgbfhmll.exeC:\Windows\system32\Fgbfhmll.exe37⤵
- Executes dropped EXE
PID:1132 -
C:\Windows\SysWOW64\Fipbdikp.exeC:\Windows\system32\Fipbdikp.exe38⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Fmlneg32.exeC:\Windows\system32\Fmlneg32.exe39⤵
- Executes dropped EXE
PID:3684 -
C:\Windows\SysWOW64\Fpjjac32.exeC:\Windows\system32\Fpjjac32.exe40⤵
- Executes dropped EXE
PID:4868 -
C:\Windows\SysWOW64\Fdffbake.exeC:\Windows\system32\Fdffbake.exe41⤵
- Executes dropped EXE
PID:3804 -
C:\Windows\SysWOW64\Fgdbnmji.exeC:\Windows\system32\Fgdbnmji.exe42⤵
- Executes dropped EXE
PID:3108 -
C:\Windows\SysWOW64\Fkpool32.exeC:\Windows\system32\Fkpool32.exe43⤵
- Executes dropped EXE
PID:4280 -
C:\Windows\SysWOW64\Fmnkkg32.exeC:\Windows\system32\Fmnkkg32.exe44⤵
- Executes dropped EXE
PID:1808 -
C:\Windows\SysWOW64\Fpmggb32.exeC:\Windows\system32\Fpmggb32.exe45⤵
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Fdhcgaic.exeC:\Windows\system32\Fdhcgaic.exe46⤵
- Executes dropped EXE
PID:1432 -
C:\Windows\SysWOW64\Fggocmhf.exeC:\Windows\system32\Fggocmhf.exe47⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Fkbkdkpp.exeC:\Windows\system32\Fkbkdkpp.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2188 -
C:\Windows\SysWOW64\Fmqgpgoc.exeC:\Windows\system32\Fmqgpgoc.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3728 -
C:\Windows\SysWOW64\Fpodlbng.exeC:\Windows\system32\Fpodlbng.exe50⤵
- Executes dropped EXE
PID:4872 -
C:\Windows\SysWOW64\Fhflnpoi.exeC:\Windows\system32\Fhflnpoi.exe51⤵
- Executes dropped EXE
PID:4780 -
C:\Windows\SysWOW64\Gkdhjknm.exeC:\Windows\system32\Gkdhjknm.exe52⤵
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Gmcdffmq.exeC:\Windows\system32\Gmcdffmq.exe53⤵
- Executes dropped EXE
PID:592 -
C:\Windows\SysWOW64\Gpaqbbld.exeC:\Windows\system32\Gpaqbbld.exe54⤵
- Executes dropped EXE
PID:4524 -
C:\Windows\SysWOW64\Gdmmbq32.exeC:\Windows\system32\Gdmmbq32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:712 -
C:\Windows\SysWOW64\Ggkiol32.exeC:\Windows\system32\Ggkiol32.exe56⤵
- Executes dropped EXE
PID:468 -
C:\Windows\SysWOW64\Gijekg32.exeC:\Windows\system32\Gijekg32.exe57⤵
- Executes dropped EXE
PID:4924 -
C:\Windows\SysWOW64\Gpcmga32.exeC:\Windows\system32\Gpcmga32.exe58⤵
- Executes dropped EXE
PID:5092 -
C:\Windows\SysWOW64\Ghkeio32.exeC:\Windows\system32\Ghkeio32.exe59⤵
- Executes dropped EXE
PID:3196 -
C:\Windows\SysWOW64\Gkiaej32.exeC:\Windows\system32\Gkiaej32.exe60⤵
- Executes dropped EXE
PID:4404 -
C:\Windows\SysWOW64\Gilapgqb.exeC:\Windows\system32\Gilapgqb.exe61⤵
- Executes dropped EXE
PID:3284 -
C:\Windows\SysWOW64\Gacjadad.exeC:\Windows\system32\Gacjadad.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Gdafnpqh.exeC:\Windows\system32\Gdafnpqh.exe63⤵
- Executes dropped EXE
PID:348 -
C:\Windows\SysWOW64\Ggpbjkpl.exeC:\Windows\system32\Ggpbjkpl.exe64⤵
