Analysis
-
max time kernel
94s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 01:12
Static task
static1
Behavioral task
behavioral1
Sample
d6e57436eba74c7c2c210289043e2783b57bbb55887740f398e7f8ede5e36162N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
d6e57436eba74c7c2c210289043e2783b57bbb55887740f398e7f8ede5e36162N.exe
Resource
win10v2004-20241007-en
General
-
Target
d6e57436eba74c7c2c210289043e2783b57bbb55887740f398e7f8ede5e36162N.exe
-
Size
377KB
-
MD5
d130fb4a6709d7c8996849bbb7681a90
-
SHA1
1a766c506a6a6761c145d04218437db779bb0fd9
-
SHA256
d6e57436eba74c7c2c210289043e2783b57bbb55887740f398e7f8ede5e36162
-
SHA512
965922e17d333fff5eaaa157afce9ef0abe313aa87829e69b829be9756fc2b15d9b16e2878ff909c4db992db053a4a4a50e33d5915968da6e714bf8a2fe9228e
-
SSDEEP
6144:CIwxa7dWbbOyC78ShvIwxa7dWbb3suLIit+vIwxa7dWbb9XApDnvIwxa7+:CIwAxWDFQIwAxWnsuLIpIwAxWNApTIw5
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Jibmgi32.exeLgkpdcmi.exeHmlpaoaj.exeFgdbnmji.exeIkndgg32.exeLenicahg.exeNelfeo32.exeDodjjimm.exeGblbca32.exeHpqldc32.exeJnifigpa.exeMjpbam32.exePhedhmhi.exeJpfepf32.exeLjclki32.exeDdnfmqng.exeKldmckic.exeKelalp32.exeAkqfkp32.exeJphkkpbp.exeJedccfqg.exeJngjch32.exeKfqgab32.exeMaeachag.exeOblmdhdo.exeIjqmhnko.exeNpepkf32.exeGehbjm32.exeMpnnle32.exeQebhhp32.exeBcahmb32.exeFjhacf32.exePlmmif32.exeFlmqlg32.exeMekgdl32.exeIcdheded.exePahilmoc.exeJljbeali.exeHdbfodfa.exeNbadcpbh.exePpolhcnm.exeMidfokpm.exeGphgbafl.exeAlqjpi32.exeGpnfge32.exeMfhbga32.exeBnoddcef.exeCcnncgmc.exeAfinioip.exeFimodc32.exeJkimho32.exeJmbhoeid.exeGgcfja32.exePkadoiip.exeBblnindg.exeCfigpm32.exeDflmlj32.exeAdkgje32.exeKiejmi32.exeAleckinj.exeCimmggfl.exeEjoomhmi.exeNajmjokc.exedescription ioc process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jibmgi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgkpdcmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmlpaoaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgdbnmji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikndgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lenicahg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nelfeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dodjjimm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gblbca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpqldc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnifigpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjpbam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phedhmhi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpfepf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljclki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddnfmqng.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kldmckic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kelalp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akqfkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jphkkpbp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jedccfqg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jngjch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfqgab32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maeachag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oblmdhdo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijqmhnko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npepkf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gehbjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpnnle32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qebhhp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcahmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjhacf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plmmif32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flmqlg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mekgdl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icdheded.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pahilmoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jljbeali.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdbfodfa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbadcpbh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppolhcnm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Midfokpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gphgbafl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alqjpi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpnfge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfhbga32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnoddcef.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccnncgmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afinioip.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fimodc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkimho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmbhoeid.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jljbeali.