Analysis
-
max time kernel
44s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
10-11-2024 01:57
Static task
static1
Behavioral task
behavioral1
Sample
1142cec0a3a241fe9f0fc7e559290736483f6a91f88cf2bf4883d75192c365cdN.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
1142cec0a3a241fe9f0fc7e559290736483f6a91f88cf2bf4883d75192c365cdN.exe
Resource
win10v2004-20241007-en
General
-
Target
1142cec0a3a241fe9f0fc7e559290736483f6a91f88cf2bf4883d75192c365cdN.exe
-
Size
80KB
-
MD5
ed5a7666c1dd8ff4b8367a45db9bd300
-
SHA1
b55c00580d4d704384a0d515f9a4da99cbf0a1d6
-
SHA256
1142cec0a3a241fe9f0fc7e559290736483f6a91f88cf2bf4883d75192c365cd
-
SHA512
b7c89d74539534b6ff5775b4556fea9f0d7de8089bbe91901c24e18376192be7497f5fb74c48f2ce8e8357928b12d337087792691669f4d3fcc199993d79dd04
-
SSDEEP
1536:OC2FqA2dMiA0OiNDrhllQj1B2LHFS5DUHRbPa9b6i+sIk:OC2o/GiGilrhllQjQlS5DSCopsIk
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Kgclio32.exeNplimbka.exeEegkpo32.exeKdjccf32.exeKlehgh32.exeKfpifm32.exePlgolf32.exeBadnhbce.exeIfdjeoep.exeNgealejo.exeKhoebi32.exeCcbphk32.exeAhpifj32.exeIlcoce32.exeQdojgmfe.exeBcpgdhpp.exeBejfao32.exeLhiakf32.exePclhdl32.exeCadjgf32.exeNenkqi32.exePcljmdmj.exeDldkmlhl.exeFhomkcoa.exeGmpcgace.exeHalbai32.exeHjfcpo32.exeLkgngb32.exeCileqlmg.exeJaijak32.exeLcofio32.exeKhlili32.exeMeabakda.exeApedah32.exeGghkdp32.exeGdmdacnn.exeNpjlhcmd.exeBgaebe32.exeGagkjbaf.exeGgcaiqhj.exeAflfjc32.exeKocmim32.exeLfmbek32.exeGhlfjq32.exedescription ioc process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgclio32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nplimbka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eegkpo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdjccf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klehgh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfpifm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plgolf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Badnhbce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifdjeoep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngealejo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khoebi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccbphk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahpifj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifdjeoep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilcoce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qdojgmfe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcpgdhpp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bejfao32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhiakf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pclhdl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cadjgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nenkqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcljmdmj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dldkmlhl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhomkcoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmpcgace.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Halbai32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjfcpo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkgngb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cileqlmg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jaijak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhomkcoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcofio32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khlili32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meabakda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apedah32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gghkdp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdmdacnn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npjlhcmd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgaebe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gagkjbaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggcaiqhj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aflfjc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kocmim32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfmbek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghlfjq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Nidkmojn.exeNoacef32.exeNkhdkgnj.exeNmfqgbmm.exeNhlddkmc.exeNoemqe32.exeNpgihn32.exeOgqaehak.exeOmkjbb32.exeOdebolpe.exeOkojkf32.exeOlpgconp.exeOcjophem.exeOidglb32.exeOpnpimdf.exeOghhfg32.exeOhidmoaa.exeOpplolac.exeOemegc32.exeOhkaco32.exePoeipifl.exePadeldeo.exePkljdj32.exePnjfae32.exePgckjk32.exePnmcfeia.exePhbgcnig.exePjcckf32.exePdihiook.exePclhdl32.exePmdmmalf.exeQndigd32.exeQqbecp32.exeQcqaok32.exeQjkjle32.exeQogbdl32.exeAbfnpg32.exeAkncimmh.exeAbhkfg32.exeAibcba32.exeAidphq32.exeAnahqh32.exeAapemc32.exeAncefgfd.exeAababceh.exeAgljom32.exeAkhfoldn.exeAjjfkh32.exeBadnhbce.exeBepjha32.exeBfagpiam.exeBjmbqhif.exeBagkmb32.exeBpjkiogm.exeBcegin32.exeBgqcjlhp.exeBfccei32.exeBibpad32.exeBaigca32.exeBffpki32.exeBjallg32.exeBidlgdlk.exeBmphhc32.exeBpnddn32.exepid