Analysis
-
max time kernel
96s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 01:57
Static task
static1
Behavioral task
behavioral1
Sample
1142cec0a3a241fe9f0fc7e559290736483f6a91f88cf2bf4883d75192c365cdN.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
1142cec0a3a241fe9f0fc7e559290736483f6a91f88cf2bf4883d75192c365cdN.exe
Resource
win10v2004-20241007-en
General
-
Target
1142cec0a3a241fe9f0fc7e559290736483f6a91f88cf2bf4883d75192c365cdN.exe
-
Size
80KB
-
MD5
ed5a7666c1dd8ff4b8367a45db9bd300
-
SHA1
b55c00580d4d704384a0d515f9a4da99cbf0a1d6
-
SHA256
1142cec0a3a241fe9f0fc7e559290736483f6a91f88cf2bf4883d75192c365cd
-
SHA512
b7c89d74539534b6ff5775b4556fea9f0d7de8089bbe91901c24e18376192be7497f5fb74c48f2ce8e8357928b12d337087792691669f4d3fcc199993d79dd04
-
SSDEEP
1536:OC2FqA2dMiA0OiNDrhllQj1B2LHFS5DUHRbPa9b6i+sIk:OC2o/GiGilrhllQjQlS5DSCopsIk
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Cflkpblf.exeLgkpdcmi.exeBmlilh32.exeFmnkkg32.exeIdkbkl32.exeGdaociml.exeEmmdom32.exeKhbdikip.exeAkhcfe32.exeAcmobchj.exeGdlfhj32.exeNhmofj32.exeBhhdil32.exeEecdjmfi.exeEaakpm32.exeMplafeil.exeHjhalefe.exePdfehh32.exeAdkgje32.exeGimqajgh.exeMfeeabda.exeOffnhpfo.exeEfeihb32.exeNcchae32.exeDkkcge32.exeEglgbdep.exeIfihif32.exeLjkifn32.exeQlggjk32.exeGfokoelp.exePpamophb.exeEhailbaa.exeIqklon32.exeNhmeapmd.exeNeccpd32.exeGdgfce32.exePloknb32.exeMjpbam32.exeBkafmd32.exeDflmlj32.exeOmegjomb.exeDmdonkgc.exeMalgcg32.exeNiooqcad.exeGinnfgop.exeCkpbnb32.exeDfgcakon.exeOdhifjkg.exeJcdjbk32.exeMgeakekd.exeNfohgqlg.exeHbhboolf.exeMgnlkfal.exeBohibc32.exeElnoopdj.exeIciaqc32.exeBfkedibe.exeAcnemi32.exeIggaah32.exeMicoed32.exePoomegpf.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cflkpblf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgkpdcmi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmlilh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmnkkg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idkbkl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdaociml.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emmdom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khbdikip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akhcfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acmobchj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdlfhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhmofj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhhdil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eecdjmfi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eaakpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mplafeil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjhalefe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdfehh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adkgje32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gimqajgh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfeeabda.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Offnhpfo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efeihb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncchae32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkkcge32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eglgbdep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifihif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljkifn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qlggjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfokoelp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppamophb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehailbaa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iqklon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhmeapmd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neccpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdgfce32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ploknb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjpbam32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkafmd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dflmlj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omegjomb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmdonkgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Malgcg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Niooqcad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ginnfgop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckpbnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gimqajgh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfgcakon.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odhifjkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcdjbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgeakekd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfohgqlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbhboolf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgnlkfal.