Analysis
max time kernel: 135s
max time network: 19s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 23-11-2024 04:47
Static task: static1
Behavioral task: behavioral1
  Sample: e82706209df1931d698cccaf5fbd3acca1c9ed37c388ca966059ba0fe2d46a0c.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: e82706209df1931d698cccaf5fbd3acca1c9ed37c388ca966059ba0fe2d46a0c.exe
  Resource: win10v2004-20241007-en
General
Target: e82706209df1931d698cccaf5fbd3acca1c9ed37c388ca966059ba0fe2d46a0c.exe
Size: 128KB
MD5: f93b429284843147df4fe5fffda30bee
SHA1: 67d8114dc37477ba416cbc292182dae3d0789733
SHA256: e82706209df1931d698cccaf5fbd3acca1c9ed37c388ca966059ba0fe2d46a0c
SHA512: 95f1a305234583fad57acf3fdb8156df306497b43716ac0a90a2f7e94af2a10738184f5016b314a6024c9ff1fefec0d8e63b3b56c27c88388650c721b84e71b8
SSDEEP: 1536:63rlHtqH6oCJiv5XDQjILQ9FKGXllUDtM60TD4ruhiZlrQIFiglF9xZ95Q:67PE6JK5X6KG7UDd0pCrQIFdFtLQ
Malware Config
Extracted: berbew
  http://tat-neftbank.ru/kkq.php
  http://tat-neftbank.ru/wcmd.htm
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Processes: Mgbcha32.exe, Ocpfmd32.exe, Lcdmekne.exe, Ejcjfgbk.exe, Kqqdjceh.exe, Naeigf32.exe, Nkkjpf32.exe, Ecfednma.exe, Iihhmhng.exe, Pnbjca32.exe, Hojbbiae.exe, Npbbcgga.exe, Lghgocek.exe, Eimien32.exe, Apeakonl.exe, Pmfmej32.exe, Cemebcnf.exe, Flnpoe32.exe, Dopfpkng.exe, Mnkfcjqe.exe, Ndnplk32.exe, Higiih32.exe, Jfiekc32.exe, Mjgclcjh.exe, Nqjmec32.exe, Lhhhjhkf.exe, Hnbhpl32.exe, Ndiaem32.exe, Nlibhhme.exe, Cicggcke.exe, Gjffbhnj.exe, Ipameehe.exe, Pojgnf32.exe, Bbpffhnb.exe, Agcekn32.exe
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mgbcha32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ocpfmd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lcdmekne.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ejcjfgbk.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kqqdjceh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Naeigf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nkkjpf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ecfednma.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Iihhmhng.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" |
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pnbjca32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" |
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hojbbiae.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Npbbcgga.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" |
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lghgocek.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eimien32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Apeakonl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pmfmej32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cemebcnf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Flnpoe32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dopfpkng.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" |
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mnkfcjqe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ndnplk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" |
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" |
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Higiih32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jfiekc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mjgclcjh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nqjmec32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lhhhjhkf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hnbhpl32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ndiaem32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" |
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Higiih32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nlibhhme.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" |
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cicggcke.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" |
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gjffbhnj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ipameehe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pojgnf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bbpffhnb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Agcekn32.exe
Berbew family
Executes dropped EXE (64 IoCs)
