Analysis
max time kernel: 93s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-11-2024 04:22
Static task: static1
Behavioral task: behavioral1
Sample: e939220dfc86af9db587cbc9f6389e7637b1188688b373321f90cecfc7c57544N.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: e939220dfc86af9db587cbc9f6389e7637b1188688b373321f90cecfc7c57544N.exe
Resource: win10v2004-20241007-en
General
Target: e939220dfc86af9db587cbc9f6389e7637b1188688b373321f90cecfc7c57544N.exe
Size: 115KB
MD5: facaf8f34c38789e31c781f6accb0680
SHA1: 22fb2a0ceb3b38543c72856ec582fa017d564a71
SHA256: e939220dfc86af9db587cbc9f6389e7637b1188688b373321f90cecfc7c57544
SHA512: 7177dedcb21fa78dfaa9180620a361451fa63b50804d99d8e0ba759ffae84640882370917c171606daf20123d4cc3067d433c4df8f72443779cee6bb304469d9
SSDEEP: 3072:PegvmhEWPzuAXKmrr4rrrrrrrrrrrrrrrRrrrrrrrArrrrrpFe/vlhAVDrB86f4P:P+ECzuPmrr4rrrrrrrrrrrrrrrRrrrrR
Malware Config
Extracted: berbew
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Berbew family
Executes dropped EXE 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
Process: WerFault.exe (pid 1684, pid_target 17336, procid_target 961)
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
"Apartment" Ipjedh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eiahnnph.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iipfmggc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ginnfgop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akccap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mqimikfj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oileggkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkellk32.dll" Ahjgjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckmehb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ikkpgafg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Idhnkf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mqafhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Occomh32.dll" Ejbbmnnb.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bklfgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qfmmplad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpfkpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjpank32.dll" Blgifbil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjmdflo.dll" Kcejco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgjhee32.dll" Meiioonj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Processes
-
C:\Users\Admin\AppData\Local\Temp\e939220dfc86af9db587cbc9f6389e7637b1188688b373321f90cecfc7c57544N.exe"C:\Users\Admin\AppData\Local\Temp\e939220dfc86af9db587cbc9f6389e7637b1188688b373321f90cecfc7c57544N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4724 -
C:\Windows\SysWOW64\Mekgdl32.exeC:\Windows\system32\Mekgdl32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3552 -
C:\Windows\SysWOW64\Mpqkad32.exeC:\Windows\system32\Mpqkad32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4888 -