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bohibc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elnoopdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iciaqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfkedibe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acnemi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iggaah32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Micoed32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Poomegpf.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Beihma32.exeBhhdil32.exeBfkedibe.exeBmemac32.exeBelebq32.exeCfmajipb.exeCmgjgcgo.exeCenahpha.exeCfpnph32.exeCnffqf32.exeCaebma32.exeCdcoim32.exeChokikeb.exeCjmgfgdf.exeCmlcbbcj.exeCeckcp32.exeCfdhkhjj.exeCmnpgb32.exeCajlhqjp.exeCdhhdlid.exeCjbpaf32.exeCnnlaehj.exeDdjejl32.exeDjdmffnn.exeDanecp32.exeDdmaok32.exeDfknkg32.exeDmefhako.exeDelnin32.exeDdonekbl.exeDodbbdbb.exeDaconoae.exeDdakjkqi.exeDkkcge32.exeDmjocp32.exeDeagdn32.exeDgbdlf32.exeDoilmc32.exeDahhio32.exeEecdjmfi.exeEhapfiem.exeEkpmbddq.exeEmoinpcd.exeEefaomcg.exeEhdmlhcj.exeEkbihd32.exeEaladnik.exeEdknqiho.exeEgijmegb.exeEopbnbhd.exeEaonjngh.exeEdmjfifl.exeEglgbdep.exeEobocb32.exeEaakpm32.exeEdpgli32.exeEgnchd32.exeEoekia32.exeFeocelll.exeFgppmd32.exeFkllnbjc.exeFafdkmap.exeFddqghpd.exeFgbmccpg.exepid process 1636 Beihma32.exe 3920 Bhhdil32.exe 368 Bfkedibe.exe 1912 Bmemac32.exe 4968 Belebq32.exe 2364 Cfmajipb.exe 584 Cmgjgcgo.exe 3008 Cenahpha.exe 864 Cfpnph32.exe 3980 Cnffqf32.exe 712 Caebma32.exe 3328 Cdcoim32.exe 4424 Chokikeb.exe 5096 Cjmgfgdf.exe 2348 Cmlcbbcj.exe 4156 Ceckcp32.exe 3244 Cfdhkhjj.exe 1416 Cmnpgb32.exe 4092 Cajlhqjp.exe 408 Cdhhdlid.exe 4400 Cjbpaf32.exe 3876 Cnnlaehj.exe 1348 Ddjejl32.exe 3504 Djdmffnn.exe 4932 Danecp32.exe 1484 Ddmaok32.exe 3688 Dfknkg32.exe 2008 Dmefhako.exe 4336 Delnin32.exe 1000 Ddonekbl.exe 1828 Dodbbdbb.exe 2872 Daconoae.exe 3568 Ddakjkqi.exe 3220 Dkkcge32.exe 3596 Dmjocp32.exe 2368 Deagdn32.exe 216 Dgbdlf32.exe 2344 Doilmc32.exe 4004 Dahhio32.exe 4636 Eecdjmfi.exe 2432 Ehapfiem.exe 1420 Ekpmbddq.exe 1716 Emoinpcd.exe 428 Eefaomcg.exe 1824 Ehdmlhcj.exe 5044 Ekbihd32.exe 1980 Ealadnik.exe 3040 Edknqiho.exe 2956 Egijmegb.exe 4548 Eopbnbhd.exe 5116 Eaonjngh.exe 552 Edmjfifl.exe 3096 Eglgbdep.exe 4372 Eobocb32.exe 1948 Eaakpm32.exe 1460 Edpgli32.exe 60 Egnchd32.exe 4896 Eoekia32.exe 4380 Feocelll.exe 1100 Fgppmd32.exe 4580 Fkllnbjc.exe 1868 Fafdkmap.exe 1200 Fddqghpd.exe 3908 Fgbmccpg.exe -
Drops file in System32 directory 64 IoCs
Processes:
Fhabbp32.exeIepaaico.exeGkjhoq32.exeOmegjomb.exeKckqbj32.exeEefaomcg.exeHacbhb32.exeObjpoh32.exeEmmdom32.exeDdonekbl.exeDpnbog32.exeLlodgnja.exeNopfpgip.exeEbommi32.exePefabkej.exeNcjginjn.exeHpjmnjqn.exePdmkhgho.exeBohbhmfm.exeJbiejoaj.exeNoeahkfc.exeGpaqbbld.exeEobocb32.exeBkafmd32.exeEjchhgid.exeFfaong32.exeDmjocp32.exeQoifflkg.exeHdpbon32.exeKmdlffhj.exeJkjcbe32.exeEmoinpcd.exeKoaagkcb.exeKhpgckkb.exeDjfcaohp.exeIciaqc32.exeLnoaaaad.exeKbpbed32.exeJgakbm32.exeIbicnh32.exeIcdheded.exeBfjnjcni.exeFbjmhh32.exeDkceokii.exeCdhhdlid.exeFolaiqng.exeAjcdnd32.exeNnojho32.exeFafdkmap.exeKgmcce32.exeIloidijb.exeLclpdncg.exeFkeodaai.exeEgijmegb.exeLihfcm32.exeFbelcblk.exeMcjmel32.exedescription ioc process File opened for modification C:\Windows\SysWOW64\Fkpool32.exe Fhabbp32.exe File created C:\Windows\SysWOW64\Aqmiic32.dll Iepaaico.exe File created C:\Windows\SysWOW64\Hiagomkq.dll Gkjhoq32.exe File opened for modification C:\Windows\SysWOW64\Opclldhj.exe File opened for modification C:\Windows\SysWOW64\Odoogi32.exe Omegjomb.exe File created C:\Windows\SysWOW64\Kjeiodek.exe Kckqbj32.exe File opened for modification C:\Windows\SysWOW64\Ehdmlhcj.exe Eefaomcg.exe File created C:\Windows\SysWOW64\Hpfcdojl.exe Hacbhb32.exe File created C:\Windows\SysWOW64\Fijgdejm.dll Objpoh32.exe File created C:\Windows\SysWOW64\Abdkep32.dll Emmdom32.exe File created C:\Windows\SysWOW64\Fnmnbf32.dll Ddonekbl.exe File created C:\Windows\SysWOW64\Oeabgdnp.dll Dpnbog32.exe File opened for modification C:\Windows\SysWOW64\Lcimdh32.exe Llodgnja.exe File created C:\Windows\SysWOW64\Nggnadib.exe Nopfpgip.exe File created C:\Windows\SysWOW64\Cggkemhh.dll File opened for modification C:\Windows\SysWOW64\Ejfeng32.exe Ebommi32.exe File opened for modification C:\Windows\SysWOW64\Phdnngdn.exe Pefabkej.exe File created C:\Windows\SysWOW64\Oeicejia.exe Ncjginjn.exe File created C:\Windows\SysWOW64\Hgdejd32.exe Hpjmnjqn.exe File created C:\Windows\SysWOW64\Ihbjebjh.dll Pdmkhgho.exe File opened for modification C:\Windows\SysWOW64\Bafndi32.exe Bohbhmfm.exe File opened for modification C:\Windows\SysWOW64\Jdgafjpn.exe Jbiejoaj.exe