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggcfja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkadoiip.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bblnindg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfigpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dflmlj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adkgje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kiejmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aleckinj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cimmggfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejoomhmi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Najmjokc.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Dogogcpo.exeDgbdlf32.exeEhapfiem.exeEmoinpcd.exeEefaomcg.exeEgijmegb.exeEdmjfifl.exeEglgbdep.exeEmhldnkj.exeFgppmd32.exeFnjhjn32.exeFeapkk32.exeFgbmccpg.exeFojedapj.exeFkqeib32.exeFajnfl32.exeFefjfked.exeFdijbg32.exeGempgj32.exeGoedpofl.exeGhniielm.exeGohaeo32.exeGgcfja32.exeGfdfgiid.exeHffcmh32.exeHnagak32.exeHkehkocf.exeHhihdcbp.exeHocqam32.exeHgoeep32.exeHdbfodfa.exeHhnbpb32.exeHkmnln32.exeIbffhhek.exeIfbbig32.exeIdebdcdo.exeIhqoeb32.exeIkokan32.exeIickkbje.exeIkaggmii.exeInpccihl.exeIfgldfio.exeIiehpahb.exeIkcdlmgf.exeInbqhhfj.exeIgjeanmj.exeIndmnh32.exeIijaka32.exeJodjhkkj.exeJngjch32.exeJilnqqbj.exeJkkjmlan.exeJnifigpa.exeJiokfpph.exeJkmgblok.exeJnkcogno.exeJkodhk32.exeJnnpdg32.exeJehhaaci.exeJblijebc.exeJejefqaf.exeKldmckic.exeKnbiofhg.exeKelalp32.exepid process 208 Dogogcpo.exe 2428 Dgbdlf32.exe 1088 Ehapfiem.exe 4756 Emoinpcd.exe 556 Eefaomcg.exe 3132 Egijmegb.exe 2244 Edmjfifl.exe 1160 Eglgbdep.exe 4540 Emhldnkj.exe 1652 Fgppmd32.exe 4816 Fnjhjn32.exe 3468 Feapkk32.exe 3516 Fgbmccpg.exe 5040 Fojedapj.exe 892 Fkqeib32.exe 1844 Fajnfl32.exe 2408 Fefjfked.exe 756 Fdijbg32.exe 2380 Gempgj32.exe 4264 Goedpofl.exe 4648 Ghniielm.exe 2204 Gohaeo32.exe 816 Ggcfja32.exe 1524 Gfdfgiid.exe 3904 Hffcmh32.exe 3436 Hnagak32.exe 1760 Hkehkocf.exe 4396 Hhihdcbp.exe 3968 Hocqam32.exe 4476 Hgoeep32.exe 1920 Hdbfodfa.exe 1840 Hhnbpb32.exe 2164 Hkmnln32.exe 2396 Ibffhhek.exe 772 Ifbbig32.exe 640 Idebdcdo.exe 3956 Ihqoeb32.exe 1008 Ikokan32.exe 2856 Iickkbje.exe 4804 Ikaggmii.exe 4840 Inpccihl.exe 4568 Ifgldfio.exe 432 Iiehpahb.exe 1168 Ikcdlmgf.exe 1384 Inbqhhfj.exe 4884 Igjeanmj.exe 1992 Indmnh32.exe 1004 Iijaka32.exe 4544 Jodjhkkj.exe 4124 Jngjch32.exe 764 Jilnqqbj.exe 840 Jkkjmlan.exe 2636 Jnifigpa.exe 2920 Jiokfpph.exe 1476 Jkmgblok.exe 2928 Jnkcogno.exe 3532 Jkodhk32.exe 1568 Jnnpdg32.exe 3628 Jehhaaci.exe 4524 Jblijebc.exe 1964 Jejefqaf.exe 1092 Kldmckic.exe 2684 Knbiofhg.exe 3180 Kelalp32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Lifjnm32.exeFdamgb32.exeGphgbafl.exeKilpmh32.exeKjmmepfj.exeBopocbcq.exeGigaka32.exePaelfmaf.exePefabkej.exeGmojkj32.exeCoqncejg.exeJiokfpph.exeDjhpgofm.exeGacjadad.exeIgqkqiai.exeBgkiaj32.exeHhihdcbp.exePhedhmhi.exeGmbmkpie.exeQodeajbg.exeJilnqqbj.exeKlfjijgq.exeJnelok32.exeBomkcm32.exeLgbloglj.exePfgogh32.exeBjlpjm32.exeFbajbi32.exeJgadgf32.exeAjbmdn32.exeLlhikacp.exeOnapdl32.exeOlckbd32.exeMeepdp32.exeJphkkpbp.exePdenmbkk.exeOhmhmh32.exeCdnmfclj.exeFnlmhc32.exeHlglidlo.exeJlgepanl.exeGoedpofl.exeOpogbbig.exeDmdonkgc.exeLlmhaold.exeHipmfjee.exeHfhgkmpj.exeNfaemp32.exeEglgbdep.exeMlnipg32.exeNemmoe32.exeGbnoiqdq.exeMnmmboed.exeBmeandma.exeFkqeib32.exeEdmclccp.exeHkbdki32.exeBcahmb32.exeJljbeali.exeEefaomcg.exeNomncpcg.exeHcblpdgg.exeJqhafffk.exedescription ioc process File created C:\Windows\SysWOW64\Okahepfa.dll Lifjnm32.exe File created C:\Windows\SysWOW64\Fineoi32.exe Fdamgb32.exe File created C:\Windows\SysWOW64\Ccemjbpf.dll Gphgbafl.exe File created C:\Windows\SysWOW64\Kgopidgf.exe Kilpmh32.exe File created C:\Windows\SysWOW64\Iaejbl32.dll Kjmmepfj.exe File created C:\Windows\SysWOW64\Mhaimehd.dll Bopocbcq.exe File created C:\Windows\SysWOW64\Cjkoqgjn.dll Gigaka32.exe File opened for modification C:\Windows\SysWOW64\Phodcg32.exe Paelfmaf.exe File created C:\Windows\SysWOW64\Plpjoe32.exe Pefabkej.exe File opened for modification C:\Windows\SysWOW64\Gpnfge32.exe Gmojkj32.exe File opened for modification C:\Windows\SysWOW64\Caojpaij.exe Coqncejg.exe File created C:\Windows\SysWOW64\Jkmgblok.exe Jiokfpph.exe File created C:\Windows\SysWOW64\Jgbbpbop.dll Djhpgofm.exe File opened for modification C:\Windows\SysWOW64\Ggpbjkpl.exe Gacjadad.exe File created C:\Windows\SysWOW64\Fjjdgc32.dll Igqkqiai.exe File created C:\Windows\SysWOW64\Qnbidcgp.dll Bgkiaj32.exe File opened for modification C:\Windows\SysWOW64\Hocqam32.exe Hhihdcbp.exe File created C:\Windows\SysWOW64\Pidabppl.exe Phedhmhi.exe File created C:\Windows\SysWOW64\Lejomj32.dll Gmbmkpie.exe File opened for modification C:\Windows\SysWOW64\Qpeahb32.exe Qodeajbg.exe File created C:\Windows\SysWOW64\Jkkjmlan.exe Jilnqqbj.exe File created C:\Windows\SysWOW64\Hqbdnnae.dll Klfjijgq.exe File opened for modification C:\Windows\SysWOW64\Jcbdgb32.exe Jnelok32.exe File opened for modification C:\Windows\SysWOW64\Blqllqqa.exe