Analysis
-
max time kernel
91s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
23-11-2024 22:32
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
04cc9b750ef2e04e52f599f8d33734cf0ac8bad819ab2ad903af38ed6527d6bbN.exe
Resource
win7-20240903-en
windows7-x64
13 signatures
120 seconds
Behavioral task
behavioral2
Sample
04cc9b750ef2e04e52f599f8d33734cf0ac8bad819ab2ad903af38ed6527d6bbN.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
12 signatures
120 seconds
General
-
Target
04cc9b750ef2e04e52f599f8d33734cf0ac8bad819ab2ad903af38ed6527d6bbN.exe
-
Size
96KB
-
MD5
55cf0fc6016b9fd962c37e966c98b800
-
SHA1
6ed373a9fb74cf0f44db9aef177118cff7ad3375
-
SHA256
04cc9b750ef2e04e52f599f8d33734cf0ac8bad819ab2ad903af38ed6527d6bb
-
SHA512
98c87f3559dd893ba1e122db78c0e3668372616490be75dde8d5fc75ed7e8938459a21a5f6d322654431e3ccfa11397f765a86943a75727873c4e3a62f579479
-
SSDEEP
1536:lAddaQqaSC2BlTj5PTYOXnd62Lv7RZObZUUWaegPYAi:lAdBedbZTYOXdHvClUUWae3
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Hnhghcki.exeIjadbdoj.exeJpaleglc.exeEnbjad32.exeFimhjl32.exeLoglacfo.exeDhclmp32.exeHoeieolb.exeFnkfmm32.exeCohkokgj.exeDbnmke32.exeJbagbebm.exeNmjfodne.exeOblhcj32.exeHncmmd32.exeKdigadjo.exeJilfifme.exePnfiplog.exeDdnobj32.exeCjmpkqqj.exeMlmbfqoj.exeNhokljge.exeCfpffeaj.exeOanokhdb.exeCoqncejg.exeEdgbii32.exeBmggingc.exeCaghhk32.exeMhjhmhhd.exeAonoao32.exeOdoogi32.exePehngkcg.exeHalhfe32.exeIhdldn32.exeMbighjdd.exeNognnj32.exeJnhidk32.exeHidgai32.exeBdapehop.exeCpleig32.exeKgflcifg.exeMmkdcm32.exeLojmcdgl.exeNqfbpb32.exeAbhqefpg.exeDgejpd32.exeKjpijpdg.exeMnhkbfme.exeDgjoif32.exeKjffdalb.exePeahgl32.exeDnajppda.exeQpbnhl32.exeMnlnbl32.exeBjaqpbkh.exeCjaifp32.exeOllnhb32.exeCibmlmeb.exeHkicaahi.exePfojdh32.exeCfcqpa32.exeAokcklid.exeFjjnifbl.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnhghcki.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijadbdoj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpaleglc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enbjad32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fimhjl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Loglacfo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhclmp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hoeieolb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnkfmm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cohkokgj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbnmke32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbagbebm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmjfodne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oblhcj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hncmmd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdigadjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jilfifme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnfiplog.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddnobj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjmpkqqj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlmbfqoj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhokljge.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfpffeaj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oanokhdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Coqncejg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edgbii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmggingc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Caghhk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhjhmhhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aonoao32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odoogi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pehngkcg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enbjad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Halhfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihdldn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbighjdd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nognnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnhidk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hidgai32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdapehop.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpleig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgflcifg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmkdcm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lojmcdgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nqfbpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abhqefpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgejpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjpijpdg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnhkbfme.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgjoif32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjffdalb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Peahgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnajppda.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpbnhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnlnbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjaqpbkh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjaifp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ollnhb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cibmlmeb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkicaahi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfojdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfcqpa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aokcklid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjjnifbl.exe -
