Analysis
-
max time kernel
94s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
24-11-2024 15:56
Behavioral task
behavioral1
Sample
71494c49c84d730df2219b1a5b52f9b72d164625896ed6ff3f1fcce561b52710N.exe
Resource
win7-20240903-en
windows7-x64
12 signatures
120 seconds
General
-
Target
71494c49c84d730df2219b1a5b52f9b72d164625896ed6ff3f1fcce561b52710N.exe
-
Size
93KB
-
MD5
72290b0db2ea6041424c0a127c1d0ca0
-
SHA1
3eb98107143a227cdbd20e4dd32dacbaf9f288b6
-
SHA256
71494c49c84d730df2219b1a5b52f9b72d164625896ed6ff3f1fcce561b52710
-
SHA512
42d614c6aa67455f3b9d7fa47ae8f77874fedb8d823436ddd33afcde6c3e8ce50be9574bc419519dfbe22a0f6cca8715772c863da4895995fcd19b1ecb822c91
-
SSDEEP
1536:dPQfrAj8xitD9SuiLZ1cadOfMJks1DaYfMZRWuLsV+1Z:1QfO8siN1cadO9sgYfc0DV+1Z
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Jhpqaiji.exeKjccdkki.exeFdbkja32.exeImiehfao.exeMnhkbfme.exeNghekkmn.exeMhppji32.exeOidofh32.exeNhdlao32.exeMgehfkop.exeKpiqfima.exeFipbdikp.exeDkdliame.exeMmbanbmg.exeDhikci32.exeAcqgojmb.exeCdhffg32.exeAmfjeobf.exeEfccmidp.exeMfqlfb32.exeFndpmndl.exeAcmobchj.exeMmkkmc32.exeGnnccl32.exeMablfnne.exePeahgl32.exePocpfphe.exeLedepn32.exeEjjaqk32.exeLkalplel.exeIomoenej.exeAagkhd32.exeNhnlkfpp.exeNafjjf32.exeIikmbh32.exeBgnffj32.exeNohehq32.exeGljgbllj.exeJnkldqkc.exeDjcoai32.exeNlfnaicd.exeOogpjbbb.exeMmpmnl32.exeAmnebo32.exeAcilajpk.exeFnnjmbpm.exeBddcenpi.exeGiecfejd.exePpikbm32.exeFggdpnkf.exeAajhndkb.exeFniihmpf.exeGlhimp32.exeFnalmh32.exeEfepbi32.exeOfkgcobj.exePhonha32.exeDafppp32.exeDhgonidg.exeIondqhpl.exePiocecgj.exeCnindhpg.exeGeldkfpi.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhpqaiji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjccdkki.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdbkja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imiehfao.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnhkbfme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nghekkmn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhppji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oidofh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhdlao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgehfkop.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpiqfima.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fipbdikp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkdliame.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmbanbmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhikci32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acqgojmb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdhffg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amfjeobf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efccmidp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfqlfb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fndpmndl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acmobchj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmkkmc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnnccl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mablfnne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Peahgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pocpfphe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ledepn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejjaqk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkalplel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iomoenej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aagkhd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhnlkfpp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nafjjf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iikmbh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgnffj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nohehq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gljgbllj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pocpfphe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnkldqkc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djcoai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlfnaicd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oogpjbbb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmpmnl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amnebo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acilajpk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnnjmbpm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bddcenpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Giecfejd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppikbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fggdpnkf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aajhndkb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fniihmpf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glhimp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnalmh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efepbi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofkgcobj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phonha32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dafppp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhgonidg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iondqhpl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piocecgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnindhpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Geldkfpi.exe -
