Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 10-11-2024 01:59
Static task: static1
Behavioral task: behavioral1
Sample: b5e173463ff6d956776a8bea4724523f34a92af6f8c75a826d3d31432a385c9a.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: b5e173463ff6d956776a8bea4724523f34a92af6f8c75a826d3d31432a385c9a.exe
Resource: win10v2004-20241007-en
General
Target: b5e173463ff6d956776a8bea4724523f34a92af6f8c75a826d3d31432a385c9a.exe
Size: 182KB
MD5: 9e3b35e5c1b9b9ec93cbc8a88e4d663a
SHA1: 8177c45f3bc2eb1c5b70db7fe54f50c52cbadba2
SHA256: b5e173463ff6d956776a8bea4724523f34a92af6f8c75a826d3d31432a385c9a
SHA512: cddbdc449a8e57f51b2cecf73842ba8ce1dd724484cd4e990c4e951d662955e8864b64e1dff401f4745f6c7008e6d0f359156d97e27aa9f542970c72dfca9cab
SSDEEP: 1536:1nXng8WAwvFPENj/HoNk2Lf7nguPw9uVgA53+RrKJs2zjFS3ldkBOLLaVqI2409c:lwvVENjobf7nguPnVgA53+GpOc
Malware Config
Extracted
berbew
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Berbew family
Executes dropped EXE 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
Processes: WerFault.exe
pid: 9048 | pid_target: 8268 | process: WerFault.exe | target process: Dkqaoe32.exe
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jinboekc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgbpaipl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifoihl32.dll" Pdmpje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhhnpjmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jecofa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkoigdom.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kcpahpmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Enbjad32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Processes
-
C:\Users\Admin\AppData\Local\Temp\b5e173463ff6d956776a8bea4724523f34a92af6f8c75a826d3d31432a385c9a.exe"C:\Users\Admin\AppData\Local\Temp\b5e173463ff6d956776a8bea4724523f34a92af6f8c75a826d3d31432a385c9a.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\Nnneknob.exeC:\Windows\system32\Nnneknob.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Windows\SysWOW64\Npmagine.exeC:\Windows\system32\Npmagine.exe3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1500 -
C:\Windows\SysWOW64\Njefqo32.exeC:\Windows\system32\Njefqo32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Nnqbanmo.exeC:\Windows\system32\Nnqbanmo.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1892 -
C:\Windows\SysWOW64\Oncofm32.exeC:\Windows\system32\Oncofm32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3184 -
C:\Windows\SysWOW64\Ocpgod32.exeC:\Windows\system32\Ocpgod32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\Oneklm32.exeC:\Windows\system32\Oneklm32.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Odocigqg.exeC:\Windows\system32\Odocigqg.exe9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1332 -
C:\Windows\SysWOW64\Ognpebpj.exeC:\Windows\system32\Ognpebpj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1504 -
C:\Windows\SysWOW64\Oqfdnhfk.exeC:\Windows\system32\Oqfdnhfk.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4224 -
C:\Windows\SysWOW64\Ojoign32.exeC:\Windows\system32\Ojoign32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:712 -
C:\Windows\SysWOW64\Olmeci32.exeC:\Windows\system32\Olmeci32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4072 -
C:\Windows\SysWOW64\Ojaelm32.exeC:\Windows\system32\Ojaelm32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:800 -
C:\Windows\SysWOW64\Pgefeajb.exeC:\Windows\system32\Pgefeajb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4968 -