Processes: Oklmhcdf.exe, Olkjaflh.exe, Ohbjgg32.exe, Odiklh32.exe, Pmfmej32.exe, Pnfipm32.exe, Pcenmcea.exe, Pcgkcccn.exe, Qonlhd32.exe, Qifpqi32.exe, Qqbeel32.exe, Aepnkjcd.exe, Acejlfhl.exe, Ammoel32.exe, Bboahbio.exe, Bpbabf32.exe, Bebfpm32.exe, Bojkib32.exe, Bomhnb32.exe, Bdipfi32.exe, Cihedpcg.exe, Cpejfjha.exe, Cedpdpdf.exe, Cpidai32.exe, Dkcebg32.exe, Dlbaljhn.exe, Dekeeonn.exe, Dkjkcfjc.exe, Ddbolkac.exe, Eplmflde.exe, Eqnillbb.exe, Enhcnd32.exe, Fipdqmje.exe, Fmdfppkb.exe, Gindjqnc.exe, Gfadcemm.exe, Gpjilj32.exe, Geinjapb.exe, Gjffbhnj.exe, Hdqhambg.exe, Hjkpng32.exe, Hpghfn32.exe, Hmkiobge.exe, Hbhagiem.exe, Hmneebeb.exe, Hbknmicj.exe, Hmpbja32.exe, Ifhgcgjq.exe, Ileoknhh.exe, Iboghh32.exe, Ilhlan32.exe, Ibadnhmb.exe, Iljifm32.exe, Iebmpcjc.exe, Ikoehj32.exe, Idgjqook.exe, Jakjjcnd.exe, Jkdoci32.exe, Jdlclo32.exe, Jempcgad.exe, Jgmlmj32.exe, Jhniebne.exe, Jafmngde.exe, Jkobgm32.exe
pid | Process
872 | Oklmhcdf.exe
584 | Olkjaflh.exe
2964 | Ohbjgg32.exe
2924 | Odiklh32.exe
2512 | Pmfmej32.exe
2536 | Pnfipm32.exe
1316 | Pcenmcea.exe
2984 | Pcgkcccn.exe
3028 | Qonlhd32.exe
1500 | Qifpqi32.exe
1324 | Qqbeel32.exe
696 | Aepnkjcd.exe
1304 | Acejlfhl.exe
520 | Ammoel32.exe
2436 | Bboahbio.exe
2228 | Bpbabf32.exe
2148 | Bebfpm32.exe
1320 | Bojkib32.exe
1004 | Bomhnb32.exe
2208 | Bdipfi32.exe
1088 | Cihedpcg.exe
2388 | Cpejfjha.exe
1020 | Cedpdpdf.exe
1528 | Cpidai32.exe
2104 | Dkcebg32.exe
2184 | Dlbaljhn.exe
2368 | Dekeeonn.exe
3060 | Dkjkcfjc.exe
2480 | Ddbolkac.exe
3040 | Eplmflde.exe
2928 | Eqnillbb.exe
3004 | Enhcnd32.exe
2360 | Fipdqmje.exe
3020 | Fmdfppkb.exe
432 | Gindjqnc.exe
2792 | Gfadcemm.exe
2600 | Gpjilj32.exe
1016 | Geinjapb.exe
1956 | Gjffbhnj.exe
2412 | Hdqhambg.exe
2408 | Hjkpng32.exe
624 | Hpghfn32.exe
612 | Hmkiobge.exe
1364 | Hbhagiem.exe
2520 | Hmneebeb.exe
1708 | Hbknmicj.exe
2448 | Hmpbja32.exe
892 | Ifhgcgjq.exe
2236 | Ileoknhh.exe
2164 | Iboghh32.exe
1588 | Ilhlan32.exe
2940 | Ibadnhmb.exe
2836 | Iljifm32.exe
2840 | Iebmpcjc.exe
2988 | Ikoehj32.exe
2332 | Idgjqook.exe
2344 | Jakjjcnd.exe
840 | Jkdoci32.exe
564 | Jdlclo32.exe
2216 | Jempcgad.exe
1964 | Jgmlmj32.exe
1716 | Jhniebne.exe
1420 | Jafmngde.exe
2584 | Jkobgm32.exe
Loads dropped DLL (64 IoCs)
Processes: e82706209df1931d698cccaf5fbd3acca1c9ed37c388ca966059ba0fe2d46a0c.exe, Oklmhcdf.exe, Olkjaflh.exe, Ohbjgg32.exe, Odiklh32.exe, Pmfmej32.exe, Pnfipm32.exe, Pcenmcea.exe, Pcgkcccn.exe, Qonlhd32.exe, Qifpqi32.exe, Qqbeel32.exe, Aepnkjcd.exe, Acejlfhl.exe, Ammoel32.exe, Bboahbio.exe, Bpbabf32.exe, Bebfpm32.exe, Bojkib32.exe, Bomhnb32.exe, Bdipfi32.exe, Cihedpcg.exe, Cpejfjha.exe, Cedpdpdf.exe, Cpidai32.exe, Dkcebg32.exe, Dlbaljhn.exe, Dekeeonn.exe, Dkjkcfjc.exe, Ddbolkac.exe, Eplmflde.exe, Eqnillbb.exe
pid | Process
1628 | e82706209df1931d698cccaf5fbd3acca1c9ed37c388ca966059ba0fe2d46a0c.exe
1628 | e82706209df1931d698cccaf5fbd3acca1c9ed37c388ca966059ba0fe2d46a0c.exe
872 | Oklmhcdf.exe
872 | Oklmhcdf.exe
584 | Olkjaflh.exe
584 | Olkjaflh.exe
2964 | Ohbjgg32.exe
2964 | Ohbjgg32.exe
2924 | Odiklh32.exe
2924 | Odiklh32.exe
2512 | Pmfmej32.exe
2512 | Pmfmej32.exe
2536 | Pnfipm32.exe
2536 | Pnfipm32.exe
1316 | Pcenmcea.exe
1316 | Pcenmcea.exe
2984 | Pcgkcccn.exe
2984 | Pcgkcccn.exe
3028 | Qonlhd32.exe
3028 | Qonlhd32.exe
1500 | Qifpqi32.exe
1500 | Qifpqi32.exe
1324 | Qqbeel32.exe
1324 | Qqbeel32.exe
696 | Aepnkjcd.exe
696 | Aepnkjcd.exe
1304 | Acejlfhl.exe
1304 | Acejlfhl.exe
520 | Ammoel32.exe
520 | Ammoel32.exe
2436 | Bboahbio.exe
2436 | Bboahbio.exe
2228 | Bpbabf32.exe
2228 | Bpbabf32.exe
2148 | Bebfpm32.exe
2148 | Bebfpm32.exe
1320 | Bojkib32.exe
1320 | Bojkib32.exe
1004 | Bomhnb32.exe
1004 | Bomhnb32.exe
2208 | Bdipfi32.exe
2208 | Bdipfi32.exe
1088 | Cihedpcg.exe
1088 | Cihedpcg.exe
2388 | Cpejfjha.exe
2388 | Cpejfjha.exe
1020 | Cedpdpdf.exe
1020 | Cedpdpdf.exe
1528 | Cpidai32.exe
1528 | Cpidai32.exe
2104 | Dkcebg32.exe
2104 | Dkcebg32.exe
2184 | Dlbaljhn.exe
2184 | Dlbaljhn.exe
2368 | Dekeeonn.exe
2368 | Dekeeonn.exe
3060 | Dkjkcfjc.exe
3060 | Dkjkcfjc.exe
2480 | Ddbolkac.exe
2480 | Ddbolkac.exe
3040 | Eplmflde.exe
3040 | Eplmflde.exe
2928 | Eqnillbb.exe
2928 | Eqnillbb.exe
Drops file in System32 directory (64 IoCs)
Processes: Gcimop32.exe, Agloko32.exe, Mnneabff.exe, Fncddc32.exe, Jbmgapgc.exe, Bfnnpbnn.exe, Eelinm32.exe, Dcofqphi.exe, Gfmmanif.exe, Apllml32.exe, Hiccbfoa.exe, Dbqajk32.exe, Gaiehjfb.exe, Hpnpam32.exe, Cocnanmd.exe, Ohbjgg32.exe, Odpljf32.exe, Jdfqomom.exe, Macpcccp.exe, Eimien32.exe, Pgjgapaa.exe, Fniikj32.exe, Epakcm32.exe, Jhlgnd32.exe, Gdpikmci.exe, Akpfmnmh.exe, Omgfdhbq.exe, Ofqonp32.exe, Blkoocfl.exe, Gmbagf32.exe, Mnakjaoc.exe, Qcdgei32.exe, Npdlpnnj.exe, Adnegldo.exe, Acfonhgd.exe, Ibklddof.exe, Fhdhqg32.exe, Ajgfnk32.exe, Fleihi32.exe, Pdffcn32.exe, Biakbc32.exe, Oefqlmpq.exe
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Gmbagf32.exe | Gcimop32.exe
File created | C:\Windows\SysWOW64\Lbgnie32.dll |
