Analysis
-
max time kernel
92s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 01:11
Static task
static1
Behavioral task
behavioral1
Sample
72a2b9f103447dfde42f17fc09137d00d5ef462aed90c4875207077b0c607757N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
72a2b9f103447dfde42f17fc09137d00d5ef462aed90c4875207077b0c607757N.exe
Resource
win10v2004-20241007-en
General
-
Target
72a2b9f103447dfde42f17fc09137d00d5ef462aed90c4875207077b0c607757N.exe
-
Size
64KB
-
MD5
8a7c19278db864ca2d928c2bb10ac710
-
SHA1
9f215df79da5be597bdaf290cf90b10d867e6ad2
-
SHA256
72a2b9f103447dfde42f17fc09137d00d5ef462aed90c4875207077b0c607757
-
SHA512
dd2c1d659b85ddf05163651efa989d03daff0b2c4a0f97fcb9d6d31dadab4ccd25fae17e3d5f55e368fde4256b3219bd10e6f6445a036e34f0aafc5c60315854
-
SSDEEP
768:bOYnrV+qo2T3fc5E+KX8mTjPDKbRH+txu4+/1H54FYmGKA2kms8Y/ts/9d2NzYVp:aYrV+n2fc5E+K1zD2WyfrPFW2iwTbWv
Malware Config
Extracted
berbew
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Fphnlcdo.exeKijchhbo.exeBddjpd32.exeOhqbhdpj.exeOanfen32.exePmcclm32.exeCbdjeg32.exeMockmala.exeEdhjqc32.exeFmfnpa32.exeKpanan32.exeBajqda32.exeOphjiaql.exeHglaej32.exeJhijqj32.exeMngegmbc.exePeahgl32.exeAajhndkb.exePakllc32.exePjbcplpe.exeQjfmkk32.exeFkkeclfh.exeCcpdoqgd.exeCmjemflb.exeEkdnei32.exePhfcipoo.exeLjhefhha.exeJpaekqhh.exeOclkgccf.exeGpcmga32.exeJcdala32.exePldcjeia.exeIfomll32.exeAijnep32.exePhodcg32.exePlmmif32.exeHfcnpn32.exeDjmibn32.exeJnkldqkc.exeIkdcmpnl.exeKqmkae32.exeCdlqqcnl.exeOgmijllo.exeJqdoem32.exeGfheof32.exeChlflabp.exeIdahjg32.exeDomdjj32.exeCkjknfnh.exeQeodhjmo.exeEjflhm32.exeOhnohn32.exeBmofagfp.exePpolhcnm.exeAaoaic32.exeJgcamf32.exeNlfelogp.exeOldamm32.exeKcejco32.exeMkmkkjko.exeHiipmhmk.exeBfqkddfd.exeIakiia32.exedescription ioc process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fphnlcdo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kijchhbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bddjpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohqbhdpj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oanfen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmcclm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbdjeg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mockmala.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edhjqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmfnpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpanan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bajqda32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ophjiaql.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hglaej32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhijqj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mngegmbc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peahgl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aajhndkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pakllc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjbcplpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qjfmkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkkeclfh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccpdoqgd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmjemflb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekdnei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phfcipoo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljhefhha.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpaekqhh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oclkgccf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpcmga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcdala32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pldcjeia.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifomll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpaekqhh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aijnep32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phodcg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plmmif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfcnpn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djmibn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnkldqkc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikdcmpnl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kqmkae32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdlqqcnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogmijllo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqdoem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfheof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chlflabp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idahjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Domdjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckjknfnh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qeodhjmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejflhm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohnohn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmofagfp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppolhcnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aaoaic32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgcamf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlfelogp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oldamm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcejco32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkmkkjko.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hiipmhmk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfqkddfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iakiia32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Lfhnaa32.exeLifjnm32.exeLldfjh32.exeLppbkgcj.exeLihfcm32.exeLhkgoiqe.exeLbqklb32.exeLikcilhh.exeLpekef32.exeLoglacfo.exeLeadnm32.exeMhppji32.exeMpghkf32.exeMbedga32.exeMfaqhp32.exeMedqcmki.exeMiomdk32.exeMhbmphjm.exeMplafeil.exeMbjnbqhp.exeMffjcopi.exeMidfokpm.exeMfhfhong.exeMhicpg32.exeMockmala.exeNemcjk32.exeNhlpfgbb.exeNoehba32.exeNbadcpbh.exeNiklpj32.exeNlihle32.exeNbcqiope.exeNebmekoi.exeNiniei32.exeNcfmno32.exeNipekiep.exeNlnbgddc.exeNpjnhc32.exeNchjdo32.exeNeffpj32.exeNplkmckj.exeNookip32.exeOeicejia.exeOidofh32.exeOpogbbig.exeOcmconhk.exeOigllh32.exeOpadhb32.exeOcopdn32.exeOiihahme.exeOpcqnb32.exeOgmijllo.exeOhnebd32.exeOpemca32.exeOgpepl32.exeOhqbhdpj.exeOphjiaql.exeOokjdn32.exePgbbek32.exePloknb32.exePomgjn32.exePgdokkfg.exePhelcc32.exePpmcdq32.exepid process 4900 Lfhnaa32.exe 1796 Lifjnm32.exe 1432 Lldfjh32.exe 224 Lppbkgcj.exe 2864 Lihfcm32.exe 3904 Lhkgoiqe.exe 1568 Lbqklb32.exe 3404 Likcilhh.exe 4232 Lpekef32.exe 5016 Loglacfo.exe 5008 Leadnm32.exe 2528 Mhppji32.exe 2936 Mpghkf32.exe 3348 Mbedga32.exe 3972 Mfaqhp32.exe 708 Medqcmki.exe 632 Miomdk32.exe 4476 Mhbmphjm.exe 4140 Mplafeil.exe 372 Mbjnbqhp.exe 4976 Mffjcopi.exe 3332 Midfokpm.exe 1016 Mfhfhong.exe 4280 Mhicpg32.exe 1792 Mockmala.exe 4276 Nemcjk32.exe 2372 Nhlpfgbb.exe 2780 Noehba32.exe 1584 Nbadcpbh.exe 676 Niklpj32.exe 5048 Nlihle32.exe 2040 Nbcqiope.exe 3120 Nebmekoi.exe 4920 Niniei32.exe 228 Ncfmno32.exe 2704 Nipekiep.exe 5040 Nlnbgddc.exe 4668 Npjnhc32.exe 1500 Nchjdo32.exe 116 Neffpj32.exe 3708 Nplkmckj.exe 1008 Nookip32.exe 2212 Oeicejia.exe 4848 Oidofh32.exe 1856 Opogbbig.exe 1316 Ocmconhk.exe 4052 Oigllh32.exe 2664 Opadhb32.exe 3964 Ocopdn32.exe 5104 Oiihahme.exe 1820 Opcqnb32.exe 2832 Ogmijllo.exe 536 Ohnebd32.exe 3156 Opemca32.exe 2604 Ogpepl32.exe 1080 Ohqbhdpj.exe 212 Ophjiaql.exe 4292 Ookjdn32.exe 3192 Pgbbek32.exe 4248 Ploknb32.exe 1496 Pomgjn32.exe 1404 Pgdokkfg.exe 2268 Phelcc32.exe 1672 Ppmcdq32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Jjamia32.exeNlmdbh32.exeDnbakghm.exeAaldccip.exeHajpbckl.exeCmjemflb.exeJdmgfedl.exeOobfob32.exeAgdcpkll.exeDpckjfgg.exeHgghjjid.exeOhnohn32.exeOlijhmgj.exeGfeaopqo.exeIefgbh32.exeMcbpjg32.exeBfjnjcni.exeJkhgmf32.exeDcigeooj.exeMglfplgk.exeOdmbaj32.exeAhaceo32.exeCggimh32.exePgdokkfg.exeBciehh32.exeGkiaej32.exeBjaqpbkh.exeKqpoakco.exeKbbhqn32.exeCobkhb32.exeFffhifdk.exeNqbpojnp.exeLppbkgcj.exeAodogdmn.exeIqklon32.exeJdodkebj.exeJnhidk32.exeLjhefhha.exeDmennnni.exeHplbickp.exeMhicpg32.exeAompak32.exeDmbbhkjf.exeKeqdmihc.exeMjlhgaqp.exeNfjola32.exeDgcihgaj.exeOcmconhk.exeHmbphg32.exeHiipmhmk.exeIgajal32.exePmiikh32.exeAaoaic32.exeAolblopj.exeBiogppeg.exeJpfepf32.exeOeheqm32.exeLgbloglj.exeOeicejia.exeMpghkf32.exeOmpfej32.exeAhfmpnql.exeLldfjh32.exeKkmioc32.exedescription ioc process File opened for modification C:\Windows\SysWOW64\Jbiejoaj.exe Jjamia32.exe File opened for modification C:\Windows\SysWOW64\Nnkpnclp.exe Nlmdbh32.exe File created C:\Windows\SysWOW64\Dfiildio.exe Dnbakghm.exe File created C:\Windows\SysWOW64\Hbobhb32.dll Aaldccip.exe File opened for modification C:\Windows\SysWOW64\Hgghjjid.exe Hajpbckl.exe File opened for modification C:\Windows\SysWOW64\Coiaiakf.exe Cmjemflb.exe File created C:\Windows\SysWOW64\Dnbbhnma.dll Jdmgfedl.exe File opened for modification C:\Windows\SysWOW64\Oelolmnd.exe Oobfob32.exe File created C:\Windows\SysWOW64\Ijikdfig.dll Agdcpkll.exe File opened for modification C:\Windows\SysWOW64\Dcogje32.exe Dpckjfgg.exe File created C:\Windows\SysWOW64\Hpomcp32.exe Hgghjjid.exe File opened for modification C:\Windows\SysWOW64\Olijhmgj.exe Ohnohn32.exe File created C:\Windows\SysWOW64\Oohgdhfn.exe Olijhmgj.exe File created C:\Windows\SysWOW64\Gidnkkpc.exe Gfeaopqo.exe File created C:\Windows\SysWOW64\Iibccgep.exe Iefgbh32.exe File created C:\Windows\SysWOW64\Npldbgic.dll Mcbpjg32.exe File created C:\Windows\SysWOW64\Fliabjbh.dll Bfjnjcni.exe File created C:\Windows\SysWOW64\Jnfcia32.exe Jkhgmf32.exe File opened for modification C:\Windows\SysWOW64\Dfgcakon.exe Dcigeooj.exe File created C:\Windows\SysWOW64\Mjkblhfo.exe Mglfplgk.exe File created C:\Windows\SysWOW64\Hkpmpo32.dll Odmbaj32.exe File created C:\Windows\SysWOW64\Agdcpkll.exe Ahaceo32.exe File created