C:\Windows\SysWOW64\Pjcbbmif.exeC:\Windows\system32\Pjcbbmif.exe16⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3264 -
C:\Windows\SysWOW64\Pmannhhj.exeC:\Windows\system32\Pmannhhj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:948 -
C:\Windows\SysWOW64\Pdifoehl.exeC:\Windows\system32\Pdifoehl.exe18⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4868 -
C:\Windows\SysWOW64\Pggbkagp.exeC:\Windows\system32\Pggbkagp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Windows\SysWOW64\Pjeoglgc.exeC:\Windows\system32\Pjeoglgc.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\SysWOW64\Pdkcde32.exeC:\Windows\system32\Pdkcde32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4832 -
C:\Windows\SysWOW64\Pgioqq32.exeC:\Windows\system32\Pgioqq32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:996 -
C:\Windows\SysWOW64\Pflplnlg.exeC:\Windows\system32\Pflplnlg.exe23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3380 -
C:\Windows\SysWOW64\Pncgmkmj.exeC:\Windows\system32\Pncgmkmj.exe24⤵
- Executes dropped EXE
PID:1260 -
C:\Windows\SysWOW64\Pmfhig32.exeC:\Windows\system32\Pmfhig32.exe25⤵
- Executes dropped EXE
PID:5096 -
C:\Windows\SysWOW64\Pdmpje32.exeC:\Windows\system32\Pdmpje32.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2936 -
C:\Windows\SysWOW64\Pcppfaka.exeC:\Windows\system32\Pcppfaka.exe27⤵
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Pfolbmje.exeC:\Windows\system32\Pfolbmje.exe28⤵
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\Pjjhbl32.exeC:\Windows\system32\Pjjhbl32.exe29⤵
- Executes dropped EXE
PID:4328 -
C:\Windows\SysWOW64\Pmidog32.exeC:\Windows\system32\Pmidog32.exe30⤵
- Executes dropped EXE
PID:4360 -
C:\Windows\SysWOW64\Pdpmpdbd.exeC:\Windows\system32\Pdpmpdbd.exe31⤵
- Executes dropped EXE
PID:4680 -
C:\Windows\SysWOW64\Pcbmka32.exeC:\Windows\system32\Pcbmka32.exe32⤵
- Executes dropped EXE
PID:4216 -
C:\Windows\SysWOW64\Pfaigm32.exeC:\Windows\system32\Pfaigm32.exe33⤵
- Executes dropped EXE
PID:4280 -
C:\Windows\SysWOW64\Pjmehkqk.exeC:\Windows\system32\Pjmehkqk.exe34⤵
- Executes dropped EXE
PID:3592 -
C:\Windows\SysWOW64\Qmkadgpo.exeC:\Windows\system32\Qmkadgpo.exe35⤵
- Executes dropped EXE
PID:508 -
C:\Windows\SysWOW64\Qdbiedpa.exeC:\Windows\system32\Qdbiedpa.exe36⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Qgqeappe.exeC:\Windows\system32\Qgqeappe.exe37⤵
- Executes dropped EXE
PID:4204 -
C:\Windows\SysWOW64\Qfcfml32.exeC:\Windows\system32\Qfcfml32.exe38⤵
- Executes dropped EXE
PID:4356 -
C:\Windows\SysWOW64\Qnjnnj32.exeC:\Windows\system32\Qnjnnj32.exe39⤵
- Executes dropped EXE
PID:4372 -
C:\Windows\SysWOW64\Qmmnjfnl.exeC:\Windows\system32\Qmmnjfnl.exe40⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Qddfkd32.exeC:\Windows\system32\Qddfkd32.exe41⤵
- Executes dropped EXE
PID:3916 -
C:\Windows\SysWOW64\Qcgffqei.exeC:\Windows\system32\Qcgffqei.exe42⤵
- Executes dropped EXE
PID:3060 -
C:\Windows\SysWOW64\Qffbbldm.exeC:\Windows\system32\Qffbbldm.exe43⤵
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Ajanck32.exeC:\Windows\system32\Ajanck32.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3588 -
C:\Windows\SysWOW64\Ampkof32.exeC:\Windows\system32\Ampkof32.exe45⤵
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\Aqkgpedc.exeC:\Windows\system32\Aqkgpedc.exe46⤵
- Executes dropped EXE
PID:4908 -
C:\Windows\SysWOW64\Adgbpc32.exeC:\Windows\system32\Adgbpc32.exe47⤵
- Executes dropped EXE
PID:5056 -
C:\Windows\SysWOW64\Ageolo32.exeC:\Windows\system32\Ageolo32.exe48⤵
- Executes dropped EXE
PID:4464 -
