Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
23-11-2024 02:44
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b5d76945b821090553b5eefad0ef437c86c282ec35aee67ada10392ab80dfd6f.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
b5d76945b821090553b5eefad0ef437c86c282ec35aee67ada10392ab80dfd6f.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
10 signatures
150 seconds
General
-
Target
b5d76945b821090553b5eefad0ef437c86c282ec35aee67ada10392ab80dfd6f.exe
-
Size
640KB
-
MD5
d6aa77d1a2930a6282309045ed950b38
-
SHA1
749c014d59f1de7f7654c610071bda68b3c260b3
-
SHA256
b5d76945b821090553b5eefad0ef437c86c282ec35aee67ada10392ab80dfd6f
-
SHA512
e7309b22a0e560fd0aa76595427a0ad33631b6cf6a833850aaa87215c7b7752291c9bbb8f076e1b530007adf7eb128e5db97325e688e4bfdecdf476efcd7b334
-
SSDEEP
12288:pOibdvV6IvBaSHaMaZRBEYyqmaf2qwiHPKgRC4gvGZ+C8lMuk:pOOtaSHFaZRBEYyqmaf2qwiHPKgRC4gI
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Gjfgqk32.exeOonldcih.exeOgiaif32.exeAcfdnihk.exeFgnadkic.exeGfhgpg32.exeOhkaco32.exeQinjgbpg.exeBjmbqhif.exeIfffkncm.exePljcllqe.exeDeollamj.exeBaigca32.exeNhdhif32.exeAdcdbl32.exeFajbke32.exeIjehdl32.exeHinqgg32.exeIdfnicfl.exeCmmagpef.exeGnpflj32.exeMpbdnk32.exePhnnho32.exePohfehdi.exeHboddk32.exeGbfiaj32.exeLcaiiejc.exeAodkci32.exeCbepdhgc.exeGfejjgli.exeCmpgpond.exeBleeioil.exeBeackp32.exeMmdjkhdh.exeIipiljgf.exeKdpfadlm.exeEklqcl32.exeOoqpdj32.exeBmbemb32.exeCjmopkla.exeHfpdkl32.exeIoakoq32.exeAfjjed32.exeGmpcgace.exeCaifjn32.exePnopldgn.exeEkjgpm32.exeKpadhg32.exeIhbcmaje.exeAkcldl32.exeHdlkcdog.exeQnghel32.exeBjpaop32.exeJnkakl32.exeLkakicam.exeLkdhoc32.exeCfnoogbo.exeGkglnm32.exeLdpbpgoh.exeJnpkflne.exeElajgpmj.exePgnjde32.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjfgqk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oonldcih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogiaif32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acfdnihk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgnadkic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfhgpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohkaco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qinjgbpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjmbqhif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifffkncm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pljcllqe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deollamj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baigca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhdhif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adcdbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fajbke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijehdl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hinqgg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idfnicfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmmagpef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fajbke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnpflj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpbdnk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phnnho32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pohfehdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hboddk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbfiaj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcaiiejc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aodkci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbepdhgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfejjgli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmpgpond.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bleeioil.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Beackp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmdjkhdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iipiljgf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdpfadlm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eklqcl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ooqpdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmbemb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjmopkla.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfpdkl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioakoq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afjjed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmpcgace.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Caifjn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnopldgn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekjgpm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpadhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihbcmaje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akcldl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdlkcdog.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qnghel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjpaop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnkakl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkakicam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkdhoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfnoogbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkglnm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldpbpgoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnpkflne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elajgpmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Baigca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgnjde32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Jgqpkc32.exeJjomgo32.exeJpiedieo.exeJajala32.exeKklikejc.exeKnjegqif.exeKqknil32.exeLbackc32.exeLiklhmom.exeLjabkeaf.exeMeffhnal.exeMpbdnk32.exeMikhgqbi.exeNhdocl32.exeNblpfepo.exeNdpicm32.exeNkjapglg.exeOlpgconp.exeOdgodl32.exeOpnpimdf.exeOoqpdj32.exeOghhfg32.exeOldpnn32.exeOemegc32.exeOhkaco32.exePhnnho32.exePohfehdi.exePgckjk32.exePojbkh32.exePkacpihj.exePnopldgn.exePjfpafmb.exePmdmmalf.exeQmgibqjc.exeQinjgbpg.exeQmifhq32.exeAfajafoa.exeAfdgfelo.exeAibcba32.exeAkcldl32.exeAnahqh32.exeAekqmbod.exeAkeijlfq.exeAcqnnndl.exeAkhfoldn.exeBnfblgca.exeBjmbqhif.exeBagkmb32.exeBgqcjlhp.exeBaigca32.exeBcgdom32.exeBjallg32.exeBpnddn32.exeBfhmqhkd.exeBmbemb32.exeBleeioil.exeBfkifhib.exeClgbno32.exeCofnjj32.exeCadjgf32.exeCjmopkla.exeCohkpj32.exeCafgle32.exeCdecha32.exepid Process 2740 Jgqpkc32.exe 2772 Jjomgo32.exe 2568 Jpiedieo.exe 2828 Jajala32.exe 2556 Kklikejc.exe 2604 Knjegqif.exe 2996 Kqknil32.exe 2164 Lbackc32.exe 2056 Liklhmom.exe 1760 Ljabkeaf.exe 664 Meffhnal.exe 1440 Mpbdnk32.exe 1484 Mikhgqbi.exe 2544 Nhdocl32.exe 1508 Nblpfepo.exe 376 Ndpicm32.exe 2224 Nkjapglg.exe 1352 Olpgconp.exe 1812 Odgodl32.exe 1724 Opnpimdf.exe 900 Ooqpdj32.exe 2908 Oghhfg32.exe 2484 Oldpnn32.exe 616 Oemegc32.exe 884 Ohkaco32.exe 2096 Phnnho32.exe 2796 Pohfehdi.exe 2664 Pgckjk32.exe 2840 Pojbkh32.exe 2752 Pkacpihj.exe 2820 Pnopldgn.exe 1748 Pjfpafmb.exe 2580 Pmdmmalf.exe 2656 Qmgibqjc.exe 2196 Qinjgbpg.exe 2472 Qmifhq32.exe 1228 Afajafoa.exe 840 Afdgfelo.exe 1280 Aibcba32.exe 2500 Akcldl32.exe 2264 Anahqh32.exe 2208 Aekqmbod.exe 1476 Akeijlfq.exe 1704 Acqnnndl.exe 1632 Akhfoldn.exe 1384 Bnfblgca.exe 1708 Bjmbqhif.exe 2892 Bagkmb32.exe 696 Bgqcjlhp.exe 2876 Baigca32.exe 1616 Bcgdom32.exe 1620 Bjallg32.exe 2448 Bpnddn32.exe 2672 Bfhmqhkd.exe 2080 Bmbemb32.exe 2732 Bleeioil.exe 2168 Bfkifhib.exe 2116 Clgbno32.exe 1972 Cofnjj32.exe 1316 Cadjgf32.exe 1140 Cjmopkla.exe 2452 Cohkpj32.exe 1672 Cafgle32.exe 1324 Cdecha32.exe -
Loads dropped DLL 64 IoCs
Processes:
b5d76945b821090553b5eefad0ef437c86c282ec35aee67ada10392ab80dfd6f.exeJgqpkc32.exeJjomgo32.exeJpiedieo.exeJajala32.exeKklikejc.exeKnjegqif.exeKqknil32.exeLbackc32.exeLiklhmom.exeLjabkeaf.exeMeffhnal.exeMpbdnk32.exeMikhgqbi.exeNhdocl32.exeNblpfepo.exeNdpicm32.exeNkjapglg.exeOlpgconp.exeOdgodl32.exeOpnpimdf.exeOoqpdj32.exeOghhfg32.exeOldpnn32.exeOemegc32.exeOhkaco32.exePhnnho32.exePohfehdi.exePgckjk32.exePojbkh32.exePkacpihj.exePnopldgn.exepid Process 3036 b5d76945b821090553b5eefad0ef437c86c282ec35aee67ada10392ab80dfd6f.exe 3036 b5d76945b821090553b5eefad0ef437c86c282ec35aee67ada10392ab80dfd6f.exe 2740 Jgqpkc32.exe 2740 Jgqpkc32.exe 2772 Jjomgo32.exe 2772 Jjomgo32.exe 2568 Jpiedieo.exe 2568 Jpiedieo.exe 2828 Jajala32.exe 2828 Jajala32.exe 2556 Kklikejc.exe 2556 Kklikejc.exe 2604 Knjegqif.exe 2604 Knjegqif.exe 2996 Kqknil32.exe 2996 Kqknil32.exe 2164 Lbackc32.exe 2164 Lbackc32.exe 2056 Liklhmom.exe 2056 Liklhmom.exe 1760 Ljabkeaf.exe 1760 Ljabkeaf.exe 664 Meffhnal.exe 664 Meffhnal.exe 1440 Mpbdnk32.exe 1440 Mpbdnk32.exe 1484 Mikhgqbi.exe 1484 Mikhgqbi.exe 2544 Nhdocl32.exe 2544 Nhdocl32.exe 1508 Nblpfepo.exe 1508 Nblpfepo.exe 376 Ndpicm32.exe 376 Ndpicm32.exe 2224 Nkjapglg.exe 2224 Nkjapglg.exe 1352 Olpgconp.exe 1352 Olpgconp.exe 1812 Odgodl32.exe 1812 Odgodl32.exe 1724 Opnpimdf.exe 1724 Opnpimdf.exe 900 Ooqpdj32.exe 900 Ooqpdj32.exe 2908 Oghhfg32.exe 2908 Oghhfg32.exe 2484 Oldpnn32.exe 2484 Oldpnn32.exe 616 Oemegc32.exe 616 Oemegc32.exe 884 Ohkaco32.exe 884 Ohkaco32.exe 2096 Phnnho32.exe 2096 Phnnho32.exe 2796 Pohfehdi.exe 2796 Pohfehdi.exe 2664 Pgckjk32.exe 2664 Pgckjk32.exe 2840 Pojbkh32.exe 2840 Pojbkh32.exe 2752 Pkacpihj.exe 2752 Pkacpihj.exe 2820 Pnopldgn.exe 2820 Pnopldgn.exe -
Drops file in System32 directory 64 IoCs
Processes:
Kqknil32.exeIfdjeoep.exeImahkg32.exeMdghaf32.exeNhlgmd32.exePkaehb32.exeQkfocaki.exeAccqnc32.exeOdgodl32.exeKcdjoaee.exeAqonbm32.exeNdpicm32.exeAkcldl32.exeFcjeon32.exeAcnjnh32.exeGncldi32.exeCbffoabe.exeEamilh32.exeQinjgbpg.exeCohkpj32.exeKghpoa32.exeBgffhkoj.exeDeollamj.exeIhdpbq32.exeJondnnbk.exeNnoiio32.exeBgllgedi.exeOpnpimdf.exeGnpflj32.exeHfmddp32.exeIipiljgf.exeMpbdnk32.exeNhdocl32.exeOpaebkmc.exeAjcipc32.exeJdpjba32.exeBigkel32.exeAkeijlfq.exeBjmbqhif.exeGjfgqk32.exeHnmeen32.exeMeffhnal.exeEheecbia.exeEkjgpm32.exeEcfldoph.exeLmljgj32.exePegqpacp.exeJkchmo32.exeKgqocoin.exeLiklhmom.exeEoajel32.exeCblfdg32.exeCdecha32.exeDebplg32.exeFajbke32.exeHfhcoj32.exeIhbcmaje.exeJimbkh32.exeOoqpdj32.exeFhgnge32.exedescription ioc Process File created C:\Windows\SysWOW64\Lbackc32.exe Kqknil32.exe File opened for modification