C:\Windows\SysWOW64\Conanfli.exe Cggimh32.exe File created C:\Windows\SysWOW64\Phelcc32.exe Pgdokkfg.exe File created C:\Windows\SysWOW64\Bgeaifia.exe Bciehh32.exe File opened for modification C:\Windows\SysWOW64\Gilapgqb.exe Gkiaej32.exe File created C:\Windows\SysWOW64\Bidqko32.exe Bjaqpbkh.exe File opened for modification C:\Windows\SysWOW64\Kiggbhda.exe Kqpoakco.exe File created C:\Windows\SysWOW64\Keqdmihc.exe Kbbhqn32.exe File created C:\Windows\SysWOW64\Pnbmqiee.dll Cobkhb32.exe File opened for modification C:\Windows\SysWOW64\Fideeaco.exe Fffhifdk.exe File created C:\Windows\SysWOW64\Ncqlkemc.exe Nqbpojnp.exe File created C:\Windows\SysWOW64\Nboahd32.dll Lppbkgcj.exe File created C:\Windows\SysWOW64\Kemilf32.dll Aodogdmn.exe File created C:\Windows\SysWOW64\Igedlh32.exe Iqklon32.exe File created C:\Windows\SysWOW64\Jkimho32.exe Jdodkebj.exe File opened for modification C:\Windows\SysWOW64\Jpfepf32.exe Jnhidk32.exe File created C:\Windows\SysWOW64\Lqbncb32.exe Ljhefhha.exe File created C:\Windows\SysWOW64\Dejncidp.dll Dmennnni.exe File created C:\Windows\SysWOW64\Hbjoeojc.exe Hplbickp.exe File opened for modification C:\Windows\SysWOW64\Mockmala.exe Mhicpg32.exe File opened for modification C:\Windows\SysWOW64\Ajcdnd32.exe Aompak32.exe File opened for modification C:\Windows\SysWOW64\Dpqodfij.exe Dmbbhkjf.exe File opened for modification C:\Windows\SysWOW64\Kgopidgf.exe Keqdmihc.exe File created C:\Windows\SysWOW64\Bcjfln32.dll Mjlhgaqp.exe File created C:\Windows\SysWOW64\Qimkic32.dll Nfjola32.exe File created C:\Windows\SysWOW64\Dnmaea32.exe Dgcihgaj.exe File created C:\Windows\SysWOW64\Cqjenbhh.dll Ocmconhk.exe File created C:\Windows\SysWOW64\Hoclopne.exe Hmbphg32.exe File created C:\Windows\SysWOW64\Igcnla32.dll Hiipmhmk.exe File opened for modification C:\Windows\SysWOW64\Iipfmggc.exe Igajal32.exe File opened for modification C:\Windows\SysWOW64\Ppgegd32.exe Pmiikh32.exe File created C:\Windows\SysWOW64\Ifaohg32.dll Aaoaic32.exe File opened for modification C:\Windows\SysWOW64\Aajohjon.exe Aolblopj.exe File opened for modification C:\Windows\SysWOW64\Bqfoamfj.exe Biogppeg.exe File opened for modification C:\Windows\SysWOW64\Jcdala32.exe Jpfepf32.exe File created C:\Windows\SysWOW64\Cncijina.dll Oeheqm32.exe File created C:\Windows\SysWOW64\Bfnikd32.dll Lgbloglj.exe File created C:\Windows\SysWOW64\Aieeeflh.dll Oeicejia.exe File created C:\Windows\SysWOW64\Mbedga32.exe Mpghkf32.exe File opened for modification C:\Windows\SysWOW64\Opnbae32.exe Ompfej32.exe File opened for modification C:\Windows\SysWOW64\Aopemh32.exe Ahfmpnql.exe File opened for modification C:\Windows\SysWOW64\Lppbkgcj.exe Lldfjh32.exe File opened for modification C:\Windows\SysWOW64\Knkekn32.exe Kkmioc32.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 4492 5156 WerFault.exe Dkqaoe32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Bqfoamfj.exeLkofdbkj.exeAfelhf32.exeAjeadd32.exeDmdonkgc.exeLelchgne.exeHgdejd32.exeAaoaic32.exeHglaej32.exeJjamia32.exeNgndaccj.exeLjnlecmp.exeEjflhm32.exeAkoqpg32.exeOeheqm32.exeOacoqnci.exePmcclm32.exeDndnpf32.exeOhkkhhmh.exeHoeieolb.exeLoglacfo.exeNeffpj32.exeQfbobf32.exeBlielbfi.exeBnmoijje.exeDoaneiop.exeLifjnm32.exeHmmfmhll.exeHidgai32.exeAgdcpkll.exeCklhcfle.exeNpjnhc32.exeIgedlh32.exeGimqajgh.exeDjhpgofm.exeIakiia32.exeCfldelik.exeGlengm32.exeCdimqm32.exeHkeaqi32.exeIjadbdoj.exeQhngolpo.exeGigaka32.exeHbjoeojc.exeKgopidgf.exeNlnkmnah.exeMkohaj32.exeNgqagcag.exeOnapdl32.exeIllfdc32.exeNmkmjjaa.exeOeicejia.exePolppg32.exeFmfnpa32.exeNjmqnobn.exeOcohmc32.exeCnjdpaki.exeBjcmebie.exeJnhpoamf.exeEfafgifc.exeAknifq32.exeNcnofeof.exeJebfng32.exeOmnjojpo.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqfoamfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkofdbkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afelhf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajeadd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmdonkgc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lelchgne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgdejd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaoaic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hglaej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjamia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngndaccj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljnlecmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejflhm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akoqpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oeheqm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oacoqnci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmcclm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dndnpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohkkhhmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoeieolb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Loglacfo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neffpj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfbobf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blielbfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnmoijje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doaneiop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lifjnm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmmfmhll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hidgai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agdcpkll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cklhcfle.