C:\Windows\SysWOW64\Ajckij32.exeC:\Windows\system32\Ajckij32.exe49⤵
- Executes dropped EXE
PID:904 -
C:\Windows\SysWOW64\Anogiicl.exeC:\Windows\system32\Anogiicl.exe50⤵
- Executes dropped EXE
PID:3700 -
C:\Windows\SysWOW64\Aqncedbp.exeC:\Windows\system32\Aqncedbp.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2644 -
C:\Windows\SysWOW64\Aeiofcji.exeC:\Windows\system32\Aeiofcji.exe52⤵
- Executes dropped EXE
PID:4796 -
C:\Windows\SysWOW64\Agglboim.exeC:\Windows\system32\Agglboim.exe53⤵
- Executes dropped EXE
PID:1080 -
C:\Windows\SysWOW64\Aqppkd32.exeC:\Windows\system32\Aqppkd32.exe54⤵
- Executes dropped EXE
PID:5100 -
C:\Windows\SysWOW64\Acnlgp32.exeC:\Windows\system32\Acnlgp32.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4416 -
C:\Windows\SysWOW64\Afmhck32.exeC:\Windows\system32\Afmhck32.exe56⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Ajhddjfn.exeC:\Windows\system32\Ajhddjfn.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2464 -
C:\Windows\SysWOW64\Amgapeea.exeC:\Windows\system32\Amgapeea.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4804 -
C:\Windows\SysWOW64\Aabmqd32.exeC:\Windows\system32\Aabmqd32.exe59⤵
- Executes dropped EXE
PID:3896 -
C:\Windows\SysWOW64\Acqimo32.exeC:\Windows\system32\Acqimo32.exe60⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Aglemn32.exeC:\Windows\system32\Aglemn32.exe61⤵
- Executes dropped EXE
PID:4040 -
C:\Windows\SysWOW64\Ajkaii32.exeC:\Windows\system32\Ajkaii32.exe62⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Anfmjhmd.exeC:\Windows\system32\Anfmjhmd.exe63⤵
- Executes dropped EXE
PID:1212 -
C:\Windows\SysWOW64\Aadifclh.exeC:\Windows\system32\Aadifclh.exe64⤵
- Executes dropped EXE
PID:3676 -
C:\Windows\SysWOW64\Aepefb32.exeC:\Windows\system32\Aepefb32.exe65⤵
- Executes dropped EXE
PID:1888 -
C:\Windows\SysWOW64\Accfbokl.exeC:\Windows\system32\Accfbokl.exe66⤵PID:8
-
C:\Windows\SysWOW64\Bfabnjjp.exeC:\Windows\system32\Bfabnjjp.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1708 -
C:\Windows\SysWOW64\Bjmnoi32.exeC:\Windows\system32\Bjmnoi32.exe68⤵PID:1652
-
C:\Windows\SysWOW64\Bmkjkd32.exeC:\Windows\system32\Bmkjkd32.exe69⤵
- Drops file in System32 directory
- Modifies registry class
PID:2596 -
C:\Windows\SysWOW64\Bagflcje.exeC:\Windows\system32\Bagflcje.exe70⤵
- System Location Discovery: System Language Discovery
PID:4116 -
C:\Windows\SysWOW64\Bcebhoii.exeC:\Windows\system32\Bcebhoii.exe71⤵PID:4548
-
C:\Windows\SysWOW64\Bganhm32.exeC:\Windows\system32\Bganhm32.exe72⤵PID:2528
-
C:\Windows\SysWOW64\Bjokdipf.exeC:\Windows\system32\Bjokdipf.exe73⤵
- Modifies registry class
PID:3776 -
C:\Windows\SysWOW64\Bnkgeg32.exeC:\Windows\system32\Bnkgeg32.exe74⤵PID:3544
-
C:\Windows\SysWOW64\Baicac32.exeC:\Windows\system32\Baicac32.exe75⤵
- System Location Discovery: System Language Discovery
PID:3148 -
C:\Windows\SysWOW64\Beeoaapl.exeC:\Windows\system32\Beeoaapl.exe76⤵
- Modifies registry class
PID:3744 -
C:\Windows\SysWOW64\Bchomn32.exeC:\Windows\system32\Bchomn32.exe77⤵PID:2064
-
C:\Windows\SysWOW64\Bgcknmop.exeC:\Windows\system32\Bgcknmop.exe78⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4988 -
C:\Windows\SysWOW64\Bjagjhnc.exeC:\Windows\system32\Bjagjhnc.exe79⤵
- Modifies registry class
PID:1952 -
C:\Windows\SysWOW64\Bmpcfdmg.exeC:\Windows\system32\Bmpcfdmg.exe80⤵PID:4760
-
C:\Windows\SysWOW64\Balpgb32.exeC:\Windows\system32\Balpgb32.exe81⤵
- System Location Discovery: System Language Discovery
PID:116 -
C:\Windows\SysWOW64\Beglgani.exeC:\Windows\system32\Beglgani.exe82⤵
- Drops file in System32 directory