File created C:\Windows\SysWOW64\Pbbigf32.dll Noeahkfc.exe File created C:\Windows\SysWOW64\Opjghl32.dll File opened for modification C:\Windows\SysWOW64\Ghhhcomg.exe Gpaqbbld.exe File opened for modification C:\Windows\SysWOW64\Eaakpm32.exe Eobocb32.exe File opened for modification C:\Windows\SysWOW64\Bcinna32.exe Bkafmd32.exe File created C:\Windows\SysWOW64\Embddb32.exe Ejchhgid.exe File opened for modification C:\Windows\SysWOW64\Fipkjb32.exe Ffaong32.exe File created C:\Windows\SysWOW64\Kahdohfm.dll Dmjocp32.exe File created C:\Windows\SysWOW64\Qfbobf32.exe Qoifflkg.exe File opened for modification C:\Windows\SysWOW64\Hkjjlhle.exe Hdpbon32.exe File created C:\Windows\SysWOW64\Kdkdgchl.exe Kmdlffhj.exe File created C:\Windows\SysWOW64\Bpajnp32.dll Jkjcbe32.exe File created C:\Windows\SysWOW64\Eefaomcg.exe Emoinpcd.exe File created C:\Windows\SysWOW64\Kcmmhj32.exe Koaagkcb.exe File created C:\Windows\SysWOW64\Knippe32.exe Khpgckkb.exe File opened for modification C:\Windows\SysWOW64\Dmdonkgc.exe Djfcaohp.exe File created C:\Windows\SysWOW64\Pfejnf32.dll Iciaqc32.exe File created C:\Windows\SysWOW64\Lmaamn32.exe Lnoaaaad.exe File created C:\Windows\SysWOW64\Kflnfcgg.exe Kbpbed32.exe File created C:\Windows\SysWOW64\Jhijep32.dll File opened for modification C:\Windows\SysWOW64\Jbgoof32.exe Jgakbm32.exe File created C:\Windows\SysWOW64\Ifdonfka.exe Ibicnh32.exe File created C:\Windows\SysWOW64\Aobbbd32.dll Icdheded.exe File created C:\Windows\SysWOW64\Bjfjka32.exe Bfjnjcni.exe File opened for modification C:\Windows\SysWOW64\Fjadje32.exe Fbjmhh32.exe File created C:\Windows\SysWOW64\Fiboaq32.dll Dkceokii.exe File created C:\Windows\SysWOW64\Jgilhm32.dll Cdhhdlid.exe File opened for modification C:\Windows\SysWOW64\Boldhf32.exe File created C:\Windows\SysWOW64\Pnkbkk32.exe File opened for modification C:\Windows\SysWOW64\Fdijbg32.exe Folaiqng.exe File created C:\Windows\SysWOW64\Oklmii32.dll Khpgckkb.exe File opened for modification C:\Windows\SysWOW64\Aqmlknnd.exe Ajcdnd32.exe File created C:\Windows\SysWOW64\Ghndhd32.dll Nnojho32.exe File created C:\Windows\SysWOW64\Fddqghpd.exe Fafdkmap.exe File opened for modification C:\Windows\SysWOW64\Kjkpoq32.exe Kgmcce32.exe File created C:\Windows\SysWOW64\Abakhdbk.dll Iloidijb.exe File opened for modification C:\Windows\SysWOW64\Lkchelci.exe Lclpdncg.exe File created C:\Windows\SysWOW64\Cbokknag.dll Fkeodaai.exe File opened for modification C:\Windows\SysWOW64\Eopbnbhd.exe Egijmegb.exe File created C:\Windows\SysWOW64\Llgcph32.exe Lihfcm32.exe File created C:\Windows\SysWOW64\Fechomko.exe Fbelcblk.exe File created C:\Windows\SysWOW64\Mjdebfnd.exe Mcjmel32.exe -
Program crash 1 IoCs
Processes:
pid pid_target process target process 17428 7316 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Lflgmqhd.exeMpqkad32.exePcpikkge.exeGnjjfegi.exePeahgl32.exePefabkej.exeBdbnjdfg.exeKgdpni32.exeLfealaol.exeKbmoen32.exeGmdjapgb.exeKmkbfeab.exeKdbjhbbd.exeKjlopc32.exeJjamia32.exeLbkkgl32.exeOoejohhq.exeHcblpdgg.exeIkbfgppo.exeLgbloglj.exeEdopabqn.exeMjmoag32.exeFdkpma32.exeCofnik32.exeHdnldd32.exeQcbfakec.exeBfngdn32.exeBnfihkqm.exeCfpffeaj.exeFgbmccpg.exeAcpbbi32.exeQlggjk32.exeLqndhcdc.exeEbgpad32.exeEfmmmn32.exeKqnbkl32.exeAkffafgg.exeDbndfl32.exeKnfeeimj.exeGnfhfl32.exeBgbdcgld.exeEdhjqc32.exeBjlpjm32.exeAdikdfna.exeGlgcbf32.exeDdjejl32.exeFgppmd32.exeGdoihpbk.exeAhqddk32.exeEmdajb32.exeOkkdic32.exeFmfgek32.exeNflkbanj.exeGpnmbl32.exeHkdjfb32.exeEbnfbcbc.exeOcopdn32.exeGklnjj32.exeNoeahkfc.exeNacmdf32.exeNjkkbehl.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lflgmqhd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpqkad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcpikkge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnjjfegi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Peahgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pefabkej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdbnjdfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgdpni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfealaol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbmoen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmdjapgb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmkbfeab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdbjhbbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjlopc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjamia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbkkgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooejohhq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcblpdgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikbfgppo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgbloglj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