Bomkcm32.exe File created C:\Windows\SysWOW64\Idefqiag.dll Lgbloglj.exe File created C:\Windows\SysWOW64\Poodpmca.exe Pfgogh32.exe File created C:\Windows\SysWOW64\Bkmmaeap.exe Bjlpjm32.exe File created C:\Windows\SysWOW64\Hclnnc32.dll Fbajbi32.exe File opened for modification C:\Windows\SysWOW64\Jklphekp.exe Jgadgf32.exe File created C:\Windows\SysWOW64\Qcanijap.dll Ajbmdn32.exe File created C:\Windows\SysWOW64\Jiooia32.dll Llhikacp.exe File created C:\Windows\SysWOW64\Opclldhj.exe Onapdl32.exe File created C:\Windows\SysWOW64\Opogbbig.exe Olckbd32.exe File created C:\Windows\SysWOW64\Jbkfjo32.dll Meepdp32.exe File opened for modification C:\Windows\SysWOW64\Jcfggkac.exe Jphkkpbp.exe File created C:\Windows\SysWOW64\Pnkbkk32.exe Pdenmbkk.exe File created C:\Windows\SysWOW64\Paelfmaf.exe Ohmhmh32.exe File opened for modification C:\Windows\SysWOW64\Ckhecmcf.exe Cdnmfclj.exe File created C:\Windows\SysWOW64\Bjdlfi32.dll Fnlmhc32.exe File opened for modification C:\Windows\SysWOW64\Iepaaico.exe Hlglidlo.exe File created C:\Windows\SysWOW64\Dnbjkgmg.dll Jlgepanl.exe File created C:\Windows\SysWOW64\Obnkfijp.dll Goedpofl.exe File created C:\Windows\SysWOW64\Ocmconhk.exe Opogbbig.exe File created C:\Windows\SysWOW64\Nagfjh32.dll Dmdonkgc.exe File created C:\Windows\SysWOW64\Minqeaad.dll Llmhaold.exe File created C:\Windows\SysWOW64\Chfhllkp.dll Hipmfjee.exe File created C:\Windows\SysWOW64\Hmbphg32.exe Hfhgkmpj.exe File opened for modification C:\Windows\SysWOW64\Nagiji32.exe Nfaemp32.exe File opened for modification C:\Windows\SysWOW64\Emhldnkj.exe Eglgbdep.exe File created C:\Windows\SysWOW64\Mhdjehhj.exe Mlnipg32.exe File created C:\Windows\SysWOW64\Njiegl32.exe Nemmoe32.exe File opened for modification C:\Windows\SysWOW64\Gmdcfidg.exe Gbnoiqdq.exe File created C:\Windows\SysWOW64\Iocbnhog.dll Mnmmboed.exe File created C:\Windows\SysWOW64\Bhkfkmmg.exe Bmeandma.exe File created C:\Windows\SysWOW64\Fajnfl32.exe Fkqeib32.exe File opened for modification C:\Windows\SysWOW64\Efkphnbd.exe Edmclccp.exe File created C:\Windows\SysWOW64\Hhfedm32.exe Hkbdki32.exe File opened for modification C:\Windows\SysWOW64\Bjlpjm32.exe Bcahmb32.exe File created C:\Windows\SysWOW64\Jgpfbjlo.exe Jljbeali.exe File opened for modification C:\Windows\SysWOW64\Egijmegb.exe Eefaomcg.exe File opened for modification C:\Windows\SysWOW64\Neffpj32.exe Nomncpcg.exe File created C:\Windows\SysWOW64\Nlcagc32.dll Gacjadad.exe File opened for modification C:\Windows\SysWOW64\Hildmn32.exe Hcblpdgg.exe File created C:\Windows\SysWOW64\Jcgnbaeo.exe Jqhafffk.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 13692 13564 WerFault.exe Dkqaoe32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Jqhafffk.exeJjafok32.exeMqfpckhm.exeHdbfodfa.exeKbbhqn32.exeGkkgpc32.exeIkpjbq32.exeNpepkf32.exePdenmbkk.exeBgkiaj32.exeKbghfc32.exeCfigpm32.exeGbofcghl.exeFlkdfh32.exeKefdbo32.exeFlmqlg32.exeKjjbjd32.exeOpqofe32.exeJnnpdg32.exeKcejco32.exeOpogbbig.exeIjqmhnko.exeKgninn32.exeOjgjndno.exeFojedapj.exeGacjadad.exeIinqbn32.exeEppqqn32.exeGmbmkpie.exeMfhbga32.exeJnifigpa.exeBgeaifia.exeKilpmh32.exeMhdckaeo.exeDflmlj32.exeEcbjkngo.exeIbfnqmpf.exeIefgbh32.exeAnobgl32.exeBomkcm32.exeKjeiodek.exeAknbkjfh.exeNpedmdab.exeBblnindg.exeGpecbk32.exeMaggnali.exeDbqqkkbo.exeHkfglb32.exeAddaif32.exeDdjmba32.exeOjomcopk.exeApaadpng.exeBfbaonae.exeFdqfll32.exeDbnmke32.exeJinboekc.exeKmieae32.exeFmkqpkla.exeHkmnln32.exeOgmijllo.exePjpobg32.exeIkejgf32.exeJkaicd32.exeNhmofj32.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqhafffk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjafok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqfpckhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdbfodfa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbbhqn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkkgpc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikpjbq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npepkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdenmbkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgkiaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbghfc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfigpm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbofcghl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flkdfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kefdbo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flmqlg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjjbjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opqofe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnnpdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcejco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opogbbig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijqmhnko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgninn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojgjndno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