File opened for modification | C:\Windows\SysWOW64\Hgnnpc32.exe |
File created | C:\Windows\SysWOW64\Pcpmbgfg.dll | Agloko32.exe
File created | C:\Windows\SysWOW64\Ekqjiiel.dll | Mnneabff.exe
File created | C:\Windows\SysWOW64\Fhlhmi32.exe | Fncddc32.exe
File created | C:\Windows\SysWOW64\Hkiacm32.dll | Jbmgapgc.exe
File opened for modification | C:\Windows\SysWOW64\Hcpejd32.exe |
File created | C:\Windows\SysWOW64\Bkjfhile.exe | Bfnnpbnn.exe
File created | C:\Windows\SysWOW64\Epamlegl.exe | Eelinm32.exe
File created | C:\Windows\SysWOW64\Lidafjlk.dll | Dcofqphi.exe
File created | C:\Windows\SysWOW64\Lkkghlag.dll |
File created | C:\Windows\SysWOW64\Gcankb32.exe | Gfmmanif.exe
File created | C:\Windows\SysWOW64\Bhgaan32.exe | Apllml32.exe
File created | C:\Windows\SysWOW64\Hejcggee.exe | Hiccbfoa.exe
File opened for modification | C:\Windows\SysWOW64\Qhnlmjie.exe |
File opened for modification | C:\Windows\SysWOW64\Dmffhd32.exe | Dbqajk32.exe
File opened for modification | C:\Windows\SysWOW64\Hakani32.exe | Gaiehjfb.exe
File created | C:\Windows\SysWOW64\Ohqejchc.dll |
File created | C:\Windows\SysWOW64\Hnapja32.exe | Hpnpam32.exe
File created | C:\Windows\SysWOW64\Jcbkhjjg.dll | Cocnanmd.exe
File created | C:\Windows\SysWOW64\Nnkpkdio.exe |
File opened for modification | C:\Windows\SysWOW64\Odiklh32.exe | Ohbjgg32.exe
File created | C:\Windows\SysWOW64\Onipbl32.exe | Odpljf32.exe
File created | C:\Windows\SysWOW64\Deafji32.dll | Jdfqomom.exe
File opened for modification | C:\Windows\SysWOW64\Mogqlgbi.exe | Macpcccp.exe
File created | C:\Windows\SysWOW64\Lindbn32.dll | Eimien32.exe
File opened for modification | C:\Windows\SysWOW64\Ppelfbol.exe | Pgjgapaa.exe
File created | C:\Windows\SysWOW64\Jocfda32.dll | Fniikj32.exe
File opened for modification | C:\Windows\SysWOW64\Alojlgii.exe |
File created | C:\Windows\SysWOW64\Bnnfdpgo.dll |
File opened for modification | C:\Windows\SysWOW64\Jmbhhl32.exe |
File opened for modification | C:\Windows\SysWOW64\Fhlogo32.exe | Epakcm32.exe
File created | C:\Windows\SysWOW64\Cemfnh32.exe | Cocnanmd.exe
File created | C:\Windows\SysWOW64\Dijbfk32.dll |
File created | C:\Windows\SysWOW64\Gobdjc32.dll |
File created | C:\Windows\SysWOW64\Cmolej32.dll | Jhlgnd32.exe
File created | C:\Windows\SysWOW64\Goemhfco.exe | Gdpikmci.exe
File opened for modification | C:\Windows\SysWOW64\Beignlig.exe | Akpfmnmh.exe
File created | C:\Windows\SysWOW64\Oaecdo32.dll | Omgfdhbq.exe
File created | C:\Windows\SysWOW64\Boppmf32.exe |
File created | C:\Windows\SysWOW64\Gjabnoie.dll |
File opened for modification | C:\Windows\SysWOW64\Gcankb32.exe | Gfmmanif.exe
File opened for modification | C:\Windows\SysWOW64\Omjgkjof.exe | Ofqonp32.exe
File opened for modification | C:\Windows\SysWOW64\Beccgi32.exe | Blkoocfl.exe
File opened for modification | C:\Windows\SysWOW64\Hfjfpkji.exe | Gmbagf32.exe
File created | C:\Windows\SysWOW64\Mgjpcf32.exe | Mnakjaoc.exe
File opened for modification | C:\Windows\SysWOW64\Fhcejjal.exe |
File created | C:\Windows\SysWOW64\Qiqpmp32.exe | Qcdgei32.exe
File created | C:\Windows\SysWOW64\Deanooeb.exe |
File created | C:\Windows\SysWOW64\Naeigf32.exe | Npdlpnnj.exe
File opened for modification | C:\Windows\SysWOW64\Mcddca32.exe |
File created | C:\Windows\SysWOW64\Bmjhod32.dll |
File created | C:\Windows\SysWOW64\Anfjpa32.exe | Adnegldo.exe
File opened for modification | C:\Windows\SysWOW64\Ankckagj.exe | Acfonhgd.exe
File opened for modification | C:\Windows\SysWOW64\Ijfpif32.exe | Ibklddof.exe
File created | C:\Windows\SysWOW64\Fpoleilj.exe | Fhdhqg32.exe
File created | C:\Windows\SysWOW64\Aodnfbpm.exe | Ajgfnk32.exe
File created | C:\Windows\SysWOW64\Gfmmanif.exe | Fleihi32.exe
File opened for modification | C:\Windows\SysWOW64\Qajfmbna.exe | Pdffcn32.exe
File created | C:\Windows\SysWOW64\Bqhbcqmj.exe | Biakbc32.exe
File opened for modification | C:\Windows\SysWOW64\Oamaan32.exe | Oefqlmpq.exe
File created | C:\Windows\SysWOW64\Clgngeed.dll |
File created | C:\Windows\SysWOW64\Gcebfqbd.exe |
Program crash (1 IoCs)
Processes:
pid pid_target Process procid_target
1080 3316 1575
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: Cmmcae32.exe, Ocpfmd32.exe, Emadjj32.exe, Iebmpcjc.exe, Gicpnhbb.exe, Hchpjddc.exe, Hhkakonn.exe, Ckpdej32.exe, Cjikaa32.exe, Ooncljom.exe, Aieihpgi.exe, Ihhlbegd.exe, Jemiiqmh.exe, Aofklbnj.exe, Oahpahel.exe, Ejcohe32.exe, Gpiadq32.exe, Lgabgl32.exe, Kaillp32.exe, Kekkkm32.exe, Aogpmcmb.exe, Dpnmoe32.exe, Kcnilhap.exe, Kboill32.exe, Mikjmi32.exe, Ejfnfn32.exe, Apllml32.exe, Jjgpjjak.exe, Migdig32.exe, Kaieai32.exe, Fdemap32.exe, Flnpoe32.exe, Dekeeonn.exe, Aqgqid32.exe, Jaoblk32.exe, Jbdadl32.exe, Bnjipn32.exe, Afamgpga.exe, Ileoknhh.exe