edopabqn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjmoag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdkpma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cofnik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdnldd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcbfakec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfngdn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnfihkqm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfpffeaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgbmccpg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acpbbi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qlggjk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqndhcdc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebgpad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efmmmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kqnbkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akffafgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbndfl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knfeeimj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnfhfl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgbdcgld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edhjqc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjlpjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adikdfna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glgcbf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddjejl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgppmd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdoihpbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahqddk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emdajb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okkdic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmfgek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nflkbanj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpnmbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkdjfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebnfbcbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocopdn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gklnjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Noeahkfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nacmdf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njkkbehl.exe -
Modifies registry class 64 IoCs
Processes:
Cofecami.exeCkpbnb32.exeBmemac32.exeDahhio32.exeHmbphg32.exeFmgejhgn.exeGahcmd32.exeMebcop32.exePonfka32.exeHdpbon32.exeKkpbin32.exeJecofa32.exeMidfokpm.exeAodogdmn.exeAijnep32.exe1142cec0a3a241fe9f0fc7e559290736483f6a91f88cf2bf4883d75192c365cdN.exeImkbnf32.exeKqbkfkal.exeOloahhki.exeJcfggkac.exeAkhcfe32.exeIlcldb32.exeIgfclkdj.exeHffcmh32.exeEkmhejao.exeAfinioip.exeHkhdqoac.exeJilnqqbj.exeOllnhb32.exeLcimdh32.exeIggaah32.exeOdalmibl.exeMgobel32.exeCkclhn32.exeHbmcbime.exeOigllh32.exeFmcjpl32.exeFalcae32.exeDdonekbl.exeCnfaohbj.exePlndcl32.exeCobkhb32.exeFjadje32.exeDanecp32.exeLjkifn32.exeKcbnnpka.exeChlflabp.exeLlodgnja.exeQadoba32.exeElnoopdj.exeJlkipgpe.exeLqndhcdc.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niehpfnk.dll" Cofecami.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckpbnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmemac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkccmkel.dll" Dahhio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmbphg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hifpcjin.dll" Fmgejhgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gahcmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eegiklal.dll" Mebcop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdpmoppk.dll" Ponfka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hdpbon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhhqlkph.dll" Kkpbin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nainbl32.dll" Jecofa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Midfokpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlbdlk32.dll" Aodogdmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbiaci32.dll" Aijnep32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 1142cec0a3a241fe9f0fc7e559290736483f6a91f88cf2bf4883d75192c365cdN.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohnefj32.dll" Midfokpm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Imkbnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kqbkfkal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccmbmpbk.dll" Oloahhki.