Berbew family
-
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
-
Bruteratel family
-
Detect BruteRatel badger 1 IoCs
Processes:
resource yara_rule behavioral2/files/0x0007000000023fe5-3036.dat family_bruteratel -
Executes dropped EXE 64 IoCs
Processes:
Khpgckkb.exeKnippe32.exeKhbdikip.exeKpiljh32.exeKefdbo32.exeLpkiph32.exeLehaho32.exeLblaabdp.exeLejnmncd.exeLppbkgcj.exeLfjjga32.exeLlgcph32.exeLbqklb32.exeLikcilhh.exeLoglacfo.exeMimpolee.exeMbedga32.exeMiomdk32.exeMbhamajc.exeMplafeil.exeMidfokpm.exeMlbbkfoq.exeMfhfhong.exeMhicpg32.exeMockmala.exeNemcjk32.exeNpchgdcd.exeNgmpcn32.exeNiklpj32.exeNohehq32.exeNpgabc32.exeNcfmno32.exeNlnbgddc.exeNgdfdmdi.exeNplkmckj.exeOgfcjm32.exeOoagno32.exeOekpkigo.exeOpadhb32.exeOenlqi32.exeOpcqnb32.exeOileggkb.exeOljaccjf.exeOcdjpmac.exeOllnhb32.exeOcffempp.exePedbahod.exePcicklnn.exePjbkgfej.exePlagcbdn.exePckppl32.exePhhhhc32.exePcmlfl32.exePflibgil.exePleaoa32.exePjjahe32.exeQgnbaj32.exeQhonib32.exeQoifflkg.exeQfbobf32.exeQhakoa32.exeAokcklid.exeAgbkmijg.exeAompak32.exepid Process 4592 Khpgckkb.exe 3640 Knippe32.exe 4348 Khbdikip.exe 2632 Kpiljh32.exe 1108 Kefdbo32.exe 640 Lpkiph32.exe 1852 Lehaho32.exe 2872 Lblaabdp.exe 3076 Lejnmncd.exe 5060 Lppbkgcj.exe 2652 Lfjjga32.exe 2296 Llgcph32.exe 2468 Lbqklb32.exe 4796 Likcilhh.exe 2220 Loglacfo.exe 4596 Mimpolee.exe 2572 Mbedga32.exe 5024 Miomdk32.exe 1272 Mbhamajc.exe 1704 Mplafeil.exe 3712 Midfokpm.exe 4800 Mlbbkfoq.exe 4512 Mfhfhong.exe 1124 Mhicpg32.exe 2792 Mockmala.exe 1924 Nemcjk32.exe 2328 Npchgdcd.exe 1736 Ngmpcn32.exe 3468 Niklpj32.exe 4716 Nohehq32.exe 4148 Npgabc32.exe 1612 Ncfmno32.exe 4556 Nlnbgddc.exe 4416 Ngdfdmdi.exe 4936 Nplkmckj.exe 2412 Ogfcjm32.exe 4360 Ooagno32.exe 3880 Oekpkigo.exe 3724 Opadhb32.exe 3752 Oenlqi32.exe 3240 Opcqnb32.exe 740 Oileggkb.exe 5028 Oljaccjf.exe 3744 Ocdjpmac.exe 1816 Ollnhb32.exe 3156 Ocffempp.exe 4432 Pedbahod.exe 4588 Pcicklnn.exe 2564 Pjbkgfej.exe 4500 Plagcbdn.exe 1496 Pckppl32.exe 1292 Phhhhc32.exe 552 Pcmlfl32.exe 3568 Pflibgil.exe 852 Pleaoa32.exe 2612 Pjjahe32.exe 4508 Qgnbaj32.exe 1056 Qhonib32.exe 2100 Qoifflkg.exe 5052 Qfbobf32.exe 1028 Qhakoa32.exe 4232 Aokcklid.exe 3508 Agbkmijg.exe 4220 Aompak32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Mmkdcm32.exePdjgha32.exeOckdmmoj.exeAjohfcpj.exeAkamff32.exeAfinioip.exeKnhakh32.exeNgdfdmdi.exeAnclbkbp.exeDnmhpg32.exeFjadje32.exeBgpcliao.exeEkjded32.exeJhkbdmbg.exeKidben32.exeMimpolee.exeGhhhcomg.exeBmlilh32.exeAmnebo32.exeCancekeo.exeCkpbnb32.exeBgkiaj32.exeHehdfdek.exeFmqgpgoc.exeNimbkc32.exeAdkgje32.exeFnbcgn32.exeHbldphde.exeGkiaej32.exeMkadfj32.exeCoqncejg.exeJcphab32.exeFmfgek32.exePhcgcqab.exeLpjjmg32.exeQpbnhl32.exeCpljehpo.exeBihjfnmm.exeLqhdbm32.exeDafppp32.exeDmlkhofd.exeKefdbo32.exeOekpkigo.exeAdndoe32.exeDkbocbog.exeCocacl32.exeJlgepanl.exeOanokhdb.exeBdojjo32.exeBcddcbab.exeDjelgied.exeDmfeidbe.exePmhbqbae.exeIlnbicff.exeBkphhgfc.exeLchfib32.exeBaadiiif.exeKcpjnjii.exeDpdaepai.exeBjlpjm32.exeEfhcbodf.exedescription ioc Process File created C:\Windows\SysWOW64\Gpkpbaea.dll Mmkdcm32.exe File created C:\Windows\SysWOW64\Pmblagmf.exe Pdjgha32.exe File created C:\Windows\SysWOW64\Klhhpb32.dll Ockdmmoj.exe File created C:\Windows\SysWOW64\Lcckiibj.dll Ajohfcpj.exe File opened for modification C:\Windows\SysWOW64\Achegd32.exe Akamff32.exe File opened for modification C:\Windows\SysWOW64\Abponp32.exe Afinioip.exe File created C:\Windows\SysWOW64\Lafnnj32.dll Knhakh32.exe File opened for modification C:\Windows\SysWOW64\Nplkmckj.exe Ngdfdmdi.exe File opened for modification C:\Windows\SysWOW64\Adndoe32.exe Anclbkbp.exe File opened for modification C:\Windows\SysWOW64\Dhclmp32.exe Dnmhpg32.exe File opened for modification C:\Windows\SysWOW64\Gmbmkpie.exe Fjadje32.exe File created C:\Windows\SysWOW64\Ebggoi32.dll Bgpcliao.exe File opened for modification C:\Windows\SysWOW64\Enhpao32.exe Ekjded32.exe File created C:\Windows\SysWOW64\Kpmmljnd.dll Jhkbdmbg.exe File opened for modification C:\Windows\SysWOW64\Kpnjah32.exe Kidben32.exe File created C:\Windows\SysWOW64\Lqnlgjdd.dll Mimpolee.exe File opened for modification C:\Windows\SysWOW64\Gkgeoklj.exe Ghhhcomg.exe File opened for