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cmmcae32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ocpfmd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Emadjj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language |
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language |
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language |
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iebmpcjc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gicpnhbb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hchpjddc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hhkakonn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ckpdej32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language |
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language |
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cjikaa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ooncljom.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aieihpgi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ihhlbegd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language |
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jemiiqmh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aofklbnj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oahpahel.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ejcohe32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gpiadq32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language |
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language |
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language |
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lgabgl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language |
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language |
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kaillp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kekkkm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aogpmcmb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dpnmoe32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language |
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language |
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language |
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kcnilhap.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language |
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language |
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kboill32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mikjmi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language |
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language |
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language |
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ejfnfn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Apllml32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jjgpjjak.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language |
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language |
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language |
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Migdig32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kaieai32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fdemap32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Flnpoe32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language |
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language |
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dekeeonn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aqgqid32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jaoblk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jbdadl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bnjipn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Afamgpga.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language |
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ileoknhh.exe
Modifies registry class (64 IoCs)
Processes: Fmfpnb32.exe, Qeglqpaj.exe, Cjifpdib.exe, Bpahad32.exe, Dlbaljhn.exe, Ibadnhmb.exe, Ljhngfkh.exe, Bcedbefd.exe, Milaecdp.exe, Iapfmg32.exe, Fbbcdh32.exe, Jcekbk32.exe, Ddbolkac.exe, Phmiimlf.exe, Hfmcapna.exe, Hnnoempk.exe, Mnkfcjqe.exe, Mgmbbkij.exe, Mgalnk32.exe, Gklnmgic.exe, Iopgjp32.exe, Knodnb32.exe, Ajjeld32.exe, Abpohb32.exe, Djaedbnj.exe, Nkmffegm.exe, Kejdqffo.exe, Ombjpd32.exe, Ckjnfobi.exe, Jjcigcmd.exe, Qakkncmi.exe, Olkjaflh.exe, Gjffbhnj.exe, Lkcgapjl.exe, Gicpnhbb.exe, Gpiffngk.exe, Hkdmaenk.exe, Pkbcjn32.exe, Bbpffhnb.exe, Bpbabf32.exe