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcfggkac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkellk32.dll" Akhcfe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ilcldb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igfclkdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebcdpe32.dll" Hffcmh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djiono32.dll" Ekmhejao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnkapdda.dll" Afinioip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkhdqoac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lobfem32.dll" Jilnqqbj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ollnhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lcimdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iggaah32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mebcop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fechok32.dll" Odalmibl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgobel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckclhn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbmcbime.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgdhgbbj.dll" Oigllh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmcjpl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Falcae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Imkbnf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddonekbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdlhkf32.dll" Cnfaohbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Plndcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieneofbo.dll" Cobkhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjadje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Danecp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljkifn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kcbnnpka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Micgbemj.dll" Chlflabp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Llodgnja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qadoba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Elnoopdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfamlc32.dll" Jlkipgpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lqndhcdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oigllh32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
1142cec0a3a241fe9f0fc7e559290736483f6a91f88cf2bf4883d75192c365cdN.exeBeihma32.exeBhhdil32.exeBfkedibe.exeBmemac32.exeBelebq32.exeCfmajipb.exeCmgjgcgo.exeCenahpha.exeCfpnph32.exeCnffqf32.exeCaebma32.exeCdcoim32.exeChokikeb.exeCjmgfgdf.exeCmlcbbcj.exeCeckcp32.exeCfdhkhjj.exeCmnpgb32.exeCajlhqjp.exeCdhhdlid.exeCjbpaf32.exedescription pid process target process PID 4512 wrote to memory of 1636 4512 1142cec0a3a241fe9f0fc7e559290736483f6a91f88cf2bf4883d75192c365cdN.exe Beihma32.exe PID 4512 wrote to memory of 1636 4512 1142cec0a3a241fe9f0fc7e559290736483f6a91f88cf2bf4883d75192c365cdN.exe Beihma32.exe PID 4512 wrote to memory of 1636 4512 1142cec0a3a241fe9f0fc7e559290736483f6a91f88cf2bf4883d75192c365cdN.exe Beihma32.exe PID 1636 wrote to memory of 3920 1636 Beihma32.exe Bhhdil32.exe PID 1636 wrote to memory of 3920 1636 Beihma32.exe Bhhdil32.exe PID 1636 wrote to memory of 3920 1636 Beihma32.exe Bhhdil32.exe PID 3920 wrote to memory of 368 3920 Bhhdil32.exe Bfkedibe.exe PID 3920 wrote to memory of 368 3920 Bhhdil32.exe Bfkedibe.exe PID 3920 wrote to memory of 368 3920 Bhhdil32.exe Bfkedibe.exe PID 368 wrote to memory of 1912 368 Bfkedibe.exe Bmemac32.exe PID 368 wrote to memory of 1912 368 Bfkedibe.exe Bmemac32.exe PID 368 wrote to memory of 1912 368 Bfkedibe.exe Bmemac32.exe PID 1912 wrote to memory of 4968 1912 Bmemac32.exe Belebq32.exe PID 1912 wrote to memory of 4968 1912 Bmemac32.exe Belebq32.exe PID 1912 wrote to memory of 4968 1912 Bmemac32.exe Belebq32.exe PID 4968 wrote to memory of 2364 4968 Belebq32.exe Cfmajipb.exe PID 4968 wrote to memory of 2364 4968 Belebq32.exe Cfmajipb.exe PID 4968 wrote to memory of 2364 4968 Belebq32.exe Cfmajipb.exe PID 2364 wrote to memory of 584 2364 Cfmajipb.exe Cmgjgcgo.exe PID 2364 wrote to memory of 584 2364 Cfmajipb.exe Cmgjgcgo.exe PID 2364 wrote to memory of 584 2364 Cfmajipb.exe Cmgjgcgo.exe PID 584 wrote to memory of 3008 584 Cmgjgcgo.exe Cenahpha.exe PID 584 wrote to memory of 3008 584 Cmgjgcgo.exe Cenahpha.exe PID 584 wrote to memory of 3008 584 Cmgjgcgo.exe Cenahpha.exe PID 3008 wrote to memory of 864 3008 Cenahpha.exe Cfpnph32.exe PID 3008 wrote to memory of 864 3008 Cenahpha.exe Cfpnph32.exe PID 3008 wrote to memory of 864 3008 Cenahpha.exe Cfpnph32.exe PID 864 wrote to memory of 3980 864 Cfpnph32.exe Cnffqf32.exe PID 864 wrote to memory of 3980 864 Cfpnph32.exe Cnffqf32.exe PID 864 wrote to memory of 3980 864 Cfpnph32.exe Cnffqf32.exe PID 3980 wrote to memory of 712 3980 Cnffqf32.exe Caebma32.exe PID 3980 wrote to memory of 712 3980 Cnffqf32.exe Caebma32.exe PID 3980 wrote to memory of 712 3980 Cnffqf32.exe Caebma32.exe PID 712 wrote to