process 2160 Nidkmojn.exe 3004 Noacef32.exe 2720 Nkhdkgnj.exe 2768 Nmfqgbmm.exe 2632 Nhlddkmc.exe 2180 Noemqe32.exe 1720 Npgihn32.exe 2312 Ogqaehak.exe 1712 Omkjbb32.exe 2784 Odebolpe.exe 1904 Okojkf32.exe 2920 Olpgconp.exe 1440 Ocjophem.exe 1504 Oidglb32.exe 2424 Opnpimdf.exe 3008 Oghhfg32.exe 1480 Ohidmoaa.exe 2476 Opplolac.exe 1232 Oemegc32.exe 1264 Ohkaco32.exe 1756 Poeipifl.exe 880 Padeldeo.exe 3028 Pkljdj32.exe 3032 Pnjfae32.exe 2392 Pgckjk32.exe 2556 Pnmcfeia.exe 2876 Phbgcnig.exe 2824 Pjcckf32.exe 2616 Pdihiook.exe 2472 Pclhdl32.exe 2112 Pmdmmalf.exe 2572 Qndigd32.exe 2032 Qqbecp32.exe 1280 Qcqaok32.exe 1924 Qjkjle32.exe 2908 Qogbdl32.exe 1152 Abfnpg32.exe 544 Akncimmh.exe 1768 Abhkfg32.exe 2792 Aibcba32.exe 1272 Aidphq32.exe 1680 Anahqh32.exe 332 Aapemc32.exe 1664 Ancefgfd.exe 772 Aababceh.exe 692 Agljom32.exe 1844 Akhfoldn.exe 2816 Ajjfkh32.exe 2608 Badnhbce.exe 2648 Bepjha32.exe 2296 Bfagpiam.exe 376 Bjmbqhif.exe 2880 Bagkmb32.exe 2508 Bpjkiogm.exe 1912 Bcegin32.exe 840 Bgqcjlhp.exe 1332 Bfccei32.exe 688 Bibpad32.exe 2436 Baigca32.exe 904 Bffpki32.exe 2496 Bjallg32.exe 1536 Bidlgdlk.exe 2192 Bmphhc32.exe 1532 Bpnddn32.exe -
Loads dropped DLL 64 IoCs
Processes:
1142cec0a3a241fe9f0fc7e559290736483f6a91f88cf2bf4883d75192c365cdN.exeNidkmojn.exeNoacef32.exeNkhdkgnj.exeNmfqgbmm.exeNhlddkmc.exeNoemqe32.exeNpgihn32.exeOgqaehak.exeOmkjbb32.exeOdebolpe.exeOkojkf32.exeOlpgconp.exeOcjophem.exeOidglb32.exeOpnpimdf.exeOghhfg32.exeOhidmoaa.exeOpplolac.exeOemegc32.exeOhkaco32.exePoeipifl.exePadeldeo.exePkljdj32.exePnjfae32.exePgckjk32.exePnmcfeia.exePhbgcnig.exePjcckf32.exePdihiook.exePclhdl32.exePmdmmalf.exepid process 2316 1142cec0a3a241fe9f0fc7e559290736483f6a91f88cf2bf4883d75192c365cdN.exe 2316 1142cec0a3a241fe9f0fc7e559290736483f6a91f88cf2bf4883d75192c365cdN.exe 2160 Nidkmojn.exe 2160 Nidkmojn.exe 3004 Noacef32.exe 3004 Noacef32.exe 2720 Nkhdkgnj.exe 2720 Nkhdkgnj.exe 2768 Nmfqgbmm.exe 2768 Nmfqgbmm.exe 2632 Nhlddkmc.exe 2632 Nhlddkmc.exe 2180 Noemqe32.exe 2180 Noemqe32.exe 1720 Npgihn32.exe 1720 Npgihn32.exe 2312 Ogqaehak.exe 2312 Ogqaehak.exe 1712 Omkjbb32.exe 1712 Omkjbb32.exe 2784 Odebolpe.exe 2784 Odebolpe.exe 1904 Okojkf32.exe 1904 Okojkf32.exe 2920 Olpgconp.exe 2920 Olpgconp.exe 1440 Ocjophem.exe 1440 Ocjophem.exe 1504 Oidglb32.exe 1504 Oidglb32.exe 2424 Opnpimdf.exe 2424 Opnpimdf.exe 3008 Oghhfg32.exe 3008 Oghhfg32.exe 1480 Ohidmoaa.exe 1480 Ohidmoaa.exe 2476 Opplolac.exe 2476 Opplolac.exe 1232 Oemegc32.exe 1232 Oemegc32.exe 1264 Ohkaco32.exe 1264 Ohkaco32.exe 1756 Poeipifl.exe 1756 Poeipifl.exe 880 Padeldeo.exe 880 Padeldeo.exe 3028 Pkljdj32.exe 3028 Pkljdj32.exe 3032 Pnjfae32.exe 3032 Pnjfae32.exe 2392 Pgckjk32.exe 2392 Pgckjk32.exe 2556 Pnmcfeia.exe 2556 Pnmcfeia.exe 2876 Phbgcnig.exe 2876 Phbgcnig.exe 2824 Pjcckf32.exe 2824 Pjcckf32.exe 2616 Pdihiook.exe 2616 Pdihiook.exe 2472 Pclhdl32.exe 2472 Pclhdl32.exe 2112 Pmdmmalf.exe 2112 Pmdmmalf.exe -
Drops file in System32 directory 64 IoCs
Processes:
Dmdnbecj.exeEijdkcgn.exeBbbpenco.exeGckdgjeb.exeBaigca32.exeGpcoib32.exeMchoid32.exeLhnkffeo.exeMklcadfn.exeCdecha32.exeCkolek32.exeOpfbngfb.exeAfjjed32.exeCehfkb32.exeQogbdl32.exeCjjkpe32.exeNplimbka.exeNidmfh32.exeJdcpkp32.exeAababceh.exeEjkkfjkj.exeLnbdko32.exeOokpodkj.exeKnmdeioh.exeGjpqpl32.exeFfaaoh32.exeDpqnhadq.exeIoohokoo.exeDjfdob32.exeGljpncgc.exeHjipenda.exeHakkgc32.exeDpjbgh32.exeJlckbh32.exePdmnam32.exeOkojkf32.exeEfdhpjok.exeHegnahjo.exeKllnhg32.exeLkfddc32.exeCjlheehe.exeBibpad32.exeLgmeid32.exeAkiobk32.exeLjkaeo32.exeBbgqjdce.exeMimgeigj.exeFpjofl32.exedescription ioc process File created C:\Windows\SysWOW64\Bpgcnh32.dll Dmdnbecj.exe File created C:\Windows\SysWOW64\Hicapn32.dll Eijdkcgn.exe File created C:\Windows\SysWOW64\Bdqlajbb.exe Bbbpenco.exe File opened for modification C:\Windows\SysWOW64\Gkalhgfd.exe Gckdgjeb.exe File created C:\Windows\SysWOW64\Cfcqihha.dll File opened for modification C:\Windows\SysWOW64\Blfapfpg.exe File created C:\Windows\SysWOW64\Bffpki32.exe Baigca32.exe File created C:\Windows\SysWOW64\Gbaken32.exe Gpcoib32.exe File opened for modification C:\Windows\SysWOW64\Mfglep32.exe Mchoid32.exe File opened for modification C:\Windows\SysWOW64\Obbdml32.exe