Analysis
-
max time kernel
94s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 01:58
Static task
static1
Behavioral task
behavioral1
Sample
b5c04b632cf079e4d0d75762ba35458f2dbf206cdfb37d215c74d998a0e9ac3f.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
b5c04b632cf079e4d0d75762ba35458f2dbf206cdfb37d215c74d998a0e9ac3f.exe
Resource
win10v2004-20241007-en
General
-
Target
b5c04b632cf079e4d0d75762ba35458f2dbf206cdfb37d215c74d998a0e9ac3f.exe
-
Size
5.5MB
-
MD5
cd5166991ae61663ce1f005d55ea41a8
-
SHA1
166b6e7b2dd6fdc4f8651ea6585a45f34fcb58f8
-
SHA256
b5c04b632cf079e4d0d75762ba35458f2dbf206cdfb37d215c74d998a0e9ac3f
-
SHA512
4897b528a00913ff4b62a44d04f0017cc8c58fe620f316324016e507ad19b4ac4ed279d3d09bc57893d12abb623f6c69b100993bc2c9aa6dac4bd13a3af9853c
-
SSDEEP
12288:935jvwm0sKA5p8Wgx+gWVBmLnWrOxNuxC7:9pVoAL8WJm8MoC7
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Hhknpmma.exeNkqkhk32.exeGfkbde32.exeJbccge32.exeOjemig32.exeGmeakf32.exeCgqqdeod.exeGikkfqmf.exeOnmfimga.exeCnfkdb32.exeIehmmb32.exeJpmlnjco.exeLbkkgl32.exeAafemk32.exeBaadiiif.exeHpbiip32.exeLcmodajm.exeIgpdfb32.exeCkhecmcf.exeAminee32.exeBgkiaj32.exePbcncibp.exePlejdkmm.exeBihjfnmm.exeHjedffig.exeOboijgbl.exeAodogdmn.exeGhipne32.exeJkaicd32.exeGfodeohd.exeMcpcdg32.exeDoagjc32.exeDglkoeio.exeGndick32.exeDogogcpo.exeMgaokl32.exeCkebcg32.exeGlhimp32.exeIbegfglj.exeGoljqnpd.exeOmnjojpo.exeOgcnmc32.exeCgqlcg32.exeDkfadkgf.exeKqfngd32.exeNapjdpcn.exeAckbmcjl.exeEmbddb32.exeAkccap32.exeIfihif32.exeNjmqnobn.exeFlqdlnde.exeIgajal32.exeDimenegi.exeHbjoeojc.exeJgadgf32.exeCmklglpn.exeDjhpgofm.exeGeoapenf.exeNmcpoedn.exeQddfkd32.exeDijbno32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhknpmma.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkqkhk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfkbde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbccge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojemig32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmeakf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgqqdeod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gikkfqmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onmfimga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnfkdb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iehmmb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpmlnjco.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbkkgl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aafemk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Baadiiif.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpbiip32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcmodajm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igpdfb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckhecmcf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aminee32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgkiaj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbcncibp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plejdkmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bihjfnmm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjedffig.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oboijgbl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aodogdmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghipne32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bihjfnmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkaicd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfodeohd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcpcdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Doagjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dglkoeio.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gndick32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dogogcpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgaokl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckebcg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glhimp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibegfglj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Goljqnpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omnjojpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogcnmc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgqlcg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkfadkgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kqfngd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Napjdpcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ackbmcjl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Embddb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akccap32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifihif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njmqnobn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flqdlnde.