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fmfpnb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Qeglqpaj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cjifpdib.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bpahad32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dlbaljhn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ibadnhmb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ljhngfkh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bcedbefd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Milaecdp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Iapfmg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfnife32.dll" | Fbbcdh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jcekbk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfnlkl32.dll" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Banaaa32.dll" | Ddbolkac.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Phmiimlf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hfmcapna.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hnnoempk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkhkco32.dll" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppfhfkhm.dll" | Mnkfcjqe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mgmbbkij.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faaeni32.dll" | Mgalnk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oppemb32.dll" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Logkbl32.dll" | Gklnmgic.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjhgio32.dll" | Iopgjp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Knodnb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fimamm32.dll" | Ajjeld32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Abpohb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbmhdi32.dll" | Djaedbnj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfioha32.dll" | Nkmffegm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmccoajo.dll" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opnjlnpf.dll" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kejdqffo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdodbj32.dll" | Ombjpd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ckjnfobi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Angohn32.dll" | Jjcigcmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Qakkncmi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibdapn32.dll" |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Olkjaflh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajodjfdi.dll" | Gjffbhnj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lkcgapjl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gicpnhbb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olmmho32.dll" | Gpiffngk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hkdmaenk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iopbaq32.dll" | Pkbcjn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqonafca.dll" | Bbpffhnb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcdekagh.dll" |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciagloib.dll" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bpbabf32.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\e82706209df1931d698cccaf5fbd3acca1c9ed37c388ca966059ba0fe2d46a0c.exe (command line: "C:\Users\Admin\AppData\Local\Temp\e82706209df1931d698cccaf5fbd3acca1c9ed37c388ca966059ba0fe2d46a0c.exe")
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1628
Level 2: C:\Windows\SysWOW64\Oklmhcdf.exe (command line: C:\Windows\system32\Oklmhcdf.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 872
Level 3: C:\Windows\SysWOW64\Olkjaflh.exe (command line: C:\Windows\system32\Olkjaflh.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 584
Level 4: C:\Windows\SysWOW64\Ohbjgg32.exe (command line: C:\Windows\system32\Ohbjgg32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 2964
Level 5: C:\Windows\SysWOW64\Odiklh32.exe (command line: C:\Windows\system32\Odiklh32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2924
Level 6: C:\Windows\SysWOW64\Pmfmej32.exe (command line: C:\Windows\system32\Pmfmej32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2512
Level 7: C:\Windows\SysWOW64\Pnfipm32.exe (command line: C:\Windows\system32\Pnfipm32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2536
Level 8: C:\Windows\SysWOW64\Pcenmcea.exe (command line: C:\Windows\system32\Pcenmcea.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1316
Level 9: C:\Windows\SysWOW64\Pcgkcccn.exe (command line: C:\Windows\system32\Pcgkcccn.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2984