File opened for modification C:\Windows\SysWOW64\Pmjaohol.exe File opened for modification C:\Windows\SysWOW64\Lklgbadb.exe Lhnkffeo.exe File created C:\Windows\SysWOW64\Mpgobc32.exe Mklcadfn.exe File created C:\Windows\SysWOW64\Fchopn32.dll File opened for modification C:\Windows\SysWOW64\Cllkin32.exe Cdecha32.exe File created C:\Windows\SysWOW64\Cmmhaf32.exe Ckolek32.exe File created C:\Windows\SysWOW64\Obdojcef.exe Opfbngfb.exe File created C:\Windows\SysWOW64\Ejgccq32.dll Afjjed32.exe File created C:\Windows\SysWOW64\Jajjnjlc.dll Cehfkb32.exe File opened for modification C:\Windows\SysWOW64\Ghdiokbq.exe File created C:\Windows\SysWOW64\Abfnpg32.exe Qogbdl32.exe File created C:\Windows\SysWOW64\Cillkbac.exe Cjjkpe32.exe File opened for modification C:\Windows\SysWOW64\Nbjeinje.exe Nplimbka.exe File created C:\Windows\SysWOW64\Icblnd32.dll Nidmfh32.exe File created C:\Windows\SysWOW64\Obgmpo32.dll File created C:\Windows\SysWOW64\Jhoklnkg.exe Jdcpkp32.exe File opened for modification C:\Windows\SysWOW64\Agljom32.exe Aababceh.exe File created C:\Windows\SysWOW64\Gkfcag32.dll Ejkkfjkj.exe File opened for modification C:\Windows\SysWOW64\Lqqpgj32.exe Lnbdko32.exe File created C:\Windows\SysWOW64\Camljoch.dll Ookpodkj.exe File created C:\Windows\SysWOW64\Lgehno32.exe Knmdeioh.exe File opened for modification C:\Windows\SysWOW64\Gbfiaj32.exe Gjpqpl32.exe File created C:\Windows\SysWOW64\Fjlmpfhg.exe Ffaaoh32.exe File created C:\Windows\SysWOW64\Clgipm32.dll Dpqnhadq.exe File opened for modification C:\Windows\SysWOW64\Imahkg32.exe Ioohokoo.exe File created C:\Windows\SysWOW64\Hnppof32.dll Djfdob32.exe File created C:\Windows\SysWOW64\Lkhkagoh.dll File opened for modification C:\Windows\SysWOW64\Gcahoqhf.exe Gljpncgc.exe File opened for modification C:\Windows\SysWOW64\Hmglajcd.exe Hjipenda.exe File created C:\Windows\SysWOW64\Hpnkbpdd.exe Hakkgc32.exe File created C:\Windows\SysWOW64\Eipbmjcc.dll Dpjbgh32.exe File opened for modification C:\Windows\SysWOW64\Kdjccf32.exe Jlckbh32.exe File created C:\Windows\SysWOW64\Nfgjml32.exe File opened for modification C:\Windows\SysWOW64\Kkmmlgik.exe File opened for modification C:\Windows\SysWOW64\Phhjblpa.exe Pdmnam32.exe File created C:\Windows\SysWOW64\Hjpqkajf.dll File opened for modification C:\Windows\SysWOW64\Kdnkdmec.exe File created C:\Windows\SysWOW64\Clhfpifk.dll Okojkf32.exe File created C:\Windows\SysWOW64\Enkpahon.exe Efdhpjok.exe File created C:\Windows\SysWOW64\Hhejnc32.exe Hegnahjo.exe File opened for modification C:\Windows\SysWOW64\Kokjdb32.exe Kllnhg32.exe File created C:\Windows\SysWOW64\Ljieppcb.exe Lkfddc32.exe File opened for modification C:\Windows\SysWOW64\Ciohqa32.exe Cjlheehe.exe File created C:\Windows\SysWOW64\Baigca32.exe Bibpad32.exe File created C:\Windows\SysWOW64\Ljkaeo32.exe Lgmeid32.exe File created C:\Windows\SysWOW64\Bcpgdhpp.exe Akiobk32.exe File created C:\Windows\SysWOW64\Mflgih32.exe File opened for modification C:\Windows\SysWOW64\Cjhabndo.exe File created C:\Windows\SysWOW64\Lngnfnji.exe Ljkaeo32.exe File created C:\Windows\SysWOW64\Befmfpbi.exe Bbgqjdce.exe File created C:\Windows\SysWOW64\Fljiqocb.dll Mimgeigj.exe File created C:\Windows\SysWOW64\Fdekgjno.exe Fpjofl32.exe File opened for modification C:\Windows\SysWOW64\Kenhopmf.exe File created C:\Windows\SysWOW64\Ibnhnc32.dll -
Program crash 1 IoCs
Processes:
pid pid_target process target process 3272 3312 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Hnjbeh32.exeBgoime32.exeMhonngce.exeDpkibo32.exeHlgimqhf.exeGckdgjeb.exeGqcnln32.exeGqiimfam.exeHkolakkb.exeDmmmfc32.exeKkjnnn32.exeDhckfkbh.exeQndigd32.exeJniefm32.exeDmijfmfi.exeCllkin32.exeMjcaimgg.exeIbipmiek.exeKhkbbc32.exeNcfoch32.exeOalhqohl.exeCeeieced.exeKdnild32.exeQgjccb32.exeJokqnhpa.exeJenpajfb.exeKfpifm32.exeAgpcihcf.exeQppkfhlc.exeHiqoeplo.exeHebdfind.exeBoidnh32.exeNedhjj32.exeEphbal32.exeJbbccgmp.exeCfhiplmp.exeFamope32.exeCbblda32.exeBbjmpcab.exeEopphehb.exeOplelf32.exeGcjbna32.exeHalbai32.exeOdedge32.exeQjkjle32.exeKfebambf.exeOajlkojn.exeIdgglb32.exeLcofio32.