memory of 3328 712 Caebma32.exe Cdcoim32.exe PID 712 wrote to memory of 3328 712 Caebma32.exe Cdcoim32.exe PID 712 wrote to memory of 3328 712 Caebma32.exe Cdcoim32.exe PID 3328 wrote to memory of 4424 3328 Cdcoim32.exe Chokikeb.exe PID 3328 wrote to memory of 4424 3328 Cdcoim32.exe Chokikeb.exe PID 3328 wrote to memory of 4424 3328 Cdcoim32.exe Chokikeb.exe PID 4424 wrote to memory of 5096 4424 Chokikeb.exe Cjmgfgdf.exe PID 4424 wrote to memory of 5096 4424 Chokikeb.exe Cjmgfgdf.exe PID 4424 wrote to memory of 5096 4424 Chokikeb.exe Cjmgfgdf.exe PID 5096 wrote to memory of 2348 5096 Cjmgfgdf.exe Cmlcbbcj.exe PID 5096 wrote to memory of 2348 5096 Cjmgfgdf.exe Cmlcbbcj.exe PID 5096 wrote to memory of 2348 5096 Cjmgfgdf.exe Cmlcbbcj.exe PID 2348 wrote to memory of 4156 2348 Cmlcbbcj.exe Ceckcp32.exe PID 2348 wrote to memory of 4156 2348 Cmlcbbcj.exe Ceckcp32.exe PID 2348 wrote to memory of 4156 2348 Cmlcbbcj.exe Ceckcp32.exe PID 4156 wrote to memory of 3244 4156 Ceckcp32.exe Cfdhkhjj.exe PID 4156 wrote to memory of 3244 4156 Ceckcp32.exe Cfdhkhjj.exe PID 4156 wrote to memory of 3244 4156 Ceckcp32.exe Cfdhkhjj.exe PID 3244 wrote to memory of 1416 3244 Cfdhkhjj.exe Cmnpgb32.exe PID 3244 wrote to memory of 1416 3244 Cfdhkhjj.exe Cmnpgb32.exe PID 3244 wrote to memory of 1416 3244 Cfdhkhjj.exe Cmnpgb32.exe PID 1416 wrote to memory of 4092 1416 Cmnpgb32.exe Cajlhqjp.exe PID 1416 wrote to memory of 4092 1416 Cmnpgb32.exe Cajlhqjp.exe PID 1416 wrote to memory of 4092 1416 Cmnpgb32.exe Cajlhqjp.exe PID 4092 wrote to memory of 408 4092 Cajlhqjp.exe Cdhhdlid.exe PID 4092 wrote to memory of 408 4092 Cajlhqjp.exe Cdhhdlid.exe PID 4092 wrote to memory of 408 4092 Cajlhqjp.exe Cdhhdlid.exe PID 408 wrote to memory of 4400 408 Cdhhdlid.exe Cjbpaf32.exe PID 408 wrote to memory of 4400 408 Cdhhdlid.exe Cjbpaf32.exe PID 408 wrote to memory of 4400 408 Cdhhdlid.exe Cjbpaf32.exe PID 4400 wrote to memory of 3876 4400 Cjbpaf32.exe Cnnlaehj.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\1142cec0a3a241fe9f0fc7e559290736483f6a91f88cf2bf4883d75192c365cdN.exe"C:\Users\Admin\AppData\Local\Temp\1142cec0a3a241fe9f0fc7e559290736483f6a91f88cf2bf4883d75192c365cdN.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4512 -
C:\Windows\SysWOW64\Beihma32.exeC:\Windows\system32\Beihma32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\SysWOW64\Bhhdil32.exeC:\Windows\system32\Bhhdil32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3920 -
C:\Windows\SysWOW64\Bfkedibe.exeC:\Windows\system32\Bfkedibe.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:368 -
C:\Windows\SysWOW64\Bmemac32.exeC:\Windows\system32\Bmemac32.exe5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Windows\SysWOW64\Belebq32.exeC:\Windows\system32\Belebq32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4968 -
C:\Windows\SysWOW64\Cfmajipb.exeC:\Windows\system32\Cfmajipb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\SysWOW64\Cmgjgcgo.exeC:\Windows\system32\Cmgjgcgo.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:584 -
C:\Windows\SysWOW64\Cenahpha.exeC:\Windows\system32\Cenahpha.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Windows\SysWOW64\Cfpnph32.exeC:\Windows\system32\Cfpnph32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:864 -
C:\Windows\SysWOW64\Cnffqf32.exeC:\Windows\system32\Cnffqf32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3980 -
C:\Windows\SysWOW64\Caebma32.exeC:\Windows\system32\Caebma32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:712 -
C:\Windows\SysWOW64\Cdcoim32.exeC:\Windows\system32\Cdcoim32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3328 -
C:\Windows\SysWOW64\Chokikeb.exeC:\Windows\system32\Chokikeb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4424 -
C:\Windows\SysWOW64\Cjmgfgdf.exeC:\Windows\system32\Cjmgfgdf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5096 -
C:\Windows\SysWOW64\Cmlcbbcj.exeC:\Windows\system32\Cmlcbbcj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\Ceckcp32.exeC:\Windows\system32\Ceckcp32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4156 -
C:\Windows\SysWOW64\Cfdhkhjj.exeC:\Windows\system32\Cfdhkhjj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3244 -
C:\Windows\SysWOW64\Cmnpgb32.exeC:\Windows\system32\Cmnpgb32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1416 -
C:\Windows\SysWOW64\Cajlhqjp.exeC:\Windows\system32\Cajlhqjp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4092 -
C:\Windows\SysWOW64\Cdhhdlid.exeC:\Windows\system32\Cdhhdlid.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:408 -
C:\Windows\SysWOW64\Cjbpaf32.exeC:\Windows\system32\Cjbpaf32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4400 -
C:\Windows\SysWOW64\Cnnlaehj.exeC:\Windows\system32\Cnnlaehj.exe23⤵