PID:5156 -
C:\Windows\SysWOW64\Bgehcmmm.exeC:\Windows\system32\Bgehcmmm.exe83⤵PID:5204
-
C:\Windows\SysWOW64\Bjddphlq.exeC:\Windows\system32\Bjddphlq.exe84⤵PID:5236
-
C:\Windows\SysWOW64\Bmbplc32.exeC:\Windows\system32\Bmbplc32.exe85⤵
- Drops file in System32 directory
PID:5276 -
C:\Windows\SysWOW64\Beihma32.exeC:\Windows\system32\Beihma32.exe86⤵PID:5336
-
C:\Windows\SysWOW64\Bnbmefbg.exeC:\Windows\system32\Bnbmefbg.exe87⤵PID:5376
-
C:\Windows\SysWOW64\Bapiabak.exeC:\Windows\system32\Bapiabak.exe88⤵PID:5416
-
C:\Windows\SysWOW64\Bcoenmao.exeC:\Windows\system32\Bcoenmao.exe89⤵
- System Location Discovery: System Language Discovery
PID:5456 -
C:\Windows\SysWOW64\Cfmajipb.exeC:\Windows\system32\Cfmajipb.exe90⤵PID:5496
-
C:\Windows\SysWOW64\Cmgjgcgo.exeC:\Windows\system32\Cmgjgcgo.exe91⤵PID:5536
-
C:\Windows\SysWOW64\Cabfga32.exeC:\Windows\system32\Cabfga32.exe92⤵
- Drops file in System32 directory
PID:5576 -
C:\Windows\SysWOW64\Chmndlge.exeC:\Windows\system32\Chmndlge.exe93⤵PID:5620
-
C:\Windows\SysWOW64\Cfpnph32.exeC:\Windows\system32\Cfpnph32.exe94⤵PID:5656
-
C:\Windows\SysWOW64\Cnffqf32.exeC:\Windows\system32\Cnffqf32.exe95⤵PID:5700
-
C:\Windows\SysWOW64\Caebma32.exeC:\Windows\system32\Caebma32.exe96⤵PID:5744
-
C:\Windows\SysWOW64\Ceqnmpfo.exeC:\Windows\system32\Ceqnmpfo.exe97⤵PID:5788
-
C:\Windows\SysWOW64\Chokikeb.exeC:\Windows\system32\Chokikeb.exe98⤵PID:5820
-
C:\Windows\SysWOW64\Cfbkeh32.exeC:\Windows\system32\Cfbkeh32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5864 -
C:\Windows\SysWOW64\Cnicfe32.exeC:\Windows\system32\Cnicfe32.exe100⤵PID:5920
-
C:\Windows\SysWOW64\Cmlcbbcj.exeC:\Windows\system32\Cmlcbbcj.exe101⤵PID:5964
-
C:\Windows\SysWOW64\Ceckcp32.exeC:\Windows\system32\Ceckcp32.exe102⤵PID:6008
-
C:\Windows\SysWOW64\Chagok32.exeC:\Windows\system32\Chagok32.exe103⤵PID:6040
-
C:\Windows\SysWOW64\Cfdhkhjj.exeC:\Windows\system32\Cfdhkhjj.exe104⤵
- System Location Discovery: System Language Discovery
PID:6096 -
C:\Windows\SysWOW64\Cnkplejl.exeC:\Windows\system32\Cnkplejl.exe105⤵PID:6140
-
C:\Windows\SysWOW64\Ceehho32.exeC:\Windows\system32\Ceehho32.exe106⤵
- Drops file in System32 directory
PID:4120 -
C:\Windows\SysWOW64\Chcddk32.exeC:\Windows\system32\Chcddk32.exe107⤵PID:2608
-
C:\Windows\SysWOW64\Cffdpghg.exeC:\Windows\system32\Cffdpghg.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:4704 -
C:\Windows\SysWOW64\Cnnlaehj.exeC:\Windows\system32\Cnnlaehj.exe109⤵PID:5144
-
C:\Windows\SysWOW64\Calhnpgn.exeC:\Windows\system32\Calhnpgn.exe110⤵PID:1352
-
C:\Windows\SysWOW64\Ddjejl32.exeC:\Windows\system32\Ddjejl32.exe111⤵PID:5268
-
C:\Windows\SysWOW64\Dfiafg32.exeC:\Windows\system32\Dfiafg32.exe112⤵PID:3512
-
C:\Windows\SysWOW64\Dopigd32.exeC:\Windows\system32\Dopigd32.exe113⤵PID:5360
-
C:\Windows\SysWOW64\Danecp32.exeC:\Windows\system32\Danecp32.exe114⤵PID:5440
-
C:\Windows\SysWOW64\Ddmaok32.exeC:\Windows\system32\Ddmaok32.exe115⤵PID:5508
-
C:\Windows\SysWOW64\Dhhnpjmh.exeC:\Windows\system32\Dhhnpjmh.exe116⤵
- Modifies registry class
PID:5592 -
C:\Windows\SysWOW64\Djgjlelk.exeC:\Windows\system32\Djgjlelk.exe117⤵PID:5648
-
C:\Windows\SysWOW64\Dmefhako.exeC:\Windows\system32\Dmefhako.exe118⤵PID:5756
-
C:\Windows\SysWOW64\Delnin32.exeC:\Windows\system32\Delnin32.exe119⤵PID:5812
-
C:\Windows\SysWOW64\Dhkjej32.exeC:\Windows\system32\Dhkjej32.exe120⤵PID:5908
-
C:\Windows\SysWOW64\Dkifae32.exeC:\Windows\system32\Dkifae32.exe121⤵
- System Location Discovery: System Language Discovery
PID:5976 -
C:\Windows\SysWOW64\Dmgbnq32.exeC:\Windows\system32\Dmgbnq32.exe122⤵PID:6048