C:\Windows\SysWOW64\Iibfajdc.exe Ifdjeoep.exe File opened for modification C:\Windows\SysWOW64\Idkpganf.exe Imahkg32.exe File created C:\Windows\SysWOW64\Fffgkhmc.dll Mdghaf32.exe File created C:\Windows\SysWOW64\Oadkej32.exe Nhlgmd32.exe File created C:\Windows\SysWOW64\Pdjjag32.exe Pkaehb32.exe File opened for modification C:\Windows\SysWOW64\Qlgkki32.exe Qkfocaki.exe File created C:\Windows\SysWOW64\Ahpifj32.exe Accqnc32.exe File created C:\Windows\SysWOW64\Kqkfag32.dll Odgodl32.exe File created C:\Windows\SysWOW64\Kdefgj32.exe Kcdjoaee.exe File created C:\Windows\SysWOW64\Acnjnh32.exe Aqonbm32.exe File created C:\Windows\SysWOW64\Nkjapglg.exe Ndpicm32.exe File opened for modification C:\Windows\SysWOW64\Opnpimdf.exe Odgodl32.exe File opened for modification C:\Windows\SysWOW64\Anahqh32.exe Akcldl32.exe File created C:\Windows\SysWOW64\Ffibkj32.exe Fcjeon32.exe File opened for modification C:\Windows\SysWOW64\Aijbfo32.exe Acnjnh32.exe File created C:\Windows\SysWOW64\Apoldh32.dll Gncldi32.exe File created C:\Windows\SysWOW64\Onaiomjo.dll Cbffoabe.exe File created C:\Windows\SysWOW64\Ipfeceln.dll Eamilh32.exe File opened for modification C:\Windows\SysWOW64\Qmifhq32.exe Qinjgbpg.exe File opened for modification C:\Windows\SysWOW64\Cafgle32.exe Cohkpj32.exe File created C:\Windows\SysWOW64\Kpadhg32.exe Kghpoa32.exe File opened for modification C:\Windows\SysWOW64\Bmcnqama.exe Bgffhkoj.exe File created C:\Windows\SysWOW64\Dqlapaeh.dll Deollamj.exe File opened for modification C:\Windows\SysWOW64\Imahkg32.exe Ihdpbq32.exe File created C:\Windows\SysWOW64\Gcighi32.dll Jondnnbk.exe File opened for modification C:\Windows\SysWOW64\Neiaeiii.exe Nnoiio32.exe File opened for modification C:\Windows\SysWOW64\Bbbpenco.exe Bgllgedi.exe File created C:\Windows\SysWOW64\Ooqpdj32.exe Opnpimdf.exe File created C:\Windows\SysWOW64\Cfohbd32.dll Gnpflj32.exe File created C:\Windows\SysWOW64\Hndlem32.exe Hfmddp32.exe File created C:\Windows\SysWOW64\Bnjghm32.dll Iipiljgf.exe File opened for modification C:\Windows\SysWOW64\Mikhgqbi.exe Mpbdnk32.exe File opened for modification C:\Windows\SysWOW64\Nblpfepo.exe Nhdocl32.exe File opened for modification C:\Windows\SysWOW64\Kdefgj32.exe Kcdjoaee.exe File created C:\Windows\SysWOW64\Jjjkclbf.dll Opaebkmc.exe File created C:\Windows\SysWOW64\Dlkmjn32.dll Ajcipc32.exe File created C:\Windows\SysWOW64\Pclmghko.dll Imahkg32.exe File opened for modification C:\Windows\SysWOW64\Jimbkh32.exe Jdpjba32.exe File created C:\Windows\SysWOW64\Cbppnbhm.exe Bigkel32.exe File created C:\Windows\SysWOW64\Flhinpbh.dll Akeijlfq.exe File created C:\Windows\SysWOW64\Bagkmb32.exe Bjmbqhif.exe File created C:\Windows\SysWOW64\Gaqomeke.exe Gjfgqk32.exe File created C:\Windows\SysWOW64\Hegnahjo.exe Hnmeen32.exe File created C:\Windows\SysWOW64\Eqefma32.dll Meffhnal.exe File created C:\Windows\SysWOW64\Eamilh32.exe Eheecbia.exe File created C:\Windows\SysWOW64\Epgphcqd.exe Ekjgpm32.exe File created C:\Windows\SysWOW64\Fidfcc32.dll Ecfldoph.exe File created C:\Windows\SysWOW64\Ccgibpac.dll Lmljgj32.exe File created C:\Windows\SysWOW64\Nbngca32.dll Pegqpacp.exe File opened for modification C:\Windows\SysWOW64\Jondnnbk.exe Jkchmo32.exe File created C:\Windows\SysWOW64\Ghmhnp32.dll Kgqocoin.exe File created C:\Windows\SysWOW64\Ljabkeaf.exe Liklhmom.exe File opened for modification C:\Windows\SysWOW64\Eapfagno.exe Eoajel32.exe File opened for modification C:\Windows\SysWOW64\Dejbqb32.exe Cblfdg32.exe File created C:\Windows\SysWOW64\Eifppipg.dll Nnoiio32.exe File created C:\Windows\SysWOW64\Caidaeak.exe Cdecha32.exe File opened for modification C:\Windows\SysWOW64\Dhplhc32.exe Debplg32.exe File opened for modification C:\Windows\SysWOW64\Fhdjgoha.exe Fajbke32.exe File created C:\Windows\SysWOW64\Hpphhp32.exe Hfhcoj32.exe File created C:\Windows\SysWOW64\Ijqoilii.exe Ihbcmaje.exe File created C:\Windows\SysWOW64\Jlkngc32.exe Jimbkh32.exe File created C:\Windows\SysWOW64\Oghhfg32.exe Ooqpdj32.exe File created C:\Windows\SysWOW64\Aakepajf.dll Fhgnge32.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target Process procid_target 5160 4996 WerFault.exe 513 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Mgmahg32.exeOoicid32.exeKjmnjkjd.exeBmhkmm32.exeDbncjf32.exeHnheohcl.exeJfliim32.exeFcjeon32.exeIjklknbn.exeOhagbj32.exeEiekpd32.exeKnfndjdp.exeAqbdkk32.exeOaqbln32.exeNnoiio32.exeNlefhcnc.exeHdlkcdog.exeOiljam32.exeAnneqafn.exeCofnjj32.exeQdncmgbj.exeCenljmgq.exeFfibkj32.exeJgfcja32.exeEaheeecg.exeCnfqccna.exeJniefm32.exePlolgk32.exeKglehp32.exeEheecbia.exeHbfepmmn.exeJabdql32.exeEeaepd32.exePkaehb32.exePojbkh32.exeKcdjoaee.exeBefmfpbi.exeDebplg32.exeIfdjeoep.exeNiedqnen.exeBgffhkoj.exeElipgofb.exeNeiaeiii.exeLjieppcb.exePeedka32.exeBgblmk32.exeJlckbh32.exeOffmipej.exeFjjpjgjj.exeBjmeiq32.exeDjdgic32.exeJajala32.exeChfbgn32.exeDmjqpdje.exeHinqgg32.exeKpicle32.exeLfkeokjp.exeCohkpj32.exeCffljlpc.exeNmfbpk32.exeKkmand32.exeBgibnj32.exeCicalakk.exeNgealejo.