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igajal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dimenegi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbjoeojc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgadgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmklglpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djhpgofm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnfkdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Geoapenf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmcpoedn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qddfkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dijbno32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Qddfkd32.exeAdgbpc32.exeAminee32.exeBnhjohkb.exeBjagjhnc.exeBeihma32.exeBapiabak.exeDaconoae.exeDogogcpo.exeDddhpjof.exeEdknqiho.exeFdbdah32.exeFafdkmap.exeFahaplon.exeGhipne32.exeGgnlobej.exeGoljqnpd.exeHhgloc32.exeHhihdcbp.exeIickkbje.exeIiehpahb.exeIfihif32.exeJpmlnjco.exeJghabl32.exeKngcje32.exeKnlleepl.exeLhdqnj32.exeLidmhmnp.exeLfodbqfa.exeMlnipg32.exeMffjcopi.exeNipekiep.exeNplkmckj.exeOghppm32.exeOgklelna.exeOgmijllo.exeOljaccjf.exeOllnhb32.exePgbbek32.exePomgjn32.exePlagcbdn.exePhhhhc32.exePcmlfl32.exePodmkm32.exePhlacbfm.exeQhonib32.exeQfbobf32.exeQlmgopjq.exeAjqgidij.exeAcilajpk.exeAmaqjp32.exeAihaoqlp.exeAgiamhdo.exeAmfjeobf.exeAcpbbi32.exeBqdblmhl.exeBfqkddfd.exeBqfoamfj.exeBfchidda.exeBqilgmdg.exeBfedoc32.exeBpnihiio.exeBjcmebie.exeBclang32.exepid process 2280 Qddfkd32.exe 2984 Adgbpc32.exe 4892 Aminee32.exe 1068 Bnhjohkb.exe 2912 Bjagjhnc.exe 4780 Beihma32.exe 3472 Bapiabak.exe 3188 Daconoae.exe 4684 Dogogcpo.exe 1920 Dddhpjof.exe 3268 Edknqiho.exe 4652 Fdbdah32.exe 4196 Fafdkmap.exe 4924 Fahaplon.exe 972 Ghipne32.exe 932 Ggnlobej.exe 4128 Goljqnpd.exe 3040 Hhgloc32.exe 3540 Hhihdcbp.exe 3292 Iickkbje.exe 2120 Iiehpahb.exe 1576 Ifihif32.exe 4556 Jpmlnjco.exe 4420 Jghabl32.exe 1508 Kngcje32.exe 3964 Knlleepl.exe 4792 Lhdqnj32.exe 1096 Lidmhmnp.exe 4292 Lfodbqfa.exe 1208 Mlnipg32.exe 4668 Mffjcopi.exe 4968 Nipekiep.exe 508 Nplkmckj.exe 4020 Oghppm32.exe 4308 Ogklelna.exe 428 Ogmijllo.exe 3692 Oljaccjf.exe 4800 Ollnhb32.exe 1948 Pgbbek32.exe 4428 Pomgjn32.exe 3648 Plagcbdn.exe 1456 Phhhhc32.exe 1108 Pcmlfl32.exe 4188 Podmkm32.exe 4768 Phlacbfm.exe 3032 Qhonib32.exe 2736 Qfbobf32.exe 4076 Qlmgopjq.exe 1680 Ajqgidij.exe 3708 Acilajpk.exe 1092 Amaqjp32.exe 4896 Aihaoqlp.exe 4884 Agiamhdo.exe 3644 Amfjeobf.exe 2240 Acpbbi32.exe 4496 Bqdblmhl.exe 860 Bfqkddfd.exe 568 Bqfoamfj.exe 2824 Bfchidda.exe 1140 Bqilgmdg.exe 4336 Bfedoc32.exe 4384 Bpnihiio.exe 4796 Bjcmebie.exe 1080 Bclang32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Cikglnkj.exeFagjfflb.exeMmbanbmg.exeOfhknodl.exeAminee32.exeKlfaapbl.exeEnfckp32.exeIklgah32.exeNjmqnobn.exeGnpphljo.exeIpdndloi.exeFkkeclfh.exeQljcoj32.exeBnoknihb.exeMfchlbfd.exeGejhef32.exeBmeandma.exeCglgjeci.exeHmlpaoaj.exeMkadfj32.exeAnmfbl32.exeAolblopj.exeDjhpgofm.exeHdilnojp.exeQobhkjdi.exeAagkhd32.exeJpgdai32.exeNgndaccj.exeOghghb32.exeFcniglmb.exeFfaong32.exeNjkkbehl.exeFfnknafg.exeHefnkkkj.exeFlngfn32.exeNjgqhicg.exeMfhbga32.exeNmfcok32.exeAjqgidij.exeOeaoab32.exeDbicpfdk.exeHmkigh32.exeInomhbeq.exeCiafbg32.exeEkdnei32.exeOmbcji32.exeBgelgi32.exeJdfjld32.exeCkhecmcf.exeIiopca32.exeMledmg32.exeAdfnofpd.exeJocnlg32.exeBapiabak.exeJnlbojee.exeDooaoj32.exePlejdkmm.exeBpnihiio.exeMhfppabl.exedescription ioc process File created C:\Windows\SysWOW64\Iipejo32.dll Cikglnkj.exe File opened for modification C:\Windows\SysWOW64\Fajgkfio.exe Fagjfflb.exe File opened for modification C:\Windows\SysWOW64\Nghekkmn.exe Mmbanbmg.exe File opened for modification C:\Windows\SysWOW64\Ombcji32.exe Ofhknodl.exe File created C:\Windows\SysWOW64\Bnhjohkb.exe Aminee32.exe File opened for modification C:\Windows\SysWOW64\Kcpjnjii.exe Klfaapbl.exe File created C:\Windows\SysWOW64\Ehlhih32.exe Enfckp32.exe File created C:\Windows\SysWOW64\Emmoafdl.dll Iklgah32.exe File created C:\Windows\SysWOW64\Npiiffqe.exe Njmqnobn.exe File opened for modification C:\Windows\SysWOW64\Gejhef32.exe Gnpphljo.exe File opened for modification C:\Windows\SysWOW64\Ieagmcmq.exe Ipdndloi.exe File opened for modification C:\Windows\SysWOW64\Fagjfflb.exe Fkkeclfh.exe File created C:\Windows\SysWOW64\Qaflgago.exe Qljcoj32.exe File opened for modification C:\Windows\SysWOW64\Bdickcpo.exe Bnoknihb.exe File created C:\Windows\SysWOW64\Iknmmg32.dll Mfchlbfd.exe File created C:\Windows\SysWOW64\Gkdpbpih.exe Gejhef32.exe File opened for modification C:\Windows\SysWOW64\Bdojjo32.exe Bmeandma.exe File opened for modification C:\Windows\SysWOW64\Cadlbk32.exe Cglgjeci.exe File created C:\Windows\SysWOW64\Ladfllde.dll Hmlpaoaj.exe File created C:\Windows\SysWOW64\Mmbanbmg.exe Mkadfj32.exe File opened for modification C:\Windows\SysWOW64\Adfnofpd.exe Anmfbl32.exe File created C:\Windows\SysWOW64\Adikdfna.exe Aolblopj.exe File opened for modification C:\Windows\SysWOW64\Dpehof32.exe Djhpgofm.exe File created C:\Windows\SysWOW64\Hjedffig.exe Hdilnojp.exe File created C:\Windows\SysWOW64\Godcje32.dll Qobhkjdi.exe File opened for modification C:\Windows\SysWOW64\Ahaceo32.exe