- Executes dropped EXE
PID:3876 -
C:\Windows\SysWOW64\Ddjejl32.exeC:\Windows\system32\Ddjejl32.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1348 -
C:\Windows\SysWOW64\Djdmffnn.exeC:\Windows\system32\Djdmffnn.exe25⤵
- Executes dropped EXE
PID:3504 -
C:\Windows\SysWOW64\Danecp32.exeC:\Windows\system32\Danecp32.exe26⤵
- Executes dropped EXE
- Modifies registry class
PID:4932 -
C:\Windows\SysWOW64\Ddmaok32.exeC:\Windows\system32\Ddmaok32.exe27⤵
- Executes dropped EXE
PID:1484 -
C:\Windows\SysWOW64\Dfknkg32.exeC:\Windows\system32\Dfknkg32.exe28⤵
- Executes dropped EXE
PID:3688 -
C:\Windows\SysWOW64\Dmefhako.exeC:\Windows\system32\Dmefhako.exe29⤵
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Delnin32.exeC:\Windows\system32\Delnin32.exe30⤵
- Executes dropped EXE
PID:4336 -
C:\Windows\SysWOW64\Ddonekbl.exeC:\Windows\system32\Ddonekbl.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1000 -
C:\Windows\SysWOW64\Dodbbdbb.exeC:\Windows\system32\Dodbbdbb.exe32⤵
- Executes dropped EXE
PID:1828 -
C:\Windows\SysWOW64\Daconoae.exeC:\Windows\system32\Daconoae.exe33⤵
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Ddakjkqi.exeC:\Windows\system32\Ddakjkqi.exe34⤵
- Executes dropped EXE
PID:3568 -
C:\Windows\SysWOW64\Dkkcge32.exeC:\Windows\system32\Dkkcge32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3220 -
C:\Windows\SysWOW64\Dmjocp32.exeC:\Windows\system32\Dmjocp32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3596 -
C:\Windows\SysWOW64\Deagdn32.exeC:\Windows\system32\Deagdn32.exe37⤵
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Dgbdlf32.exeC:\Windows\system32\Dgbdlf32.exe38⤵
- Executes dropped EXE
PID:216 -
C:\Windows\SysWOW64\Doilmc32.exeC:\Windows\system32\Doilmc32.exe39⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Dahhio32.exeC:\Windows\system32\Dahhio32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:4004 -
C:\Windows\SysWOW64\Eecdjmfi.exeC:\Windows\system32\Eecdjmfi.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4636 -
C:\Windows\SysWOW64\Ehapfiem.exeC:\Windows\system32\Ehapfiem.exe42⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Ekpmbddq.exeC:\Windows\system32\Ekpmbddq.exe43⤵
- Executes dropped EXE
PID:1420 -
C:\Windows\SysWOW64\Emoinpcd.exeC:\Windows\system32\Emoinpcd.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1716 -
C:\Windows\SysWOW64\Eefaomcg.exeC:\Windows\system32\Eefaomcg.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:428 -
C:\Windows\SysWOW64\Ehdmlhcj.exeC:\Windows\system32\Ehdmlhcj.exe46⤵
- Executes dropped EXE
PID:1824 -
C:\Windows\SysWOW64\Ekbihd32.exeC:\Windows\system32\Ekbihd32.exe47⤵
- Executes dropped EXE
PID:5044 -
C:\Windows\SysWOW64\Ealadnik.exeC:\Windows\system32\Ealadnik.exe48⤵
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Edknqiho.exeC:\Windows\system32\Edknqiho.exe49⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Egijmegb.exeC:\Windows\system32\Egijmegb.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2956 -
C:\Windows\SysWOW64\Eopbnbhd.exeC:\Windows\system32\Eopbnbhd.exe51⤵
- Executes dropped EXE
PID:4548 -
C:\Windows\SysWOW64\Eaonjngh.exeC:\Windows\system32\Eaonjngh.exe52⤵
- Executes dropped EXE
PID:5116 -
C:\Windows\SysWOW64\Edmjfifl.exeC:\Windows\system32\Edmjfifl.exe53⤵
- Executes dropped EXE
PID:552 -
C:\Windows\SysWOW64\Eglgbdep.exeC:\Windows\system32\Eglgbdep.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3096 -
C:\Windows\SysWOW64\Eobocb32.exeC:\Windows\system32\Eobocb32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4372 -
C:\Windows\SysWOW64\Eaakpm32.exeC:\Windows\system32\Eaakpm32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Edpgli32.exeC:\Windows\system32\Edpgli32.exe57⤵
- Executes dropped EXE
PID:1460 -
C:\Windows\SysWOW64\Egnchd32.exeC:\Windows\system32\Egnchd32.exe58⤵
- Executes dropped EXE
PID:60 -
C:\Windows\SysWOW64\Eoekia32.exeC:\Windows\system32\Eoekia32.exe59⤵
- Executes dropped EXE
PID:4896 -
C:\Windows\SysWOW64\Feocelll.exeC:\Windows\system32\Feocelll.exe60⤵
- Executes dropped EXE
PID:4380 -
C:\Windows\SysWOW64\Fgppmd32.exeC:\Windows\system32\Fgppmd32.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1100 -
C:\Windows\SysWOW64\Fkllnbjc.exeC:\Windows\system32\Fkllnbjc.exe62⤵
- Executes dropped EXE
PID:4580 -
C:\Windows\SysWOW64\Fafdkmap.exeC:\Windows\system32\Fafdkmap.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1868 -
C:\Windows\SysWOW64\Fddqghpd.exeC:\Windows\system32\Fddqghpd.exe64⤵
- Executes dropped EXE
PID:1200 -
C:\Windows\SysWOW64\Fgbmccpg.exeC:\Windows\system32\Fgbmccpg.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3908 -
C:\Windows\SysWOW64\Fnmepn32.exeC:\Windows\system32\Fnmepn32.exe66⤵PID:1808
-
C:\Windows\SysWOW64\Fdfmlhna.exeC:\Windows\system32\Fdfmlhna.exe67⤵PID:4768