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgmahg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooicid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjmnjkjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmhkmm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbncjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnheohcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfliim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcjeon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijklknbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohagbj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiekpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knfndjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqbdkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaqbln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnoiio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlefhcnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdlkcdog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oiljam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anneqafn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cofnjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdncmgbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cenljmgq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffibkj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgfcja32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eaheeecg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnfqccna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jniefm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plolgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kglehp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eheecbia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbfepmmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jabdql32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eeaepd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkaehb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pojbkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcdjoaee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Befmfpbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Debplg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifdjeoep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Niedqnen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgffhkoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elipgofb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neiaeiii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljieppcb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Peedka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgblmk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlckbh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Offmipej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjjpjgjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjmeiq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djdgic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jajala32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chfbgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmjqpdje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hinqgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpicle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfkeokjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cohkpj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cffljlpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmfbpk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkmand32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgibnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cicalakk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngealejo.exe -
Modifies registry class 64 IoCs
Processes:
Oemegc32.exeHjfcpo32.exeIibfajdc.exeNapbjjom.exeQlgkki32.exeCblfdg32.exeGceailog.exeNhlgmd32.exeGkephn32.exeBjmbqhif.exeJofejpmc.exeMgmahg32.exeNeqnqofm.exeFnflke32.exeFhomkcoa.exeCifelgmd.exeCfnoogbo.exeFkbgckgd.exeHlgimqhf.exeGmgpbf32.exeMfdopp32.exeHboddk32.exeJbhcim32.exeLnjcomcf.exeFofpoo32.exeBgffhkoj.exeMgjnhaco.exeMfokinhf.exeNbmaon32.exeQkfocaki.exeBpnddn32.exeAfjjed32.exeChfbgn32.exeFqalaa32.exeHfhcoj32.exeKhghgchk.exeAbmgjo32.exeFheabelm.exeIdfnicfl.exeKcamjb32.exeKcecbq32.exeOpqoge32.exeAkcldl32.exeKhlili32.exeOpaebkmc.exeKglehp32.exePgfjhcge.exeKklikejc.exePohfehdi.exeAkeijlfq.exeBcgdom32.exeGbfiaj32.exeMpebmc32.exeJpiedieo.exeDlgnmb32.exeOokpodkj.exeAggiigmn.exeBgibnj32.exeImahkg32.exeMmdjkhdh.exePkacpihj.exeBjallg32.exeEapfagno.