Aagkhd32.exe File opened for modification C:\Windows\SysWOW64\Kiphjo32.exe Jpgdai32.exe File created C:\Windows\SysWOW64\Baiinofi.dll Ngndaccj.exe File created C:\Windows\SysWOW64\Kibohd32.dll Oghghb32.exe File opened for modification C:\Windows\SysWOW64\Flinkojm.exe Fcniglmb.exe File created C:\Windows\SysWOW64\Flngfn32.exe Ffaong32.exe File created C:\Windows\SysWOW64\Jebiel32.dll Njkkbehl.exe File created C:\Windows\SysWOW64\Fmhdkknd.exe Ffnknafg.exe File created C:\Windows\SysWOW64\Ddipic32.dll Hefnkkkj.exe File created C:\Windows\SysWOW64\Belqaa32.dll Flngfn32.exe File created C:\Windows\SysWOW64\Nodiqp32.exe Njgqhicg.exe File opened for modification C:\Windows\SysWOW64\Nqmfdj32.exe Mfhbga32.exe File created C:\Windows\SysWOW64\Nglhld32.exe Nmfcok32.exe File opened for modification C:\Windows\SysWOW64\Acilajpk.exe Ajqgidij.exe File created C:\Windows\SysWOW64\Pojcjh32.exe Oeaoab32.exe File created C:\Windows\SysWOW64\Ciggeb32.dll Bnoknihb.exe File opened for modification C:\Windows\SysWOW64\Dmohno32.exe Dbicpfdk.exe File opened for modification C:\Windows\SysWOW64\Holfoqcm.exe Hmkigh32.exe File created C:\Windows\SysWOW64\Ikcmbfcj.exe Inomhbeq.exe File created C:\Windows\SysWOW64\Dbjkkl32.exe Ciafbg32.exe File created C:\Windows\SysWOW64\Efjbcakl.exe Ekdnei32.exe File created C:\Windows\SysWOW64\Ojenek32.dll Ombcji32.exe File created C:\Windows\SysWOW64\Lahoec32.dll Bgelgi32.exe File created C:\Windows\SysWOW64\Kjccdkki.exe Jdfjld32.exe File opened for modification C:\Windows\SysWOW64\Cfnjpfcl.exe Ckhecmcf.exe File opened for modification C:\Windows\SysWOW64\Ipihpkkd.exe Iiopca32.exe File created C:\Windows\SysWOW64\Mfnhfm32.exe Mledmg32.exe File created C:\Windows\SysWOW64\Ffclcgfn.exe Flngfn32.exe File created C:\Windows\SysWOW64\Aolblopj.exe Adfnofpd.exe File created C:\Windows\SysWOW64\Ngckdnpn.dll Gnpphljo.exe File created C:\Windows\SysWOW64\Jhkbdmbg.exe Jocnlg32.exe File created C:\Windows\SysWOW64\Daconoae.exe Bapiabak.exe File created C:\Windows\SysWOW64\Jdfjld32.exe Jnlbojee.exe File created C:\Windows\SysWOW64\Dfiildio.exe Dooaoj32.exe File opened for modification C:\Windows\SysWOW64\Bnoddcef.exe Bgelgi32.exe File created C:\Windows\SysWOW64\Kifona32.dll Plejdkmm.exe File created C:\Windows\SysWOW64\Bppgif32.dll Klfaapbl.exe File opened for modification C:\Windows\SysWOW64\Bjcmebie.exe Bpnihiio.exe File created C:\Windows\SysWOW64\Mifljdjo.exe Mhfppabl.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 4180 3936 WerFault.exe Pififb32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Lidmhmnp.exeBfchidda.exeKiphjo32.exeGhipne32.exeMffjcopi.exeFfaong32.exeOonlfo32.exeCgndoeag.exeMecjif32.exeHnbeeiji.exeOlgncmim.exeEmkndc32.exeAlelqb32.exeKgdpni32.exeCdpcal32.exeDhgonidg.exeIhdldn32.exeDiicml32.exeFmgejhgn.exeDheibpje.exePdmdnadc.exeHaodle32.exeIkcmbfcj.exeJcoaglhk.exeMnmmboed.exeFeenjgfq.exeMfnhfm32.exeDhomfc32.exeKjhloj32.exeFefedmil.exeJocnlg32.exeCadlbk32.exeJcfggkac.exeGokbgpeg.exeAmfjeobf.exeHmbfbn32.exeLgjijmin.exeAnmfbl32.exeHmpcbhji.exeOeehkn32.exeJlbejloe.exeLancko32.exeDogogcpo.exeGpkchqdj.exeDbjkkl32.exeEmbddb32.exeJdfjld32.exeLmgabcge.exeEfjbcakl.exeOokoaokf.exeCikglnkj.exeQdaniq32.exeGlhimp32.exeAihaoqlp.exeBfgjjm32.exeLggldm32.exeCfkmkf32.exeGgkqgaol.exePciqnk32.exeLqojclne.exeIbegfglj.exeKofdhd32.exeHmpjmn32.exeOboijgbl.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lidmhmnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfchidda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kiphjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghipne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mffjcopi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffaong32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oonlfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgndoeag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mecjif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnbeeiji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olgncmim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emkndc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alelqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgdpni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdpcal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhgonidg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihdldn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Diicml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmgejhgn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dheibpje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdmdnadc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Haodle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikcmbfcj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcoaglhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnmmboed.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Feenjgfq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfnhfm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhomfc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjhloj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fefedmil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jocnlg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cadlbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcfggkac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gokbgpeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amfjeobf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmbfbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgjijmin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anmfbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmpcbhji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oeehkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlbejloe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lancko32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dogogcpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpkchqdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbjkkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Embddb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdfjld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmgabcge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efjbcakl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ookoaokf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cikglnkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdaniq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glhimp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aihaoqlp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfgjjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lggldm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfkmkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggkqgaol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pciqnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqojclne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibegfglj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kofdhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmpjmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oboijgbl.exe -
Modifies registry class 64 IoCs
Processes:
Jdfjld32.exeDcjnoece.exeNjmhhefi.exeOobfob32.exeGinnfgop.exeAolblopj.exeDgeenfog.exeJbfheo32.exeGpcfmkff.exeClchbqoo.exeMchppmij.exeLmdemd32.exeKcpjnjii.exeBdojjo32.exeHbhijepa.exeCkhecmcf.exeGaloohke.exeNofefp32.exeNeqopnhb.exeAehgnied.exeBnoknihb.exeKnqepc32.exeAdcjop32.exeDoagjc32.exeNodiqp32.exeKgopidgf.exeBfqkddfd.exeMepfiq32.exePoimpapp.exeCfnjpfcl.exeDnpdegjp.exeNfihbk32.exeAcilajpk.exeCnfkdb32.exeCpfcfmlp.exeKcmfnd32.exeMlhqcgnk.exeOljaccjf.exeNlfnaicd.exeEnnqfenp.exePcmlfl32.exeIkcmbfcj.exeBfgjjm32.exeFfclcgfn.exeNpbceggm.exeNefped32.exeOehlkc32.exeLncjlq32.exeJpmlnjco.exeDmbbhkjf.exeBkmmaeap.exeCofnik32.exeAkdilipp.exeCammjakm.exeNmcpoedn.exeNghekkmn.exeCdpcal32.exeMjlalkmd.exeCidjbmcp.exeEjdocm32.exeLdgccb32.exeAlbpkc32.exeDndnpf32.exeIliinc32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jdfjld32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcjnoece.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfookdli.dll" Njmhhefi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oobfob32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ginnfgop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmpmfmao.dll" Aolblopj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgeenfog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbfheo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gpcfmkff.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Clchbqoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mchppmij.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmdemd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bohgljdl.dll" Kcpjnjii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdojjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbhijepa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckhecmcf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Galoohke.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nofefp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Neqopnhb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aehgnied.