modification C:\Windows\SysWOW64\Bcfahbpo.exe Bmlilh32.exe File opened for modification C:\Windows\SysWOW64\Adgmoigj.exe Amnebo32.exe File created C:\Windows\SysWOW64\Cpacqg32.exe Cancekeo.exe File opened for modification C:\Windows\SysWOW64\Djqblj32.exe Ckpbnb32.exe File opened for modification C:\Windows\SysWOW64\Mbedga32.exe Mimpolee.exe File created C:\Windows\SysWOW64\Bmeandma.exe Bgkiaj32.exe File created C:\Windows\SysWOW64\Cjehdpem.dll Hehdfdek.exe File created C:\Windows\SysWOW64\Cibncf32.dll Fmqgpgoc.exe File opened for modification C:\Windows\SysWOW64\Nknobkje.exe Nimbkc32.exe File opened for modification C:\Windows\SysWOW64\Anclbkbp.exe Adkgje32.exe File created C:\Windows\SysWOW64\Hgeqca32.dll Fnbcgn32.exe File created C:\Windows\SysWOW64\Hejqldci.exe Hbldphde.exe File opened for modification C:\Windows\SysWOW64\Ggpbjkpl.exe Gkiaej32.exe File created C:\Windows\SysWOW64\Cpdfhgmd.dll Mkadfj32.exe File opened for modification C:\Windows\SysWOW64\Cpbjkn32.exe Coqncejg.exe File opened for modification C:\Windows\SysWOW64\Jjjpnlbd.exe Jcphab32.exe File created C:\Windows\SysWOW64\Nfmifiap.dll Fmfgek32.exe File opened for modification C:\Windows\SysWOW64\Pffgom32.exe Phcgcqab.exe File created C:\Windows\SysWOW64\Ipamlopb.dll Lpjjmg32.exe File opened for modification C:\Windows\SysWOW64\Qfmfefni.exe Qpbnhl32.exe File opened for modification C:\Windows\SysWOW64\Cbkfbcpb.exe Cpljehpo.exe File opened for modification C:\Windows\SysWOW64\Cpbbch32.exe Bihjfnmm.exe File opened for modification C:\Windows\SysWOW64\Lfeljd32.exe Lqhdbm32.exe File created C:\Windows\SysWOW64\Gelfeh32.dll Dafppp32.exe File created C:\Windows\SysWOW64\Dokgdkeh.exe Dmlkhofd.exe File created C:\Windows\SysWOW64\Fbbpmb32.exe Fmfgek32.exe File created C:\Windows\SysWOW64\Lpkiph32.exe Kefdbo32.exe File created C:\Windows\SysWOW64\Hcdikecn.dll Oekpkigo.exe File opened for modification C:\Windows\SysWOW64\Ahippdbe.exe Adndoe32.exe File opened for modification C:\Windows\SysWOW64\Dcigeooj.exe Dkbocbog.exe File created C:\Windows\SysWOW64\Iogkekkb.dll Cocacl32.exe File opened for modification C:\Windows\SysWOW64\Jpcapp32.exe Jlgepanl.exe File created C:\Windows\SysWOW64\Oclkgccf.exe Oanokhdb.exe File opened for modification C:\Windows\SysWOW64\Bkibgh32.exe Bdojjo32.exe File created C:\Windows\SysWOW64\Bfbaonae.exe Bcddcbab.exe File created C:\Windows\SysWOW64\Dlghoa32.exe Djelgied.exe File created C:\Windows\SysWOW64\Dpdaepai.exe Dmfeidbe.exe File opened for modification C:\Windows\SysWOW64\Padnaq32.exe Pmhbqbae.exe File opened for modification C:\Windows\SysWOW64\Ipjoja32.exe Ilnbicff.exe File created C:\Windows\SysWOW64\Ckbemgcp.exe Bkphhgfc.exe File opened for modification C:\Windows\SysWOW64\Llqjbhdc.exe Lchfib32.exe File created C:\Windows\SysWOW64\Bdpaeehj.exe Baadiiif.exe File created C:\Windows\SysWOW64\Knenkbio.exe Kcpjnjii.exe File opened for modification C:\Windows\SysWOW64\Dbcmakpl.exe Dpdaepai.exe File created C:\Windows\SysWOW64\Bljlfh32.exe Bjlpjm32.exe File created C:\Windows\SysWOW64\Ofjqihnn.exe Ockdmmoj.exe File opened for modification C:\Windows\SysWOW64\Edmclccp.exe Efhcbodf.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target Process procid_target 7964 7272 WerFault.exe 991 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Ncfmno32.exeFdnhih32.exeKifojnol.exeAfockelf.exePedbahod.exeHpofii32.exeObqanjdb.exeIjadbdoj.exeMaeachag.exeGkaclqkk.exeKcoccc32.exeCpacqg32.exeOldjcg32.exeIedjmioj.exeKgflcifg.exeIhdldn32.exeEjpfhnpe.exeNknobkje.exeMegljppl.exeLmaamn32.exeMljmhflh.exeMfhfhong.exeGaefgd32.exeIkejgf32.exeDcigeooj.exeNadleilm.exeGaebef32.exeFipbdikp.exeKqpoakco.exeAlkijdci.exePdjgha32.exeJidinqpb.exeOcffempp.exeBcinna32.exeIdahjg32.exeGejopl32.exePfojdh32.exeIhgnkkbd.exeKjeiodek.exeAjaelc32.exeHdehni32.exeFnipbc32.exeKadpdp32.exeOmalpc32.exeNjhgbp32.exeMiomdk32.exeBlqllqqa.exeClchbqoo.exeDannij32.exeEnbjad32.exeMohidbkl.exe04cc9b750ef2e04e52f599f8d33734cf0ac8bad819ab2ad903af38ed6527d6bbN.exeOekpkigo.exeDkdliame.exeHemmac32.exeCpleig32.exeInjcmc32.exeNbnlaldg.exeCbkfbcpb.exeGkgeoklj.exeHkbdki32.exeNognnj32.exeBfngdn32.exeJnhidk32.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncfmno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdnhih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kifojnol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afockelf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pedbahod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpofii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obqanjdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijadbdoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Maeachag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkaclqkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcoccc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpacqg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oldjcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iedjmioj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgflcifg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihdldn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejpfhnpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nknobkje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Megljppl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmaamn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mljmhflh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfhfhong.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaefgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikejgf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcigeooj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nadleilm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaebef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fipbdikp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kqpoakco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alkijdci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdjgha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jidinqpb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocffempp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcinna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idahjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gejopl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfojdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihgnkkbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjeiodek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajaelc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdehni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnipbc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kadpdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omalpc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njhgbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Miomdk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blqllqqa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clchbqoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dannij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enbjad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mohidbkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04cc9b750ef2e04e52f599f8d33734cf0ac8bad819ab2ad903af38ed6527d6bbN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oekpkigo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkdliame.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hemmac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpleig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Injcmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbnlaldg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbkfbcpb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkgeoklj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkbdki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nognnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfngdn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnhidk32.exe -
Modifies registry class 64 IoCs
Processes:
Ehhpla32.exeGaefgd32.exeBcfahbpo.exeOjbacd32.exeEiokinbk.exeNmjfodne.exeHaafcb32.exeCkpbnb32.exeIinqbn32.exeGemkelcd.exeAfpjel32.exeAmfobp32.exeCmgqpkip.exeAhippdbe.exeLfeljd32.exeIlfennic.exeOmopjcjp.exeIhdafkdg.exeNhokljge.exeNlnbgddc.exeHkbdki32.exeLjbfpo32.exeAlqjpi32.exeNqfbpb32.exeFiggdg32.exeDdadpdmn.exeGmcdffmq.exeMalgcg32.exeNeoieenp.exeHfhgkmpj.exeKedlip32.exeMjnnbk32.exeGphphj32.exeMcpcdg32.exeMgeakekd.exePpolhcnm.exeDdifgk32.exeEofgpikj.exeOllnhb32.exeLgcjdd32.exeNbqmiinl.exeOpeiadfg.exeNbnlaldg.exePcjiff32.exeIeidhh32.exeFbbicl32.exeBfolacnc.exeCjmpkqqj.exeQkmdkgob.exeDjhimica.exeOcaebc32.exeEkcgkb32.exeDhclmp32.exeHpfbcn32.exePbekii32.exeMhicpg32.exeAjjjocap.exeCjaifp32.exePkcadhgm.exeCjjlkk32.exeBboffejp.exeBkkple32.exeKjgeedch.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ehhpla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gaefgd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bcfahbpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ojbacd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcmgob32.dll" Eiokinbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emkbpmep.dll" Nmjfodne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Haafcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckpbnb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iinqbn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gemkelcd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afpjel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khihgadg.dll" Amfobp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cmgqpkip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moqkim32.dll" Haafcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmeddp32.dll" Ahippdbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lfeljd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffdihjbp.dll" Ilfennic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omopjcjp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ihdafkdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhokljge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlnbgddc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogjkhmfa.dll" Hkbdki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljbfpo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Alqjpi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nqfbpb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Figgdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddadpdmn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmcdffmq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Malgcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgnfmhaj.dll" Neoieenp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hohahelb.dll" Hfhgkmpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kedlip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pninea32.dll" Mjnnbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gphphj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcpcdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eleqaiga.dll" Mgeakekd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ppolhcnm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddifgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eofgpikj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ollnhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgcjdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oipckj32.dll" Nbqmiinl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gadiippo.dll" Opeiadfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nbnlaldg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlgkbp32.dll" Pcjiff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljcpchlo.dll" Ieidhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgkeml32.dll" Fbbicl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifcmmg32.dll" Bfolacnc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjmpkqqj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qkmdkgob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djhimica.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ocaebc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ekcgkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehcplf32.dll" Dhclmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpfbcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpqgeihg.dll" Pbekii32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhicpg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajjjocap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjaifp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkcadhgm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjjlkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bboffejp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkkple32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjgeedch.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
04cc9b750ef2e04e52f599f8d33734cf0ac8bad819ab2ad903af38ed6527d6bbN.exeKhpgckkb.exeKnippe32.exeKhbdikip.exeKpiljh32.exeKefdbo32.exeLpkiph32.exeLehaho32.exeLblaabdp.exeLejnmncd.exeLppbkgcj.exeLfjjga32.exeLlgcph32.exeLbqklb32.exeLikcilhh.exeLoglacfo.exeMimpolee.exeMbedga32.exeMiomdk32.exeMbhamajc.exeMplafeil.exeMidfokpm.exedescription pid Process procid_target PID 2016 wrote to memory of 4592 2016 04cc9b750ef2e04e52f599f8d33734cf0ac8bad819ab2ad903af38ed6527d6bbN.exe 83 PID 2016 wrote to memory of 4592 2016 04cc9b750ef2e04e52f599f8d33734cf0ac8bad819ab2ad903af38ed6527d6bbN.exe 83 PID 2016 wrote to memory of 4592 2016 04cc9b750ef2e04e52f599f8d33734cf0ac8bad819ab2ad903af38ed6527d6bbN.exe 83 PID 4592 wrote to memory of 3640 4592 Khpgckkb.exe 84 PID 4592 wrote to memory of 3640 4592 Khpgckkb.exe 84 PID 4592 wrote to memory of 3640 4592 Khpgckkb.exe 84 PID 3640 wrote to memory of 4348 3640 Knippe32.exe 85 PID 3640 wrote to memory of 4348 3640 Knippe32.exe 85 PID 3640 wrote to memory of 4348 3640 Knippe32.exe 85 PID 4348 wrote to memory of 2632 4348 Khbdikip.exe 86 PID 4348 wrote to memory of 2632 4348 Khbdikip.exe 86 PID 4348 wrote to memory of 2632 4348 Khbdikip.exe 86 PID 2632 wrote to memory of 1108 2632 Kpiljh32.exe 87 PID 2632 wrote to memory of 1108 2632 Kpiljh32.exe 87 PID 2632 wrote to memory of 1108 2632 Kpiljh32.exe 87 PID 1108 wrote to memory of 640 1108 Kefdbo32.exe 88 PID 1108 wrote to memory of 640 1108 Kefdbo32.exe 88 PID 1108 wrote to memory of 640 1108 Kefdbo32.exe 88 PID 640 wrote to memory of 1852 640 Lpkiph32.exe 89 PID 640 wrote to memory of 1852 640 Lpkiph32.exe 89 PID 640 wrote to memory of 1852 640 Lpkiph32.exe 89 PID 1852 wrote to memory of 2872 1852 Lehaho32.exe 