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oemegc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjfcpo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iibfajdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhcmgmam.dll" Napbjjom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qlgkki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knjmll32.dll" Cblfdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gceailog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goembl32.dll" Nhlgmd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkephn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjmbqhif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jofejpmc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgmahg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Neqnqofm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fnflke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgmamfed.dll" Fhomkcoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cifelgmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfnoogbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfmmfimm.dll" Fkbgckgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hlgimqhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmgpbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcncbo32.dll" Mfdopp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hboddk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbhcim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lnjcomcf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fofpoo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgffhkoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgjnhaco.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mfokinhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blangfdh.dll" Nbmaon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qkfocaki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpnddn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afjjed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chfbgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkjjaebl.dll" Fqalaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oggfcl32.dll" Hfhcoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Khghgchk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Komjgdhc.dll" Abmgjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fheabelm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgbmjc32.dll" Idfnicfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kcamjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kcecbq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Opqoge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnfkge32.dll" Akcldl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bddlnn32.dll" Khlili32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Opaebkmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pplncj32.dll" Kglehp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdakoaln.dll" Pgfjhcge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kklikejc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pohfehdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flhinpbh.dll" Akeijlfq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bcgdom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmkibjgj.dll" Gbfiaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mpebmc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpiedieo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dlgnmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fofpoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Camljoch.dll" Ookpodkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcdgejhm.dll" Aggiigmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjhmbnfb.dll" Bgibnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pclmghko.dll" Imahkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcelfiph.dll" Mmdjkhdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbaocobg.dll" Pkacpihj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gadgjn32.dll" Bjallg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfdej32.dll" Eapfagno.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
b5d76945b821090553b5eefad0ef437c86c282ec35aee67ada10392ab80dfd6f.exeJgqpkc32.exeJjomgo32.exeJpiedieo.exeJajala32.exeKklikejc.exeKnjegqif.exeKqknil32.exeLbackc32.exeLiklhmom.exeLjabkeaf.exeMeffhnal.exeMpbdnk32.exeMikhgqbi.exeNhdocl32.exeNblpfepo.exedescription pid Process procid_target PID 3036 wrote to memory of 2740 3036 b5d76945b821090553b5eefad0ef437c86c282ec35aee67ada10392ab80dfd6f.exe 30 PID 3036 wrote to memory of 2740 3036 b5d76945b821090553b5eefad0ef437c86c282ec35aee67ada10392ab80dfd6f.exe 30 PID 3036 wrote to memory of 2740 3036 b5d76945b821090553b5eefad0ef437c86c282ec35aee67ada10392ab80dfd6f.exe 30 PID 3036 wrote to memory of 2740 3036 b5d76945b821090553b5eefad0ef437c86c282ec35aee67ada10392ab80dfd6f.exe 30 PID 2740 wrote to memory of 2772 2740 Jgqpkc32.exe 31 PID 2740 wrote to memory of 2772 2740 Jgqpkc32.exe 31 PID 2740 wrote to memory of 2772 2740 Jgqpkc32.exe 31 PID 2740 wrote to memory of 2772 2740 Jgqpkc32.exe 31 PID 2772 wrote to memory of 2568 2772 Jjomgo32.exe 32 PID 2772 wrote to memory of 2568 2772 Jjomgo32.exe 32 PID 2772 wrote to memory of 2568 2772 Jjomgo32.exe 32 PID 2772 wrote to memory of 2568 2772 Jjomgo32.exe 32 PID 2568 wrote to memory of 2828 2568 Jpiedieo.exe 33 PID 2568 wrote to memory of 2828 2568 Jpiedieo.exe 33 PID 2568 wrote to memory of 2828 2568 Jpiedieo.exe 33 PID 2568 wrote to memory of 2828 2568 Jpiedieo.exe 33 PID 2828 wrote to memory of 2556 2828 