fojedapj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gacjadad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iinqbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eppqqn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmbmkpie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfhbga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnifigpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgeaifia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kilpmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhdckaeo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dflmlj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecbjkngo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibfnqmpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iefgbh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anobgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bomkcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjeiodek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aknbkjfh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npedmdab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bblnindg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpecbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Maggnali.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbqqkkbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkfglb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Addaif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddjmba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojomcopk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apaadpng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfbaonae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdqfll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbnmke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jinboekc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmieae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmkqpkla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkmnln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogmijllo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjpobg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikejgf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkaicd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhmofj32.exe -
Modifies registry class 64 IoCs
Processes:
Mepfiq32.exeGoglcahb.exeMnmmboed.exeAdcjop32.exeHkehkocf.exeKiejmi32.exeBfendmoc.exePecellgl.exeDokgdkeh.exeDfdpad32.exeMfjcnold.exeKjmmepfj.exeMjdebfnd.exeCmmbbejp.exeCkmonl32.exeLoighj32.exeIefgbh32.exeOhlqcagj.exeAhfmpnql.exeKpiljh32.exeHhdhon32.exeHfhgkmpj.exeKiodmn32.exeIlcldb32.exeModgdicm.exeNqpcjj32.exeJkkjmlan.exeNlmdbh32.exeJmbhoeid.exeKhmknk32.exeQebhhp32.exeEkodjiol.exeAfinioip.exeJcgnbaeo.exeKdkdgchl.exeGinnfgop.exeNhmofj32.exeFnjhjn32.exeIdebdcdo.exeOpogbbig.exeKnbiofhg.exeHpdfnolo.exeFmndpq32.exeFajnfl32.exeHkbdki32.exeFipkjb32.exeEkmhejao.exeEicedn32.exeLifjnm32.exeOohnonij.exeKqbkfkal.exeKgipcogp.exeDmohno32.exeIickkbje.exeDmihij32.exePllgnl32.exeJbfheo32.exeLnmkfh32.exeQjfmkk32.exeMaggnali.exeDheibpje.exeLhfmdj32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mepfiq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Goglcahb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mnmmboed.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adcjop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkehkocf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kiejmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqboip32.dll" Bfendmoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogacbllg.dll" Pecellgl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dokgdkeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fimgpahk.dll" Dfdpad32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mfjcnold.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjmmepfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjdebfnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cmmbbejp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckmonl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Loighj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iefgbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohlqcagj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahfmpnql.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpiljh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhdhon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfhgkmpj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kiodmn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ilcldb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Modgdicm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nqpcjj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jkkjmlan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlmdbh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmbhoeid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Noekdfjb.dll" Khmknk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qebhhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdjfee32.dll" Ekodjiol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afinioip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jabdjc32.dll" Jcgnbaeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmfmgg32.dll" Kdkdgchl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ladnhcdo.dll" Ginnfgop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhmofj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fnjhjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Idebdcdo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Opogbbig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjdcihik.dll" Knbiofhg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpdfnolo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Momkkhch.dll" Fmndpq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fajnfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkbdki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fipkjb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ekmhejao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kldbpfio.dll" Eicedn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lifjnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plhfdjfl.dll" Oohnonij.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kqbkfkal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbiffko.dll" Kgipcogp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmohno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeffca32.dll" Iickkbje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmqgabec.dll" Dmihij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdliee32.dll" Pllgnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghmpmgdc.dll" Jbfheo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lnmkfh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qjfmkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eegiklal.dll" Maggnali.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khblgpag.dll" Dokgdkeh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dheibpje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Modgdicm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhfmdj32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
d6e57436eba74c7c2c210289043e2783b57bbb55887740f398e7f8ede5e36162N.exeDogogcpo.exeDgbdlf32.exeEhapfiem.exeEmoinpcd.exeEefaomcg.exeEgijmegb.exeEdmjfifl.exeEglgbdep.exeEmhldnkj.exeFgppmd32.exeFnjhjn32.exeFeapkk32.exeFgbmccpg.exeFojedapj.exeFkqeib32.exeFajnfl32.exeFefjfked.exeFdijbg32.exeGempgj32.exeGoedpofl.exeGhniielm.exedescription pid process target process PID 4416 wrote to memory of 208 4416 d6e57436eba74c7c2c210289043e2783b57bbb55887740f398e7f8ede5e36162N.exe Dogogcpo.exe PID 4416 wrote to memory of 208 4416 d6e57436eba74c7c2c210289043e2783b57bbb55887740f398e7f8ede5e36162N.exe Dogogcpo.exe PID 4416 wrote to memory of 208 4416 d6e57436eba74c7c2c210289043e2783b57bbb55887740f398e7f8ede5e36162N.exe Dogogcpo.exe PID 208 wrote to memory of 2428 208 Dogogcpo.exe Dgbdlf32.exe PID 208 wrote to memory of 2428 208 Dogogcpo.exe Dgbdlf32.exe PID 208 wrote to memory of 2428 208 Dogogcpo.exe Dgbdlf32.exe PID 2428 wrote to memory of 1088 2428 Dgbdlf32.exe Ehapfiem.exe PID 2428 wrote to memory of 1088 2428 Dgbdlf32.exe Ehapfiem.exe PID 2428 wrote to memory of 1088 2428 Dgbdlf32.exe Ehapfiem.exe PID 1088 wrote to memory of 4756 1088 Ehapfiem.exe Emoinpcd.exe PID 1088 wrote to memory of 4756 1088 Ehapfiem.exe Emoinpcd.exe PID 1088 wrote to memory of 4756 1088 Ehapfiem.exe Emoinpcd.exe PID 4756 wrote to memory of 556 4756 Emoinpcd.exe Eefaomcg.exe PID 4756 wrote to memory of 556 4756 Emoinpcd.exe Eefaomcg.exe PID 4756 wrote to memory of 556 4756 Emoinpcd.exe Eefaomcg.exe PID 556 wrote to memory of 3132 556 Eefaomcg.exe Egijmegb.exe PID 556 wrote to memory of 3132 556 Eefaomcg.exe Egijmegb.exe PID 556 wrote to memory of 3132 556 Eefaomcg.exe Egijmegb.exe PID 3132 wrote to memory of 2244 3132 Egijmegb.exe Edmjfifl.exe PID 3132 wrote to memory of 2244 3132 Egijmegb.exe Edmjfifl.exe PID 3132 wrote to memory of 2244 3132 Egijmegb.exe Edmjfifl.exe PID 2244 wrote to memory of 1160 2244 Edmjfifl.exe Eglgbdep.exe PID 2244 wrote to memory of 1160 2244 Edmjfifl.exe Eglgbdep.exe PID 2244 wrote to memory of 1160 2244 Edmjfifl.exe Eglgbdep.exe PID 1160 wrote to memory of 4540 1160 Eglgbdep.exe Emhldnkj.exe PID 1160 wrote to memory of 4540 1160 Eglgbdep.exe Emhldnkj.exe PID 1160 wrote to memory of 4540 1160 Eglgbdep.exe Emhldnkj.exe PID 4540 wrote to memory of 1652 4540 Emhldnkj.exe Fgppmd32.exe PID 4540 wrote to memory of 1652 4540 Emhldnkj.exe Fgppmd32.exe PID 4540 wrote to memory of 1652 4540 Emhldnkj.exe Fgppmd32.exe PID 1652 wrote to memory of 4816 1652 Fgppmd32.exe Fnjhjn32.exe PID 1652 wrote to memory of 4816 1652 Fgppmd32.exe Fnjhjn32.exe PID 1652 wrote to memory of 4816 