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnjbeh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgoime32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhonngce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpkibo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlgimqhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gckdgjeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqcnln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqiimfam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkolakkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmmmfc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkjnnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhckfkbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qndigd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jniefm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmijfmfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cllkin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjcaimgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibipmiek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khkbbc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncfoch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oalhqohl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ceeieced.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdnild32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qgjccb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jokqnhpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jenpajfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfpifm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agpcihcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qppkfhlc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hiqoeplo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hebdfind.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boidnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nedhjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ephbal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbbccgmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfhiplmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Famope32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbblda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbjmpcab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eopphehb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oplelf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcjbna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Halbai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odedge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjkjle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfebambf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oajlkojn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idgglb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcofio32.exe -
Modifies registry class 64 IoCs
Processes:
Ihhcbf32.exeLomgjb32.exeNdmecgba.exeOdmabj32.exeFgldnkkf.exeHcojam32.exeAbfnpg32.exeHfhcoj32.exeOlebgfao.exeKokjdb32.exeObdojcef.exeOdjdmjgo.exeOopijc32.exeBmnnkl32.exeHgflflqg.exeFcjeon32.exeIgmbgk32.exeMjkndb32.exeClbnhmjo.exeEclbcj32.exeLdpbpgoh.exeHhejnc32.exeDmojkc32.exeEgajnfoe.exeCdecha32.exeFnfcel32.exeLnbdko32.exeIdkpganf.exeCfkloq32.exeIbejdjln.exeNidkmojn.exeAbpjjeim.exeNncbdomg.exeGjdldd32.exeGdjqamme.exeHebdfind.exeEgjbdo32.exeEdnbncmb.exeImokehhl.exeMndmoaog.exeQngopb32.exeIacjjacb.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qimagi32.dll" Ihhcbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lomgjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epilaieh.dll" Ndmecgba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odmabj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fgldnkkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hcojam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbiooq32.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abfnpg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfhcoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkodahqi.dll" Olebgfao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npneccok.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kokjdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjpmh32.dll" Obdojcef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohniib32.dll" Odjdmjgo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oopijc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmnnkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hgflflqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokhie32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fcjeon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nncojg32.dll" Igmbgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfdmobkp.dll" Mjkndb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdaaomdi.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Clbnhmjo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eclbcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljlmgnqj.dll" Ldpbpgoh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkpejiad.dll" Hhejnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gojijh32.dll" Dmojkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgdqap32.dll" Egajnfoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdecha32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fnfcel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndjcbk32.dll" Lnbdko32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Idkpganf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjhmge32.dll" Cfkloq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibejdjln.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nidkmojn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abpjjeim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nncbdomg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gjdldd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdjqamme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hebdfind.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Heloek32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpfhdddb.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Egjbdo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ednbncmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kobgmfjh.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgokeion.dll" Imokehhl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nplbqgdb.dll" Mndmoaog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qngopb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iacjjacb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bipalg32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Egjbdo32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
1142cec0a3a241fe9f0fc7e559290736483f6a91f88cf2bf4883d75192c365cdN.exeNidkmojn.exeNoacef32.exeNkhdkgnj.exeNmfqgbmm.exeNhlddkmc.exeNoemqe32.exeNpgihn32.exeOgqaehak.exeOmkjbb32.exeOdebolpe.exeOkojkf32.exeOlpgconp.exeOcjophem.exeOidglb32.exeOpnpimdf.exedescription pid process target process PID 2316 wrote to memory of 2160 2316 1142cec0a3a241fe9f0fc7e559290736483f6a91f88cf2bf4883d75192c365cdN.exe Nidkmojn.exe PID 2316 wrote to memory of 2160 2316 1142cec0a3a241fe9f0fc7e559290736483f6a91f88cf2bf4883d75192c365cdN.exe Nidkmojn.exe PID 2316 wrote to memory of 2160 2316 1142cec0a3a241fe9f0fc7e559290736483f6a91f88cf2bf4883d75192c365cdN.exe Nidkmojn.exe PID 2316 wrote to memory of 2160 2316 1142cec0a3a241fe9f0fc7e559290736483f6a91f88cf2bf4883d75192c365cdN.exe Nidkmojn.exe PID 2160 wrote to memory of 3004 2160 Nidkmojn.exe Noacef32.exe PID 2160 wrote to memory of 3004 2160 Nidkmojn.exe Noacef32.exe PID 2160 wrote to memory of 3004 2160 Nidkmojn.exe Noacef32.exe PID 2160 wrote to memory of 3004 2160 Nidkmojn.exe Noacef32.exe PID 3004 wrote to memory of 2720 3004 Noacef32.exe Nkhdkgnj.exe PID 3004 wrote to memory of 2720 3004 Noacef32.exe Nkhdkgnj.exe PID 3004 wrote to memory of 2720 3004 Noacef32.exe Nkhdkgnj.exe PID 3004 wrote to memory of 2720 3004 Noacef32.exe Nkhdkgnj.exe PID 2720 wrote to memory of 2768 2720 Nkhdkgnj.exe Nmfqgbmm.exe PID 2720 wrote to memory of 2768 2720 Nkhdkgnj.exe Nmfqgbmm.exe PID 2720 wrote to memory of 2768 2720 Nkhdkgnj.exe Nmfqgbmm.exe PID 2720 wrote to memory of 2768 2720 Nkhdkgnj.exe Nmfqgbmm.exe PID 2768 wrote to memory of 2632 2768 Nmfqgbmm.exe Nhlddkmc.exe PID 2768 wrote to memory of 2632 2768 Nmfqgbmm.exe Nhlddkmc.exe PID 2768 wrote to memory of 2632 2768 Nmfqgbmm.exe Nhlddkmc.exe PID 2768 wrote to memory of 2632 2768 Nmfqgbmm.exe Nhlddkmc.exe PID 2632 wrote to memory of 2180 2632 Nhlddkmc.exe Noemqe32.exe PID 2632 wrote to memory of 2180 2632 Nhlddkmc.exe Noemqe32.exe PID 2632 wrote to memory of 2180 2632 Nhlddkmc.exe Noemqe32.exe PID 2632 wrote to memory of 2180 2632 Nhlddkmc.exe Noemqe32.exe PID 2180 wrote to memory of 1720 2180 Noemqe32.exe Npgihn32.exe PID 2180 wrote to memory of 1720 2180 Noemqe32.exe Npgihn32.exe PID 2180 wrote to memory of 1720 2180 Noemqe32.exe Npgihn32.exe PID 2180 wrote to memory of 1720 2180 Noemqe32.exe Npgihn32.exe PID 1720 wrote to memory of 2312 1720 Npgihn32.exe Ogqaehak.exe PID 1720 wrote to memory of 2312 1720 Npgihn32.exe Ogqaehak.exe PID 1720 wrote to memory of 2312 1720 Npgihn32.exe Ogqaehak.exe PID 1720 wrote to memory of 2312 1720 Npgihn32.exe Ogqaehak.exe PID 2312 wrote to memory of 1712 2312 Ogqaehak.exe Omkjbb32.exe PID 2312 wrote to memory of 1712 2312 Ogqaehak.exe Omkjbb32.exe PID 2312 wrote to memory of 1712 2312 Ogqaehak.exe Omkjbb32.exe PID 2312 wrote to memory of 1712 2312 Ogqaehak.exe Omkjbb32.exe PID 1712 wrote to memory of 2784 1712 Omkjbb32.exe Odebolpe.exe PID 1712 wrote to memory of 2784 1712 Omkjbb32.exe Odebolpe.exe PID 1712 wrote to memory of 2784 1712 