- Executes dropped EXE
PID:3724 -
C:\Windows\SysWOW64\Gklnjj32.exeC:\Windows\system32\Gklnjj32.exe65⤵
- Executes dropped EXE
PID:3624 -
C:\Windows\SysWOW64\Gnjjfegi.exeC:\Windows\system32\Gnjjfegi.exe66⤵
- Drops file in System32 directory
PID:2700 -
C:\Windows\SysWOW64\Gaefgd32.exeC:\Windows\system32\Gaefgd32.exe67⤵PID:1540
-
C:\Windows\SysWOW64\Gddbcp32.exeC:\Windows\system32\Gddbcp32.exe68⤵
- System Location Discovery: System Language Discovery
PID:5112 -
C:\Windows\SysWOW64\Ggbook32.exeC:\Windows\system32\Ggbook32.exe69⤵
- System Location Discovery: System Language Discovery
PID:2744 -
C:\Windows\SysWOW64\Giqkkf32.exeC:\Windows\system32\Giqkkf32.exe70⤵PID:4928
-
C:\Windows\SysWOW64\Hgelek32.exeC:\Windows\system32\Hgelek32.exe71⤵
- Modifies registry class
PID:1232 -
C:\Windows\SysWOW64\Hjchaf32.exeC:\Windows\system32\Hjchaf32.exe72⤵PID:836
-
C:\Windows\SysWOW64\Hpmpnp32.exeC:\Windows\system32\Hpmpnp32.exe73⤵PID:2132
-
C:\Windows\SysWOW64\Hkbdki32.exeC:\Windows\system32\Hkbdki32.exe74⤵PID:4152
-
C:\Windows\SysWOW64\Hnaqgd32.exeC:\Windows\system32\Hnaqgd32.exe75⤵PID:3864
-
C:\Windows\SysWOW64\Hpomcp32.exeC:\Windows\system32\Hpomcp32.exe76⤵PID:1968
-
C:\Windows\SysWOW64\Hhfedm32.exeC:\Windows\system32\Hhfedm32.exe77⤵PID:2568
-
C:\Windows\SysWOW64\Hkeaqi32.exeC:\Windows\system32\Hkeaqi32.exe78⤵PID:3128
-
C:\Windows\SysWOW64\Haoimcgg.exeC:\Windows\system32\Haoimcgg.exe79⤵PID:2964
-
C:\Windows\SysWOW64\Hhiajmod.exeC:\Windows\system32\Hhiajmod.exe80⤵
- System Location Discovery: System Language Discovery
PID:1492 -
C:\Windows\SysWOW64\Hjjnae32.exeC:\Windows\system32\Hjjnae32.exe81⤵
- System Location Discovery: System Language Discovery
PID:3348 -
C:\Windows\SysWOW64\Hdpbon32.exeC:\Windows\system32\Hdpbon32.exe82⤵
- System Location Discovery: System Language Discovery
PID:2152 -
C:\Windows\SysWOW64\Hnhghcki.exeC:\Windows\system32\Hnhghcki.exe83⤵
- System Location Discovery: System Language Discovery
PID:3672 -
C:\Windows\SysWOW64\Ihnkel32.exeC:\Windows\system32\Ihnkel32.exe84⤵
- Drops file in System32 directory
PID:4360 -
C:\Windows\SysWOW64\Iklgah32.exeC:\Windows\system32\Iklgah32.exe85⤵
- System Location Discovery: System Language Discovery
PID:4616 -
C:\Windows\SysWOW64\Iqipio32.exeC:\Windows\system32\Iqipio32.exe86⤵PID:2724
-
C:\Windows\SysWOW64\Ihphkl32.exeC:\Windows\system32\Ihphkl32.exe87⤵PID:2404
-
C:\Windows\SysWOW64\Ijadbdoj.exeC:\Windows\system32\Ijadbdoj.exe88⤵PID:1480
-
C:\Windows\SysWOW64\Iahlcaol.exeC:\Windows\system32\Iahlcaol.exe89⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1992 -
C:\Windows\SysWOW64\Ihbdplfi.exeC:\Windows\system32\Ihbdplfi.exe90⤵PID:4552
-
C:\Windows\SysWOW64\Ijcahd32.exeC:\Windows\system32\Ijcahd32.exe91⤵PID:8
-
C:\Windows\SysWOW64\Iqmidndd.exeC:\Windows\system32\Iqmidndd.exe92⤵
- System Location Discovery: System Language Discovery
