Analysis
-
max time kernel
94s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
26-11-2024 07:52
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c787a97c4bb4ce99351b1463c73684df639d8ec41e48d5b2ab7c6cf97aed7884.exe
Resource
win7-20240903-en
windows7-x64
12 signatures
120 seconds
General
-
Target
c787a97c4bb4ce99351b1463c73684df639d8ec41e48d5b2ab7c6cf97aed7884.exe
-
Size
163KB
-
MD5
93961986f51e6bd3636e0680f36bba99
-
SHA1
958fbc7842f49a4f6c295d201cecdc659750da6f
-
SHA256
c787a97c4bb4ce99351b1463c73684df639d8ec41e48d5b2ab7c6cf97aed7884
-
SHA512
0e03d8281ffed35674a46b8b2c26b253b36a0dccfd3756ede765c40cf2c2a94d5e1bd15214464dd0df99db4c09eee883dfbff57ef8a254583a8cb0ab4862aebb
-
SSDEEP
1536:PRrVtzqFXkvdod64r93B7wI3E01t7lProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVUg:tVtzqeWDr9ZV3E01tltOrWKDBr+yJbg
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Extracted
Family
gozi
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Dmlkhofd.exeFihnomjp.exeKeimof32.exeJifecp32.exeNoeahkfc.exePhedhmhi.exeIkpjbq32.exeEmnbdioi.exeFqeioiam.exeCnfaohbj.exeDomdjj32.exeIliinc32.exeLalnmiia.exeMicoed32.exePapfgbmg.exeBheffh32.exeGpecbk32.exeFnlmhc32.exeMnhdgpii.exePaiogf32.exeCidjbmcp.exeFielph32.exeBcahmb32.exeCoqncejg.exeLljdai32.exeCdnmfclj.exeFeqeog32.exeGinnfgop.exeCkpbnb32.exeOjgjndno.exeFpdcag32.exeDbocfo32.exeDfhjkabi.exeAckbmcjl.exeIggjga32.exeMejpje32.exeFmmmfj32.exeJcikgacl.exeBddjpd32.exeOjhiogdd.exeCcqkigkp.exeOoejohhq.exeQlggjk32.exeFfobhg32.exeFooclapd.exeNeclenfo.exeChlflabp.exeFniihmpf.exeDapkni32.exeNbcjnilj.exeGlgjlm32.exeIpbaol32.exeDmihij32.exeIgfclkdj.exeNgndaccj.exeMgnlkfal.exeCnaaib32.exeJgmjmjnb.exeOplfkeob.exeAkoqpg32.exeMokmdh32.exeNpbceggm.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmlkhofd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fihnomjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Keimof32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jifecp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Noeahkfc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phedhmhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikpjbq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emnbdioi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fqeioiam.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnfaohbj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Domdjj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iliinc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lalnmiia.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Micoed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Papfgbmg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bheffh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpecbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnlmhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnhdgpii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Paiogf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cidjbmcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fielph32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcahmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Coqncejg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lljdai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdnmfclj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Feqeog32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ginnfgop.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckpbnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojgjndno.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpdcag32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbocfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfhjkabi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ackbmcjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iggjga32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mejpje32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmmmfj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcikgacl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bddjpd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojhiogdd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccqkigkp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ooejohhq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qlggjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffobhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fooclapd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neclenfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chlflabp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fniihmpf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dapkni32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbcjnilj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glgjlm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipbaol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmihij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igfclkdj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngndaccj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgnlkfal.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnaaib32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Noeahkfc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdnmfclj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgmjmjnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oplfkeob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akoqpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mokmdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npbceggm.exe -
Berbew family
-
Gozi family
-
Executes dropped EXE 64 IoCs
Processes:
Bcghch32.exeBjaqpbkh.exeBmomlnjk.exeBpnihiio.exeCcnncgmc.exeCcqkigkp.exeCadlbk32.exeCippgm32.exeCgqqdeod.exeCpleig32.exeCidjbmcp.exeDfhjkabi.exeDannij32.exeDclkee32.exeDapkni32.exeDfmcfp32.exeDikpbl32.exeDpehof32.exeDmihij32.exeEmnbdioi.exeEdhjqc32.exeEdjgfcec.exeEangpgcl.exeEhjlaaig.exeFdamgb32.exeFaenpf32.exeFipbdikp.exeFpmggb32.exeFkbkdkpp.exeFielph32.exeFdkpma32.exeGkdhjknm.exeGigheh32.exeGdoihpbk.exeGkiaej32.exeGinnfgop.exeGnlgleef.exeHammhcij.exeHgiepjga.exeHncmmd32.exeHpdfnolo.exeHkjjlhle.exeHacbhb32.exeIhnkel32.exeIklgah32.exeIddljmpc.exeIhphkl32.exeIahlcaol.exeIjcahd32.exeIakiia32.exeIhdafkdg.exeIjfnmc32.exeIqpfjnba.exeIkejgf32.exeIndfca32.exeJdnoplhh.exeJglklggl.exeJjmcnbdm.exeJgcamf32.exeKelkaj32.exeKenggi32.exeKbbhqn32.exeKjmmepfj.exeKkmioc32.exepid Process 4772 Bcghch32.exe 4400 Bjaqpbkh.exe 3480 Bmomlnjk.exe 1084 Bpnihiio.exe 4404 Ccnncgmc.exe 3692 Ccqkigkp.exe 3316 Cadlbk32.exe 3312 Cippgm32.exe 2440 Cgqqdeod.exe 1704 Cpleig32.exe 1392 Cidjbmcp.exe 3628 Dfhjkabi.exe 4568 Dannij32.exe 4440 Dclkee32.exe 572 Dapkni32.exe 1992 Dfmcfp32.exe 2756 Dikpbl32.exe 5012 Dpehof32.exe 4728 Dmihij32.exe 556 Emnbdioi.exe 5056 Edhjqc32.exe 2512 Edjgfcec.exe 876 Eangpgcl.exe 1368 Ehjlaaig.exe 2492 Fdamgb32.exe 320 Faenpf32.exe 2584 Fipbdikp.exe 3980 Fpmggb32.exe 4660 Fkbkdkpp.exe 4420 Fielph32.exe 3192 Fdkpma32.exe 3560 Gkdhjknm.exe 3580 Gigheh32.exe 2656 Gdoihpbk.exe 3512 Gkiaej32.exe 4468 Ginnfgop.exe 2980 Gnlgleef.exe 3460 Hammhcij.exe 4536 Hgiepjga.exe 644 Hncmmd32.exe 4516 Hpdfnolo.exe 4316 Hkjjlhle.exe 1524 Hacbhb32.exe 1544 Ihnkel32.exe 4940 Iklgah32.exe 2976 Iddljmpc.exe 3500 Ihphkl32.exe 4020 Iahlcaol.exe 2196 Ijcahd32.exe 5064 Iakiia32.exe 4460 Ihdafkdg.exe 4496 Ijfnmc32.exe 2736 Iqpfjnba.exe 3632 Ikejgf32.exe 3696 Indfca32.exe 4472 Jdnoplhh.exe 4224 Jglklggl.exe 4816 Jjmcnbdm.exe 3676 Jgcamf32.exe 1628 Kelkaj32.exe 2808 Kenggi32.exe 1784 Kbbhqn32.exe 2724 Kjmmepfj.exe 2604 Kkmioc32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Bcfahbpo.exeQhkdof32.exeIgfclkdj.exeAfpjel32.exePefabkej.exePehngkcg.exeFpdcag32.exeCdkifmjq.exeDddllkbf.exeFkjmlaac.exeIlphdlqh.exeAjndioga.exeNclikl32.exeKhiofk32.exeJglklggl.exeLaiipofp.exeMfbaalbi.exeCpleig32.exeFmndpq32.exeNflkbanj.exeJgpfbjlo.exeAhofoogd.exeBddjpd32.exeJoahqn32.exeEgohdegl.exeGijmad32.exeNfldgk32.exePfojdh32.exeIknmla32.exeNmnqjp32.exeIlqoobdd.exeEbdlangb.exeKjjiej32.exeKofkbk32.exeJeocna32.exeOpqofe32.exeAoabad32.exeMgobel32.exeLjhnlb32.exeCdimqm32.exeNcpeaoih.exeMilidebi.exeKomhll32.exeNfihbk32.exeCdnmfclj.exeGmimai32.exeImkbnf32.exeBkgeainn.exePldcjeia.exeLgdidgjg.exeQacameaj.exeDmihij32.exeKcapicdj.exeMofmobmo.exeBklfgo32.exeFealin32.exeHfjdqmng.exeEnmjlojd.exeCgqqdeod.exeEleepoob.exeIehmmb32.exedescription