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnoknihb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knqepc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adcjop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Doagjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnkah32.dll" Nodiqp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgopidgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfqkddfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obnbpa32.dll" Mepfiq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Poimpapp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfnjpfcl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dnpdegjp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nfihbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Acilajpk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnfkdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhijep32.dll" Cpfcfmlp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kcmfnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khlaie32.dll" Mlhqcgnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dedaad32.dll" Oljaccjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjgobjmp.dll" Nlfnaicd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ennqfenp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pcmlfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alkdoago.dll" Ikcmbfcj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfgjjm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ffclcgfn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Npbceggm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nefped32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glgpnm32.dll" Oehlkc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lncjlq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpmlnjco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbemjj32.dll" Dmbbhkjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkmmaeap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cofnik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phlepppi.dll" Akdilipp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cammjakm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmcpoedn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nghekkmn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdpcal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjlalkmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeabgdnp.dll" Cidjbmcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nggmhj32.dll" Ejdocm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ldgccb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Albpkc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dndnpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaabap32.dll" Iliinc32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
b5c04b632cf079e4d0d75762ba35458f2dbf206cdfb37d215c74d998a0e9ac3f.exeQddfkd32.exeAdgbpc32.exeAminee32.exeBnhjohkb.exeBjagjhnc.exeBeihma32.exeBapiabak.exeDaconoae.exeDogogcpo.exeDddhpjof.exeEdknqiho.exeFdbdah32.exeFafdkmap.exeFahaplon.exeGhipne32.exeGgnlobej.exeGoljqnpd.exeHhgloc32.exeHhihdcbp.exeIickkbje.exeIiehpahb.exedescription pid process target process PID 4900 wrote to memory of 2280 4900 b5c04b632cf079e4d0d75762ba35458f2dbf206cdfb37d215c74d998a0e9ac3f.exe Qddfkd32.exe PID 4900 wrote to memory of 2280 4900 b5c04b632cf079e4d0d75762ba35458f2dbf206cdfb37d215c74d998a0e9ac3f.exe Qddfkd32.exe PID 4900 wrote to memory of 2280 4900 b5c04b632cf079e4d0d75762ba35458f2dbf206cdfb37d215c74d998a0e9ac3f.exe Qddfkd32.exe PID 2280 wrote to memory of 2984 2280 Qddfkd32.exe Adgbpc32.exe PID 2280 wrote to memory of 2984 2280 Qddfkd32.exe Adgbpc32.exe PID 2280 wrote to memory of 2984 2280 Qddfkd32.exe Adgbpc32.exe PID 2984 wrote to memory of 4892 2984 Adgbpc32.exe Aminee32.exe PID 2984 wrote to memory of 4892 2984 Adgbpc32.exe Aminee32.exe PID 2984 wrote to memory of 4892 2984 Adgbpc32.exe Aminee32.exe PID 4892 wrote to memory of 1068 4892 Aminee32.exe Bnhjohkb.exe PID 4892 wrote to memory of 1068 4892 Aminee32.exe Bnhjohkb.exe PID 4892 wrote to memory of 1068 4892 Aminee32.exe Bnhjohkb.exe PID 1068 wrote to memory of 2912 1068 Bnhjohkb.exe Bjagjhnc.exe PID 1068 wrote to memory of 2912 1068 Bnhjohkb.exe Bjagjhnc.exe PID 1068 wrote to memory of 2912 1068 Bnhjohkb.exe Bjagjhnc.exe PID 2912 wrote to memory of 4780 2912 Bjagjhnc.exe Beihma32.exe PID 2912 wrote to memory of 4780 2912 Bjagjhnc.exe Beihma32.exe PID 2912 wrote to memory of 4780 2912 Bjagjhnc.exe Beihma32.exe PID 4780 wrote to memory of 3472 4780 Beihma32.exe Bapiabak.exe PID 4780 wrote to memory of 3472 4780 Beihma32.exe Bapiabak.exe PID 4780 wrote to memory of 3472 4780 Beihma32.exe Bapiabak.exe PID 3472 wrote to memory of 3188 3472 Bapiabak.exe Daconoae.exe PID 3472 wrote to memory of 3188 3472 Bapiabak.exe Daconoae.exe PID 3472 wrote to memory of 3188 3472 Bapiabak.exe Daconoae.exe PID 3188 wrote to memory of 4684 3188 Daconoae.exe Dogogcpo.exe PID 3188 wrote to memory of 4684 3188 Daconoae.exe Dogogcpo.exe PID 3188 wrote to memory of 4684 3188 Daconoae.exe Dogogcpo.exe PID 4684 wrote to memory of 1920 4684 Dogogcpo.exe Dddhpjof.exe PID 4684 wrote to memory of 1920 4684 Dogogcpo.exe Dddhpjof.exe PID 4684 wrote to memory of 1920 4684 Dogogcpo.exe Dddhpjof.exe PID 1920 wrote to memory of 3268 1920 Dddhpjof.exe Edknqiho.exe PID 1920 wrote to memory of 3268 1920 Dddhpjof.exe Edknqiho.exe PID 1920 wrote to memory of 3268 1920 Dddhpjof.exe Edknqiho.exe PID 3268 wrote to memory of 4652 3268 Edknqiho.exe Fdbdah32.exe PID 3268 wrote to memory of 4652 3268 Edknqiho.exe Fdbdah32.exe PID 3268 wrote to memory of 4652 3268 Edknqiho.exe Fdbdah32.exe