Berbew family
-
Njrat family
-
Executes dropped EXE 64 IoCs
Processes:
Loeolc32.exeLikcilhh.exeLbchba32.exeMhppji32.exeMojhgbdl.exeMedqcmki.exeMlnipg32.exeMfcmmp32.exeMhdjehhj.exeMoobbb32.exeMehjol32.exeMlbbkfoq.exeMfhfhong.exeMpqkad32.exeNemcjk32.exeNpchgdcd.exeNgmpcn32.exeNhnlkfpp.exeNohehq32.exeNiniei32.exeNojanpej.exeNhbfff32.exeNpjnhc32.exeNibbqicm.exeNplkmckj.exeNcjginjn.exeOidofh32.exeOoagno32.exeOekpkigo.exeOlehhc32.exeOocddono.exeOenlqi32.exeOhlimd32.exeOpcqnb32.exeOcamjm32.exeOepifi32.exeOpemca32.exeOohnonij.exeOgpepl32.exeOhqbhdpj.exeOphjiaql.exePedbahod.exePgdokkfg.exePhelcc32.exePoodpmca.exePpopjp32.exePoaqemao.exePhjenbhp.exePgkelj32.exePhlacbfm.exePqcjepfo.exeQljjjqlc.exeQcdbfk32.exeQjnkcekm.exeQqhcpo32.exeAokcklid.exeAjqgidij.exeAcilajpk.exeAhfdjanb.exeAopmfk32.exeAggegh32.exeAmcmpodi.exeAcnemi32.exeAmfjeobf.exepid Process 1764 Loeolc32.exe 5044 Likcilhh.exe 4780 Lbchba32.exe 1292 Mhppji32.exe 1488 Mojhgbdl.exe 3024 Medqcmki.exe 4752 Mlnipg32.exe 2992 Mfcmmp32.exe 2584 Mhdjehhj.exe 3316 Moobbb32.exe 1932 Mehjol32.exe 2508 Mlbbkfoq.exe 4208 Mfhfhong.exe 2016 Mpqkad32.exe 748 Nemcjk32.exe 2100 Npchgdcd.exe 2180 Ngmpcn32.exe 2024 Nhnlkfpp.exe 2320 Nohehq32.exe 4600 Niniei32.exe 4512 Nojanpej.exe 2972 Nhbfff32.exe 644 Npjnhc32.exe 1856 Nibbqicm.exe 2996 Nplkmckj.exe 4952 Ncjginjn.exe 1512 Oidofh32.exe 1844 Ooagno32.exe 1980 Oekpkigo.exe 3548 Olehhc32.exe 4680 Oocddono.exe 3492 Oenlqi32.exe 1072 Ohlimd32.exe 4740 Opcqnb32.exe 928 Ocamjm32.exe 3716 Oepifi32.exe 4432 Opemca32.exe 3912 Oohnonij.exe 4720 Ogpepl32.exe 2764 Ohqbhdpj.exe 3508 Ophjiaql.exe 4068 Pedbahod.exe 3404 Pgdokkfg.exe 5020 Phelcc32.exe 4932 Poodpmca.exe 4744 Ppopjp32.exe 2912 Poaqemao.exe 3116 Phjenbhp.exe 2932 Pgkelj32.exe 2644 Phlacbfm.exe 2592 Pqcjepfo.exe 2476 Qljjjqlc.exe 4732 Qcdbfk32.exe 3544 Qjnkcekm.exe 976 Qqhcpo32.exe 4384 Aokcklid.exe 3448 Ajqgidij.exe 1316 Acilajpk.exe 808 Ahfdjanb.exe 3988 Aopmfk32.exe 1412 Aggegh32.exe 3708 Amcmpodi.exe 844 Acnemi32.exe 4696 Amfjeobf.exe -
Drops file in System32 directory 64 IoCs
Processes:
Mqfpckhm.exeHnlodjpa.exeNciopppp.exeAfappe32.exeJmeede32.exeBddcenpi.exeBhblllfo.exeLhnhajba.exeObnehj32.exePamiaboj.exePolppg32.exeGpcfmkff.exeIloidijb.exeMmkkmc32.exeOpeiadfg.exeAidehpea.exeGahcmd32.exeDdadpdmn.exeFkihnmhj.exeBhldpj32.exeBddjpd32.exeFkfcqb32.exeGndick32.exeBjfogbjb.exeCpbbch32.exeHaodle32.exeIondqhpl.exeHlepcdoa.exeEiildjag.exeOemefcap.exeKflide32.exeAdfgdpmi.exeDkkaiphj.exeDgihop32.exeFdkdibjp.exeLikcilhh.exeHcblpdgg.exeLqkgbcff.exePmcclm32.exeBmeandma.exeNqmojd32.exeNfqnbjfi.exeOhqbhdpj.exeFdepgkgj.exeAknifq32.exeDkpjdo32.exeHjchaf32.exePocpfphe.exeFijkdmhn.exeKoonge32.exeDfamapjo.exeLckiihok.exeNqmfdj32.exeHbnaeh32.exeDdgplado.exeDannij32.exeGgilil32.exeIkqqlgem.exePhganm32.exeHiiggoaf.exeJpaleglc.exedescription ioc Process File opened for modification C:\Windows\SysWOW64\Mfchlbfd.exe Mqfpckhm.exe File opened for modification C:\Windows\SysWOW64\Hajkqfoe.exe Hnlodjpa.exe File created C:\Windows\SysWOW64\Cnokmj32.dll Nciopppp.exe File created C:\Windows\SysWOW64\Ajmladbl.exe Afappe32.exe File created C:\Windows\SysWOW64\Jofalmmp.exe Jmeede32.exe File created C:\Windows\SysWOW64\Fgijpe32.dll Bddcenpi.exe File created C:\Windows\SysWOW64\Cklgfgfg.dll Bhblllfo.exe File created C:\Windows\SysWOW64\Lohqnd32.exe Lhnhajba.exe File created C:\Windows\SysWOW64\Nblolm32.exe Nciopppp.exe File created C:\Windows\SysWOW64\Omdieb32.exe Obnehj32.exe File created C:\Windows\SysWOW64\Macgaopp.dll Pamiaboj.exe File created C:\Windows\SysWOW64\Qhkjegqi.dll Polppg32.exe File opened for modification C:\Windows\SysWOW64\Gljgbllj.exe Gpcfmkff.exe File created C:\Windows\SysWOW64\Abakhdbk.dll Iloidijb.exe File created C:\Windows\SysWOW64\Chmbeqne.dll Mmkkmc32.exe File created C:\Windows\SysWOW64\Pnpkdp32.dll Opeiadfg.exe File opened for modification C:\Windows\SysWOW64\Aalmimfd.exe Aidehpea.exe File created C:\Windows\SysWOW64\Hkpheidp.exe Gahcmd32.exe File created C:\Windows\SysWOW64\Nbjklp32.dll Ddadpdmn.exe File created C:\Windows\SysWOW64\Ecjddk32.dll Fkihnmhj.exe File created C:\Windows\SysWOW64\Njiekege.dll Bhldpj32.exe File opened for modification