Jajala32.exe 34 PID 2828 wrote to memory of 2556 2828 Jajala32.exe 34 PID 2828 wrote to memory of 2556 2828 Jajala32.exe 34 PID 2828 wrote to memory of 2556 2828 Jajala32.exe 34 PID 2556 wrote to memory of 2604 2556 Kklikejc.exe 35 PID 2556 wrote to memory of 2604 2556 Kklikejc.exe 35 PID 2556 wrote to memory of 2604 2556 Kklikejc.exe 35 PID 2556 wrote to memory of 2604 2556 Kklikejc.exe 35 PID 2604 wrote to memory of 2996 2604 Knjegqif.exe 36 PID 2604 wrote to memory of 2996 2604 Knjegqif.exe 36 PID 2604 wrote to memory of 2996 2604 Knjegqif.exe 36 PID 2604 wrote to memory of 2996 2604 Knjegqif.exe 36 PID 2996 wrote to memory of 2164 2996 Kqknil32.exe 37 PID 2996 wrote to memory of 2164 2996 Kqknil32.exe 37 PID 2996 wrote to memory of 2164 2996 Kqknil32.exe 37 PID 2996 wrote to memory of 2164 2996 Kqknil32.exe 37 PID 2164 wrote to memory of 2056 2164 Lbackc32.exe 38 PID 2164 wrote to memory of 2056 2164 Lbackc32.exe 38 PID 2164 wrote to memory of 2056 2164 Lbackc32.exe 38 PID 2164 wrote to memory of 2056 2164 Lbackc32.exe 38 PID 2056 wrote to memory of 1760 2056 Liklhmom.exe 39 PID 2056 wrote to memory of 1760 2056 Liklhmom.exe 39 PID 2056 wrote to memory of 1760 2056 Liklhmom.exe 39 PID 2056 wrote to memory of 1760 2056 Liklhmom.exe 39 PID 1760 wrote to memory of 664 1760 Ljabkeaf.exe 40 PID 1760 wrote to memory of 664 1760 Ljabkeaf.exe 40 PID 1760 wrote to memory of 664 1760 Ljabkeaf.exe 40 PID 1760 wrote to memory of 664 1760 Ljabkeaf.exe 40 PID 664 wrote to memory of 1440 664 Meffhnal.exe 41 PID 664 wrote to memory of 1440 664 Meffhnal.exe 41 PID 664 wrote to memory of 1440 664 Meffhnal.exe 41 PID 664 wrote to memory of 1440 664 Meffhnal.exe 41 PID 1440 wrote to memory of 1484 1440 Mpbdnk32.exe 42 PID 1440 wrote to memory of 1484 1440 Mpbdnk32.exe 42 PID 1440 wrote to memory of 1484 1440 Mpbdnk32.exe 42 PID 1440 wrote to memory of 1484 1440 Mpbdnk32.exe 42 PID 1484 wrote to memory of 2544 1484 Mikhgqbi.exe 43 PID 1484 wrote to memory of 2544 1484 Mikhgqbi.exe 43 PID 1484 wrote to memory of 2544 1484 Mikhgqbi.exe 43 PID 1484 wrote to memory of 2544 1484 Mikhgqbi.exe 43 PID 2544 wrote to memory of 1508 2544 Nhdocl32.exe 44 PID 2544 wrote to memory of 1508 2544 Nhdocl32.exe 44 PID 2544 wrote to memory of 1508 2544 Nhdocl32.exe 44 PID 2544 wrote to memory of 1508 2544 Nhdocl32.exe 44 PID 1508 wrote to memory of 376 1508 Nblpfepo.exe 45 PID 1508 wrote to memory of 376 1508 Nblpfepo.exe 45 PID 1508 wrote to memory of 376 1508 Nblpfepo.exe 45 PID 1508 wrote to memory of 376 1508 Nblpfepo.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\b5d76945b821090553b5eefad0ef437c86c282ec35aee67ada10392ab80dfd6f.exe"C:\Users\Admin\AppData\Local\Temp\b5d76945b821090553b5eefad0ef437c86c282ec35aee67ada10392ab80dfd6f.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Windows\SysWOW64\Jgqpkc32.exeC:\Windows\system32\Jgqpkc32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\Jjomgo32.exeC:\Windows\system32\Jjomgo32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Jpiedieo.exeC:\Windows\system32\Jpiedieo.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\Jajala32.exeC:\Windows\system32\Jajala32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\Kklikejc.exeC:\Windows\system32\Kklikejc.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\Knjegqif.exeC:\Windows\system32\Knjegqif.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\Kqknil32.exeC:\Windows\system32\Kqknil32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\SysWOW64\Lbackc32.exeC:\Windows\system32\Lbackc32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SysWOW64\Liklhmom.exeC:\Windows\system32\Liklhmom.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Windows\SysWOW64\Ljabkeaf.exeC:\Windows\system32\Ljabkeaf.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1760 -
C:\Windows\SysWOW64\Meffhnal.exeC:\Windows\system32\Meffhnal.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:664 -
C:\Windows\SysWOW64\Mpbdnk32.exeC:\Windows\system32\Mpbdnk32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1440 -
C:\Windows\SysWOW64\Mikhgqbi.exeC:\Windows\system32\Mikhgqbi.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1484 -
C:\Windows\SysWOW64\Nhdocl32.exeC:\Windows\system32\Nhdocl32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\Nblpfepo.exeC:\Windows\system32\Nblpfepo.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1508 -
C:\Windows\SysWOW64\Ndpicm32.exeC:\Windows\system32\Ndpicm32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:376 -
C:\Windows\SysWOW64\Nkjapglg.exeC:\Windows\system32\Nkjapglg.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2224 -
C:\Windows\SysWOW64\Olpgconp.exeC:\Windows\system32\Olpgconp.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1352 -
C:\Windows\SysWOW64\Odgodl32.exeC:\Windows\system32\Odgodl32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1812 -
C:\Windows\SysWOW64\Opnpimdf.exeC:\Windows\system32\Opnpimdf.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1724 -
C:\Windows\SysWOW64\Ooqpdj32.exeC:\Windows\system32\Ooqpdj32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:900 -