1652 Fgppmd32.exe Fnjhjn32.exe PID 4816 wrote to memory of 3468 4816 Fnjhjn32.exe Feapkk32.exe PID 4816 wrote to memory of 3468 4816 Fnjhjn32.exe Feapkk32.exe PID 4816 wrote to memory of 3468 4816 Fnjhjn32.exe Feapkk32.exe PID 3468 wrote to memory of 3516 3468 Feapkk32.exe Fgbmccpg.exe PID 3468 wrote to memory of 3516 3468 Feapkk32.exe Fgbmccpg.exe PID 3468 wrote to memory of 3516 3468 Feapkk32.exe Fgbmccpg.exe PID 3516 wrote to memory of 5040 3516 Fgbmccpg.exe Fojedapj.exe PID 3516 wrote to memory of 5040 3516 Fgbmccpg.exe Fojedapj.exe PID 3516 wrote to memory of 5040 3516 Fgbmccpg.exe Fojedapj.exe PID 5040 wrote to memory of 892 5040 Fojedapj.exe Fkqeib32.exe PID 5040 wrote to memory of 892 5040 Fojedapj.exe Fkqeib32.exe PID 5040 wrote to memory of 892 5040 Fojedapj.exe Fkqeib32.exe PID 892 wrote to memory of 1844 892 Fkqeib32.exe Fajnfl32.exe PID 892 wrote to memory of 1844 892 Fkqeib32.exe Fajnfl32.exe PID 892 wrote to memory of 1844 892 Fkqeib32.exe Fajnfl32.exe PID 1844 wrote to memory of 2408 1844 Fajnfl32.exe Fefjfked.exe PID 1844 wrote to memory of 2408 1844 Fajnfl32.exe Fefjfked.exe PID 1844 wrote to memory of 2408 1844 Fajnfl32.exe Fefjfked.exe PID 2408 wrote to memory of 756 2408 Fefjfked.exe Fdijbg32.exe PID 2408 wrote to memory of 756 2408 Fefjfked.exe Fdijbg32.exe PID 2408 wrote to memory of 756 2408 Fefjfked.exe Fdijbg32.exe PID 756 wrote to memory of 2380 756 Fdijbg32.exe Gempgj32.exe PID 756 wrote to memory of 2380 756 Fdijbg32.exe Gempgj32.exe PID 756 wrote to memory of 2380 756 Fdijbg32.exe Gempgj32.exe PID 2380 wrote to memory of 4264 2380 Gempgj32.exe Goedpofl.exe PID 2380 wrote to memory of 4264 2380 Gempgj32.exe Goedpofl.exe PID 2380 wrote to memory of 4264 2380 Gempgj32.exe Goedpofl.exe PID 4264 wrote to memory of 4648 4264 Goedpofl.exe Ghniielm.exe PID 4264 wrote to memory of 4648 4264 Goedpofl.exe Ghniielm.exe PID 4264 wrote to memory of 4648 4264 Goedpofl.exe Ghniielm.exe PID 4648 wrote to memory of 2204 4648 Ghniielm.exe Gohaeo32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\d6e57436eba74c7c2c210289043e2783b57bbb55887740f398e7f8ede5e36162N.exe"C:\Users\Admin\AppData\Local\Temp\d6e57436eba74c7c2c210289043e2783b57bbb55887740f398e7f8ede5e36162N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4416 -
C:\Windows\SysWOW64\Dogogcpo.exeC:\Windows\system32\Dogogcpo.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:208 -
C:\Windows\SysWOW64\Dgbdlf32.exeC:\Windows\system32\Dgbdlf32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\Ehapfiem.exeC:\Windows\system32\Ehapfiem.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1088 -
C:\Windows\SysWOW64\Emoinpcd.exeC:\Windows\system32\Emoinpcd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4756 -
C:\Windows\SysWOW64\Eefaomcg.exeC:\Windows\system32\Eefaomcg.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:556 -
C:\Windows\SysWOW64\Egijmegb.exeC:\Windows\system32\Egijmegb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3132 -
C:\Windows\SysWOW64\Edmjfifl.exeC:\Windows\system32\Edmjfifl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\SysWOW64\Eglgbdep.exeC:\Windows\system32\Eglgbdep.exe9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1160 -
C:\Windows\SysWOW64\Emhldnkj.exeC:\Windows\system32\Emhldnkj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4540 -
C:\Windows\SysWOW64\Fgppmd32.exeC:\Windows\system32\Fgppmd32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1652 -
C:\Windows\SysWOW64\Fnjhjn32.exeC:\Windows\system32\Fnjhjn32.exe12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4816 -
C:\Windows\SysWOW64\Feapkk32.exeC:\Windows\system32\Feapkk32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3468 -
C:\Windows\SysWOW64\Fgbmccpg.exeC:\Windows\system32\Fgbmccpg.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3516 -
C:\Windows\SysWOW64\Fojedapj.exeC:\Windows\system32\Fojedapj.exe15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5040 -
C:\Windows\SysWOW64\Fkqeib32.exeC:\Windows\system32\Fkqeib32.exe16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:892 -
C:\Windows\SysWOW64\Fajnfl32.exeC:\Windows\system32\Fajnfl32.exe17⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1844 -
C:\Windows\SysWOW64\Fefjfked.exeC:\Windows\system32\Fefjfked.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\SysWOW64\Fdijbg32.exeC:\Windows\system32\Fdijbg32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:756 -
C:\Windows\SysWOW64\Gempgj32.exeC:\Windows\system32\Gempgj32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\SysWOW64\Goedpofl.exeC:\Windows\system32\Goedpofl.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4264 -
C:\Windows\SysWOW64\Ghniielm.exeC:\Windows\system32\Ghniielm.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4648 -
C:\Windows\SysWOW64\Gohaeo32.exeC:\Windows\system32\Gohaeo32.exe23⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Ggcfja32.exeC:\Windows\system32\Ggcfja32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:816 -