C:\Windows\SysWOW64\Bllbaa32.exe Bddjpd32.exe File created C:\Windows\SysWOW64\Lhpapf32.dll Fkfcqb32.exe File created C:\Windows\SysWOW64\Gijmad32.exe Gndick32.exe File created C:\Windows\SysWOW64\Podbibma.dll Bjfogbjb.exe File created C:\Windows\SysWOW64\Dmloej32.dll Cpbbch32.exe File created C:\Windows\SysWOW64\Hldiinke.exe Haodle32.exe File opened for modification C:\Windows\SysWOW64\Iehmmb32.exe Iondqhpl.exe File opened for modification C:\Windows\SysWOW64\Hoclopne.exe Hlepcdoa.exe File opened for modification C:\Windows\SysWOW64\Epcdqd32.exe Eiildjag.exe File created C:\Windows\SysWOW64\Olgncmim.exe Oemefcap.exe File created C:\Windows\SysWOW64\Kncaec32.exe Kflide32.exe File created C:\Windows\SysWOW64\Dnkdmlfj.dll Adfgdpmi.exe File created C:\Windows\SysWOW64\Mnokmd32.dll Dkkaiphj.exe File created C:\Windows\SysWOW64\Ncjiib32.dll Dgihop32.exe File created C:\Windows\SysWOW64\Fgiaemic.exe Fdkdibjp.exe File created C:\Windows\SysWOW64\Bfpjcbmh.dll Likcilhh.exe File created C:\Windows\SysWOW64\Iljpij32.exe Hcblpdgg.exe File created C:\Windows\SysWOW64\Iaghgm32.dll Lqkgbcff.exe File opened for modification C:\Windows\SysWOW64\Phigif32.exe Pmcclm32.exe File opened for modification C:\Windows\SysWOW64\Bgnffj32.exe Bmeandma.exe File created C:\Windows\SysWOW64\Debcil32.dll Nqmojd32.exe File created C:\Windows\SysWOW64\Ocgjojai.dll Nfqnbjfi.exe File opened for modification C:\Windows\SysWOW64\Ophjiaql.exe Ohqbhdpj.exe File created C:\Windows\SysWOW64\Flakaffp.dll Fdepgkgj.exe File created C:\Windows\SysWOW64\Aahbbkaq.exe Aknifq32.exe File opened for modification C:\Windows\SysWOW64\Dpmcmf32.exe Dkpjdo32.exe File created C:\Windows\SysWOW64\Hajpbckl.exe Hjchaf32.exe File created C:\Windows\SysWOW64\Pmmanjof.dll Pocpfphe.exe File created C:\Windows\SysWOW64\Dmkalh32.dll Fijkdmhn.exe File opened for modification C:\Windows\SysWOW64\Kamjda32.exe Koonge32.exe File created C:\Windows\SysWOW64\Epjajeqo.exe Dfamapjo.exe File created C:\Windows\SysWOW64\Kbmimp32.dll Lckiihok.exe File created C:\Windows\SysWOW64\Nggnadib.exe Nqmfdj32.exe File created C:\Windows\SysWOW64\Hajkqfoe.exe Hnlodjpa.exe File opened for modification C:\Windows\SysWOW64\Hihibbjo.exe Hbnaeh32.exe File created C:\Windows\SysWOW64\Dmohno32.exe Ddgplado.exe File created C:\Windows\SysWOW64\Dmdnjdgj.dll Dannij32.exe File opened for modification C:\Windows\SysWOW64\Fmgejhgn.exe Fkihnmhj.exe File created C:\Windows\SysWOW64\Dcdepb32.dll Ggilil32.exe File created C:\Windows\SysWOW64\Iakiia32.exe Ikqqlgem.exe File opened for modification C:\Windows\SysWOW64\Poajkgnc.exe Phganm32.exe File created C:\Windows\SysWOW64\Hlhccj32.exe Hiiggoaf.exe File created C:\Windows\SysWOW64\Flafeh32.dll Jpaleglc.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target Process procid_target 6440 6968 WerFault.exe 1116 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Djcoai32.exeKiikpnmj.exeAoofle32.exeIknmla32.exePeahgl32.exeGiecfejd.exeGpgind32.exeIikmbh32.exeEjflhm32.exeMecjif32.exeEmnbdioi.exeFideeaco.exeJknfcofa.exeAkpoaj32.exeEbaplnie.exeFmnkkg32.exeDcigeooj.exeBllbaa32.exeOjhiogdd.exeIakiia32.exeHmkigh32.exeEphbhd32.exeAokcklid.exeBmofagfp.exeHcmbee32.exeJqhafffk.exeHlegnjbm.exeIpjoja32.exeKjpijpdg.exeManmoq32.exeKodnmkap.exeFniihmpf.exeJbagbebm.exeBppfmigl.exeIgigla32.exeBgbpaipl.exeEbdlangb.exePhjenbhp.exePmcclm32.exePaeelgnj.exeFajbjh32.exePcgdhkem.exeHajpbckl.exeHdilnojp.exeNjjdho32.exeMapppn32.exeAcccdj32.exeKghjhemo.exeQcclld32.exeMmkkmc32.exeOblhcj32.exePqbala32.exeEnjfli32.exeHjhalefe.exeKngkqbgl.exeNbnlaldg.exeJlgoek32.exeEigonjcj.exeLcggio32.exeAhfmpnql.exeOcnabm32.exeCdhffg32.exeKgmcce32.exeMlpokp32.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djcoai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kiikpnmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoofle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iknmla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Peahgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Giecfejd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpgind32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iikmbh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejflhm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mecjif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emnbdioi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fideeaco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jknfcofa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akpoaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebaplnie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmnkkg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcigeooj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bllbaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojhiogdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iakiia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmkigh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ephbhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aokcklid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmofagfp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcmbee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqhafffk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlegnjbm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipjoja32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjpijpdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Manmoq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kodnmkap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fniihmpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbagbebm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bppfmigl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igigla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgbpaipl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebdlangb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phjenbhp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmcclm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paeelgnj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fajbjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcgdhkem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hajpbckl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdilnojp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njjdho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mapppn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acccdj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kghjhemo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcclld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmkkmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oblhcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pqbala32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enjfli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjhalefe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kngkqbgl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbnlaldg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlgoek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eigonjcj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcggio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahfmpnql.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocnabm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdhffg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgmcce32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlpokp32.exe -
Modifies registry class 64 IoCs
Processes:
Bmofagfp.exeGipdap32.exeOjomcopk.exeGaebef32.exeMmbanbmg.exeQclmck32.exeKgninn32.exeCkhecmcf.exeEnbjad32.exeDhphmj32.exeKheekkjl.exeOqmhqapg.exeCcblbb32.exeDaollh32.exeQljjjqlc.exeBkoigdom.exeIknmla32.exeDnpdegjp.exeHoaojp32.exeLhcali32.exeDknnoofg.exeKjpijpdg.exeGlcaambb.exeOhlqcagj.exeAdhdjpjf.exeBajqda32.exeJeocna32.exeMhilfa32.exeKnhakh32.exeGlbjggof.exeAmjbbfgo.exePcmeke32.exeIgbalblk.exeMmkkmc32.exePhlacbfm.exeLgffic32.exePknqoc32.exeKoonge32.exeNblolm32.exeLbchba32.exeIggjga32.exePmaffnce.exeBllbaa32.exeDbpjaeoc.exeDkcndeen.exeMljmhflh.exeMpqkad32.exeOhqbhdpj.exeIphioh32.exeOjgjndno.exeBddjpd32.exeEnjfli32.exeLankbigo.exeAlqjpi32.exeBmabggdm.exePmcclm32.exeJllokajf.exeLqkqhm32.exeOcjoadei.exeNohehq32.exeNpjnhc32.exeFalcae32.exeHhiajmod.exeLaqhhi32.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmofagfp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gipdap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ojomcopk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgpilmfi.dll" Gaebef32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmbanbmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcomgibl.dll" Qclmck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmeoam32.dll" Kgninn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkhpjc32.dll" Ckhecmcf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Enbjad32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhphmj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kheekkjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdpoomj.dll" Oqmhqapg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ccblbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Daollh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooiolbic.dll" Qljjjqlc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkoigdom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iknmla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeciaina.dll" Dnpdegjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hoaojp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhcali32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjbaohka.dll" Dknnoofg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibgpcd32.dll" Kjpijpdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Glcaambb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohlqcagj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Adhdjpjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kolfbd32.dll" Bajqda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Falmlm32.dll" Jeocna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anbpqqmm.dll" Mhilfa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knhakh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Glbjggof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbfpagon.dll" Amjbbfgo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pcmeke32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igbalblk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmkkmc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phlacbfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgffic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pknqoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjmkmfbo.dll" Koonge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nblolm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lbchba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iggjga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmaffnce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiffheej.dll" Bllbaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hicpnnio.dll" Dbpjaeoc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkcndeen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbbnpn32.dll" Mljmhflh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpqkad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohqbhdpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iphioh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojgjndno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bddjpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Enjfli32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lankbigo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Alqjpi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmabggdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emhgcipb.dll" Pmcclm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jllokajf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lqkqhm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ocjoadei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nohehq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmfgbl32.dll" Npjnhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Falcae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pebndcpg.dll" Hhiajmod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jadelk32.dll" Laqhhi32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
71494c49c84d730df2219b1a5b52f9b72d164625896ed6ff3f1fcce561b52710N.exeLoeolc32.exeLikcilhh.exeLbchba32.exeMhppji32.exeMojhgbdl.exeMedqcmki.exeMlnipg32.exeMfcmmp32.exeMhdjehhj.exeMoobbb32.exeMehjol32.exeMlbbkfoq.exeMfhfhong.exeMpqkad32.exeNemcjk32.exeNpchgdcd.exeNgmpcn32.exeNhnlkfpp.exeNohehq32.exeNiniei32.exeNojanpej.exedescription pid Process procid_target PID 1168 wrote to memory of 1764 1168 71494c49c84d730df2219b1a5b52f9b72d164625896ed6ff3f1fcce561b52710N.exe 85 PID 1168 wrote to memory of 1764 1168 71494c49c84d730df2219b1a5b52f9b72d164625896ed6ff3f1fcce561b52710N.exe 85 PID 1168 wrote to memory of 1764 1168 71494c49c84d730df2219b1a5b52f9b72d164625896ed6ff3f1fcce561b52710N.exe 85 PID 1764 wrote to memory of 5044 1764 Loeolc32.exe 86 PID 1764 wrote to memory of 5044 1764 Loeolc32.exe 86 PID 1764 wrote to memory of 5044 1764 Loeolc32.exe 86 PID 5044 wrote to memory of 4780 5044 Likcilhh.exe 87 PID 5044 wrote to memory of 4780 5044 Likcilhh.exe 87 PID 5044 wrote to memory of 4780 5044 Likcilhh.exe 87 PID 4780 wrote to memory of 1292 4780 Lbchba32.exe 88 PID 4780 wrote to memory of 1292 4780 Lbchba32.exe 88 PID 4780 wrote to memory of 1292 4780 Lbchba32.exe 88 PID 1292 wrote to memory of 1488 1292 Mhppji32.exe 89 PID 1292 wrote to memory of 1488 1292 Mhppji32.exe 89 PID 1292 wrote to memory of 1488 1292 Mhppji32.exe 89 PID 1488 wrote to memory of 3024 1488 Mojhgbdl.exe 90 PID 1488 wrote to memory of 3024 1488 Mojhgbdl.exe 90 PID 1488 wrote to memory of 3024 1488 Mojhgbdl.exe 90 PID 3024 wrote to memory of 4752 3024 Medqcmki.exe 91 PID 3024 wrote to memory of 4752 3024 Medqcmki.exe 91 PID 3024 wrote to memory of 4752 3024 Medqcmki.exe 91 PID 4752 wrote to memory of 2992 4752 Mlnipg32.exe 92 PID 4752 wrote to memory of 2992 4752 Mlnipg32.exe 92 PID 4752 wrote to memory of 2992 4752 Mlnipg32.exe 92 PID 2992 wrote to memory of 2584 2992 Mfcmmp32.exe 93 PID 2992 wrote to memory