C:\Windows\SysWOW64\Niipjj32.exeC:\Windows\system32\Niipjj32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3996 -
C:\Windows\SysWOW64\Noehba32.exeC:\Windows\system32\Noehba32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3948 -
C:\Windows\SysWOW64\Neppokal.exeC:\Windows\system32\Neppokal.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\SysWOW64\Npedmdab.exeC:\Windows\system32\Npedmdab.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Windows\SysWOW64\Ngomin32.exeC:\Windows\system32\Ngomin32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:844 -
C:\Windows\SysWOW64\Nlleaeff.exeC:\Windows\system32\Nlleaeff.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\SysWOW64\Ngaionfl.exeC:\Windows\system32\Ngaionfl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:456 -
C:\Windows\SysWOW64\Nipekiep.exeC:\Windows\system32\Nipekiep.exe11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1816 -
C:\Windows\SysWOW64\Npjnhc32.exeC:\Windows\system32\Npjnhc32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Windows\SysWOW64\Neffpj32.exeC:\Windows\system32\Neffpj32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3692 -
C:\Windows\SysWOW64\Nheble32.exeC:\Windows\system32\Nheble32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1860 -
C:\Windows\SysWOW64\Nookip32.exeC:\Windows\system32\Nookip32.exe15⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1252 -
C:\Windows\SysWOW64\Ogfcjm32.exeC:\Windows\system32\Ogfcjm32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Windows\SysWOW64\Ohgoaehe.exeC:\Windows\system32\Ohgoaehe.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4544 -
C:\Windows\SysWOW64\Olckbd32.exeC:\Windows\system32\Olckbd32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:32 -
C:\Windows\SysWOW64\Opogbbig.exeC:\Windows\system32\Opogbbig.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Windows\SysWOW64\Ocmconhk.exeC:\Windows\system32\Ocmconhk.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3260 -
C:\Windows\SysWOW64\Oigllh32.exeC:\Windows\system32\Oigllh32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1544 -
C:\Windows\SysWOW64\Olehhc32.exeC:\Windows\system32\Olehhc32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:444 -
C:\Windows\SysWOW64\Oocddono.exeC:\Windows\system32\Oocddono.exe23⤵
- Executes dropped EXE
PID:3320 -
C:\Windows\SysWOW64\Ocopdn32.exeC:\Windows\system32\Ocopdn32.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2520 -
C:\Windows\SysWOW64\Oofaiokl.exeC:\Windows\system32\Oofaiokl.exe25⤵
- Executes dropped EXE
PID:4856 -
C:\Windows\SysWOW64\Ogmijllo.exeC:\Windows\system32\Ogmijllo.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5092 -
C:\Windows\SysWOW64\Oileggkb.exeC:\Windows\system32\Oileggkb.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2256 -
C:\Windows\SysWOW64\Oljaccjf.exeC:\Windows\system32\Oljaccjf.exe28⤵
- Executes dropped EXE
PID:876 -
C:\Windows\SysWOW64\Ocdjpmac.exeC:\Windows\system32\Ocdjpmac.exe29⤵
- Executes dropped EXE
PID:5056 -