C:\Windows\SysWOW64\Oghhfg32.exeC:\Windows\system32\Oghhfg32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2908 -
C:\Windows\SysWOW64\Oldpnn32.exeC:\Windows\system32\Oldpnn32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2484 -
C:\Windows\SysWOW64\Oemegc32.exeC:\Windows\system32\Oemegc32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:616 -
C:\Windows\SysWOW64\Ohkaco32.exeC:\Windows\system32\Ohkaco32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:884 -
C:\Windows\SysWOW64\Phnnho32.exeC:\Windows\system32\Phnnho32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2096 -
C:\Windows\SysWOW64\Pohfehdi.exeC:\Windows\system32\Pohfehdi.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2796 -
C:\Windows\SysWOW64\Pgckjk32.exeC:\Windows\system32\Pgckjk32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2664 -
C:\Windows\SysWOW64\Pojbkh32.exeC:\Windows\system32\Pojbkh32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2840 -
C:\Windows\SysWOW64\Pkacpihj.exeC:\Windows\system32\Pkacpihj.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2752 -
C:\Windows\SysWOW64\Pnopldgn.exeC:\Windows\system32\Pnopldgn.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2820 -
C:\Windows\SysWOW64\Pjfpafmb.exeC:\Windows\system32\Pjfpafmb.exe33⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Pmdmmalf.exeC:\Windows\system32\Pmdmmalf.exe34⤵
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Qmgibqjc.exeC:\Windows\system32\Qmgibqjc.exe35⤵
- Executes dropped EXE
PID:2656 -
C:\Windows\SysWOW64\Qinjgbpg.exeC:\Windows\system32\Qinjgbpg.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2196 -
C:\Windows\SysWOW64\Qmifhq32.exeC:\Windows\system32\Qmifhq32.exe37⤵
- Executes dropped EXE
PID:2472 -
C:\Windows\SysWOW64\Afajafoa.exeC:\Windows\system32\Afajafoa.exe38⤵
- Executes dropped EXE
PID:1228 -
C:\Windows\SysWOW64\Afdgfelo.exeC:\Windows\system32\Afdgfelo.exe39⤵
- Executes dropped EXE
PID:840 -
C:\Windows\SysWOW64\Aibcba32.exeC:\Windows\system32\Aibcba32.exe40⤵
- Executes dropped EXE
PID:1280 -
C:\Windows\SysWOW64\Akcldl32.exeC:\Windows\system32\Akcldl32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2500 -
C:\Windows\SysWOW64\Anahqh32.exeC:\Windows\system32\Anahqh32.exe42⤵
- Executes dropped EXE
PID:2264 -
C:\Windows\SysWOW64\Aekqmbod.exeC:\Windows\system32\Aekqmbod.exe43⤵
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\Akeijlfq.exeC:\Windows\system32\Akeijlfq.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1476 -
C:\Windows\SysWOW64\Acqnnndl.exeC:\Windows\system32\Acqnnndl.exe45⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Akhfoldn.exeC:\Windows\system32\Akhfoldn.exe46⤵
- Executes dropped EXE
PID:1632 -
C:\Windows\SysWOW64\Bnfblgca.exeC:\Windows\system32\Bnfblgca.exe47⤵
- Executes dropped EXE
PID:1384 -
C:\Windows\SysWOW64\Bjmbqhif.exeC:\Windows\system32\Bjmbqhif.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1708 -
C:\Windows\SysWOW64\Bagkmb32.exeC:\Windows\system32\Bagkmb32.exe49⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Bgqcjlhp.exeC:\Windows\system32\Bgqcjlhp.exe50⤵
- Executes dropped EXE
PID:696 -
C:\Windows\SysWOW64\Baigca32.exeC:\Windows\system32\Baigca32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Bcgdom32.exeC:\Windows\system32\Bcgdom32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:1616 -
C:\Windows\SysWOW64\Bjallg32.exeC:\Windows\system32\Bjallg32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:1620 -
C:\Windows\SysWOW64\Bpnddn32.exeC:\Windows\system32\Bpnddn32.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2448 -
C:\Windows\SysWOW64\Bfhmqhkd.exeC:\Windows\system32\Bfhmqhkd.exe55⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Bmbemb32.exeC:\Windows\system32\Bmbemb32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Bleeioil.exeC:\Windows\system32\Bleeioil.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Bfkifhib.exeC:\Windows\system32\Bfkifhib.exe58⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Clgbno32.exeC:\Windows\system32\Clgbno32.exe59⤵
- Executes dropped EXE
PID:2116 -
C:\Windows\SysWOW64\Cofnjj32.exeC:\Windows\system32\Cofnjj32.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1972 -
C:\Windows\SysWOW64\Cadjgf32.exeC:\Windows\system32\Cadjgf32.exe61⤵
- Executes dropped EXE
PID:1316 -
C:\Windows\SysWOW64\Cjmopkla.exeC:\Windows\system32\Cjmopkla.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1140 -
C:\Windows\SysWOW64\Cohkpj32.exeC:\Windows\system32\Cohkpj32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2452 -
C:\Windows\SysWOW64\Cafgle32.exeC:\Windows\system32\Cafgle32.exe64⤵
- Executes dropped EXE
PID:1672 -
C:\Windows\SysWOW64\Cdecha32.exeC:\Windows\system32\Cdecha32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1324 -
C:\Windows\SysWOW64\Caidaeak.exeC:\Windows\system32\Caidaeak.exe66⤵PID:440
-
C:\Windows\SysWOW64\Cdgpnqpo.exeC:\Windows\system32\Cdgpnqpo.exe67⤵PID:1712
-
C:\Windows\SysWOW64\Cffljlpc.exeC:\Windows\system32\Cffljlpc.exe68⤵
- System Location Discovery: System Language Discovery