of 2584 2992 Mfcmmp32.exe 93 PID 2992 wrote to memory of 2584 2992 Mfcmmp32.exe 93 PID 2584 wrote to memory of 3316 2584 Mhdjehhj.exe 94 PID 2584 wrote to memory of 3316 2584 Mhdjehhj.exe 94 PID 2584 wrote to memory of 3316 2584 Mhdjehhj.exe 94 PID 3316 wrote to memory of 1932 3316 Moobbb32.exe 95 PID 3316 wrote to memory of 1932 3316 Moobbb32.exe 95 PID 3316 wrote to memory of 1932 3316 Moobbb32.exe 95 PID 1932 wrote to memory of 2508 1932 Mehjol32.exe 96 PID 1932 wrote to memory of 2508 1932 Mehjol32.exe 96 PID 1932 wrote to memory of 2508 1932 Mehjol32.exe 96 PID 2508 wrote to memory of 4208 2508 Mlbbkfoq.exe 97 PID 2508 wrote to memory of 4208 2508 Mlbbkfoq.exe 97 PID 2508 wrote to memory of 4208 2508 Mlbbkfoq.exe 97 PID 4208 wrote to memory of 2016 4208 Mfhfhong.exe 98 PID 4208 wrote to memory of 2016 4208 Mfhfhong.exe 98 PID 4208 wrote to memory of 2016 4208 Mfhfhong.exe 98 PID 2016 wrote to memory of 748 2016 Mpqkad32.exe 99 PID 2016 wrote to memory of 748 2016 Mpqkad32.exe 99 PID 2016 wrote to memory of 748 2016 Mpqkad32.exe 99 PID 748 wrote to memory of 2100 748 Nemcjk32.exe 100 PID 748 wrote to memory of 2100 748 Nemcjk32.exe 100 PID 748 wrote to memory of 2100 748 Nemcjk32.exe 100 PID 2100 wrote to memory of 2180 2100 Npchgdcd.exe 101 PID 2100 wrote to memory of 2180 2100 Npchgdcd.exe 101 PID 2100 wrote to memory of 2180 2100 Npchgdcd.exe 101 PID 2180 wrote to memory of 2024 2180 Ngmpcn32.exe 102 PID 2180 wrote to memory of 2024 2180 Ngmpcn32.exe 102 PID 2180 wrote to memory of 2024 2180 Ngmpcn32.exe 102 PID 2024 wrote to memory of 2320 2024 Nhnlkfpp.exe 103 PID 2024 wrote to memory of 2320 2024 Nhnlkfpp.exe 103 PID 2024 wrote to memory of 2320 2024 Nhnlkfpp.exe 103 PID 2320 wrote to memory of 4600 2320 Nohehq32.exe 104 PID 2320 wrote to memory of 4600 2320 Nohehq32.exe 104 PID 2320 wrote to memory of 4600 2320 Nohehq32.exe 104 PID 4600 wrote to memory of 4512 4600 Niniei32.exe 105 PID 4600 wrote to memory of 4512 4600 Niniei32.exe 105 PID 4600 wrote to memory of 4512 4600 Niniei32.exe 105 PID 4512 wrote to memory of 2972 4512 Nojanpej.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\71494c49c84d730df2219b1a5b52f9b72d164625896ed6ff3f1fcce561b52710N.exe"C:\Users\Admin\AppData\Local\Temp\71494c49c84d730df2219b1a5b52f9b72d164625896ed6ff3f1fcce561b52710N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1168 -
C:\Windows\SysWOW64\Loeolc32.exeC:\Windows\system32\Loeolc32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1764 -
C:\Windows\SysWOW64\Likcilhh.exeC:\Windows\system32\Likcilhh.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5044 -
C:\Windows\SysWOW64\Lbchba32.exeC:\Windows\system32\Lbchba32.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4780 -
C:\Windows\SysWOW64\Mhppji32.exeC:\Windows\system32\Mhppji32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1292 -
C:\Windows\SysWOW64\Mojhgbdl.exeC:\Windows\system32\Mojhgbdl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1488 -
C:\Windows\SysWOW64\Medqcmki.exeC:\Windows\system32\Medqcmki.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Windows\SysWOW64\Mlnipg32.exeC:\Windows\system32\Mlnipg32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4752 -
C:\Windows\SysWOW64\Mfcmmp32.exeC:\Windows\system32\Mfcmmp32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\SysWOW64\Mhdjehhj.exeC:\Windows\system32\Mhdjehhj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Moobbb32.exeC:\Windows\system32\Moobbb32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3316 -
C:\Windows\SysWOW64\Mehjol32.exeC:\Windows\system32\Mehjol32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1932 -
C:\Windows\SysWOW64\Mlbbkfoq.exeC:\Windows\system32\Mlbbkfoq.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\Mfhfhong.exeC:\Windows\system32\Mfhfhong.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4208 -
C:\Windows\SysWOW64\Mpqkad32.exeC:\Windows\system32\Mpqkad32.exe15⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\SysWOW64\Nemcjk32.exeC:\Windows\system32\Nemcjk32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:748 -
C:\Windows\SysWOW64\Npchgdcd.exeC:\Windows\system32\Npchgdcd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\SysWOW64\Ngmpcn32.exeC:\Windows\system32\Ngmpcn32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\Nhnlkfpp.exeC:\Windows\system32\Nhnlkfpp.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\Nohehq32.exeC:\Windows\system32\Nohehq32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Windows\SysWOW64\Niniei32.exeC:\Windows\system32\Niniei32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4600 -
C:\Windows\SysWOW64\Nojanpej.exeC:\Windows\system32\Nojanpej.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4512 -
C:\Windows\SysWOW64\Nhbfff32.exeC:\Windows\system32\Nhbfff32.exe23⤵