90 PID 1852 wrote to memory of 2872 1852 Lehaho32.exe 90 PID 1852 wrote to memory of 2872 1852 Lehaho32.exe 90 PID 2872 wrote to memory of 3076 2872 Lblaabdp.exe 91 PID 2872 wrote to memory of 3076 2872 Lblaabdp.exe 91 PID 2872 wrote to memory of 3076 2872 Lblaabdp.exe 91 PID 3076 wrote to memory of 5060 3076 Lejnmncd.exe 92 PID 3076 wrote to memory of 5060 3076 Lejnmncd.exe 92 PID 3076 wrote to memory of 5060 3076 Lejnmncd.exe 92 PID 5060 wrote to memory of 2652 5060 Lppbkgcj.exe 93 PID 5060 wrote to memory of 2652 5060 Lppbkgcj.exe 93 PID 5060 wrote to memory of 2652 5060 Lppbkgcj.exe 93 PID 2652 wrote to memory of 2296 2652 Lfjjga32.exe 94 PID 2652 wrote to memory of 2296 2652 Lfjjga32.exe 94 PID 2652 wrote to memory of 2296 2652 Lfjjga32.exe 94 PID 2296 wrote to memory of 2468 2296 Llgcph32.exe 95 PID 2296 wrote to memory of 2468 2296 Llgcph32.exe 95 PID 2296 wrote to memory of 2468 2296 Llgcph32.exe 95 PID 2468 wrote to memory of 4796 2468 Lbqklb32.exe 96 PID 2468 wrote to memory of 4796 2468 Lbqklb32.exe 96 PID 2468 wrote to memory of 4796 2468 Lbqklb32.exe 96 PID 4796 wrote to memory of 2220 4796 Likcilhh.exe 97 PID 4796 wrote to memory of 2220 4796 Likcilhh.exe 97 PID 4796 wrote to memory of 2220 4796 Likcilhh.exe 97 PID 2220 wrote to memory of 4596 2220 Loglacfo.exe 98 PID 2220 wrote to memory of 4596 2220 Loglacfo.exe 98 PID 2220 wrote to memory of 4596 2220 Loglacfo.exe 98 PID 4596 wrote to memory of 2572 4596 Mimpolee.exe 99 PID 4596 wrote to memory of 2572 4596 Mimpolee.exe 99 PID 4596 wrote to memory of 2572 4596 Mimpolee.exe 99 PID 2572 wrote to memory of 5024 2572 Mbedga32.exe 100 PID 2572 wrote to memory of 5024 2572 Mbedga32.exe 100 PID 2572 wrote to memory of 5024 2572 Mbedga32.exe 100 PID 5024 wrote to memory of 1272 5024 Miomdk32.exe 101 PID 5024 wrote to memory of 1272 5024 Miomdk32.exe 101 PID 5024 wrote to memory of 1272 5024 Miomdk32.exe 101 PID 1272 wrote to memory of 1704 1272 Mbhamajc.exe 102 PID 1272 wrote to memory of 1704 1272 Mbhamajc.exe 102 PID 1272 wrote to memory of 1704 1272 Mbhamajc.exe 102 PID 1704 wrote to memory of 3712 1704 Mplafeil.exe 103 PID 1704 wrote to memory of 3712 1704 Mplafeil.exe 103 PID 1704 wrote to memory of 3712 1704 Mplafeil.exe 103 PID 3712 wrote to memory of 4800 3712 Midfokpm.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\04cc9b750ef2e04e52f599f8d33734cf0ac8bad819ab2ad903af38ed6527d6bbN.exe"C:\Users\Admin\AppData\Local\Temp\04cc9b750ef2e04e52f599f8d33734cf0ac8bad819ab2ad903af38ed6527d6bbN.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\SysWOW64\Khpgckkb.exeC:\Windows\system32\Khpgckkb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4592 -
C:\Windows\SysWOW64\Knippe32.exeC:\Windows\system32\Knippe32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3640 -
C:\Windows\SysWOW64\Khbdikip.exeC:\Windows\system32\Khbdikip.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4348 -
C:\Windows\SysWOW64\Kpiljh32.exeC:\Windows\system32\Kpiljh32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Kefdbo32.exeC:\Windows\system32\Kefdbo32.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1108 -
C:\Windows\SysWOW64\Lpkiph32.exeC:\Windows\system32\Lpkiph32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:640 -
C:\Windows\SysWOW64\Lehaho32.exeC:\Windows\system32\Lehaho32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1852 -
C:\Windows\SysWOW64\Lblaabdp.exeC:\Windows\system32\Lblaabdp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\Lejnmncd.exeC:\Windows\system32\Lejnmncd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3076 -
C:\Windows\SysWOW64\Lppbkgcj.exeC:\Windows\system32\Lppbkgcj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5060 -
C:\Windows\SysWOW64\Lfjjga32.exeC:\Windows\system32\Lfjjga32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Llgcph32.exeC:\Windows\system32\Llgcph32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\SysWOW64\Lbqklb32.exeC:\Windows\system32\Lbqklb32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\Likcilhh.exeC:\Windows\system32\Likcilhh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4796 -
C:\Windows\SysWOW64\Loglacfo.exeC:\Windows\system32\Loglacfo.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Windows\SysWOW64\Mimpolee.exeC:\Windows\system32\Mimpolee.exe17⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4596 -
C:\Windows\SysWOW64\Mbedga32.exeC:\Windows\system32\Mbedga32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\SysWOW64\Miomdk32.exeC:\Windows\system32\Miomdk32.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5024 -
C:\Windows\SysWOW64\Mbhamajc.exeC:\Windows\system32\Mbhamajc.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1272 -
C:\Windows\SysWOW64\Mplafeil.exeC:\Windows\system32\Mplafeil.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Windows\SysWOW64\Midfokpm.exeC:\Windows\system32\Midfokpm.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3712 -