-
C:\Windows\SysWOW64\Folaiqng.exeC:\Windows\system32\Folaiqng.exe68⤵
- Drops file in System32 directory
PID:1376 -
C:\Windows\SysWOW64\Fdijbg32.exeC:\Windows\system32\Fdijbg32.exe69⤵PID:2320
-
C:\Windows\SysWOW64\Fonnop32.exeC:\Windows\system32\Fonnop32.exe70⤵PID:2388
-
C:\Windows\SysWOW64\Fehfljca.exeC:\Windows\system32\Fehfljca.exe71⤵PID:1088
-
C:\Windows\SysWOW64\Fgjccb32.exeC:\Windows\system32\Fgjccb32.exe72⤵PID:3388
-
C:\Windows\SysWOW64\Fkeodaai.exeC:\Windows\system32\Fkeodaai.exe73⤵
- Drops file in System32 directory
PID:3416 -
C:\Windows\SysWOW64\Gaogak32.exeC:\Windows\system32\Gaogak32.exe74⤵PID:3716
-
C:\Windows\SysWOW64\Ghipne32.exeC:\Windows\system32\Ghipne32.exe75⤵PID:2912
-
C:\Windows\SysWOW64\Gkglja32.exeC:\Windows\system32\Gkglja32.exe76⤵PID:3224
-
C:\Windows\SysWOW64\Gnfhfl32.exeC:\Windows\system32\Gnfhfl32.exe77⤵
- System Location Discovery: System Language Discovery
PID:2292 -
C:\Windows\SysWOW64\Gempgj32.exeC:\Windows\system32\Gempgj32.exe78⤵PID:1692
-
C:\Windows\SysWOW64\Ghklce32.exeC:\Windows\system32\Ghklce32.exe79⤵PID:4220
-
C:\Windows\SysWOW64\Gkjhoq32.exeC:\Windows\system32\Gkjhoq32.exe80⤵
- Drops file in System32 directory
PID:956 -
C:\Windows\SysWOW64\Goedpofl.exeC:\Windows\system32\Goedpofl.exe81⤵PID:2484
-
C:\Windows\SysWOW64\Gdbmhf32.exeC:\Windows\system32\Gdbmhf32.exe82⤵PID:1104
-
C:\Windows\SysWOW64\Ggqida32.exeC:\Windows\system32\Ggqida32.exe83⤵PID:1172
-
C:\Windows\SysWOW64\Gohaeo32.exeC:\Windows\system32\Gohaeo32.exe84⤵PID:1280
-
C:\Windows\SysWOW64\Gfbibikg.exeC:\Windows\system32\Gfbibikg.exe85⤵PID:1800
-
C:\Windows\SysWOW64\Ggcfja32.exeC:\Windows\system32\Ggcfja32.exe86⤵PID:452
-
C:\Windows\SysWOW64\Gahjgj32.exeC:\Windows\system32\Gahjgj32.exe87⤵PID:2072
-
C:\Windows\SysWOW64\Gdgfce32.exeC:\Windows\system32\Gdgfce32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3484 -
C:\Windows\SysWOW64\Ghbbcd32.exeC:\Windows\system32\Ghbbcd32.exe89⤵PID:5000
-
C:\Windows\SysWOW64\Ggeboaob.exeC:\Windows\system32\Ggeboaob.exe90⤵PID:2028
-
C:\Windows\SysWOW64\Goljqnpd.exeC:\Windows\system32\Goljqnpd.exe91⤵PID:4948
-
C:\Windows\SysWOW64\Hakgmjoh.exeC:\Windows\system32\Hakgmjoh.exe92⤵PID:4848
-
C:\Windows\SysWOW64\Hffcmh32.exeC:\Windows\system32\Hffcmh32.exe93⤵
- Modifies registry class
PID:2288 -
C:\Windows\SysWOW64\Hheoid32.exeC:\Windows\system32\Hheoid32.exe94⤵PID:3472
-
C:\Windows\SysWOW64\Hkckeo32.exeC:\Windows\system32\Hkckeo32.exe95⤵PID:1888
-
C:\Windows\SysWOW64\Hoogfnnb.exeC:\Windows\system32\Hoogfnnb.exe96⤵PID:5140
-
C:\Windows\SysWOW64\Hbmcbime.exeC:\Windows\system32\Hbmcbime.exe97⤵
- Modifies registry class
PID:5184 -
C:\Windows\SysWOW64\Hdlpneli.exeC:\Windows\system32\Hdlpneli.exe98⤵PID:5228
-
C:\Windows\SysWOW64\Hkehkocf.exeC:\Windows\system32\Hkehkocf.exe99⤵PID:5272
-
C:\Windows\SysWOW64\Hoadkn32.exeC:\Windows\system32\Hoadkn32.exe100⤵PID:5312
-
C:\Windows\SysWOW64\Hbpphi32.exeC:\Windows\system32\Hbpphi32.exe101⤵PID:5356
-
C:\Windows\SysWOW64\Hdnldd32.exeC:\Windows\system32\Hdnldd32.exe102⤵
- System Location Discovery: System Language Discovery
PID:5396 -
C:\Windows\SysWOW64\Hhihdcbp.exeC:\Windows\system32\Hhihdcbp.exe103⤵PID:5444
-
C:\Windows\SysWOW64\Hkhdqoac.exeC:\Windows\system32\Hkhdqoac.exe104⤵
- Modifies registry class
PID:5504 -
C:\Windows\SysWOW64\Hocqam32.exeC:\Windows\system32\Hocqam32.exe105⤵PID:5552
-
C:\Windows\SysWOW64\Hbbmmi32.exeC:\Windows\system32\Hbbmmi32.exe106⤵PID:5612
-
C:\Windows\SysWOW64\Hhlejcpm.exeC:\Windows\system32\Hhlejcpm.exe107⤵PID:5668
-
C:\Windows\SysWOW64\Hbdjchgn.exeC:\Windows\system32\Hbdjchgn.exe108⤵PID:5724
-
C:\Windows\SysWOW64\Hfpecg32.exeC:\Windows\system32\Hfpecg32.exe109⤵PID:5776
-
C:\Windows\SysWOW64\Hhnbpb32.exeC:\Windows\system32\Hhnbpb32.exe110⤵PID:5824
-
C:\Windows\SysWOW64\Hgabkoee.exeC:\Windows\system32\Hgabkoee.exe111⤵PID:5872
-
C:\Windows\SysWOW64\Hkmnln32.exeC:\Windows\system32\Hkmnln32.exe112⤵PID:5948
-
C:\Windows\SysWOW64\Inkjhi32.exeC:\Windows\system32\Inkjhi32.exe113⤵PID:6028
-
C:\Windows\SysWOW64\Ifbbig32.exeC:\Windows\system32\Ifbbig32.exe114⤵PID:6084
-
C:\Windows\SysWOW64\Idebdcdo.exeC:\Windows\system32\Idebdcdo.exe115⤵PID:6136
-
C:\Windows\SysWOW64\Iokgal32.exeC:\Windows\system32\Iokgal32.exe116⤵PID:5172
-
C:\Windows\SysWOW64\Ibicnh32.exeC:\Windows\system32\Ibicnh32.exe117⤵
- Drops file in System32 directory
PID:5240 -
C:\Windows\SysWOW64\Ifdonfka.exeC:\Windows\system32\Ifdonfka.exe118⤵PID:5300
-
C:\Windows\SysWOW64\Idgojc32.exeC:\Windows\system32\Idgojc32.exe119⤵PID:5392
-
C:\Windows\SysWOW64\Igfkfo32.exeC:\Windows\system32\Igfkfo32.exe120⤵PID:5476
-
C:\Windows\SysWOW64\Iomcgl32.exeC:\Windows\system32\Iomcgl32.exe121⤵PID:5560
-
C:\Windows\SysWOW64\Ifgldfio.exeC:\Windows\system32\Ifgldfio.exe122⤵PID:5628
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-