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npjnhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igedlh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gimqajgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djhpgofm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iakiia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfldelik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glengm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdimqm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkeaqi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijadbdoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhngolpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gigaka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbjoeojc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgopidgf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlnkmnah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkohaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngqagcag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onapdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Illfdc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmkmjjaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oeicejia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Polppg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmfnpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njmqnobn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocohmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnjdpaki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjcmebie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnhpoamf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efafgifc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aknifq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncnofeof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jebfng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omnjojpo.exe -
Modifies registry class 64 IoCs
Processes:
Cfnjpfcl.exeHlglidlo.exeQaqegecm.exeAijnep32.exeMecjif32.exeLqndhcdc.exeAjbmdn32.exeIibccgep.exeDpiplm32.exeMjellmbp.exeQohpkf32.exeKnalji32.exeLjobpiql.exeJohnamkm.exePflibgil.exeDmglcj32.exeEibfck32.exeLcgpni32.exeNcqlkemc.exeJnkldqkc.exeKniieo32.exeLjgpkonp.exeEjchhgid.exeLklbdm32.exeNookip32.exeCjomap32.exeHnhghcki.exeQeodhjmo.exeOffnhpfo.exePpahmb32.exePakllc32.exeBjicdmmd.exePecellgl.exeCoadnlnb.exeMhppji32.exeInmpcc32.exeJkjcbe32.exeEclmamod.exeNmgjia32.exeBklfgo32.exeBddjpd32.exeDnbakghm.exeOpogbbig.exeBfqkddfd.exeKqpoakco.exeGpelhd32.exeHedafk32.exeKpmdfonj.exeJqglkmlj.exeBcinna32.exeCmjemflb.exeKqbdldnq.exeMkmkkjko.exeLppbkgcj.exeCpihcgoa.exeGmeakf32.exeJcfggkac.exeNncccnol.exeKclgmq32.exeAolblopj.exeHlcjhkdp.exeLgbloglj.exePjbcplpe.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfnjpfcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlkpophj.dll" Hlglidlo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qaqegecm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aijnep32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mecjif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfglbe32.dll" Lqndhcdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajbmdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iefeek32.dll" Iibccgep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpiplm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjellmbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjebhadm.dll" Qohpkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inmabofh.dll" Knalji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljobpiql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbdmdpjg.dll" Johnamkm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pflibgil.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmglcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eibfck32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lcgpni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enjgeopm.dll" Ncqlkemc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnkldqkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnecgoki.dll" Kniieo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljgpkonp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blickdlj.dll" Ejchhgid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjmdflo.dll" Lklbdm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nookip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aojjhafd.dll" Cjomap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Haedpe32.dll" Hnhghcki.