PID:4124 -
C:\Windows\SysWOW64\Ihdafkdg.exeC:\Windows\system32\Ihdafkdg.exe93⤵PID:548
-
C:\Windows\SysWOW64\Ikcmbfcj.exeC:\Windows\system32\Ikcmbfcj.exe94⤵PID:4768
-
C:\Windows\SysWOW64\Inainbcn.exeC:\Windows\system32\Inainbcn.exe95⤵PID:1584
-
C:\Windows\SysWOW64\Iqpfjnba.exeC:\Windows\system32\Iqpfjnba.exe96⤵PID:3952
-
C:\Windows\SysWOW64\Idkbkl32.exeC:\Windows\system32\Idkbkl32.exe97⤵PID:2768
-
C:\Windows\SysWOW64\Igjngh32.exeC:\Windows\system32\Igjngh32.exe98⤵PID:4336
-
C:\Windows\SysWOW64\Ijhjcchb.exeC:\Windows\system32\Ijhjcchb.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2288 -
C:\Windows\SysWOW64\Ibobdqid.exeC:\Windows\system32\Ibobdqid.exe100⤵PID:3160
-
C:\Windows\SysWOW64\Iqbbpm32.exeC:\Windows\system32\Iqbbpm32.exe101⤵
- System Location Discovery: System Language Discovery
PID:4216 -
C:\Windows\SysWOW64\Jglklggl.exeC:\Windows\system32\Jglklggl.exe102⤵PID:3736
-
C:\Windows\SysWOW64\Jbaojpgb.exeC:\Windows\system32\Jbaojpgb.exe103⤵PID:408
-
C:\Windows\SysWOW64\Jhlgfj32.exeC:\Windows\system32\Jhlgfj32.exe104⤵PID:3000
-
C:\Windows\SysWOW64\Jkjcbe32.exeC:\Windows\system32\Jkjcbe32.exe105⤵PID:5160
-
C:\Windows\SysWOW64\Jjmcnbdm.exeC:\Windows\system32\Jjmcnbdm.exe106⤵
- System Location Discovery: System Language Discovery
PID:5200 -
C:\Windows\SysWOW64\Jgadgf32.exeC:\Windows\system32\Jgadgf32.exe107⤵PID:5240
-
C:\Windows\SysWOW64\Jjopcb32.exeC:\Windows\system32\Jjopcb32.exe108⤵PID:5280
-
C:\Windows\SysWOW64\Jbfheo32.exeC:\Windows\system32\Jbfheo32.exe109⤵PID:5324
-
C:\Windows\SysWOW64\Jqiipljg.exeC:\Windows\system32\Jqiipljg.exe110⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5364 -
C:\Windows\SysWOW64\Jhpqaiji.exeC:\Windows\system32\Jhpqaiji.exe111⤵
- Drops file in System32 directory
- Modifies registry class
PID:5404 -
C:\Windows\SysWOW64\Jgcamf32.exeC:\Windows\system32\Jgcamf32.exe112⤵PID:5444
-
C:\Windows\SysWOW64\Jjamia32.exeC:\Windows\system32\Jjamia32.exe113⤵PID:5484
-
C:\Windows\SysWOW64\Jbiejoaj.exeC:\Windows\system32\Jbiejoaj.exe114⤵PID:5524
-
C:\Windows\SysWOW64\Jqlefl32.exeC:\Windows\system32\Jqlefl32.exe115⤵PID:5556
-
C:\Windows\SysWOW64\Jgenbfoa.exeC:\Windows\system32\Jgenbfoa.exe116⤵PID:5604
-
C:\Windows\SysWOW64\Jjdjoane.exeC:\Windows\system32\Jjdjoane.exe117⤵
- System Location Discovery: System Language Discovery
PID:5644 -
C:\Windows\SysWOW64\Jnpfop32.exeC:\Windows\system32\Jnpfop32.exe118⤵
- Modifies registry class
PID:5684 -
C:\Windows\SysWOW64\Kqnbkl32.exeC:\Windows\system32\Kqnbkl32.exe119⤵
- Drops file in System32 directory
PID:5724 -
C:\Windows\SysWOW64\Kiejmi32.exeC:\Windows\system32\Kiejmi32.exe120⤵PID:5768
-
C:\Windows\SysWOW64\Kkcfid32.exeC:\Windows\system32\Kkcfid32.exe121⤵
- Modifies registry class
PID:5808 -
C:\Windows\SysWOW64\Kbmoen32.exeC:\Windows\system32\Kbmoen32.exe122⤵PID:5848
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-