Omkjbb32.exe Odebolpe.exe PID 1712 wrote to memory of 2784 1712 Omkjbb32.exe Odebolpe.exe PID 2784 wrote to memory of 1904 2784 Odebolpe.exe Okojkf32.exe PID 2784 wrote to memory of 1904 2784 Odebolpe.exe Okojkf32.exe PID 2784 wrote to memory of 1904 2784 Odebolpe.exe Okojkf32.exe PID 2784 wrote to memory of 1904 2784 Odebolpe.exe Okojkf32.exe PID 1904 wrote to memory of 2920 1904 Okojkf32.exe Olpgconp.exe PID 1904 wrote to memory of 2920 1904 Okojkf32.exe Olpgconp.exe PID 1904 wrote to memory of 2920 1904 Okojkf32.exe Olpgconp.exe PID 1904 wrote to memory of 2920 1904 Okojkf32.exe Olpgconp.exe PID 2920 wrote to memory of 1440 2920 Olpgconp.exe Ocjophem.exe PID 2920 wrote to memory of 1440 2920 Olpgconp.exe Ocjophem.exe PID 2920 wrote to memory of 1440 2920 Olpgconp.exe Ocjophem.exe PID 2920 wrote to memory of 1440 2920 Olpgconp.exe Ocjophem.exe PID 1440 wrote to memory of 1504 1440 Ocjophem.exe Oidglb32.exe PID 1440 wrote to memory of 1504 1440 Ocjophem.exe Oidglb32.exe PID 1440 wrote to memory of 1504 1440 Ocjophem.exe Oidglb32.exe PID 1440 wrote to memory of 1504 1440 Ocjophem.exe Oidglb32.exe PID 1504 wrote to memory of 2424 1504 Oidglb32.exe Opnpimdf.exe PID 1504 wrote to memory of 2424 1504 Oidglb32.exe Opnpimdf.exe PID 1504 wrote to memory of 2424 1504 Oidglb32.exe Opnpimdf.exe PID 1504 wrote to memory of 2424 1504 Oidglb32.exe Opnpimdf.exe PID 2424 wrote to memory of 3008 2424 Opnpimdf.exe Oghhfg32.exe PID 2424 wrote to memory of 3008 2424 Opnpimdf.exe Oghhfg32.exe PID 2424 wrote to memory of 3008 2424 Opnpimdf.exe Oghhfg32.exe PID 2424 wrote to memory of 3008 2424 Opnpimdf.exe Oghhfg32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\1142cec0a3a241fe9f0fc7e559290736483f6a91f88cf2bf4883d75192c365cdN.exe"C:\Users\Admin\AppData\Local\Temp\1142cec0a3a241fe9f0fc7e559290736483f6a91f88cf2bf4883d75192c365cdN.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\SysWOW64\Nidkmojn.exeC:\Windows\system32\Nidkmojn.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Windows\SysWOW64\Noacef32.exeC:\Windows\system32\Noacef32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\SysWOW64\Nkhdkgnj.exeC:\Windows\system32\Nkhdkgnj.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Nmfqgbmm.exeC:\Windows\system32\Nmfqgbmm.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\Nhlddkmc.exeC:\Windows\system32\Nhlddkmc.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Noemqe32.exeC:\Windows\system32\Noemqe32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\Npgihn32.exeC:\Windows\system32\Npgihn32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1720 -
C:\Windows\SysWOW64\Ogqaehak.exeC:\Windows\system32\Ogqaehak.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2312 -
C:\Windows\SysWOW64\Omkjbb32.exeC:\Windows\system32\Omkjbb32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1712 -
C:\Windows\SysWOW64\Odebolpe.exeC:\Windows\system32\Odebolpe.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Okojkf32.exeC:\Windows\system32\Okojkf32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1904 -
C:\Windows\SysWOW64\Olpgconp.exeC:\Windows\system32\Olpgconp.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Ocjophem.exeC:\Windows\system32\Ocjophem.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1440 -
C:\Windows\SysWOW64\Oidglb32.exeC:\Windows\system32\Oidglb32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1504 -
C:\Windows\SysWOW64\Opnpimdf.exeC:\Windows\system32\Opnpimdf.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\SysWOW64\Oghhfg32.exeC:\Windows\system32\Oghhfg32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3008 -
C:\Windows\SysWOW64\Ohidmoaa.exeC:\Windows\system32\Ohidmoaa.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1480 -
C:\Windows\SysWOW64\Opplolac.exeC:\Windows\system32\Opplolac.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2476 -
C:\Windows\SysWOW64\Oemegc32.exeC:\Windows\system32\Oemegc32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1232 -
C:\Windows\SysWOW64\Ohkaco32.exeC:\Windows\system32\Ohkaco32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1264 -
C:\Windows\SysWOW64\Poeipifl.exeC:\Windows\system32\Poeipifl.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1756 -
C:\Windows\SysWOW64\Padeldeo.exeC:\Windows\system32\Padeldeo.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:880 -
C:\Windows\SysWOW64\Pkljdj32.exeC:\Windows\system32\Pkljdj32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3028 -
C:\Windows\SysWOW64\Pnjfae32.exeC:\Windows\system32\Pnjfae32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3032 -