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qeodhjmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbpflbpa.dll" Offnhpfo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppahmb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pakllc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjicdmmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pecellgl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Coadnlnb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhppji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Meickkqm.dll" Inmpcc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jkjcbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkkceedp.dll" Eclmamod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmgjia32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bklfgo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bddjpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dnbakghm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Opogbbig.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfqkddfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kqpoakco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gpelhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hedafk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpmdfonj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jqglkmlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcpcam32.dll" Bcinna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cmjemflb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gicbkkca.dll" Kqbdldnq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jheldb32.dll" Mkmkkjko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lppbkgcj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpihcgoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbemad32.dll" Gmeakf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Locfbi32.dll" Jcfggkac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nncccnol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kclgmq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aolblopj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlmcka32.dll" Hlcjhkdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfnikd32.dll" Lgbloglj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgbloglj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjbcplpe.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
72a2b9f103447dfde42f17fc09137d00d5ef462aed90c4875207077b0c607757N.exeLfhnaa32.exeLifjnm32.exeLldfjh32.exeLppbkgcj.exeLihfcm32.exeLhkgoiqe.exeLbqklb32.exeLikcilhh.exeLpekef32.exeLoglacfo.exeLeadnm32.exeMhppji32.exeMpghkf32.exeMbedga32.exeMfaqhp32.exeMedqcmki.exeMiomdk32.exeMhbmphjm.exeMplafeil.exeMbjnbqhp.exeMffjcopi.exedescription pid process target process PID 3444 wrote to memory of 4900 3444 72a2b9f103447dfde42f17fc09137d00d5ef462aed90c4875207077b0c607757N.exe Lfhnaa32.exe PID 3444 wrote to memory of 4900 3444 72a2b9f103447dfde42f17fc09137d00d5ef462aed90c4875207077b0c607757N.exe Lfhnaa32.exe PID 3444 wrote to memory of 4900 3444 72a2b9f103447dfde42f17fc09137d00d5ef462aed90c4875207077b0c607757N.exe Lfhnaa32.exe PID 4900 wrote to memory of 1796 4900 Lfhnaa32.exe Lifjnm32.exe PID 4900 wrote to memory of 1796 4900 Lfhnaa32.exe Lifjnm32.exe PID 4900 wrote to memory of 1796 4900 Lfhnaa32.exe Lifjnm32.exe PID 1796 wrote to memory of 1432 1796 Lifjnm32.exe Lldfjh32.exe PID 1796 wrote to memory of 1432 1796 Lifjnm32.exe Lldfjh32.exe PID 1796 wrote to memory of 1432 1796 Lifjnm32.exe Lldfjh32.exe PID 1432 wrote to memory of 224 1432 Lldfjh32.exe Lppbkgcj.exe PID 1432 wrote to memory of 224 1432 Lldfjh32.exe Lppbkgcj.exe PID 1432 wrote to memory of 224 1432 Lldfjh32.exe Lppbkgcj.exe PID 224 wrote to memory of 2864 224 Lppbkgcj.exe Lihfcm32.exe PID 224 wrote to memory of 2864 224 Lppbkgcj.exe Lihfcm32.exe PID 224 wrote to memory of 2864 224 Lppbkgcj.exe Lihfcm32.exe PID 2864 wrote to memory of 3904 2864 Lihfcm32.exe Lhkgoiqe.exe PID 2864 wrote to memory of 3904 2864 Lihfcm32.exe Lhkgoiqe.exe PID 2864 wrote to memory of 3904 2864 Lihfcm32.exe Lhkgoiqe.exe PID 3904 wrote to memory of 1568 3904 Lhkgoiqe.exe Lbqklb32.exe PID 3904 wrote to memory of 1568 3904 Lhkgoiqe.exe Lbqklb32.exe PID 3904 wrote to memory of 1568 3904 Lhkgoiqe.exe Lbqklb32.exe PID 1568 wrote to memory of 3404 1568 Lbqklb32.exe Likcilhh.exe PID 1568 wrote to memory of 3404 1568 Lbqklb32.exe Likcilhh.exe PID 1568 wrote to memory of 3404 1568 Lbqklb32.exe Likcilhh.exe PID 3404 wrote to memory of 4232 3404 Likcilhh.exe Lpekef32.exe PID 3404 wrote to memory of 4232 3404 Likcilhh.exe Lpekef32.exe PID 3404 wrote to memory of 4232 3404 Likcilhh.exe Lpekef32.exe PID 4232 wrote to memory of 5016 4232 