- Executes dropped EXE
PID:2972 -
C:\Windows\SysWOW64\Npjnhc32.exeC:\Windows\system32\Npjnhc32.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:644 -
C:\Windows\SysWOW64\Nibbqicm.exeC:\Windows\system32\Nibbqicm.exe25⤵
- Executes dropped EXE
PID:1856 -
C:\Windows\SysWOW64\Nplkmckj.exeC:\Windows\system32\Nplkmckj.exe26⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Ncjginjn.exeC:\Windows\system32\Ncjginjn.exe27⤵
- Executes dropped EXE
PID:4952 -
C:\Windows\SysWOW64\Oidofh32.exeC:\Windows\system32\Oidofh32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1512 -
C:\Windows\SysWOW64\Ooagno32.exeC:\Windows\system32\Ooagno32.exe29⤵
- Executes dropped EXE
PID:1844 -
C:\Windows\SysWOW64\Oekpkigo.exeC:\Windows\system32\Oekpkigo.exe30⤵
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Olehhc32.exeC:\Windows\system32\Olehhc32.exe31⤵
- Executes dropped EXE
PID:3548 -
C:\Windows\SysWOW64\Oocddono.exeC:\Windows\system32\Oocddono.exe32⤵
- Executes dropped EXE
PID:4680 -
C:\Windows\SysWOW64\Oenlqi32.exeC:\Windows\system32\Oenlqi32.exe33⤵
- Executes dropped EXE
PID:3492 -
C:\Windows\SysWOW64\Ohlimd32.exeC:\Windows\system32\Ohlimd32.exe34⤵
- Executes dropped EXE
PID:1072 -
C:\Windows\SysWOW64\Opcqnb32.exeC:\Windows\system32\Opcqnb32.exe35⤵
- Executes dropped EXE
PID:4740 -
C:\Windows\SysWOW64\Ocamjm32.exeC:\Windows\system32\Ocamjm32.exe36⤵
- Executes dropped EXE
PID:928 -
C:\Windows\SysWOW64\Oepifi32.exeC:\Windows\system32\Oepifi32.exe37⤵
- Executes dropped EXE
PID:3716 -
C:\Windows\SysWOW64\Opemca32.exeC:\Windows\system32\Opemca32.exe38⤵
- Executes dropped EXE
PID:4432 -
C:\Windows\SysWOW64\Oohnonij.exeC:\Windows\system32\Oohnonij.exe39⤵
- Executes dropped EXE
PID:3912 -
C:\Windows\SysWOW64\Ogpepl32.exeC:\Windows\system32\Ogpepl32.exe40⤵
- Executes dropped EXE
PID:4720 -
C:\Windows\SysWOW64\Ohqbhdpj.exeC:\Windows\system32\Ohqbhdpj.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2764 -
C:\Windows\SysWOW64\Ophjiaql.exeC:\Windows\system32\Ophjiaql.exe42⤵
- Executes dropped EXE
PID:3508 -
C:\Windows\SysWOW64\Pedbahod.exeC:\Windows\system32\Pedbahod.exe43⤵
- Executes dropped EXE
PID:4068 -
C:\Windows\SysWOW64\Pgdokkfg.exeC:\Windows\system32\Pgdokkfg.exe44⤵
- Executes dropped EXE
PID:3404 -
C:\Windows\SysWOW64\Phelcc32.exeC:\Windows\system32\Phelcc32.exe45⤵
- Executes dropped EXE
PID:5020 -
C:\Windows\SysWOW64\Poodpmca.exeC:\Windows\system32\Poodpmca.exe46⤵
- Executes dropped EXE
PID:4932 -
C:\Windows\SysWOW64\Ppopjp32.exeC:\Windows\system32\Ppopjp32.exe47⤵
- Executes dropped EXE
PID:4744 -
C:\Windows\SysWOW64\Poaqemao.exeC:\Windows\system32\Poaqemao.exe48⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Phjenbhp.exeC:\Windows\system32\Phjenbhp.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3116 -
C:\Windows\SysWOW64\Pgkelj32.exeC:\Windows\system32\Pgkelj32.exe50⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Phlacbfm.exeC:\Windows\system32\Phlacbfm.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:2644 -
C:\Windows\SysWOW64\Pqcjepfo.exeC:\Windows\system32\Pqcjepfo.exe52⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Qljjjqlc.exeC:\Windows\system32\Qljjjqlc.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:2476 -
C:\Windows\SysWOW64\Qcdbfk32.exeC:\Windows\system32\Qcdbfk32.exe54⤵
- Executes dropped EXE
PID:4732 -
C:\Windows\SysWOW64\Qjnkcekm.exeC:\Windows\system32\Qjnkcekm.exe55⤵
- Executes dropped EXE
PID:3544 -
C:\Windows\SysWOW64\Qqhcpo32.exeC:\Windows\system32\Qqhcpo32.exe56⤵
- Executes dropped EXE
PID:976 -
C:\Windows\SysWOW64\Aokcklid.exeC:\Windows\system32\Aokcklid.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4384 -
C:\Windows\SysWOW64\Ajqgidij.exeC:\Windows\system32\Ajqgidij.exe58⤵
- Executes dropped EXE
PID:3448 -
C:\Windows\SysWOW64\Acilajpk.exeC:\Windows\system32\Acilajpk.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1316 -
C:\Windows\SysWOW64\Ahfdjanb.exeC:\Windows\system32\Ahfdjanb.exe60⤵
- Executes dropped EXE
PID:808 -
C:\Windows\SysWOW64\Aopmfk32.exeC:\Windows\system32\Aopmfk32.exe61⤵
- Executes dropped EXE
PID:3988 -
C:\Windows\SysWOW64\Aggegh32.exeC:\Windows\system32\Aggegh32.exe62⤵
- Executes dropped EXE
PID:1412 -
C:\Windows\SysWOW64\Amcmpodi.exeC:\Windows\system32\Amcmpodi.exe63⤵
- Executes dropped EXE
PID:3708 -
C:\Windows\SysWOW64\Acnemi32.exeC:\Windows\system32\Acnemi32.exe64⤵
- Executes dropped EXE
PID:844 -
C:\Windows\SysWOW64\Amfjeobf.exeC:\Windows\system32\Amfjeobf.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4696 -
C:\Windows\SysWOW64\Aimkjp32.exeC:\Windows\system32\Aimkjp32.exe66⤵PID:2684
-
C:\Windows\SysWOW64\Biogppeg.exeC:\Windows\system32\Biogppeg.exe67⤵PID:4592
-
C:\Windows\SysWOW64\Bfchidda.exeC:\Windows\system32\Bfchidda.exe68⤵PID:2184
-