Level 10: C:\Windows\SysWOW64\Qonlhd32.exe (command line: C:\Windows\system32\Qonlhd32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 3028
Level 11: C:\Windows\SysWOW64\Qifpqi32.exe (command line: C:\Windows\system32\Qifpqi32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1500
Level 12: C:\Windows\SysWOW64\Qqbeel32.exe (command line: C:\Windows\system32\Qqbeel32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1324
Level 13: C:\Windows\SysWOW64\Aepnkjcd.exe (command line: C:\Windows\system32\Aepnkjcd.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 696
Level 14: C:\Windows\SysWOW64\Acejlfhl.exe (command line: C:\Windows\system32\Acejlfhl.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1304
Level 15: C:\Windows\SysWOW64\Ammoel32.exe (command line: C:\Windows\system32\Ammoel32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 520
Level 16: C:\Windows\SysWOW64\Bboahbio.exe (command line: C:\Windows\system32\Bboahbio.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2436
Level 17: C:\Windows\SysWOW64\Bpbabf32.exe (command line: C:\Windows\system32\Bpbabf32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID: 2228
Level 18: C:\Windows\SysWOW64\Bebfpm32.exe (command line: C:\Windows\system32\Bebfpm32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 2148
Level 19: C:\Windows\SysWOW64\Bojkib32.exe (command line: C:\Windows\system32\Bojkib32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 1320
Level 20: C:\Windows\SysWOW64\Bomhnb32.exe (command line: C:\Windows\system32\Bomhnb32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 1004
Level 21: C:\Windows\SysWOW64\Bdipfi32.exe (command line: C:\Windows\system32\Bdipfi32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 2208
Level 22: C:\Windows\SysWOW64\Cihedpcg.exe (command line: C:\Windows\system32\Cihedpcg.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 1088
Level 23: C:\Windows\SysWOW64\Cpejfjha.exe (command line: C:\Windows\system32\Cpejfjha.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 2388
Level 24: C:\Windows\SysWOW64\Cedpdpdf.exe (command line: C:\Windows\system32\Cedpdpdf.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 1020
Level 25: C:\Windows\SysWOW64\Cpidai32.exe (command line: C:\Windows\system32\Cpidai32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 1528
Level 26: C:\Windows\SysWOW64\Dkcebg32.exe (command line: C:\Windows\system32\Dkcebg32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 2104
Level 27: C:\Windows\SysWOW64\Dlbaljhn.exe (command line: C:\Windows\system32\Dlbaljhn.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID: 2184
Level 28: C:\Windows\SysWOW64\Dekeeonn.exe (command line: C:\Windows\system32\Dekeeonn.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID: 2368
Level 29: C:\Windows\SysWOW64\Dkjkcfjc.exe (command line: C:\Windows\system32\Dkjkcfjc.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 3060
Level 30: C:\Windows\SysWOW64\Ddbolkac.exe (command line: C:\Windows\system32\Ddbolkac.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID: 2480
Level 31: C:\Windows\SysWOW64\Eplmflde.exe (command line: C:\Windows\system32\Eplmflde.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 3040
Level 32: C:\Windows\SysWOW64\Eqnillbb.exe (command line: C:\Windows\system32\Eqnillbb.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 2928
Level 33: C:\Windows\SysWOW64\Enhcnd32.exe (command line: C:\Windows\system32\Enhcnd32.exe)
- Executes dropped EXE
PID: 3004
Level 34: C:\Windows\SysWOW64\Fipdqmje.exe (command line: C:\Windows\system32\Fipdqmje.exe)
- Executes dropped EXE
PID: 2360
Level 35: C:\Windows\SysWOW64\Fmdfppkb.exe (command line: C:\Windows\system32\Fmdfppkb.exe)
- Executes dropped EXE
PID: 3020
Level 36: C:\Windows\SysWOW64\Gindjqnc.exe (command line: C:\Windows\system32\Gindjqnc.exe)
- Executes dropped EXE
PID: 432
Level 37: C:\Windows\SysWOW64\Gfadcemm.exe (command line: C:\Windows\system32\Gfadcemm.exe)
- Executes dropped EXE
PID: 2792
Level 38: C:\Windows\SysWOW64\Gpjilj32.exe (command line: C:\Windows\system32\Gpjilj32.exe)
- Executes dropped EXE
PID: 2600
Level 39: C:\Windows\SysWOW64\Geinjapb.exe (command line: C:\Windows\system32\Geinjapb.exe)
- Executes dropped EXE
PID: 1016
Level 40: C:\Windows\SysWOW64\Gjffbhnj.exe (command line: C:\Windows\system32\Gjffbhnj.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID: 1956
Level 41: C:\Windows\SysWOW64\Hdqhambg.exe (command line: C:\Windows\system32\Hdqhambg.exe)
- Executes dropped EXE
PID: 2412
Level 42: C:\Windows\SysWOW64\Hjkpng32.exe (command line: C:\Windows\system32\Hjkpng32.exe)