Lpekef32.exe Loglacfo.exe PID 4232 wrote to memory of 5016 4232 Lpekef32.exe Loglacfo.exe PID 4232 wrote to memory of 5016 4232 Lpekef32.exe Loglacfo.exe PID 5016 wrote to memory of 5008 5016 Loglacfo.exe Leadnm32.exe PID 5016 wrote to memory of 5008 5016 Loglacfo.exe Leadnm32.exe PID 5016 wrote to memory of 5008 5016 Loglacfo.exe Leadnm32.exe PID 5008 wrote to memory of 2528 5008 Leadnm32.exe Mhppji32.exe PID 5008 wrote to memory of 2528 5008 Leadnm32.exe Mhppji32.exe PID 5008 wrote to memory of 2528 5008 Leadnm32.exe Mhppji32.exe PID 2528 wrote to memory of 2936 2528 Mhppji32.exe Mpghkf32.exe PID 2528 wrote to memory of 2936 2528 Mhppji32.exe Mpghkf32.exe PID 2528 wrote to memory of 2936 2528 Mhppji32.exe Mpghkf32.exe PID 2936 wrote to memory of 3348 2936 Mpghkf32.exe Mbedga32.exe PID 2936 wrote to memory of 3348 2936 Mpghkf32.exe Mbedga32.exe PID 2936 wrote to memory of 3348 2936 Mpghkf32.exe Mbedga32.exe PID 3348 wrote to memory of 3972 3348 Mbedga32.exe Mfaqhp32.exe PID 3348 wrote to memory of 3972 3348 Mbedga32.exe Mfaqhp32.exe PID 3348 wrote to memory of 3972 3348 Mbedga32.exe Mfaqhp32.exe PID 3972 wrote to memory of 708 3972 Mfaqhp32.exe Medqcmki.exe PID 3972 wrote to memory of 708 3972 Mfaqhp32.exe Medqcmki.exe PID 3972 wrote to memory of 708 3972 Mfaqhp32.exe Medqcmki.exe PID 708 wrote to memory of 632 708 Medqcmki.exe Miomdk32.exe PID 708 wrote to memory of 632 708 Medqcmki.exe Miomdk32.exe PID 708 wrote to memory of 632 708 Medqcmki.exe Miomdk32.exe PID 632 wrote to memory of 4476 632 Miomdk32.exe Mhbmphjm.exe PID 632 wrote to memory of 4476 632 Miomdk32.exe Mhbmphjm.exe PID 632 wrote to memory of 4476 632 Miomdk32.exe Mhbmphjm.exe PID 4476 wrote to memory of 4140 4476 Mhbmphjm.exe Mplafeil.exe PID 4476 wrote to memory of 4140 4476 Mhbmphjm.exe Mplafeil.exe PID 4476 wrote to memory of 4140 4476 Mhbmphjm.exe Mplafeil.exe PID 4140 wrote to memory of 372 4140 Mplafeil.exe Mbjnbqhp.exe PID 4140 wrote to memory of 372 4140 Mplafeil.exe Mbjnbqhp.exe PID 4140 wrote to memory of 372 4140 Mplafeil.exe Mbjnbqhp.exe PID 372 wrote to memory of 4976 372 Mbjnbqhp.exe Mffjcopi.exe PID 372 wrote to memory of 4976 372 Mbjnbqhp.exe Mffjcopi.exe PID 372 wrote to memory of 4976 372 Mbjnbqhp.exe Mffjcopi.exe PID 4976 wrote to memory of 3332 4976 Mffjcopi.exe Midfokpm.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\72a2b9f103447dfde42f17fc09137d00d5ef462aed90c4875207077b0c607757N.exe"C:\Users\Admin\AppData\Local\Temp\72a2b9f103447dfde42f17fc09137d00d5ef462aed90c4875207077b0c607757N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3444 -
C:\Windows\SysWOW64\Lfhnaa32.exeC:\Windows\system32\Lfhnaa32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4900 -
C:\Windows\SysWOW64\Lifjnm32.exeC:\Windows\system32\Lifjnm32.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1796 -
C:\Windows\SysWOW64\Lldfjh32.exeC:\Windows\system32\Lldfjh32.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1432 -
C:\Windows\SysWOW64\Lppbkgcj.exeC:\Windows\system32\Lppbkgcj.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:224 -
C:\Windows\SysWOW64\Lihfcm32.exeC:\Windows\system32\Lihfcm32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\Lhkgoiqe.exeC:\Windows\system32\Lhkgoiqe.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3904 -
C:\Windows\SysWOW64\Lbqklb32.exeC:\Windows\system32\Lbqklb32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1568 -
C:\Windows\SysWOW64\Likcilhh.exeC:\Windows\system32\Likcilhh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3404 -
C:\Windows\SysWOW64\Lpekef32.exeC:\Windows\system32\Lpekef32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4232 -
C:\Windows\SysWOW64\Loglacfo.exeC:\Windows\system32\Loglacfo.exe11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5016 -
C:\Windows\SysWOW64\Leadnm32.exeC:\Windows\system32\Leadnm32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5008 -
C:\Windows\SysWOW64\Mhppji32.exeC:\Windows\system32\Mhppji32.exe13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Windows\SysWOW64\Mpghkf32.exeC:\Windows\system32\Mpghkf32.exe14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\Mbedga32.exeC:\Windows\system32\Mbedga32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3348 -
C:\Windows\SysWOW64\Mfaqhp32.exeC:\Windows\system32\Mfaqhp32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3972 -
C:\Windows\SysWOW64\Medqcmki.exeC:\Windows\system32\Medqcmki.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:708 -
C:\Windows\SysWOW64\Miomdk32.exeC:\Windows\system32\Miomdk32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:632 -
C:\Windows\SysWOW64\Mhbmphjm.exeC:\Windows\system32\Mhbmphjm.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4476 -
C:\Windows\SysWOW64\Mplafeil.exeC:\Windows\system32\Mplafeil.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4140 -
C:\Windows\SysWOW64\Mbjnbqhp.exeC:\Windows\system32\Mbjnbqhp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:372 -