C:\Windows\SysWOW64\Bfedoc32.exeC:\Windows\system32\Bfedoc32.exe69⤵PID:2224
-
C:\Windows\SysWOW64\Bqkill32.exeC:\Windows\system32\Bqkill32.exe70⤵PID:2112
-
C:\Windows\SysWOW64\Bfhadc32.exeC:\Windows\system32\Bfhadc32.exe71⤵PID:4304
-
C:\Windows\SysWOW64\Bppfmigl.exeC:\Windows\system32\Bppfmigl.exe72⤵
- System Location Discovery: System Language Discovery
PID:1936 -
C:\Windows\SysWOW64\Cqpbglno.exeC:\Windows\system32\Cqpbglno.exe73⤵PID:3312
-
C:\Windows\SysWOW64\Cpbbch32.exeC:\Windows\system32\Cpbbch32.exe74⤵
- Drops file in System32 directory
PID:4108 -
C:\Windows\SysWOW64\Cgjjdf32.exeC:\Windows\system32\Cgjjdf32.exe75⤵PID:4692
-
C:\Windows\SysWOW64\Cjhfpa32.exeC:\Windows\system32\Cjhfpa32.exe76⤵PID:4560
-
C:\Windows\SysWOW64\Cmfclm32.exeC:\Windows\system32\Cmfclm32.exe77⤵PID:4024
-
C:\Windows\SysWOW64\Cjjcfabm.exeC:\Windows\system32\Cjjcfabm.exe78⤵PID:1444
-
C:\Windows\SysWOW64\Ccchof32.exeC:\Windows\system32\Ccchof32.exe79⤵PID:1460
-
C:\Windows\SysWOW64\Cippgm32.exeC:\Windows\system32\Cippgm32.exe80⤵PID:4980
-
C:\Windows\SysWOW64\Cgqqdeod.exeC:\Windows\system32\Cgqqdeod.exe81⤵PID:64
-
C:\Windows\SysWOW64\Cjomap32.exeC:\Windows\system32\Cjomap32.exe82⤵PID:640
-
C:\Windows\SysWOW64\Cffmfadl.exeC:\Windows\system32\Cffmfadl.exe83⤵PID:4676
-
C:\Windows\SysWOW64\Cidjbmcp.exeC:\Windows\system32\Cidjbmcp.exe84⤵PID:3892
-
C:\Windows\SysWOW64\Dakacjdb.exeC:\Windows\system32\Dakacjdb.exe85⤵PID:4356
-
C:\Windows\SysWOW64\Dannij32.exeC:\Windows\system32\Dannij32.exe86⤵
- Drops file in System32 directory
PID:2216 -
C:\Windows\SysWOW64\Dapkni32.exeC:\Windows\system32\Dapkni32.exe87⤵PID:3732
-
C:\Windows\SysWOW64\Ddadpdmn.exeC:\Windows\system32\Ddadpdmn.exe88⤵
- Drops file in System32 directory
PID:2132 -
C:\Windows\SysWOW64\Daediilg.exeC:\Windows\system32\Daediilg.exe89⤵PID:1464
-
C:\Windows\SysWOW64\Dfamapjo.exeC:\Windows\system32\Dfamapjo.exe90⤵
- Drops file in System32 directory
PID:2892 -
C:\Windows\SysWOW64\Epjajeqo.exeC:\Windows\system32\Epjajeqo.exe91⤵PID:3936
-
C:\Windows\SysWOW64\Efdjgo32.exeC:\Windows\system32\Efdjgo32.exe92⤵PID:3964
-
C:\Windows\SysWOW64\Eibfck32.exeC:\Windows\system32\Eibfck32.exe93⤵PID:4804
-
C:\Windows\SysWOW64\Emnbdioi.exeC:\Windows\system32\Emnbdioi.exe94⤵
- System Location Discovery: System Language Discovery
PID:3588 -
C:\Windows\SysWOW64\Ehcfaboo.exeC:\Windows\system32\Ehcfaboo.exe95⤵PID:2604
-
C:\Windows\SysWOW64\Eidbij32.exeC:\Windows\system32\Eidbij32.exe96⤵PID:4944
-
C:\Windows\SysWOW64\Ehfcfb32.exeC:\Windows\system32\Ehfcfb32.exe97⤵PID:2612
-
C:\Windows\SysWOW64\Eigonjcj.exeC:\Windows\system32\Eigonjcj.exe98⤵
- System Location Discovery: System Language Discovery
PID:2252 -
C:\Windows\SysWOW64\Embkoi32.exeC:\Windows\system32\Embkoi32.exe99⤵PID:4000
-
C:\Windows\SysWOW64\Edmclccp.exeC:\Windows\system32\Edmclccp.exe100⤵PID:4040
-
C:\Windows\SysWOW64\Ejflhm32.exeC:\Windows\system32\Ejflhm32.exe101⤵
- System Location Discovery: System Language Discovery
PID:3932 -
C:\Windows\SysWOW64\Eiildjag.exeC:\Windows\system32\Eiildjag.exe102⤵
- Drops file in System32 directory
PID:2336 -
C:\Windows\SysWOW64\Epcdqd32.exeC:\Windows\system32\Epcdqd32.exe103⤵PID:2904
-
C:\Windows\SysWOW64\Fkihnmhj.exeC:\Windows\system32\Fkihnmhj.exe104⤵
- Drops file in System32 directory
PID:3680 -
C:\Windows\SysWOW64\Fmgejhgn.exeC:\Windows\system32\Fmgejhgn.exe105⤵PID:2580
-
C:\Windows\SysWOW64\Ffpicn32.exeC:\Windows\system32\Ffpicn32.exe106⤵PID:1376
-
C:\Windows\SysWOW64\Fineoi32.exeC:\Windows\system32\Fineoi32.exe107⤵PID:3876
-
C:\Windows\SysWOW64\Fdcjlb32.exeC:\Windows\system32\Fdcjlb32.exe108⤵PID:2408
-
C:\Windows\SysWOW64\Fknbil32.exeC:\Windows\system32\Fknbil32.exe109⤵PID:4548
-
C:\Windows\SysWOW64\Fipbdikp.exeC:\Windows\system32\Fipbdikp.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3136 -
C:\Windows\SysWOW64\Fgdbnmji.exeC:\Windows\system32\Fgdbnmji.exe111⤵PID:2984
-
C:\Windows\SysWOW64\Fmnkkg32.exeC:\Windows\system32\Fmnkkg32.exe112⤵
- System Location Discovery: System Language Discovery
PID:5136 -
C:\Windows\SysWOW64\Fpmggb32.exeC:\Windows\system32\Fpmggb32.exe113⤵PID:5180
-
C:\Windows\SysWOW64\Fkbkdkpp.exeC:\Windows\system32\Fkbkdkpp.exe114⤵PID:5224
-
C:\Windows\SysWOW64\Falcae32.exeC:\Windows\system32\Falcae32.exe115⤵
- Modifies registry class
PID:5268 -
C:\Windows\SysWOW64\Fdkpma32.exeC:\Windows\system32\Fdkpma32.exe116⤵PID:5312
-
C:\Windows\SysWOW64\Ggilil32.exeC:\Windows\system32\Ggilil32.exe117⤵
- Drops file in System32 directory
PID:5356 -
C:\Windows\SysWOW64\Gigheh32.exeC:\Windows\system32\Gigheh32.exe118⤵PID:5400
-
C:\Windows\SysWOW64\Gmcdffmq.exeC:\Windows\system32\Gmcdffmq.exe119⤵PID:5444
-
C:\Windows\SysWOW64\Gaopfe32.exeC:\Windows\system32\Gaopfe32.exe120⤵PID:5488
-
C:\Windows\SysWOW64\Gdmmbq32.exeC:\Windows\system32\Gdmmbq32.exe121⤵PID:5532
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-