- Executes dropped EXE
PID: 2408
Level 43: C:\Windows\SysWOW64\Hpghfn32.exe (command line: C:\Windows\system32\Hpghfn32.exe)
- Executes dropped EXE
PID: 624
Level 44: C:\Windows\SysWOW64\Hmkiobge.exe (command line: C:\Windows\system32\Hmkiobge.exe)
- Executes dropped EXE
PID: 612
Level 45: C:\Windows\SysWOW64\Hbhagiem.exe (command line: C:\Windows\system32\Hbhagiem.exe)
- Executes dropped EXE
PID: 1364
Level 46: C:\Windows\SysWOW64\Hmneebeb.exe (command line: C:\Windows\system32\Hmneebeb.exe)
- Executes dropped EXE
PID: 2520
Level 47: C:\Windows\SysWOW64\Hbknmicj.exe (command line: C:\Windows\system32\Hbknmicj.exe)
- Executes dropped EXE
PID: 1708
Level 48: C:\Windows\SysWOW64\Hmpbja32.exe (command line: C:\Windows\system32\Hmpbja32.exe)
- Executes dropped EXE
PID: 2448
Level 49: C:\Windows\SysWOW64\Ifhgcgjq.exe (command line: C:\Windows\system32\Ifhgcgjq.exe)
- Executes dropped EXE
PID: 892
Level 50: C:\Windows\SysWOW64\Ileoknhh.exe (command line: C:\Windows\system32\Ileoknhh.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 2236
Level 51: C:\Windows\SysWOW64\Iboghh32.exe (command line: C:\Windows\system32\Iboghh32.exe)
- Executes dropped EXE
PID: 2164
Level 52: C:\Windows\SysWOW64\Ilhlan32.exe (command line: C:\Windows\system32\Ilhlan32.exe)
- Executes dropped EXE
PID: 1588
Level 53: C:\Windows\SysWOW64\Ibadnhmb.exe (command line: C:\Windows\system32\Ibadnhmb.exe)
- Executes dropped EXE
- Modifies registry class
PID: 2940
Level 54: C:\Windows\SysWOW64\Iljifm32.exe (command line: C:\Windows\system32\Iljifm32.exe)
- Executes dropped EXE
PID: 2836
Level 55: C:\Windows\SysWOW64\Iebmpcjc.exe (command line: C:\Windows\system32\Iebmpcjc.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 2840
Level 56: C:\Windows\SysWOW64\Ikoehj32.exe (command line: C:\Windows\system32\Ikoehj32.exe)
- Executes dropped EXE
PID: 2988
Level 57: C:\Windows\SysWOW64\Idgjqook.exe (command line: C:\Windows\system32\Idgjqook.exe)
- Executes dropped EXE
PID: 2332
Level 58: C:\Windows\SysWOW64\Jakjjcnd.exe (command line: C:\Windows\system32\Jakjjcnd.exe)
- Executes dropped EXE
PID: 2344
Level 59: C:\Windows\SysWOW64\Jkdoci32.exe (command line: C:\Windows\system32\Jkdoci32.exe)
- Executes dropped EXE
PID: 840
Level 60: C:\Windows\SysWOW64\Jdlclo32.exe (command line: C:\Windows\system32\Jdlclo32.exe)
- Executes dropped EXE
PID: 564
Level 61: C:\Windows\SysWOW64\Jempcgad.exe (command line: C:\Windows\system32\Jempcgad.exe)
- Executes dropped EXE
PID: 2216
Level 62: C:\Windows\SysWOW64\Jgmlmj32.exe (command line: C:\Windows\system32\Jgmlmj32.exe)
- Executes dropped EXE
PID: 1964
Level 63: C:\Windows\SysWOW64\Jhniebne.exe (command line: C:\Windows\system32\Jhniebne.exe)
- Executes dropped EXE
PID: 1716
Level 64: C:\Windows\SysWOW64\Jafmngde.exe (command line: C:\Windows\system32\Jafmngde.exe)
- Executes dropped EXE
PID: 1420
Level 65: C:\Windows\SysWOW64\Jkobgm32.exe (command line: C:\Windows\system32\Jkobgm32.exe)
- Executes dropped EXE
PID: 2584
Level 66: C:\Windows\SysWOW64\Kfdfdf32.exe (command line: C:\Windows\system32\Kfdfdf32.exe)
PID: 2604
Level 67: C:\Windows\SysWOW64\Kfgcieii.exe (command line: C:\Windows\system32\Kfgcieii.exe)
PID: 2752
Level 68: C:\Windows\SysWOW64\Kghoan32.exe (command line: C:\Windows\system32\Kghoan32.exe)
PID: 2608
Level 69: C:\Windows\SysWOW64\Kqqdjceh.exe (command line: C:\Windows\system32\Kqqdjceh.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 1828
Level 70: C:\Windows\SysWOW64\Kkfhglen.exe (command line: C:\Windows\system32\Kkfhglen.exe)
PID: 1616
Level 71: C:\Windows\SysWOW64\Kcamln32.exe (command line: C:\Windows\system32\Kcamln32.exe)
PID: 2496
Level 72: C:\Windows\SysWOW64\Kkhdml32.exe (command line: C:\Windows\system32\Kkhdml32.exe)
PID: 2152
Level 73: C:\Windows\SysWOW64\Kccian32.exe (command line: C:\Windows\system32\Kccian32.exe)
PID: 2272
Level 74: C:\Windows\SysWOW64\Lmlnjcgg.exe (command line: C:\Windows\system32\Lmlnjcgg.exe)
PID: 1492
Level 75: C:\Windows\SysWOW64\Lgabgl32.exe (command line: C:\Windows\system32\Lgabgl32.exe)
- System Location Discovery: System Language Discovery
PID: 1652
Level 76: C:\Windows\SysWOW64\Lqjfpbmm.exe (command line: C:\Windows\system32\Lqjfpbmm.exe)
PID: 1832
Level 77: C:\Windows\SysWOW64\Lffohikd.exe (command line: C:\Windows\system32\Lffohikd.exe)
PID: 1340
Level 78: C:\Windows\SysWOW64\Lkcgapjl.exe (command line: C:\Windows\system32\Lkcgapjl.exe)
- Modifies registry class
PID: 2032
Level 79: C:\Windows\SysWOW64\Lighjd32.exe (command line: C:\Windows\system32\Lighjd32.exe)
PID: 1396
Level 80: C:\Windows\SysWOW64\Lpapgnpb.exe (command line: C:\Windows\system32\Lpapgnpb.exe)