PID 4652 wrote to memory of 4196 4652 Fdbdah32.exe Fafdkmap.exe PID 4652 wrote to memory of 4196 4652 Fdbdah32.exe Fafdkmap.exe PID 4652 wrote to memory of 4196 4652 Fdbdah32.exe Fafdkmap.exe PID 4196 wrote to memory of 4924 4196 Fafdkmap.exe Fahaplon.exe PID 4196 wrote to memory of 4924 4196 Fafdkmap.exe Fahaplon.exe PID 4196 wrote to memory of 4924 4196 Fafdkmap.exe Fahaplon.exe PID 4924 wrote to memory of 972 4924 Fahaplon.exe Ghipne32.exe PID 4924 wrote to memory of 972 4924 Fahaplon.exe Ghipne32.exe PID 4924 wrote to memory of 972 4924 Fahaplon.exe Ghipne32.exe PID 972 wrote to memory of 932 972 Ghipne32.exe Ggnlobej.exe PID 972 wrote to memory of 932 972 Ghipne32.exe Ggnlobej.exe PID 972 wrote to memory of 932 972 Ghipne32.exe Ggnlobej.exe PID 932 wrote to memory of 4128 932 Ggnlobej.exe Goljqnpd.exe PID 932 wrote to memory of 4128 932 Ggnlobej.exe Goljqnpd.exe PID 932 wrote to memory of 4128 932 Ggnlobej.exe Goljqnpd.exe PID 4128 wrote to memory of 3040 4128 Goljqnpd.exe Hhgloc32.exe PID 4128 wrote to memory of 3040 4128 Goljqnpd.exe Hhgloc32.exe PID 4128 wrote to memory of 3040 4128 Goljqnpd.exe Hhgloc32.exe PID 3040 wrote to memory of 3540 3040 Hhgloc32.exe Hhihdcbp.exe PID 3040 wrote to memory of 3540 3040 Hhgloc32.exe Hhihdcbp.exe PID 3040 wrote to memory of 3540 3040 Hhgloc32.exe Hhihdcbp.exe PID 3540 wrote to memory of 3292 3540 Hhihdcbp.exe Iickkbje.exe PID 3540 wrote to memory of 3292 3540 Hhihdcbp.exe Iickkbje.exe PID 3540 wrote to memory of 3292 3540 Hhihdcbp.exe Iickkbje.exe PID 3292 wrote to memory of 2120 3292 Iickkbje.exe Iiehpahb.exe PID 3292 wrote to memory of 2120 3292 Iickkbje.exe Iiehpahb.exe PID 3292 wrote to memory of 2120 3292 Iickkbje.exe Iiehpahb.exe PID 2120 wrote to memory of 1576 2120 Iiehpahb.exe Ifihif32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\b5c04b632cf079e4d0d75762ba35458f2dbf206cdfb37d215c74d998a0e9ac3f.exe"C:\Users\Admin\AppData\Local\Temp\b5c04b632cf079e4d0d75762ba35458f2dbf206cdfb37d215c74d998a0e9ac3f.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4900 -
C:\Windows\SysWOW64\Qddfkd32.exeC:\Windows\system32\Qddfkd32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\SysWOW64\Adgbpc32.exeC:\Windows\system32\Adgbpc32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\SysWOW64\Aminee32.exeC:\Windows\system32\Aminee32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4892 -
C:\Windows\SysWOW64\Bnhjohkb.exeC:\Windows\system32\Bnhjohkb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1068 -
C:\Windows\SysWOW64\Bjagjhnc.exeC:\Windows\system32\Bjagjhnc.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Beihma32.exeC:\Windows\system32\Beihma32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4780 -
C:\Windows\SysWOW64\Bapiabak.exeC:\Windows\system32\Bapiabak.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3472 -
C:\Windows\SysWOW64\Daconoae.exeC:\Windows\system32\Daconoae.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3188 -
C:\Windows\SysWOW64\Dogogcpo.exeC:\Windows\system32\Dogogcpo.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4684 -
C:\Windows\SysWOW64\Dddhpjof.exeC:\Windows\system32\Dddhpjof.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1920 -
C:\Windows\SysWOW64\Edknqiho.exeC:\Windows\system32\Edknqiho.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3268 -
C:\Windows\SysWOW64\Fdbdah32.exeC:\Windows\system32\Fdbdah32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4652 -
C:\Windows\SysWOW64\Fafdkmap.exeC:\Windows\system32\Fafdkmap.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4196 -
C:\Windows\SysWOW64\Fahaplon.exeC:\Windows\system32\Fahaplon.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4924 -
C:\Windows\SysWOW64\Ghipne32.exeC:\Windows\system32\Ghipne32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:972 -
C:\Windows\SysWOW64\Ggnlobej.exeC:\Windows\system32\Ggnlobej.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:932 -
C:\Windows\SysWOW64\Goljqnpd.exeC:\Windows\system32\Goljqnpd.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4128 -
C:\Windows\SysWOW64\Hhgloc32.exeC:\Windows\system32\Hhgloc32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\SysWOW64\Hhihdcbp.exeC:\Windows\system32\Hhihdcbp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3540 -
C:\Windows\SysWOW64\Iickkbje.exeC:\Windows\system32\Iickkbje.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3292 -
C:\Windows\SysWOW64\Iiehpahb.exeC:\Windows\system32\Iiehpahb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Windows\SysWOW64\Ifihif32.exeC:\Windows\system32\Ifihif32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1576 -
C:\Windows\SysWOW64\Jpmlnjco.exeC:\Windows\system32\Jpmlnjco.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4556 -
C:\Windows\SysWOW64\Jghabl32.exeC:\Windows\system32\Jghabl32.exe25⤵
- Executes dropped EXE
PID:4420 -
C:\Windows\SysWOW64\Kngcje32.exeC:\Windows\system32\Kngcje32.exe26⤵
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Knlleepl.exeC:\Windows\system32\Knlleepl.exe27⤵