C:\Windows\SysWOW64\Mlbbkfoq.exeC:\Windows\system32\Mlbbkfoq.exe23⤵
- Executes dropped EXE
PID:4800 -
C:\Windows\SysWOW64\Mfhfhong.exeC:\Windows\system32\Mfhfhong.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4512 -
C:\Windows\SysWOW64\Mhicpg32.exeC:\Windows\system32\Mhicpg32.exe25⤵
- Executes dropped EXE
- Modifies registry class
PID:1124 -
C:\Windows\SysWOW64\Mockmala.exeC:\Windows\system32\Mockmala.exe26⤵
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Nemcjk32.exeC:\Windows\system32\Nemcjk32.exe27⤵
- Executes dropped EXE
PID:1924 -
C:\Windows\SysWOW64\Npchgdcd.exeC:\Windows\system32\Npchgdcd.exe28⤵
- Executes dropped EXE
PID:2328 -
C:\Windows\SysWOW64\Ngmpcn32.exeC:\Windows\system32\Ngmpcn32.exe29⤵
- Executes dropped EXE
PID:1736 -
C:\Windows\SysWOW64\Niklpj32.exeC:\Windows\system32\Niklpj32.exe30⤵
- Executes dropped EXE
PID:3468 -
C:\Windows\SysWOW64\Nohehq32.exeC:\Windows\system32\Nohehq32.exe31⤵
- Executes dropped EXE
PID:4716 -
C:\Windows\SysWOW64\Npgabc32.exeC:\Windows\system32\Npgabc32.exe32⤵
- Executes dropped EXE
PID:4148 -
C:\Windows\SysWOW64\Ncfmno32.exeC:\Windows\system32\Ncfmno32.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1612 -
C:\Windows\SysWOW64\Nlnbgddc.exeC:\Windows\system32\Nlnbgddc.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:4556 -
C:\Windows\SysWOW64\Ngdfdmdi.exeC:\Windows\system32\Ngdfdmdi.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4416 -
C:\Windows\SysWOW64\Nplkmckj.exeC:\Windows\system32\Nplkmckj.exe36⤵
- Executes dropped EXE
PID:4936 -
C:\Windows\SysWOW64\Ogfcjm32.exeC:\Windows\system32\Ogfcjm32.exe37⤵
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Ooagno32.exeC:\Windows\system32\Ooagno32.exe38⤵
- Executes dropped EXE
PID:4360 -
C:\Windows\SysWOW64\Oekpkigo.exeC:\Windows\system32\Oekpkigo.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3880 -
C:\Windows\SysWOW64\Opadhb32.exeC:\Windows\system32\Opadhb32.exe40⤵
- Executes dropped EXE
PID:3724 -
C:\Windows\SysWOW64\Oenlqi32.exeC:\Windows\system32\Oenlqi32.exe41⤵
- Executes dropped EXE
PID:3752 -
C:\Windows\SysWOW64\Opcqnb32.exeC:\Windows\system32\Opcqnb32.exe42⤵
- Executes dropped EXE
PID:3240 -
C:\Windows\SysWOW64\Oileggkb.exeC:\Windows\system32\Oileggkb.exe43⤵
- Executes dropped EXE
PID:740 -
C:\Windows\SysWOW64\Oljaccjf.exeC:\Windows\system32\Oljaccjf.exe44⤵
- Executes dropped EXE
PID:5028 -
C:\Windows\SysWOW64\Ocdjpmac.exeC:\Windows\system32\Ocdjpmac.exe45⤵
- Executes dropped EXE
PID:3744 -
C:\Windows\SysWOW64\Ollnhb32.exeC:\Windows\system32\Ollnhb32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1816 -
C:\Windows\SysWOW64\Ocffempp.exeC:\Windows\system32\Ocffempp.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3156 -
C:\Windows\SysWOW64\Pedbahod.exeC:\Windows\system32\Pedbahod.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4432 -
C:\Windows\SysWOW64\Pcicklnn.exeC:\Windows\system32\Pcicklnn.exe49⤵
- Executes dropped EXE
PID:4588 -
C:\Windows\SysWOW64\Pjbkgfej.exeC:\Windows\system32\Pjbkgfej.exe50⤵
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Plagcbdn.exeC:\Windows\system32\Plagcbdn.exe51⤵
- Executes dropped EXE
PID:4500 -
C:\Windows\SysWOW64\Pckppl32.exeC:\Windows\system32\Pckppl32.exe52⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Phhhhc32.exeC:\Windows\system32\Phhhhc32.exe53⤵
- Executes dropped EXE
PID:1292 -
C:\Windows\SysWOW64\Pcmlfl32.exeC:\Windows\system32\Pcmlfl32.exe54⤵
- Executes dropped EXE
PID:552 -
C:\Windows\SysWOW64\Pflibgil.exeC:\Windows\system32\Pflibgil.exe55⤵
- Executes dropped EXE
PID:3568 -
C:\Windows\SysWOW64\Pleaoa32.exeC:\Windows\system32\Pleaoa32.exe56⤵
- Executes dropped EXE
PID:852 -
C:\Windows\SysWOW64\Pjjahe32.exeC:\Windows\system32\Pjjahe32.exe57⤵
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Qgnbaj32.exeC:\Windows\system32\Qgnbaj32.exe58⤵
- Executes dropped EXE
PID:4508 -
C:\Windows\SysWOW64\Qhonib32.exeC:\Windows\system32\Qhonib32.exe59⤵
- Executes dropped EXE
PID:1056 -
C:\Windows\SysWOW64\Qoifflkg.exeC:\Windows\system32\Qoifflkg.exe60⤵
- Executes dropped EXE
PID:2100 -
C:\Windows\SysWOW64\Qfbobf32.exeC:\Windows\system32\Qfbobf32.exe61⤵
- Executes dropped EXE
PID:5052 -
C:\Windows\SysWOW64\Qhakoa32.exeC:\Windows\system32\Qhakoa32.exe62⤵
- Executes dropped EXE
PID:1028 -
C:\Windows\SysWOW64\Aokcklid.exeC:\Windows\system32\Aokcklid.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4232 -
C:\Windows\SysWOW64\Agbkmijg.exeC:\Windows\system32\Agbkmijg.exe64⤵
- Executes dropped EXE
PID:3508 -
C:\Windows\SysWOW64\Aompak32.exeC:\Windows\system32\Aompak32.exe65⤵
- Executes dropped EXE
PID:4220 -
C:\Windows\SysWOW64\Ahfdjanb.exeC:\Windows\system32\Ahfdjanb.exe66⤵PID:1628
-
C:\Windows\SysWOW64\Aopmfk32.exeC:\Windows\system32\Aopmfk32.exe67⤵PID:4788
-
C:\Windows\SysWOW64\Ackigjmh.exeC:\Windows\system32\Ackigjmh.exe68⤵PID:3316
-