C:\Windows\SysWOW64\Gfdfgiid.exeC:\Windows\system32\Gfdfgiid.exe25⤵
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\Hffcmh32.exeC:\Windows\system32\Hffcmh32.exe26⤵
- Executes dropped EXE
PID:3904 -
C:\Windows\SysWOW64\Hnagak32.exeC:\Windows\system32\Hnagak32.exe27⤵
- Executes dropped EXE
PID:3436 -
C:\Windows\SysWOW64\Hkehkocf.exeC:\Windows\system32\Hkehkocf.exe28⤵
- Executes dropped EXE
- Modifies registry class
PID:1760 -
C:\Windows\SysWOW64\Hhihdcbp.exeC:\Windows\system32\Hhihdcbp.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4396 -
C:\Windows\SysWOW64\Hocqam32.exeC:\Windows\system32\Hocqam32.exe30⤵
- Executes dropped EXE
PID:3968 -
C:\Windows\SysWOW64\Hgoeep32.exeC:\Windows\system32\Hgoeep32.exe31⤵
- Executes dropped EXE
PID:4476 -
C:\Windows\SysWOW64\Hdbfodfa.exeC:\Windows\system32\Hdbfodfa.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1920 -
C:\Windows\SysWOW64\Hhnbpb32.exeC:\Windows\system32\Hhnbpb32.exe33⤵
- Executes dropped EXE
PID:1840 -
C:\Windows\SysWOW64\Hkmnln32.exeC:\Windows\system32\Hkmnln32.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2164 -
C:\Windows\SysWOW64\Ibffhhek.exeC:\Windows\system32\Ibffhhek.exe35⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Ifbbig32.exeC:\Windows\system32\Ifbbig32.exe36⤵
- Executes dropped EXE
PID:772 -
C:\Windows\SysWOW64\Idebdcdo.exeC:\Windows\system32\Idebdcdo.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:640 -
C:\Windows\SysWOW64\Ihqoeb32.exeC:\Windows\system32\Ihqoeb32.exe38⤵
- Executes dropped EXE
PID:3956 -
C:\Windows\SysWOW64\Ikokan32.exeC:\Windows\system32\Ikokan32.exe39⤵
- Executes dropped EXE
PID:1008 -
C:\Windows\SysWOW64\Iickkbje.exeC:\Windows\system32\Iickkbje.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:2856 -
C:\Windows\SysWOW64\Ikaggmii.exeC:\Windows\system32\Ikaggmii.exe41⤵
- Executes dropped EXE
PID:4804 -
C:\Windows\SysWOW64\Inpccihl.exeC:\Windows\system32\Inpccihl.exe42⤵
- Executes dropped EXE
PID:4840 -
C:\Windows\SysWOW64\Ifgldfio.exeC:\Windows\system32\Ifgldfio.exe43⤵
- Executes dropped EXE
PID:4568 -
C:\Windows\SysWOW64\Iiehpahb.exeC:\Windows\system32\Iiehpahb.exe44⤵
- Executes dropped EXE
PID:432 -
C:\Windows\SysWOW64\Ikcdlmgf.exeC:\Windows\system32\Ikcdlmgf.exe45⤵
- Executes dropped EXE
PID:1168 -
C:\Windows\SysWOW64\Inbqhhfj.exeC:\Windows\system32\Inbqhhfj.exe46⤵
- Executes dropped EXE
PID:1384 -
C:\Windows\SysWOW64\Igjeanmj.exeC:\Windows\system32\Igjeanmj.exe47⤵
- Executes dropped EXE
PID:4884 -
C:\Windows\SysWOW64\Indmnh32.exeC:\Windows\system32\Indmnh32.exe48⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Iijaka32.exeC:\Windows\system32\Iijaka32.exe49⤵
- Executes dropped EXE
PID:1004 -
C:\Windows\SysWOW64\Jodjhkkj.exeC:\Windows\system32\Jodjhkkj.exe50⤵
- Executes dropped EXE
PID:4544 -
C:\Windows\SysWOW64\Jngjch32.exeC:\Windows\system32\Jngjch32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4124 -
C:\Windows\SysWOW64\Jilnqqbj.exeC:\Windows\system32\Jilnqqbj.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:764 -
C:\Windows\SysWOW64\Jkkjmlan.exeC:\Windows\system32\Jkkjmlan.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:840 -
C:\Windows\SysWOW64\Jnifigpa.exeC:\Windows\system32\Jnifigpa.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2636 -
C:\Windows\SysWOW64\Jiokfpph.exeC:\Windows\system32\Jiokfpph.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2920 -
C:\Windows\SysWOW64\Jkmgblok.exeC:\Windows\system32\Jkmgblok.exe56⤵
- Executes dropped EXE
PID:1476 -
C:\Windows\SysWOW64\Jnkcogno.exeC:\Windows\system32\Jnkcogno.exe57⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Jkodhk32.exeC:\Windows\system32\Jkodhk32.exe58⤵
- Executes dropped EXE
PID:3532 -
C:\Windows\SysWOW64\Jnnpdg32.exeC:\Windows\system32\Jnnpdg32.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1568 -
C:\Windows\SysWOW64\Jehhaaci.exeC:\Windows\system32\Jehhaaci.exe60⤵
- Executes dropped EXE
PID:3628 -
C:\Windows\SysWOW64\Jblijebc.exeC:\Windows\system32\Jblijebc.exe61⤵
- Executes dropped EXE
PID:4524 -
C:\Windows\SysWOW64\Jejefqaf.exeC:\Windows\system32\Jejefqaf.exe62⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Kldmckic.exeC:\Windows\system32\Kldmckic.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1092 -
C:\Windows\SysWOW64\Knbiofhg.exeC:\Windows\system32\Knbiofhg.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:2684 -
C:\Windows\SysWOW64\Kelalp32.exeC:\Windows\system32\Kelalp32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3180 -
C:\Windows\SysWOW64\Klfjijgq.exeC:\Windows\system32\Klfjijgq.exe66⤵
- Drops file in System32 directory
PID:4852 -
C:\Windows\SysWOW64\Kbpbed32.exeC:\Windows\system32\Kbpbed32.exe67⤵PID:3616
-
C:\Windows\SysWOW64\Keonap32.exeC:\Windows\system32\Keonap32.exe68⤵PID:3760
-
C:\Windows\SysWOW64\Khmknk32.exeC:\Windows\system32\Khmknk32.exe69⤵
- Modifies registry class
PID:3768 -
C:\Windows\SysWOW64\Kngcje32.exeC:\Windows\system32\Kngcje32.exe70⤵PID:3612