- Executes dropped EXE
PID:3964 -
C:\Windows\SysWOW64\Lhdqnj32.exeC:\Windows\system32\Lhdqnj32.exe28⤵
- Executes dropped EXE
PID:4792 -
C:\Windows\SysWOW64\Lidmhmnp.exeC:\Windows\system32\Lidmhmnp.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1096 -
C:\Windows\SysWOW64\Lfodbqfa.exeC:\Windows\system32\Lfodbqfa.exe30⤵
- Executes dropped EXE
PID:4292 -
C:\Windows\SysWOW64\Mlnipg32.exeC:\Windows\system32\Mlnipg32.exe31⤵
- Executes dropped EXE
PID:1208 -
C:\Windows\SysWOW64\Mffjcopi.exeC:\Windows\system32\Mffjcopi.exe32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4668 -
C:\Windows\SysWOW64\Nipekiep.exeC:\Windows\system32\Nipekiep.exe33⤵
- Executes dropped EXE
PID:4968 -
C:\Windows\SysWOW64\Nplkmckj.exeC:\Windows\system32\Nplkmckj.exe34⤵
- Executes dropped EXE
PID:508 -
C:\Windows\SysWOW64\Oghppm32.exeC:\Windows\system32\Oghppm32.exe35⤵
- Executes dropped EXE
PID:4020 -
C:\Windows\SysWOW64\Ogklelna.exeC:\Windows\system32\Ogklelna.exe36⤵
- Executes dropped EXE
PID:4308 -
C:\Windows\SysWOW64\Ogmijllo.exeC:\Windows\system32\Ogmijllo.exe37⤵
- Executes dropped EXE
PID:428 -
C:\Windows\SysWOW64\Oljaccjf.exeC:\Windows\system32\Oljaccjf.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:3692 -
C:\Windows\SysWOW64\Ollnhb32.exeC:\Windows\system32\Ollnhb32.exe39⤵
- Executes dropped EXE
PID:4800 -
C:\Windows\SysWOW64\Pgbbek32.exeC:\Windows\system32\Pgbbek32.exe40⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Pomgjn32.exeC:\Windows\system32\Pomgjn32.exe41⤵
- Executes dropped EXE
PID:4428 -
C:\Windows\SysWOW64\Plagcbdn.exeC:\Windows\system32\Plagcbdn.exe42⤵
- Executes dropped EXE
PID:3648 -
C:\Windows\SysWOW64\Phhhhc32.exeC:\Windows\system32\Phhhhc32.exe43⤵
- Executes dropped EXE
PID:1456 -
C:\Windows\SysWOW64\Pcmlfl32.exeC:\Windows\system32\Pcmlfl32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:1108 -
C:\Windows\SysWOW64\Podmkm32.exeC:\Windows\system32\Podmkm32.exe45⤵
- Executes dropped EXE
PID:4188 -
C:\Windows\SysWOW64\Phlacbfm.exeC:\Windows\system32\Phlacbfm.exe46⤵
- Executes dropped EXE
PID:4768 -
C:\Windows\SysWOW64\Qhonib32.exeC:\Windows\system32\Qhonib32.exe47⤵
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Qfbobf32.exeC:\Windows\system32\Qfbobf32.exe48⤵
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Qlmgopjq.exeC:\Windows\system32\Qlmgopjq.exe49⤵
- Executes dropped EXE
PID:4076 -
C:\Windows\SysWOW64\Ajqgidij.exeC:\Windows\system32\Ajqgidij.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1680 -
C:\Windows\SysWOW64\Acilajpk.exeC:\Windows\system32\Acilajpk.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:3708 -
C:\Windows\SysWOW64\Amaqjp32.exeC:\Windows\system32\Amaqjp32.exe52⤵
- Executes dropped EXE
PID:1092 -
C:\Windows\SysWOW64\Aihaoqlp.exeC:\Windows\system32\Aihaoqlp.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4896 -
C:\Windows\SysWOW64\Agiamhdo.exeC:\Windows\system32\Agiamhdo.exe54⤵
- Executes dropped EXE
PID:4884 -
C:\Windows\SysWOW64\Amfjeobf.exeC:\Windows\system32\Amfjeobf.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3644 -
C:\Windows\SysWOW64\Acpbbi32.exeC:\Windows\system32\Acpbbi32.exe56⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Bqdblmhl.exeC:\Windows\system32\Bqdblmhl.exe57⤵
- Executes dropped EXE
PID:4496 -
C:\Windows\SysWOW64\Bfqkddfd.exeC:\Windows\system32\Bfqkddfd.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:860 -
C:\Windows\SysWOW64\Bqfoamfj.exeC:\Windows\system32\Bqfoamfj.exe59⤵
- Executes dropped EXE
PID:568 -
C:\Windows\SysWOW64\Bfchidda.exeC:\Windows\system32\Bfchidda.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2824 -
C:\Windows\SysWOW64\Bqilgmdg.exeC:\Windows\system32\Bqilgmdg.exe61⤵
- Executes dropped EXE
PID:1140 -
C:\Windows\SysWOW64\Bfedoc32.exeC:\Windows\system32\Bfedoc32.exe62⤵
- Executes dropped EXE
PID:4336 -
C:\Windows\SysWOW64\Bpnihiio.exeC:\Windows\system32\Bpnihiio.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4384 -
C:\Windows\SysWOW64\Bjcmebie.exeC:\Windows\system32\Bjcmebie.exe64⤵
- Executes dropped EXE
PID:4796 -
C:\Windows\SysWOW64\Bclang32.exeC:\Windows\system32\Bclang32.exe65⤵
- Executes dropped EXE
PID:1080 -
C:\Windows\SysWOW64\Bihjfnmm.exeC:\Windows\system32\Bihjfnmm.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1564 -
C:\Windows\SysWOW64\Ccnncgmc.exeC:\Windows\system32\Ccnncgmc.exe67⤵PID:3872
-
C:\Windows\SysWOW64\Cikglnkj.exeC:\Windows\system32\Cikglnkj.exe68⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3880 -
C:\Windows\SysWOW64\Cglgjeci.exeC:\Windows\system32\Cglgjeci.exe69⤵
- Drops file in System32 directory
PID:4600 -
C:\Windows\SysWOW64\Cadlbk32.exeC:\Windows\system32\Cadlbk32.exe70⤵
- System Location Discovery: System Language Discovery
PID:3756 -
C:\Windows\SysWOW64\Cgndoeag.exeC:\Windows\system32\Cgndoeag.exe71⤵
- System Location Discovery: System Language Discovery
PID:936 -
C:\Windows\SysWOW64\Cmklglpn.exeC:\Windows\system32\Cmklglpn.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4276 -