C:\Windows\SysWOW64\Ohqbhdpj.exeC:\Windows\system32\Ohqbhdpj.exe30⤵
- Executes dropped EXE
PID:3420 -
C:\Windows\SysWOW64\Ocffempp.exeC:\Windows\system32\Ocffempp.exe31⤵
- Executes dropped EXE
PID:1852 -
C:\Windows\SysWOW64\Pjpobg32.exeC:\Windows\system32\Pjpobg32.exe32⤵
- Executes dropped EXE
PID:4784 -
C:\Windows\SysWOW64\Ppjgoaoj.exeC:\Windows\system32\Ppjgoaoj.exe33⤵
- Executes dropped EXE
PID:3720 -
C:\Windows\SysWOW64\Pfgogh32.exeC:\Windows\system32\Pfgogh32.exe34⤵
- Executes dropped EXE
PID:3816 -
C:\Windows\SysWOW64\Phelcc32.exeC:\Windows\system32\Phelcc32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1240 -
C:\Windows\SysWOW64\Poodpmca.exeC:\Windows\system32\Poodpmca.exe36⤵
- Executes dropped EXE
PID:376 -
C:\Windows\SysWOW64\Pjehmfch.exeC:\Windows\system32\Pjehmfch.exe37⤵
- Executes dropped EXE
PID:1848 -
C:\Windows\SysWOW64\Ppopjp32.exeC:\Windows\system32\Ppopjp32.exe38⤵
- Executes dropped EXE
PID:4400 -
C:\Windows\SysWOW64\Pflibgil.exeC:\Windows\system32\Pflibgil.exe39⤵
- Executes dropped EXE
PID:436 -
C:\Windows\SysWOW64\Ppamophb.exeC:\Windows\system32\Ppamophb.exe40⤵
- Executes dropped EXE
PID:728 -
C:\Windows\SysWOW64\Pfnegggi.exeC:\Windows\system32\Pfnegggi.exe41⤵
- Executes dropped EXE
PID:3612 -
C:\Windows\SysWOW64\Pofjpl32.exeC:\Windows\system32\Pofjpl32.exe42⤵
- Executes dropped EXE
PID:3668 -
C:\Windows\SysWOW64\Qgnbaj32.exeC:\Windows\system32\Qgnbaj32.exe43⤵
- Executes dropped EXE
PID:780 -
C:\Windows\SysWOW64\Qhonib32.exeC:\Windows\system32\Qhonib32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:1336 -
C:\Windows\SysWOW64\Qcdbfk32.exeC:\Windows\system32\Qcdbfk32.exe45⤵
- Executes dropped EXE
PID:3672 -
C:\Windows\SysWOW64\Qjnkcekm.exeC:\Windows\system32\Qjnkcekm.exe46⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Qlmgopjq.exeC:\Windows\system32\Qlmgopjq.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5116 -
C:\Windows\SysWOW64\Acgolj32.exeC:\Windows\system32\Acgolj32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3132 -
C:\Windows\SysWOW64\Acilajpk.exeC:\Windows\system32\Acilajpk.exe49⤵
- Executes dropped EXE
PID:3656 -
C:\Windows\SysWOW64\Ajcdnd32.exeC:\Windows\system32\Ajcdnd32.exe50⤵
- Executes dropped EXE
PID:1196 -
C:\Windows\SysWOW64\Aqmlknnd.exeC:\Windows\system32\Aqmlknnd.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2872 -
C:\Windows\SysWOW64\Aggegh32.exeC:\Windows\system32\Aggegh32.exe52⤵
- Executes dropped EXE
PID:3788 -
C:\Windows\SysWOW64\Ajeadd32.exeC:\Windows\system32\Ajeadd32.exe53⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Acnemi32.exeC:\Windows\system32\Acnemi32.exe54⤵
- Executes dropped EXE
PID:4820 -
C:\Windows\SysWOW64\Aijnep32.exeC:\Windows\system32\Aijnep32.exe55⤵
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Acpbbi32.exeC:\Windows\system32\Acpbbi32.exe56⤵
- Executes dropped EXE
PID:3988 -
C:\Windows\SysWOW64\Afnnnd32.exeC:\Windows\system32\Afnnnd32.exe57⤵
- Executes dropped EXE
PID:4952 -
C:\Windows\SysWOW64\Aimkjp32.exeC:\Windows\system32\Aimkjp32.exe58⤵