C:\Windows\SysWOW64\Aqoiqn32.exeC:\Windows\system32\Aqoiqn32.exe69⤵PID:4576
-
C:\Windows\SysWOW64\Amfjeobf.exeC:\Windows\system32\Amfjeobf.exe70⤵PID:3108
-
C:\Windows\SysWOW64\Ajjjocap.exeC:\Windows\system32\Ajjjocap.exe71⤵
- Modifies registry class
PID:4160 -
C:\Windows\SysWOW64\Biogppeg.exeC:\Windows\system32\Biogppeg.exe72⤵PID:3764
-
C:\Windows\SysWOW64\Bcelmhen.exeC:\Windows\system32\Bcelmhen.exe73⤵PID:936
-
C:\Windows\SysWOW64\Bmmpfn32.exeC:\Windows\system32\Bmmpfn32.exe74⤵PID:1620
-
C:\Windows\SysWOW64\Bjaqpbkh.exeC:\Windows\system32\Bjaqpbkh.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:624 -
C:\Windows\SysWOW64\Bciehh32.exeC:\Windows\system32\Bciehh32.exe76⤵PID:2176
-
C:\Windows\SysWOW64\Bmbiamhi.exeC:\Windows\system32\Bmbiamhi.exe77⤵PID:4292
-
C:\Windows\SysWOW64\Bclang32.exeC:\Windows\system32\Bclang32.exe78⤵PID:3368
-
C:\Windows\SysWOW64\Bihjfnmm.exeC:\Windows\system32\Bihjfnmm.exe79⤵
- Drops file in System32 directory
PID:2324 -
C:\Windows\SysWOW64\Cpbbch32.exeC:\Windows\system32\Cpbbch32.exe80⤵PID:2024
-
C:\Windows\SysWOW64\Ccnncgmc.exeC:\Windows\system32\Ccnncgmc.exe81⤵PID:3788
-
C:\Windows\SysWOW64\Cmfclm32.exeC:\Windows\system32\Cmfclm32.exe82⤵PID:4600
-
C:\Windows\SysWOW64\Cpeohh32.exeC:\Windows\system32\Cpeohh32.exe83⤵PID:636
-
C:\Windows\SysWOW64\Cimcan32.exeC:\Windows\system32\Cimcan32.exe84⤵PID:1968
-
C:\Windows\SysWOW64\Cpglnhad.exeC:\Windows\system32\Cpglnhad.exe85⤵PID:2644
-
C:\Windows\SysWOW64\Cjmpkqqj.exeC:\Windows\system32\Cjmpkqqj.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2428 -
C:\Windows\SysWOW64\Caghhk32.exeC:\Windows\system32\Caghhk32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1392 -
C:\Windows\SysWOW64\Cfcqpa32.exeC:\Windows\system32\Cfcqpa32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2216 -
C:\Windows\SysWOW64\Cibmlmeb.exeC:\Windows\system32\Cibmlmeb.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2192 -
C:\Windows\SysWOW64\Cpleig32.exeC:\Windows\system32\Cpleig32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1288 -
C:\Windows\SysWOW64\Cgcmjd32.exeC:\Windows\system32\Cgcmjd32.exe91⤵PID:3472
-
C:\Windows\SysWOW64\Cjaifp32.exeC:\Windows\system32\Cjaifp32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2340 -
C:\Windows\SysWOW64\Dmpfbk32.exeC:\Windows\system32\Dmpfbk32.exe93⤵PID:4836
-
C:\Windows\SysWOW64\Dgejpd32.exeC:\Windows\system32\Dgejpd32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2160 -
C:\Windows\SysWOW64\Dannij32.exeC:\Windows\system32\Dannij32.exe95⤵
- System Location Discovery: System Language Discovery
PID:3936 -
C:\Windows\SysWOW64\Dclkee32.exeC:\Windows\system32\Dclkee32.exe96⤵PID:1624
-
C:\Windows\SysWOW64\Djfcaohp.exeC:\Windows\system32\Djfcaohp.exe97⤵PID:3028
-
C:\Windows\SysWOW64\Diicml32.exeC:\Windows\system32\Diicml32.exe98⤵PID:880
-
C:\Windows\SysWOW64\Dapkni32.exeC:\Windows\system32\Dapkni32.exe99⤵PID:5072
-
C:\Windows\SysWOW64\Dfmcfp32.exeC:\Windows\system32\Dfmcfp32.exe100⤵PID:4804
-
C:\Windows\SysWOW64\Dmglcj32.exeC:\Windows\system32\Dmglcj32.exe101⤵PID:1812
-
C:\Windows\SysWOW64\Dabhdinj.exeC:\Windows\system32\Dabhdinj.exe102⤵PID:4436
-
C:\Windows\SysWOW64\Ddadpdmn.exeC:\Windows\system32\Ddadpdmn.exe103⤵
- Modifies registry class
PID:5168 -
C:\Windows\SysWOW64\Djklmo32.exeC:\Windows\system32\Djklmo32.exe104⤵PID:5220
-
C:\Windows\SysWOW64\Dpgeee32.exeC:\Windows\system32\Dpgeee32.exe105⤵PID:5268
-
C:\Windows\SysWOW64\Epjajeqo.exeC:\Windows\system32\Epjajeqo.exe106⤵PID:5312
-
C:\Windows\SysWOW64\Ejpfhnpe.exeC:\Windows\system32\Ejpfhnpe.exe107⤵
- System Location Discovery: System Language Discovery
PID:5360 -
C:\Windows\SysWOW64\Ealkjh32.exeC:\Windows\system32\Ealkjh32.exe108⤵PID:5404
-
C:\Windows\SysWOW64\Efhcbodf.exeC:\Windows\system32\Efhcbodf.exe109⤵
- Drops file in System32 directory
PID:5448 -
C:\Windows\SysWOW64\Edmclccp.exeC:\Windows\system32\Edmclccp.exe110⤵PID:5488
-
C:\Windows\SysWOW64\Ehhpla32.exeC:\Windows\system32\Ehhpla32.exe111⤵
- Modifies registry class
PID:5532 -
C:\Windows\SysWOW64\Eiildjag.exeC:\Windows\system32\Eiildjag.exe112⤵PID:5576
-
C:\Windows\SysWOW64\Efmmmn32.exeC:\Windows\system32\Efmmmn32.exe113⤵PID:5620
-
C:\Windows\SysWOW64\Fdamgb32.exeC:\Windows\system32\Fdamgb32.exe114⤵PID:5676
-
C:\Windows\SysWOW64\Ffpicn32.exeC:\Windows\system32\Ffpicn32.exe115⤵PID:5720
-
C:\Windows\SysWOW64\Fmjaphek.exeC:\Windows\system32\Fmjaphek.exe116⤵PID:5768
-
C:\Windows\SysWOW64\Fphnlcdo.exeC:\Windows\system32\Fphnlcdo.exe117⤵PID:5812
-
C:\Windows\SysWOW64\Fipbdikp.exeC:\Windows\system32\Fipbdikp.exe118⤵
- System Location Discovery: System Language Discovery
PID:5856 -
C:\Windows\SysWOW64\Fhabbp32.exeC:\Windows\system32\Fhabbp32.exe119⤵PID:5904
-
C:\Windows\SysWOW64\Fajgkfio.exeC:\Windows\system32\Fajgkfio.exe120⤵PID:5948
-
C:\Windows\SysWOW64\Fhdohp32.exeC:\Windows\system32\Fhdohp32.exe121⤵PID:5992
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-