C:\Windows\SysWOW64\Cgqqdeod.exeC:\Windows\system32\Cgqqdeod.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1216 -
C:\Windows\SysWOW64\Cmniml32.exeC:\Windows\system32\Cmniml32.exe74⤵PID:4480
-
C:\Windows\SysWOW64\Ccgajfeh.exeC:\Windows\system32\Ccgajfeh.exe75⤵PID:1600
-
C:\Windows\SysWOW64\Cidjbmcp.exeC:\Windows\system32\Cidjbmcp.exe76⤵
- Modifies registry class
PID:3152 -
C:\Windows\SysWOW64\Dcjnoece.exeC:\Windows\system32\Dcjnoece.exe77⤵
- Modifies registry class
PID:4952 -
C:\Windows\SysWOW64\Dmbbhkjf.exeC:\Windows\system32\Dmbbhkjf.exe78⤵
- Modifies registry class
PID:4936 -
C:\Windows\SysWOW64\Dclkee32.exeC:\Windows\system32\Dclkee32.exe79⤵PID:2292
-
C:\Windows\SysWOW64\Diicml32.exeC:\Windows\system32\Diicml32.exe80⤵
- System Location Discovery: System Language Discovery
PID:5148 -
C:\Windows\SysWOW64\Dcogje32.exeC:\Windows\system32\Dcogje32.exe81⤵PID:5188
-
C:\Windows\SysWOW64\Djhpgofm.exeC:\Windows\system32\Djhpgofm.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5236 -
C:\Windows\SysWOW64\Dpehof32.exeC:\Windows\system32\Dpehof32.exe83⤵PID:5280
-
C:\Windows\SysWOW64\Dinmhkke.exeC:\Windows\system32\Dinmhkke.exe84⤵PID:5324
-
C:\Windows\SysWOW64\Dhomfc32.exeC:\Windows\system32\Dhomfc32.exe85⤵
- System Location Discovery: System Language Discovery
PID:5368 -
C:\Windows\SysWOW64\Emlenj32.exeC:\Windows\system32\Emlenj32.exe86⤵PID:5412
-
C:\Windows\SysWOW64\Ejpfhnpe.exeC:\Windows\system32\Ejpfhnpe.exe87⤵PID:5456
-
C:\Windows\SysWOW64\Eplnpeol.exeC:\Windows\system32\Eplnpeol.exe88⤵PID:5496
-
C:\Windows\SysWOW64\Ejdocm32.exeC:\Windows\system32\Ejdocm32.exe89⤵
- Modifies registry class
PID:5536 -
C:\Windows\SysWOW64\Ehhpla32.exeC:\Windows\system32\Ehhpla32.exe90⤵PID:5580
-
C:\Windows\SysWOW64\Eaqdegaj.exeC:\Windows\system32\Eaqdegaj.exe91⤵PID:5624
-
C:\Windows\SysWOW64\Fmgejhgn.exeC:\Windows\system32\Fmgejhgn.exe92⤵
- System Location Discovery: System Language Discovery
PID:5668 -
C:\Windows\SysWOW64\Fkkeclfh.exeC:\Windows\system32\Fkkeclfh.exe93⤵
- Drops file in System32 directory
PID:5712 -
C:\Windows\SysWOW64\Fagjfflb.exeC:\Windows\system32\Fagjfflb.exe94⤵
- Drops file in System32 directory
PID:5756 -
C:\Windows\SysWOW64\Fajgkfio.exeC:\Windows\system32\Fajgkfio.exe95⤵PID:5804
-
C:\Windows\SysWOW64\Fdkpma32.exeC:\Windows\system32\Fdkpma32.exe96⤵PID:5848
-
C:\Windows\SysWOW64\Gmeakf32.exeC:\Windows\system32\Gmeakf32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5896 -
C:\Windows\SysWOW64\Gkiaej32.exeC:\Windows\system32\Gkiaej32.exe98⤵PID:5940
-
C:\Windows\SysWOW64\Ginnfgop.exeC:\Windows\system32\Ginnfgop.exe99⤵
- Modifies registry class
PID:5984 -
C:\Windows\SysWOW64\Gpkchqdj.exeC:\Windows\system32\Gpkchqdj.exe100⤵
- System Location Discovery: System Language Discovery
PID:6028 -
C:\Windows\SysWOW64\Hdilnojp.exeC:\Windows\system32\Hdilnojp.exe101⤵
- Drops file in System32 directory
PID:6072 -
C:\Windows\SysWOW64\Hjedffig.exeC:\Windows\system32\Hjedffig.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6120 -
C:\Windows\SysWOW64\Hdkidohn.exeC:\Windows\system32\Hdkidohn.exe103⤵PID:5156
-
C:\Windows\SysWOW64\Hpbiip32.exeC:\Windows\system32\Hpbiip32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5232 -
C:\Windows\SysWOW64\Hkgnfhnh.exeC:\Windows\system32\Hkgnfhnh.exe105⤵PID:5308
-
C:\Windows\SysWOW64\Hhknpmma.exeC:\Windows\system32\Hhknpmma.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2920 -
C:\Windows\SysWOW64\Iklgah32.exeC:\Windows\system32\Iklgah32.exe107⤵
- Drops file in System32 directory
PID:5380 -
C:\Windows\SysWOW64\Igchfiof.exeC:\Windows\system32\Igchfiof.exe108⤵PID:648
-
C:\Windows\SysWOW64\Idghpmnp.exeC:\Windows\system32\Idghpmnp.exe109⤵PID:5544
-
C:\Windows\SysWOW64\Inomhbeq.exeC:\Windows\system32\Inomhbeq.exe110⤵
- Drops file in System32 directory
PID:5608 -
C:\Windows\SysWOW64\Ikcmbfcj.exeC:\Windows\system32\Ikcmbfcj.exe111⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5680 -
C:\Windows\SysWOW64\Idkbkl32.exeC:\Windows\system32\Idkbkl32.exe112⤵PID:5744
-
C:\Windows\SysWOW64\Jhijqj32.exeC:\Windows\system32\Jhijqj32.exe113⤵PID:5860
-
C:\Windows\SysWOW64\Jhlgfj32.exeC:\Windows\system32\Jhlgfj32.exe114⤵PID:5932
-
C:\Windows\SysWOW64\Jqglkmlj.exeC:\Windows\system32\Jqglkmlj.exe115⤵PID:5996
-
C:\Windows\SysWOW64\Jgadgf32.exeC:\Windows\system32\Jgadgf32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6052 -
C:\Windows\SysWOW64\Jbfheo32.exeC:\Windows\system32\Jbfheo32.exe117⤵
- Modifies registry class
PID:3420 -
C:\Windows\SysWOW64\Jbiejoaj.exeC:\Windows\system32\Jbiejoaj.exe118⤵PID:1988
-
C:\Windows\SysWOW64\Jkaicd32.exeC:\Windows\system32\Jkaicd32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5220 -
C:\Windows\SysWOW64\Kkcfid32.exeC:\Windows\system32\Kkcfid32.exe120⤵PID:5316
-
C:\Windows\SysWOW64\Kiggbhda.exeC:\Windows\system32\Kiggbhda.exe121⤵PID:5388
-
C:\Windows\SysWOW64\Kenggi32.exeC:\Windows\system32\Kenggi32.exe122⤵PID:5520
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-