C:\Windows\SysWOW64\Pgckjk32.exeC:\Windows\system32\Pgckjk32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2392 -
C:\Windows\SysWOW64\Pnmcfeia.exeC:\Windows\system32\Pnmcfeia.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2556 -
C:\Windows\SysWOW64\Phbgcnig.exeC:\Windows\system32\Phbgcnig.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2876 -
C:\Windows\SysWOW64\Pjcckf32.exeC:\Windows\system32\Pjcckf32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2824 -
C:\Windows\SysWOW64\Pdihiook.exeC:\Windows\system32\Pdihiook.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2616 -
C:\Windows\SysWOW64\Pclhdl32.exeC:\Windows\system32\Pclhdl32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2472 -
C:\Windows\SysWOW64\Pmdmmalf.exeC:\Windows\system32\Pmdmmalf.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2112 -
C:\Windows\SysWOW64\Qndigd32.exeC:\Windows\system32\Qndigd32.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2572 -
C:\Windows\SysWOW64\Qqbecp32.exeC:\Windows\system32\Qqbecp32.exe34⤵
- Executes dropped EXE
PID:2032 -
C:\Windows\SysWOW64\Qcqaok32.exeC:\Windows\system32\Qcqaok32.exe35⤵
- Executes dropped EXE
PID:1280 -
C:\Windows\SysWOW64\Qjkjle32.exeC:\Windows\system32\Qjkjle32.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1924 -
C:\Windows\SysWOW64\Qogbdl32.exeC:\Windows\system32\Qogbdl32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2908 -
C:\Windows\SysWOW64\Abfnpg32.exeC:\Windows\system32\Abfnpg32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:1152 -
C:\Windows\SysWOW64\Akncimmh.exeC:\Windows\system32\Akncimmh.exe39⤵
- Executes dropped EXE
PID:544 -
C:\Windows\SysWOW64\Abhkfg32.exeC:\Windows\system32\Abhkfg32.exe40⤵
- Executes dropped EXE
PID:1768 -
C:\Windows\SysWOW64\Aibcba32.exeC:\Windows\system32\Aibcba32.exe41⤵
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Aidphq32.exeC:\Windows\system32\Aidphq32.exe42⤵
- Executes dropped EXE
PID:1272 -
C:\Windows\SysWOW64\Anahqh32.exeC:\Windows\system32\Anahqh32.exe43⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Aapemc32.exeC:\Windows\system32\Aapemc32.exe44⤵
- Executes dropped EXE
PID:332 -
C:\Windows\SysWOW64\Ancefgfd.exeC:\Windows\system32\Ancefgfd.exe45⤵
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Aababceh.exeC:\Windows\system32\Aababceh.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:772 -
C:\Windows\SysWOW64\Agljom32.exeC:\Windows\system32\Agljom32.exe47⤵
- Executes dropped EXE
PID:692 -
C:\Windows\SysWOW64\Akhfoldn.exeC:\Windows\system32\Akhfoldn.exe48⤵
- Executes dropped EXE
PID:1844 -
C:\Windows\SysWOW64\Ajjfkh32.exeC:\Windows\system32\Ajjfkh32.exe49⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Badnhbce.exeC:\Windows\system32\Badnhbce.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Bepjha32.exeC:\Windows\system32\Bepjha32.exe51⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Bfagpiam.exeC:\Windows\system32\Bfagpiam.exe52⤵
- Executes dropped EXE
PID:2296 -
C:\Windows\SysWOW64\Bjmbqhif.exeC:\Windows\system32\Bjmbqhif.exe53⤵
- Executes dropped EXE
PID:376 -
C:\Windows\SysWOW64\Bagkmb32.exeC:\Windows\system32\Bagkmb32.exe54⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Bpjkiogm.exeC:\Windows\system32\Bpjkiogm.exe55⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Bcegin32.exeC:\Windows\system32\Bcegin32.exe56⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Bgqcjlhp.exeC:\Windows\system32\Bgqcjlhp.exe57⤵
- Executes dropped EXE
PID:840 -
C:\Windows\SysWOW64\Bfccei32.exeC:\Windows\system32\Bfccei32.exe58⤵
- Executes dropped EXE
PID:1332 -
C:\Windows\SysWOW64\Bibpad32.exeC:\Windows\system32\Bibpad32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:688 -
C:\Windows\SysWOW64\Baigca32.exeC:\Windows\system32\Baigca32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2436 -
C:\Windows\SysWOW64\Bffpki32.exeC:\Windows\system32\Bffpki32.exe61⤵
- Executes dropped EXE
PID:904 -
C:\Windows\SysWOW64\Bjallg32.exeC:\Windows\system32\Bjallg32.exe62⤵
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Bidlgdlk.exeC:\Windows\system32\Bidlgdlk.exe63⤵
- Executes dropped EXE
PID:1536 -
C:\Windows\SysWOW64\Bmphhc32.exeC:\Windows\system32\Bmphhc32.exe64⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Bpnddn32.exeC:\Windows\system32\Bpnddn32.exe65⤵
- Executes dropped EXE
PID:1532 -
C:\Windows\SysWOW64\Bcjqdmla.exeC:\Windows\system32\Bcjqdmla.exe66⤵PID:1632
-
C:\Windows\SysWOW64\Bfhmqhkd.exeC:\Windows\system32\Bfhmqhkd.exe67⤵PID:2096
-
C:\Windows\SysWOW64\Bekmle32.exeC:\Windows\system32\Bekmle32.exe68⤵PID:2264
-
C:\Windows\SysWOW64\Bncaekhp.exeC:\Windows\system32\Bncaekhp.exe69⤵PID:2596
-