PID:1568 -
C:\Windows\SysWOW64\Comdkipe.exeC:\Windows\system32\Comdkipe.exe69⤵PID:1516
-
C:\Windows\SysWOW64\Cpnaca32.exeC:\Windows\system32\Cpnaca32.exe70⤵PID:2764
-
C:\Windows\SysWOW64\Cifelgmd.exeC:\Windows\system32\Cifelgmd.exe71⤵
- Modifies registry class
PID:1728 -
C:\Windows\SysWOW64\Danmmd32.exeC:\Windows\system32\Danmmd32.exe72⤵PID:2588
-
C:\Windows\SysWOW64\Dbojdmcd.exeC:\Windows\system32\Dbojdmcd.exe73⤵PID:2780
-
C:\Windows\SysWOW64\Dmdnbecj.exeC:\Windows\system32\Dmdnbecj.exe74⤵PID:2976
-
C:\Windows\SysWOW64\Dlgnmb32.exeC:\Windows\system32\Dlgnmb32.exe75⤵
- Modifies registry class
PID:2188 -
C:\Windows\SysWOW64\Depbfhpe.exeC:\Windows\system32\Depbfhpe.exe76⤵PID:464
-
C:\Windows\SysWOW64\Dohgomgf.exeC:\Windows\system32\Dohgomgf.exe77⤵PID:1232
-
C:\Windows\SysWOW64\Debplg32.exeC:\Windows\system32\Debplg32.exe78⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2748 -
C:\Windows\SysWOW64\Dhplhc32.exeC:\Windows\system32\Dhplhc32.exe79⤵PID:1772
-
C:\Windows\SysWOW64\Dcfpel32.exeC:\Windows\system32\Dcfpel32.exe80⤵PID:480
-
C:\Windows\SysWOW64\Daipqhdg.exeC:\Windows\system32\Daipqhdg.exe81⤵PID:2204
-
C:\Windows\SysWOW64\Dlndnacm.exeC:\Windows\system32\Dlndnacm.exe82⤵PID:2180
-
C:\Windows\SysWOW64\Degiggjm.exeC:\Windows\system32\Degiggjm.exe83⤵PID:1716
-
C:\Windows\SysWOW64\Eheecbia.exeC:\Windows\system32\Eheecbia.exe84⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1356 -
C:\Windows\SysWOW64\Eamilh32.exeC:\Windows\system32\Eamilh32.exe85⤵
- Drops file in System32 directory
PID:1880 -
C:\Windows\SysWOW64\Edlfhc32.exeC:\Windows\system32\Edlfhc32.exe86⤵PID:2028
-
C:\Windows\SysWOW64\Eoajel32.exeC:\Windows\system32\Eoajel32.exe87⤵
- Drops file in System32 directory
PID:3032 -
C:\Windows\SysWOW64\Eapfagno.exeC:\Windows\system32\Eapfagno.exe88⤵
- Modifies registry class
PID:1192 -
C:\Windows\SysWOW64\Ekhkjm32.exeC:\Windows\system32\Ekhkjm32.exe89⤵PID:2280
-
C:\Windows\SysWOW64\Enfgfh32.exeC:\Windows\system32\Enfgfh32.exe90⤵PID:2696
-
C:\Windows\SysWOW64\Egokonjc.exeC:\Windows\system32\Egokonjc.exe91⤵PID:2624
-
C:\Windows\SysWOW64\Ekjgpm32.exeC:\Windows\system32\Ekjgpm32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2220 -
C:\Windows\SysWOW64\Epgphcqd.exeC:\Windows\system32\Epgphcqd.exe93⤵PID:1756
-
C:\Windows\SysWOW64\Ecfldoph.exeC:\Windows\system32\Ecfldoph.exe94⤵
- Drops file in System32 directory
PID:2852 -
C:\Windows\SysWOW64\Egahen32.exeC:\Windows\system32\Egahen32.exe95⤵PID:756
-
C:\Windows\SysWOW64\Elnqmd32.exeC:\Windows\system32\Elnqmd32.exe96⤵PID:1820
-
C:\Windows\SysWOW64\Fgcejm32.exeC:\Windows\system32\Fgcejm32.exe97⤵PID:1096
-
C:\Windows\SysWOW64\Fheabelm.exeC:\Windows\system32\Fheabelm.exe98⤵
- Modifies registry class
PID:1072 -
C:\Windows\SysWOW64\Fcjeon32.exeC:\Windows\system32\Fcjeon32.exe99⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1292 -
C:\Windows\SysWOW64\Ffibkj32.exeC:\Windows\system32\Ffibkj32.exe100⤵
- System Location Discovery: System Language Discovery
PID:1300 -
C:\Windows\SysWOW64\Fhgnge32.exeC:\Windows\system32\Fhgnge32.exe101⤵
- Drops file in System32 directory
PID:880 -
C:\Windows\SysWOW64\Fbpbpkpj.exeC:\Windows\system32\Fbpbpkpj.exe102⤵PID:1612
-
C:\Windows\SysWOW64\Ffkoai32.exeC:\Windows\system32\Ffkoai32.exe103⤵PID:1928
-
C:\Windows\SysWOW64\Fdnolfon.exeC:\Windows\system32\Fdnolfon.exe104⤵PID:2720
-
C:\Windows\SysWOW64\Fgohna32.exeC:\Windows\system32\Fgohna32.exe105⤵PID:3008
-
C:\Windows\SysWOW64\Fofpoo32.exeC:\Windows\system32\Fofpoo32.exe106⤵
- Modifies registry class
PID:2392 -
C:\Windows\SysWOW64\Fdbhge32.exeC:\Windows\system32\Fdbhge32.exe107⤵PID:2848
-
C:\Windows\SysWOW64\Fkmqdpce.exeC:\Windows\system32\Fkmqdpce.exe108⤵PID:1108
-
C:\Windows\SysWOW64\Gnkmqkbi.exeC:\Windows\system32\Gnkmqkbi.exe109⤵PID:832
-
C:\Windows\SysWOW64\Gbfiaj32.exeC:\Windows\system32\Gbfiaj32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2444 -
C:\Windows\SysWOW64\Gnmifk32.exeC:\Windows\system32\Gnmifk32.exe111⤵PID:1044
-
C:\Windows\SysWOW64\Gegabegc.exeC:\Windows\system32\Gegabegc.exe112⤵PID:2248
-
C:\Windows\SysWOW64\Gnpflj32.exeC:\Windows\system32\Gnpflj32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2888 -
C:\Windows\SysWOW64\Gqnbhf32.exeC:\Windows\system32\Gqnbhf32.exe114⤵PID:1732
-
C:\Windows\SysWOW64\Gjfgqk32.exeC:\Windows\system32\Gjfgqk32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2704 -
C:\Windows\SysWOW64\Gaqomeke.exeC:\Windows\system32\Gaqomeke.exe116⤵PID:2036
-
C:\Windows\SysWOW64\Gjicfk32.exeC:\Windows\system32\Gjicfk32.exe117⤵PID:1020
-
C:\Windows\SysWOW64\Gmgpbf32.exeC:\Windows\system32\Gmgpbf32.exe118⤵
- Modifies registry class
PID:2312 -
C:\Windows\SysWOW64\Hfpdkl32.exeC:\Windows\system32\Hfpdkl32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1336 -
C:\Windows\SysWOW64\Hinqgg32.exeC:\Windows\system32\Hinqgg32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1288 -
C:\Windows\SysWOW64\Hbfepmmn.exeC:\Windows\system32\Hbfepmmn.exe121⤵
- System Location Discovery: System Language Discovery
PID:1636
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-