C:\Windows\SysWOW64\Mffjcopi.exeC:\Windows\system32\Mffjcopi.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4976 -
C:\Windows\SysWOW64\Midfokpm.exeC:\Windows\system32\Midfokpm.exe23⤵
- Executes dropped EXE
PID:3332 -
C:\Windows\SysWOW64\Mfhfhong.exeC:\Windows\system32\Mfhfhong.exe24⤵
- Executes dropped EXE
PID:1016 -
C:\Windows\SysWOW64\Mhicpg32.exeC:\Windows\system32\Mhicpg32.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4280 -
C:\Windows\SysWOW64\Mockmala.exeC:\Windows\system32\Mockmala.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1792 -
C:\Windows\SysWOW64\Nemcjk32.exeC:\Windows\system32\Nemcjk32.exe27⤵
- Executes dropped EXE
PID:4276 -
C:\Windows\SysWOW64\Nhlpfgbb.exeC:\Windows\system32\Nhlpfgbb.exe28⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Noehba32.exeC:\Windows\system32\Noehba32.exe29⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Nbadcpbh.exeC:\Windows\system32\Nbadcpbh.exe30⤵
- Executes dropped EXE
PID:1584 -
C:\Windows\SysWOW64\Niklpj32.exeC:\Windows\system32\Niklpj32.exe31⤵
- Executes dropped EXE
PID:676 -
C:\Windows\SysWOW64\Nlihle32.exeC:\Windows\system32\Nlihle32.exe32⤵
- Executes dropped EXE
PID:5048 -
C:\Windows\SysWOW64\Nbcqiope.exeC:\Windows\system32\Nbcqiope.exe33⤵
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Nebmekoi.exeC:\Windows\system32\Nebmekoi.exe34⤵
- Executes dropped EXE
PID:3120 -
C:\Windows\SysWOW64\Niniei32.exeC:\Windows\system32\Niniei32.exe35⤵
- Executes dropped EXE
PID:4920 -
C:\Windows\SysWOW64\Ncfmno32.exeC:\Windows\system32\Ncfmno32.exe36⤵
- Executes dropped EXE
PID:228 -
C:\Windows\SysWOW64\Nipekiep.exeC:\Windows\system32\Nipekiep.exe37⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Nlnbgddc.exeC:\Windows\system32\Nlnbgddc.exe38⤵
- Executes dropped EXE
PID:5040 -
C:\Windows\SysWOW64\Npjnhc32.exeC:\Windows\system32\Npjnhc32.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4668 -
C:\Windows\SysWOW64\Nchjdo32.exeC:\Windows\system32\Nchjdo32.exe40⤵
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Neffpj32.exeC:\Windows\system32\Neffpj32.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:116 -
C:\Windows\SysWOW64\Nplkmckj.exeC:\Windows\system32\Nplkmckj.exe42⤵
- Executes dropped EXE
PID:3708 -
C:\Windows\SysWOW64\Nookip32.exeC:\Windows\system32\Nookip32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:1008 -
C:\Windows\SysWOW64\Oeicejia.exeC:\Windows\system32\Oeicejia.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2212 -
C:\Windows\SysWOW64\Oidofh32.exeC:\Windows\system32\Oidofh32.exe45⤵
- Executes dropped EXE
PID:4848 -
C:\Windows\SysWOW64\Opogbbig.exeC:\Windows\system32\Opogbbig.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:1856 -
C:\Windows\SysWOW64\Ocmconhk.exeC:\Windows\system32\Ocmconhk.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1316 -
C:\Windows\SysWOW64\Oigllh32.exeC:\Windows\system32\Oigllh32.exe48⤵
- Executes dropped EXE
PID:4052 -
C:\Windows\SysWOW64\Opadhb32.exeC:\Windows\system32\Opadhb32.exe49⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Ocopdn32.exeC:\Windows\system32\Ocopdn32.exe50⤵
- Executes dropped EXE
PID:3964 -
C:\Windows\SysWOW64\Oiihahme.exeC:\Windows\system32\Oiihahme.exe51⤵
- Executes dropped EXE
PID:5104 -
C:\Windows\SysWOW64\Opcqnb32.exeC:\Windows\system32\Opcqnb32.exe52⤵
- Executes dropped EXE
PID:1820 -
C:\Windows\SysWOW64\Ogmijllo.exeC:\Windows\system32\Ogmijllo.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Ohnebd32.exeC:\Windows\system32\Ohnebd32.exe54⤵
- Executes dropped EXE
PID:536 -
C:\Windows\SysWOW64\Opemca32.exeC:\Windows\system32\Opemca32.exe55⤵
- Executes dropped EXE
PID:3156 -
C:\Windows\SysWOW64\Ogpepl32.exeC:\Windows\system32\Ogpepl32.exe56⤵
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Ohqbhdpj.exeC:\Windows\system32\Ohqbhdpj.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1080 -
C:\Windows\SysWOW64\Ophjiaql.exeC:\Windows\system32\Ophjiaql.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:212 -
C:\Windows\SysWOW64\Ookjdn32.exeC:\Windows\system32\Ookjdn32.exe59⤵
- Executes dropped EXE
PID:4292 -
C:\Windows\SysWOW64\Pgbbek32.exeC:\Windows\system32\Pgbbek32.exe60⤵
- Executes dropped EXE
PID:3192 -
C:\Windows\SysWOW64\Ploknb32.exeC:\Windows\system32\Ploknb32.exe61⤵
- Executes dropped EXE
PID:4248 -
C:\Windows\SysWOW64\Pomgjn32.exeC:\Windows\system32\Pomgjn32.exe62⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Pgdokkfg.exeC:\Windows\system32\Pgdokkfg.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1404 -
C:\Windows\SysWOW64\Phelcc32.exeC:\Windows\system32\Phelcc32.exe64⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Ppmcdq32.exeC:\Windows\system32\Ppmcdq32.exe65⤵
- Executes dropped EXE
PID:1672 -
C:\Windows\SysWOW64\Pckppl32.exeC:\Windows\system32\Pckppl32.exe66⤵PID:3144
-
C:\Windows\SysWOW64\Pgflqkdd.exeC:\Windows\system32\Pgflqkdd.exe67⤵PID:1092
-