C:\Windows\SysWOW64\Bbonei32.exeC:\Windows\system32\Bbonei32.exe70⤵PID:1956
-
C:\Windows\SysWOW64\Bfkifhib.exeC:\Windows\system32\Bfkifhib.exe71⤵PID:296
-
C:\Windows\SysWOW64\Chlfnp32.exeC:\Windows\system32\Chlfnp32.exe72⤵PID:2520
-
C:\Windows\SysWOW64\Clgbno32.exeC:\Windows\system32\Clgbno32.exe73⤵PID:536
-
C:\Windows\SysWOW64\Cbajkiof.exeC:\Windows\system32\Cbajkiof.exe74⤵PID:1352
-
C:\Windows\SysWOW64\Cadjgf32.exeC:\Windows\system32\Cadjgf32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2964 -
C:\Windows\SysWOW64\Cikbhc32.exeC:\Windows\system32\Cikbhc32.exe76⤵PID:288
-
C:\Windows\SysWOW64\Cljodo32.exeC:\Windows\system32\Cljodo32.exe77⤵PID:2236
-
C:\Windows\SysWOW64\Cohkpj32.exeC:\Windows\system32\Cohkpj32.exe78⤵PID:1604
-
C:\Windows\SysWOW64\Cbdgqimc.exeC:\Windows\system32\Cbdgqimc.exe79⤵PID:1624
-
C:\Windows\SysWOW64\Cdecha32.exeC:\Windows\system32\Cdecha32.exe80⤵
- Drops file in System32 directory
- Modifies registry class
PID:1652 -
C:\Windows\SysWOW64\Cllkin32.exeC:\Windows\system32\Cllkin32.exe81⤵
- System Location Discovery: System Language Discovery
PID:2548 -
C:\Windows\SysWOW64\Ckolek32.exeC:\Windows\system32\Ckolek32.exe82⤵
- Drops file in System32 directory
PID:768 -
C:\Windows\SysWOW64\Cmmhaf32.exeC:\Windows\system32\Cmmhaf32.exe83⤵PID:2156
-
C:\Windows\SysWOW64\Cdgpnqpo.exeC:\Windows\system32\Cdgpnqpo.exe84⤵PID:2680
-
C:\Windows\SysWOW64\Cffljlpc.exeC:\Windows\system32\Cffljlpc.exe85⤵PID:2232
-
C:\Windows\SysWOW64\Cakqgeoi.exeC:\Windows\system32\Cakqgeoi.exe86⤵PID:1492
-
C:\Windows\SysWOW64\Cdjmcpnl.exeC:\Windows\system32\Cdjmcpnl.exe87⤵PID:2896
-
C:\Windows\SysWOW64\Cfhiplmp.exeC:\Windows\system32\Cfhiplmp.exe88⤵
- System Location Discovery: System Language Discovery
PID:2116 -
C:\Windows\SysWOW64\Cifelgmd.exeC:\Windows\system32\Cifelgmd.exe89⤵PID:1260
-
C:\Windows\SysWOW64\Danmmd32.exeC:\Windows\system32\Danmmd32.exe90⤵PID:3012
-
C:\Windows\SysWOW64\Dpqnhadq.exeC:\Windows\system32\Dpqnhadq.exe91⤵
- Drops file in System32 directory
PID:2448 -
C:\Windows\SysWOW64\Dbojdmcd.exeC:\Windows\system32\Dbojdmcd.exe92⤵PID:1784
-
C:\Windows\SysWOW64\Dbojdmcd.exeC:\Windows\system32\Dbojdmcd.exe93⤵PID:1376
-
C:\Windows\SysWOW64\Dgjfek32.exeC:\Windows\system32\Dgjfek32.exe94⤵PID:1684
-
C:\Windows\SysWOW64\Dkfbfjdf.exeC:\Windows\system32\Dkfbfjdf.exe95⤵PID:356
-
C:\Windows\SysWOW64\Dmdnbecj.exeC:\Windows\system32\Dmdnbecj.exe96⤵
- Drops file in System32 directory
PID:1676 -
C:\Windows\SysWOW64\Dpcjnabn.exeC:\Windows\system32\Dpcjnabn.exe97⤵PID:2740
-
C:\Windows\SysWOW64\Ddnfop32.exeC:\Windows\system32\Ddnfop32.exe98⤵PID:2612
-
C:\Windows\SysWOW64\Dbafjlaa.exeC:\Windows\system32\Dbafjlaa.exe99⤵PID:2224
-
C:\Windows\SysWOW64\Depbfhpe.exeC:\Windows\system32\Depbfhpe.exe100⤵PID:2000
-
C:\Windows\SysWOW64\Dmgkgeah.exeC:\Windows\system32\Dmgkgeah.exe101⤵PID:1060
-
C:\Windows\SysWOW64\Dljkcb32.exeC:\Windows\system32\Dljkcb32.exe102⤵PID:580
-
C:\Windows\SysWOW64\Dohgomgf.exeC:\Windows\system32\Dohgomgf.exe103⤵PID:2460
-
C:\Windows\SysWOW64\Dgoopkgh.exeC:\Windows\system32\Dgoopkgh.exe104⤵PID:1760
-
C:\Windows\SysWOW64\Dinklffl.exeC:\Windows\system32\Dinklffl.exe105⤵PID:1612
-
C:\Windows\SysWOW64\Dpgcip32.exeC:\Windows\system32\Dpgcip32.exe106⤵PID:2528
-
C:\Windows\SysWOW64\Dojddmec.exeC:\Windows\system32\Dojddmec.exe107⤵PID:2068
-
C:\Windows\SysWOW64\Daipqhdg.exeC:\Windows\system32\Daipqhdg.exe108⤵PID:1576
-
C:\Windows\SysWOW64\Diphbfdi.exeC:\Windows\system32\Diphbfdi.exe109⤵PID:2060
-
C:\Windows\SysWOW64\Dkadjn32.exeC:\Windows\system32\Dkadjn32.exe110⤵PID:2100
-
C:\Windows\SysWOW64\Dakmfh32.exeC:\Windows\system32\Dakmfh32.exe111⤵PID:2220
-
C:\Windows\SysWOW64\Ddiibc32.exeC:\Windows\system32\Ddiibc32.exe112⤵PID:2936
-
C:\Windows\SysWOW64\Ekcaonhe.exeC:\Windows\system32\Ekcaonhe.exe113⤵PID:352
-
C:\Windows\SysWOW64\Enbnkigh.exeC:\Windows\system32\Enbnkigh.exe114⤵PID:600
-
C:\Windows\SysWOW64\Edlfhc32.exeC:\Windows\system32\Edlfhc32.exe115⤵PID:924
-
C:\Windows\SysWOW64\Egjbdo32.exeC:\Windows\system32\Egjbdo32.exe116⤵
- Modifies registry class
PID:408 -
C:\Windows\SysWOW64\Eoajel32.exeC:\Windows\system32\Eoajel32.exe117⤵PID:2832
-
C:\Windows\SysWOW64\Eapfagno.exeC:\Windows\system32\Eapfagno.exe118⤵PID:2512
-
C:\Windows\SysWOW64\Ednbncmb.exeC:\Windows\system32\Ednbncmb.exe119⤵
- Modifies registry class
PID:2276 -
C:\Windows\SysWOW64\Egmojnlf.exeC:\Windows\system32\Egmojnlf.exe120⤵PID:320
-
C:\Windows\SysWOW64\Ejkkfjkj.exeC:\Windows\system32\Ejkkfjkj.exe121⤵
- Drops file in System32 directory
PID:2352 -
C:\Windows\SysWOW64\Enfgfh32.exeC:\Windows\system32\Enfgfh32.exe122⤵PID:1748
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-