PID: 2176
Level 81: C:\Windows\SysWOW64\Lijepc32.exe (command line: C:\Windows\system32\Lijepc32.exe)
PID: 2700
Level 82: C:\Windows\SysWOW64\Lnfmhj32.exe (command line: C:\Windows\system32\Lnfmhj32.exe)
PID: 1356
Level 83: C:\Windows\SysWOW64\Milaecdp.exe (command line: C:\Windows\system32\Milaecdp.exe)
- Modifies registry class
PID: 2300
Level 84: C:\Windows\SysWOW64\Mjmnmk32.exe (command line: C:\Windows\system32\Mjmnmk32.exe)
PID: 2072
Level 85: C:\Windows\SysWOW64\Mcfbfaao.exe (command line: C:\Windows\system32\Mcfbfaao.exe)
PID: 2704
Level 86: C:\Windows\SysWOW64\Mnkfcjqe.exe (command line: C:\Windows\system32\Mnkfcjqe.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID: 2140
Level 87: C:\Windows\SysWOW64\Mhckloge.exe (command line: C:\Windows\system32\Mhckloge.exe)
PID: 2936
Level 88: C:\Windows\SysWOW64\Mmpcdfem.exe (command line: C:\Windows\system32\Mmpcdfem.exe)
PID: 2192
Level 89: C:\Windows\SysWOW64\Mhfhaoec.exe (command line: C:\Windows\system32\Mhfhaoec.exe)
PID: 2180
Level 90: C:\Windows\SysWOW64\Migdig32.exe (command line: C:\Windows\system32\Migdig32.exe)
- System Location Discovery: System Language Discovery
PID: 2972
Level 91: C:\Windows\SysWOW64\Mbpibm32.exe (command line: C:\Windows\system32\Mbpibm32.exe)
PID: 1192
Level 92: C:\Windows\SysWOW64\Mmemoe32.exe (command line: C:\Windows\system32\Mmemoe32.exe)
PID: 1952
Level 93: C:\Windows\SysWOW64\Nfmahkhh.exe (command line: C:\Windows\system32\Nfmahkhh.exe)
PID: 1400
Level 94: C:\Windows\SysWOW64\Npffaq32.exe (command line: C:\Windows\system32\Npffaq32.exe)
PID: 2336
Level 95: C:\Windows\SysWOW64\Nhakecld.exe (command line: C:\Windows\system32\Nhakecld.exe)
PID: 1760
Level 96: C:\Windows\SysWOW64\Nokcbm32.exe (command line: C:\Windows\system32\Nokcbm32.exe)
PID: 2672
Level 97: C:\Windows\SysWOW64\Nlocka32.exe (command line: C:\Windows\system32\Nlocka32.exe)
PID: 1600
Level 98: C:\Windows\SysWOW64\Nomphm32.exe (command line: C:\Windows\system32\Nomphm32.exe)
PID: 2780
Level 99: C:\Windows\SysWOW64\Nlapaapg.exe (command line: C:\Windows\system32\Nlapaapg.exe)
PID: 1672
Level 100: C:\Windows\SysWOW64\Nmbmii32.exe (command line: C:\Windows\system32\Nmbmii32.exe)
PID: 2224
Level 101: C:\Windows\SysWOW64\Nejdjf32.exe (command line: C:\Windows\system32\Nejdjf32.exe)
PID: 2956
Level 102: C:\Windows\SysWOW64\Okfmbm32.exe (command line: C:\Windows\system32\Okfmbm32.exe)
PID: 2832
Level 103: C:\Windows\SysWOW64\Oaqeogll.exe (command line: C:\Windows\system32\Oaqeogll.exe)
PID: 944
Level 104: C:\Windows\SysWOW64\Ohjmlaci.exe (command line: C:\Windows\system32\Ohjmlaci.exe)
PID: 1784
Level 105: C:\Windows\SysWOW64\Omgfdhbq.exe (command line: C:\Windows\system32\Omgfdhbq.exe)
- Drops file in System32 directory
PID: 2316
Level 106: C:\Windows\SysWOW64\Odanqb32.exe (command line: C:\Windows\system32\Odanqb32.exe)
PID: 2676
Level 107: C:\Windows\SysWOW64\Pdajpf32.exe (command line: C:\Windows\system32\Pdajpf32.exe)
PID: 2308
Level 108: C:\Windows\SysWOW64\Pkkblp32.exe (command line: C:\Windows\system32\Pkkblp32.exe)
PID: 2476
Level 109: C:\Windows\SysWOW64\Pqjhjf32.exe (command line: C:\Windows\system32\Pqjhjf32.exe)
PID: 1868
Level 110: C:\Windows\SysWOW64\Pjblcl32.exe (command line: C:\Windows\system32\Pjblcl32.exe)
PID: 1064
Level 111: C:\Windows\SysWOW64\Qqldpfmh.exe (command line: C:\Windows\system32\Qqldpfmh.exe)
PID: 1808
Level 112: C:\Windows\SysWOW64\Qfimhmlo.exe (command line: C:\Windows\system32\Qfimhmlo.exe)
PID: 2424
Level 113: C:\Windows\SysWOW64\Qcmnaaji.exe (command line: C:\Windows\system32\Qcmnaaji.exe)
PID: 2212
Level 114: C:\Windows\SysWOW64\Ajgfnk32.exe (command line: C:\Windows\system32\Ajgfnk32.exe)
- Drops file in System32 directory
PID: 556
Level 115: C:\Windows\SysWOW64\Aodnfbpm.exe (command line: C:\Windows\system32\Aodnfbpm.exe)
PID: 1944
Level 116: C:\Windows\SysWOW64\Ajibckpc.exe (command line: C:\Windows\system32\Ajibckpc.exe)
PID: 1436
Level 117: C:\Windows\SysWOW64\Aofklbnj.exe (command line: C:\Windows\system32\Aofklbnj.exe)
- System Location Discovery: System Language Discovery
PID: 2664
Level 118: C:\Windows\SysWOW64\Aioodg32.exe (command line: C:\Windows\system32\Aioodg32.exe)
PID: 2268
Level 119: C:\Windows\SysWOW64\Aoihaa32.exe (command line: C:\Windows\system32\Aoihaa32.exe)
PID: 864
Level 120: C:\Windows\SysWOW64\Aeepjh32.exe (command line: C:\Windows\system32\Aeepjh32.exe)
PID: 1800
Level 121: C:\Windows\SysWOW64\Aokdga32.exe (command line: C:\Windows\system32\Aokdga32.exe)
PID: 2544
Level 122: C:\Windows\SysWOW64\Abiqcm32.exe (command line: C:\Windows\system32\Abiqcm32.exe)
PID: 2056