C:\Windows\SysWOW64\Pfillg32.exeC:\Windows\system32\Pfillg32.exe68⤵PID:1712
-
C:\Windows\SysWOW64\Phhhhc32.exeC:\Windows\system32\Phhhhc32.exe69⤵PID:4532
-
C:\Windows\SysWOW64\Pcmlfl32.exeC:\Windows\system32\Pcmlfl32.exe70⤵PID:384
-
C:\Windows\SysWOW64\Pflibgil.exeC:\Windows\system32\Pflibgil.exe71⤵
- Modifies registry class
PID:5052 -
C:\Windows\SysWOW64\Pjgebf32.exeC:\Windows\system32\Pjgebf32.exe72⤵PID:2944
-
C:\Windows\SysWOW64\Ppamophb.exeC:\Windows\system32\Ppamophb.exe73⤵PID:3368
-
C:\Windows\SysWOW64\Podmkm32.exeC:\Windows\system32\Podmkm32.exe74⤵PID:2128
-
C:\Windows\SysWOW64\Pfnegggi.exeC:\Windows\system32\Pfnegggi.exe75⤵PID:4244
-
C:\Windows\SysWOW64\Pqcjepfo.exeC:\Windows\system32\Pqcjepfo.exe76⤵PID:364
-
C:\Windows\SysWOW64\Pofjpl32.exeC:\Windows\system32\Pofjpl32.exe77⤵PID:3324
-
C:\Windows\SysWOW64\Qcbfakec.exeC:\Windows\system32\Qcbfakec.exe78⤵PID:4444
-
C:\Windows\SysWOW64\Qfpbmfdf.exeC:\Windows\system32\Qfpbmfdf.exe79⤵PID:968
-
C:\Windows\SysWOW64\Qjlnnemp.exeC:\Windows\system32\Qjlnnemp.exe80⤵PID:1532
-
C:\Windows\SysWOW64\Qhonib32.exeC:\Windows\system32\Qhonib32.exe81⤵PID:4364
-
C:\Windows\SysWOW64\Qqffjo32.exeC:\Windows\system32\Qqffjo32.exe82⤵PID:2400
-
C:\Windows\SysWOW64\Qfbobf32.exeC:\Windows\system32\Qfbobf32.exe83⤵
- System Location Discovery: System Language Discovery
PID:2368 -
C:\Windows\SysWOW64\Qjnkcekm.exeC:\Windows\system32\Qjnkcekm.exe84⤵PID:3936
-
C:\Windows\SysWOW64\Qhakoa32.exeC:\Windows\system32\Qhakoa32.exe85⤵PID:5096
-
C:\Windows\SysWOW64\Qqhcpo32.exeC:\Windows\system32\Qqhcpo32.exe86⤵PID:4752
-
C:\Windows\SysWOW64\Aokcklid.exeC:\Windows\system32\Aokcklid.exe87⤵PID:4924
-
C:\Windows\SysWOW64\Acgolj32.exeC:\Windows\system32\Acgolj32.exe88⤵PID:2384
-
C:\Windows\SysWOW64\Afelhf32.exeC:\Windows\system32\Afelhf32.exe89⤵
- System Location Discovery: System Language Discovery
PID:3204 -
C:\Windows\SysWOW64\Ahchda32.exeC:\Windows\system32\Ahchda32.exe90⤵PID:3680
-
C:\Windows\SysWOW64\Aompak32.exeC:\Windows\system32\Aompak32.exe91⤵
- Drops file in System32 directory
PID:1304 -
C:\Windows\SysWOW64\Ajcdnd32.exeC:\Windows\system32\Ajcdnd32.exe92⤵PID:988
-
C:\Windows\SysWOW64\Aqmlknnd.exeC:\Windows\system32\Aqmlknnd.exe93⤵PID:1332
-
C:\Windows\SysWOW64\Aopmfk32.exeC:\Windows\system32\Aopmfk32.exe94⤵PID:3508
-
C:\Windows\SysWOW64\Ajeadd32.exeC:\Windows\system32\Ajeadd32.exe95⤵
- System Location Discovery: System Language Discovery
PID:4356 -
C:\Windows\SysWOW64\Aqoiqn32.exeC:\Windows\system32\Aqoiqn32.exe96⤵PID:2608
-
C:\Windows\SysWOW64\Acnemi32.exeC:\Windows\system32\Acnemi32.exe97⤵PID:4600
-
C:\Windows\SysWOW64\Aflaie32.exeC:\Windows\system32\Aflaie32.exe98⤵PID:1960
-
C:\Windows\SysWOW64\Aijnep32.exeC:\Windows\system32\Aijnep32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4500 -
C:\Windows\SysWOW64\Aodfajaj.exeC:\Windows\system32\Aodfajaj.exe100⤵PID:5152
-
C:\Windows\SysWOW64\Ajjjocap.exeC:\Windows\system32\Ajjjocap.exe101⤵PID:5196
-
C:\Windows\SysWOW64\Bogcgj32.exeC:\Windows\system32\Bogcgj32.exe102⤵PID:5240
-
C:\Windows\SysWOW64\Bfqkddfd.exeC:\Windows\system32\Bfqkddfd.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5284 -
C:\Windows\SysWOW64\Biogppeg.exeC:\Windows\system32\Biogppeg.exe104⤵
- Drops file in System32 directory
PID:5328 -
C:\Windows\SysWOW64\Bqfoamfj.exeC:\Windows\system32\Bqfoamfj.exe105⤵
- System Location Discovery: System Language Discovery
PID:5388 -
C:\Windows\SysWOW64\Bcelmhen.exeC:\Windows\system32\Bcelmhen.exe106⤵PID:5432
-
C:\Windows\SysWOW64\Bgpgng32.exeC:\Windows\system32\Bgpgng32.exe107⤵PID:5492
-
C:\Windows\SysWOW64\Bfchidda.exeC:\Windows\system32\Bfchidda.exe108⤵PID:5532
-
C:\Windows\SysWOW64\Biadeoce.exeC:\Windows\system32\Biadeoce.exe109⤵PID:5592
-
C:\Windows\SysWOW64\Bmmpfn32.exeC:\Windows\system32\Bmmpfn32.exe110⤵PID:5664
-
C:\Windows\SysWOW64\Boklbi32.exeC:\Windows\system32\Boklbi32.exe111⤵PID:5712
-
C:\Windows\SysWOW64\Bcghch32.exeC:\Windows\system32\Bcghch32.exe112⤵PID:5772
-
C:\Windows\SysWOW64\Bgbdcgld.exeC:\Windows\system32\Bgbdcgld.exe113⤵PID:5848
-
C:\Windows\SysWOW64\Bjaqpbkh.exeC:\Windows\system32\Bjaqpbkh.exe114⤵
- Drops file in System32 directory
PID:5904 -
C:\Windows\SysWOW64\Bidqko32.exeC:\Windows\system32\Bidqko32.exe115⤵PID:5952
-
C:\Windows\SysWOW64\Bmomlnjk.exeC:\Windows\system32\Bmomlnjk.exe116⤵PID:6008
-
C:\Windows\SysWOW64\Bpnihiio.exeC:\Windows\system32\Bpnihiio.exe117⤵PID:6052
-
C:\Windows\SysWOW64\Bciehh32.exeC:\Windows\system32\Bciehh32.exe118⤵
- Drops file in System32 directory
PID:6100 -
C:\Windows\SysWOW64\Bgeaifia.exeC:\Windows\system32\Bgeaifia.exe119⤵PID:5124
-
C:\Windows\SysWOW64\Bjcmebie.exeC:\Windows\system32\Bjcmebie.exe120⤵
- System Location Discovery: System Language Discovery
PID:5188 -
C:\Windows\SysWOW64\Bmbiamhi.exeC:\Windows\system32\Bmbiamhi.exe121⤵PID:5268
-
C:\Windows\SysWOW64\Bfjnjcni.exeC:\Windows\system32\Bfjnjcni.exe122⤵
- Drops file in System32 directory
PID:5368
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-