- Executes dropped EXE
PID:4932 -
C:\Windows\SysWOW64\Bgnkhg32.exeC:\Windows\system32\Bgnkhg32.exe59⤵
- Executes dropped EXE
PID:648 -
C:\Windows\SysWOW64\Bjlgdc32.exeC:\Windows\system32\Bjlgdc32.exe60⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Boipmj32.exeC:\Windows\system32\Boipmj32.exe61⤵
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Bgpgng32.exeC:\Windows\system32\Bgpgng32.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1500 -
C:\Windows\SysWOW64\Bqilgmdg.exeC:\Windows\system32\Bqilgmdg.exe63⤵
- Executes dropped EXE
PID:3928 -
C:\Windows\SysWOW64\Bfedoc32.exeC:\Windows\system32\Bfedoc32.exe64⤵
- Executes dropped EXE
PID:4076 -
C:\Windows\SysWOW64\Bidqko32.exeC:\Windows\system32\Bidqko32.exe65⤵
- Executes dropped EXE
PID:5080 -
C:\Windows\SysWOW64\Bqkill32.exeC:\Windows\system32\Bqkill32.exe66⤵PID:4508
-
C:\Windows\SysWOW64\Bgeaifia.exeC:\Windows\system32\Bgeaifia.exe67⤵PID:2356
-
C:\Windows\SysWOW64\Bmbiamhi.exeC:\Windows\system32\Bmbiamhi.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4672 -
C:\Windows\SysWOW64\Bggnof32.exeC:\Windows\system32\Bggnof32.exe69⤵PID:468
-
C:\Windows\SysWOW64\Ccnncgmc.exeC:\Windows\system32\Ccnncgmc.exe70⤵
- Drops file in System32 directory
PID:2148 -
C:\Windows\SysWOW64\Cgjjdf32.exeC:\Windows\system32\Cgjjdf32.exe71⤵PID:2756
-
C:\Windows\SysWOW64\Cjhfpa32.exeC:\Windows\system32\Cjhfpa32.exe72⤵
- System Location Discovery: System Language Discovery
PID:2312 -
C:\Windows\SysWOW64\Cikglnkj.exeC:\Windows\system32\Cikglnkj.exe73⤵PID:4328
-
C:\Windows\SysWOW64\Ccqkigkp.exeC:\Windows\system32\Ccqkigkp.exe74⤵PID:5064
-
C:\Windows\SysWOW64\Cfogeb32.exeC:\Windows\system32\Cfogeb32.exe75⤵PID:1020
-
C:\Windows\SysWOW64\Cjjcfabm.exeC:\Windows\system32\Cjjcfabm.exe76⤵PID:4760
-
C:\Windows\SysWOW64\Cimcan32.exeC:\Windows\system32\Cimcan32.exe77⤵PID:2468
-
C:\Windows\SysWOW64\Cadlbk32.exeC:\Windows\system32\Cadlbk32.exe78⤵PID:1436
-
C:\Windows\SysWOW64\Cjmpkqqj.exeC:\Windows\system32\Cjmpkqqj.exe79⤵PID:3116
-
C:\Windows\SysWOW64\Cmklglpn.exeC:\Windows\system32\Cmklglpn.exe80⤵PID:2168
-
C:\Windows\SysWOW64\Caghhk32.exeC:\Windows\system32\Caghhk32.exe81⤵PID:4360
-
C:\Windows\SysWOW64\Cfcqpa32.exeC:\Windows\system32\Cfcqpa32.exe82⤵
- Drops file in System32 directory
PID:4884 -
C:\Windows\SysWOW64\Cjomap32.exeC:\Windows\system32\Cjomap32.exe83⤵PID:2132
-
C:\Windows\SysWOW64\Ccgajfeh.exeC:\Windows\system32\Ccgajfeh.exe84⤵PID:4696
-
C:\Windows\SysWOW64\Cgcmjd32.exeC:\Windows\system32\Cgcmjd32.exe85⤵PID:4644
-
C:\Windows\SysWOW64\Cidjbmcp.exeC:\Windows\system32\Cidjbmcp.exe86⤵PID:4196
-
C:\Windows\SysWOW64\Dakacjdb.exeC:\Windows\system32\Dakacjdb.exe87⤵
- System Location Discovery: System Language Discovery
PID:1076 -
C:\Windows\SysWOW64\Dgejpd32.exeC:\Windows\system32\Dgejpd32.exe88⤵PID:3964
-
C:\Windows\SysWOW64\Djdflp32.exeC:\Windows\system32\Djdflp32.exe89⤵PID:992
-
C:\Windows\SysWOW64\Dannij32.exeC:\Windows\system32\Dannij32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2152 -