-
C:\Windows\SysWOW64\Keakgpko.exeC:\Windows\system32\Keakgpko.exe71⤵PID:4208
-
C:\Windows\SysWOW64\Khpgckkb.exeC:\Windows\system32\Khpgckkb.exe72⤵PID:4556
-
C:\Windows\SysWOW64\Kpgodhkd.exeC:\Windows\system32\Kpgodhkd.exe73⤵PID:2652
-
C:\Windows\SysWOW64\Kfqgab32.exeC:\Windows\system32\Kfqgab32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4204 -
C:\Windows\SysWOW64\Kiodmn32.exeC:\Windows\system32\Kiodmn32.exe75⤵
- Modifies registry class
PID:1372 -
C:\Windows\SysWOW64\Kpiljh32.exeC:\Windows\system32\Kpiljh32.exe76⤵
- Modifies registry class
PID:4484 -
C:\Windows\SysWOW64\Kbghfc32.exeC:\Windows\system32\Kbghfc32.exe77⤵
- System Location Discovery: System Language Discovery
PID:1612 -
C:\Windows\SysWOW64\Kefdbo32.exeC:\Windows\system32\Kefdbo32.exe78⤵
- System Location Discovery: System Language Discovery
PID:1904 -
C:\Windows\SysWOW64\Lhdqnj32.exeC:\Windows\system32\Lhdqnj32.exe79⤵PID:1984
-
C:\Windows\SysWOW64\Lpkiph32.exeC:\Windows\system32\Lpkiph32.exe80⤵PID:4744
-
C:\Windows\SysWOW64\Lbjelc32.exeC:\Windows\system32\Lbjelc32.exe81⤵PID:4500
-
C:\Windows\SysWOW64\Lehaho32.exeC:\Windows\system32\Lehaho32.exe82⤵PID:4620
-
C:\Windows\SysWOW64\Lhfmdj32.exeC:\Windows\system32\Lhfmdj32.exe83⤵
- Modifies registry class
PID:3648 -
C:\Windows\SysWOW64\Lfhnaa32.exeC:\Windows\system32\Lfhnaa32.exe84⤵PID:4656
-
C:\Windows\SysWOW64\Lifjnm32.exeC:\Windows\system32\Lifjnm32.exe85⤵
- Drops file in System32 directory
- Modifies registry class
PID:4412 -
C:\Windows\SysWOW64\Lemkcnaa.exeC:\Windows\system32\Lemkcnaa.exe86⤵PID:2792
-
C:\Windows\SysWOW64\Lhkgoiqe.exeC:\Windows\system32\Lhkgoiqe.exe87⤵PID:3064
-
C:\Windows\SysWOW64\Loeolc32.exeC:\Windows\system32\Loeolc32.exe88⤵PID:4052
-
C:\Windows\SysWOW64\Leoghn32.exeC:\Windows\system32\Leoghn32.exe89⤵PID:60
-
C:\Windows\SysWOW64\Llipehgk.exeC:\Windows\system32\Llipehgk.exe90⤵PID:2336
-
C:\Windows\SysWOW64\Loglacfo.exeC:\Windows\system32\Loglacfo.exe91⤵PID:3344
-
C:\Windows\SysWOW64\Mimpolee.exeC:\Windows\system32\Mimpolee.exe92⤵PID:2956
-
C:\Windows\SysWOW64\Mlnipg32.exeC:\Windows\system32\Mlnipg32.exe93⤵
- Drops file in System32 directory
PID:3888 -
C:\Windows\SysWOW64\Mhdjehhj.exeC:\Windows\system32\Mhdjehhj.exe94⤵PID:5132
-
C:\Windows\SysWOW64\Mplafeil.exeC:\Windows\system32\Mplafeil.exe95⤵PID:5176
-
C:\Windows\SysWOW64\Moobbb32.exeC:\Windows\system32\Moobbb32.exe96⤵PID:5220
-
C:\Windows\SysWOW64\Midfokpm.exeC:\Windows\system32\Midfokpm.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5260 -
C:\Windows\SysWOW64\Mpnnle32.exeC:\Windows\system32\Mpnnle32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5300 -
C:\Windows\SysWOW64\Mekgdl32.exeC:\Windows\system32\Mekgdl32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5340 -
C:\Windows\SysWOW64\Mbognp32.exeC:\Windows\system32\Mbognp32.exe100⤵PID:5380
-
C:\Windows\SysWOW64\Mfjcnold.exeC:\Windows\system32\Mfjcnold.exe101⤵
- Modifies registry class
PID:5424 -
C:\Windows\SysWOW64\Niipjj32.exeC:\Windows\system32\Niipjj32.exe102⤵PID:5472
-
C:\Windows\SysWOW64\Nbadcpbh.exeC:\Windows\system32\Nbadcpbh.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5516 -
C:\Windows\SysWOW64\Niklpj32.exeC:\Windows\system32\Niklpj32.exe104⤵PID:5560
-
C:\Windows\SysWOW64\Npedmdab.exeC:\Windows\system32\Npedmdab.exe105⤵
- System Location Discovery: System Language Discovery
PID:5604 -
C:\Windows\SysWOW64\Nbcqiope.exeC:\Windows\system32\Nbcqiope.exe106⤵PID:5648
-
C:\Windows\SysWOW64\Nhpiafnm.exeC:\Windows\system32\Nhpiafnm.exe107⤵PID:5692
-
C:\Windows\SysWOW64\Nojanpej.exeC:\Windows\system32\Nojanpej.exe108⤵PID:5736
-
C:\Windows\SysWOW64\Ngaionfl.exeC:\Windows\system32\Ngaionfl.exe109⤵PID:5780
-
C:\Windows\SysWOW64\Nomncpcg.exeC:\Windows\system32\Nomncpcg.exe110⤵
- Drops file in System32 directory
PID:5824 -
C:\Windows\SysWOW64\Neffpj32.exeC:\Windows\system32\Neffpj32.exe111⤵PID:5868
-
C:\Windows\SysWOW64\Nlqomd32.exeC:\Windows\system32\Nlqomd32.exe112⤵PID:5912
-
C:\Windows\SysWOW64\Ncjginjn.exeC:\Windows\system32\Ncjginjn.exe113⤵PID:5956
-
C:\Windows\SysWOW64\Oidofh32.exeC:\Windows\system32\Oidofh32.exe114⤵PID:6000
-
C:\Windows\SysWOW64\Olckbd32.exeC:\Windows\system32\Olckbd32.exe115⤵
- Drops file in System32 directory
PID:6044 -
C:\Windows\SysWOW64\Opogbbig.exeC:\Windows\system32\Opogbbig.exe116⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:6088 -
C:\Windows\SysWOW64\Ocmconhk.exeC:\Windows\system32\Ocmconhk.exe117⤵PID:6132
-
C:\Windows\SysWOW64\Oigllh32.exeC:\Windows\system32\Oigllh32.exe118⤵PID:5160
-
C:\Windows\SysWOW64\Oocddono.exeC:\Windows\system32\Oocddono.exe119⤵PID:5228
-
C:\Windows\SysWOW64\Ohlimd32.exeC:\Windows\system32\Ohlimd32.exe120⤵PID:5308
-
C:\Windows\SysWOW64\Oofaiokl.exeC:\Windows\system32\Oofaiokl.exe121⤵PID:5372
-
C:\Windows\SysWOW64\Ogmijllo.exeC:\Windows\system32\Ogmijllo.exe122⤵
- System Location Discovery: System Language Discovery
PID:5468
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-