C:\Windows\SysWOW64\Dhhfedil.exeC:\Windows\system32\Dhhfedil.exe91⤵PID:4712
-
C:\Windows\SysWOW64\Djfcaohp.exeC:\Windows\system32\Djfcaohp.exe92⤵PID:4412
-
C:\Windows\SysWOW64\Dmdonkgc.exeC:\Windows\system32\Dmdonkgc.exe93⤵PID:4876
-
C:\Windows\SysWOW64\Dcogje32.exeC:\Windows\system32\Dcogje32.exe94⤵PID:4148
-
C:\Windows\SysWOW64\Dfmcfp32.exeC:\Windows\system32\Dfmcfp32.exe95⤵
- Modifies registry class
PID:3504 -
C:\Windows\SysWOW64\Dabhdinj.exeC:\Windows\system32\Dabhdinj.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4748 -
C:\Windows\SysWOW64\Ddadpdmn.exeC:\Windows\system32\Ddadpdmn.exe97⤵PID:3196
-
C:\Windows\SysWOW64\Djklmo32.exeC:\Windows\system32\Djklmo32.exe98⤵PID:2392
-
C:\Windows\SysWOW64\Ddcqedkk.exeC:\Windows\system32\Ddcqedkk.exe99⤵
- System Location Discovery: System Language Discovery
PID:3632 -
C:\Windows\SysWOW64\Dfamapjo.exeC:\Windows\system32\Dfamapjo.exe100⤵PID:880
-
C:\Windows\SysWOW64\Eipinkib.exeC:\Windows\system32\Eipinkib.exe101⤵PID:5136
-
C:\Windows\SysWOW64\Edemkd32.exeC:\Windows\system32\Edemkd32.exe102⤵PID:5176
-
C:\Windows\SysWOW64\Efdjgo32.exeC:\Windows\system32\Efdjgo32.exe103⤵PID:5216
-
C:\Windows\SysWOW64\Eaindh32.exeC:\Windows\system32\Eaindh32.exe104⤵PID:5260
-
C:\Windows\SysWOW64\Ejbbmnnb.exeC:\Windows\system32\Ejbbmnnb.exe105⤵
- Modifies registry class
PID:5304 -
C:\Windows\SysWOW64\Edjgfcec.exeC:\Windows\system32\Edjgfcec.exe106⤵
- Drops file in System32 directory
PID:5344 -
C:\Windows\SysWOW64\Ehfcfb32.exeC:\Windows\system32\Ehfcfb32.exe107⤵PID:5392
-
C:\Windows\SysWOW64\Embkoi32.exeC:\Windows\system32\Embkoi32.exe108⤵
- Drops file in System32 directory
PID:5432 -
C:\Windows\SysWOW64\Ejflhm32.exeC:\Windows\system32\Ejflhm32.exe109⤵PID:5476
-
C:\Windows\SysWOW64\Fkihnmhj.exeC:\Windows\system32\Fkihnmhj.exe110⤵PID:5520
-
C:\Windows\SysWOW64\Fmgejhgn.exeC:\Windows\system32\Fmgejhgn.exe111⤵PID:5564
-
C:\Windows\SysWOW64\Fpeafcfa.exeC:\Windows\system32\Fpeafcfa.exe112⤵PID:5608
-
C:\Windows\SysWOW64\Fkkeclfh.exeC:\Windows\system32\Fkkeclfh.exe113⤵
- Modifies registry class
PID:5652 -
C:\Windows\SysWOW64\Fdcjlb32.exeC:\Windows\system32\Fdcjlb32.exe114⤵
- System Location Discovery: System Language Discovery
PID:5696 -
C:\Windows\SysWOW64\Fgbfhmll.exeC:\Windows\system32\Fgbfhmll.exe115⤵PID:5740
-
C:\Windows\SysWOW64\Fipbdikp.exeC:\Windows\system32\Fipbdikp.exe116⤵PID:5776
-
C:\Windows\SysWOW64\Fagjfflb.exeC:\Windows\system32\Fagjfflb.exe117⤵PID:5828
-
C:\Windows\SysWOW64\Fgdbnmji.exeC:\Windows\system32\Fgdbnmji.exe118⤵PID:5872
-
C:\Windows\SysWOW64\Fmnkkg32.exeC:\Windows\system32\Fmnkkg32.exe119⤵
- Drops file in System32 directory
PID:5916 -
C:\Windows\SysWOW64\Fggocmhf.exeC:\Windows\system32\Fggocmhf.exe120⤵PID:5964
-
C:\Windows\SysWOW64\Fmqgpgoc.exeC:\Windows\system32\Fmqgpgoc.exe121⤵
- Modifies registry class
PID:6008 -
C:\Windows\SysWOW64\Fpodlbng.exeC:\Windows\system32\Fpodlbng.exe122⤵
- System Location Discovery: System Language Discovery
PID:6052