ioc Process File created C:\Windows\SysWOW64\Bjpjel32.exe Bcfahbpo.exe File created C:\Windows\SysWOW64\Qmhlgmmm.exe Qhkdof32.exe File created C:\Windows\SysWOW64\Kgffoo32.dll Igfclkdj.exe File opened for modification C:\Windows\SysWOW64\Aogbfi32.exe Afpjel32.exe File opened for modification C:\Windows\SysWOW64\Ponfka32.exe Pefabkej.exe File created C:\Windows\SysWOW64\Plbfdekd.exe Pehngkcg.exe File created C:\Windows\SysWOW64\Fealin32.exe Fpdcag32.exe File opened for modification C:\Windows\SysWOW64\Coqncejg.exe Cdkifmjq.exe File created C:\Windows\SysWOW64\Dojqjdbl.exe Dddllkbf.exe File created C:\Windows\SysWOW64\Fniihmpf.exe Fkjmlaac.exe File created C:\Windows\SysWOW64\Iehmmb32.exe Ilphdlqh.exe File created C:\Windows\SysWOW64\Dbkjdh32.dll Ajndioga.exe File created C:\Windows\SysWOW64\Cjibekmc.dll Nclikl32.exe File created C:\Windows\SysWOW64\Kcoccc32.exe Khiofk32.exe File created C:\Windows\SysWOW64\Jjmcnbdm.exe Jglklggl.exe File created C:\Windows\SysWOW64\Lhcali32.exe Laiipofp.exe File opened for modification C:\Windows\SysWOW64\Mcfbkpab.exe Mfbaalbi.exe File opened for modification C:\Windows\SysWOW64\Cidjbmcp.exe Cpleig32.exe File opened for modification C:\Windows\SysWOW64\Fbjmhh32.exe Fmndpq32.exe File created C:\Windows\SysWOW64\Nmfcok32.exe Nflkbanj.exe File created C:\Windows\SysWOW64\Doepmnag.dll Jgpfbjlo.exe File created C:\Windows\SysWOW64\Qgaeof32.dll Ahofoogd.exe File opened for modification C:\Windows\SysWOW64\Bllbaa32.exe Bddjpd32.exe File created C:\Windows\SysWOW64\Lfcpgb32.dll Joahqn32.exe File created C:\Windows\SysWOW64\Ondhkbee.dll Egohdegl.exe File created C:\Windows\SysWOW64\Nkphhg32.dll Gijmad32.exe File created C:\Windows\SysWOW64\Nqaiecjd.exe Nfldgk32.exe File created C:\Windows\SysWOW64\Padnaq32.exe Pfojdh32.exe File created C:\Windows\SysWOW64\Iloidijb.exe Iknmla32.exe File opened for modification C:\Windows\SysWOW64\Ojbacd32.exe Nmnqjp32.exe File created C:\Windows\SysWOW64\Igfclkdj.exe Ilqoobdd.exe File opened for modification C:\Windows\SysWOW64\Edbiniff.exe Ebdlangb.exe File created C:\Windows\SysWOW64\Bgnagk32.dll Kjjiej32.exe File created C:\Windows\SysWOW64\Kjlopc32.exe Kofkbk32.exe File opened for modification C:\Windows\SysWOW64\Jlikkkhn.exe Jeocna32.exe File created C:\Windows\SysWOW64\Dgegjnih.dll Opqofe32.exe File opened for modification C:\Windows\SysWOW64\Aleckinj.exe Aoabad32.exe File created C:\Windows\SysWOW64\Kcejco32.exe Kjjiej32.exe File created C:\Windows\SysWOW64\Mgaokl32.exe Mgobel32.exe File created C:\Windows\SysWOW64\Mqafhl32.exe Ljhnlb32.exe File opened for modification C:\Windows\SysWOW64\Ckbemgcp.exe Cdimqm32.exe File created C:\Windows\SysWOW64\Klndfknp.dll Ncpeaoih.exe File created C:\Windows\SysWOW64\Nbbond32.dll Milidebi.exe File opened for modification C:\Windows\SysWOW64\Akoqpg32.exe Ajndioga.exe File opened for modification C:\Windows\SysWOW64\Knnhjcog.exe Komhll32.exe File created C:\Windows\SysWOW64\Nqoloc32.exe Nfihbk32.exe File created C:\Windows\SysWOW64\Cnfaohbj.exe Cdnmfclj.exe File created C:\Windows\SysWOW64\Qikoka32.dll Gmimai32.exe File created C:\Windows\SysWOW64\Igdgglfl.exe Imkbnf32.exe File created C:\Windows\SysWOW64\Bpdnjple.exe Bkgeainn.exe File opened for modification C:\Windows\SysWOW64\Pocpfphe.exe Pldcjeia.exe File created C:\Windows\SysWOW64\Bgqoll32.dll Lgdidgjg.exe File created C:\Windows\SysWOW64\Egilaj32.dll Qacameaj.exe File created C:\Windows\SysWOW64\Fjiepeok.dll Dmihij32.exe File opened for modification C:\Windows\SysWOW64\Likhem32.exe Kcapicdj.exe File created C:\Windows\SysWOW64\Ebdoljdi.dll Mofmobmo.exe File created C:\Windows\SysWOW64\Neiqnh32.dll Bklfgo32.exe File created C:\Windows\SysWOW64\Bhpopokm.dll Fealin32.exe File opened for modification C:\Windows\SysWOW64\Hlglidlo.exe Hfjdqmng.exe File created C:\Windows\SysWOW64\Egened32.exe Enmjlojd.exe File created C:\Windows\SysWOW64\Fljcnd32.dll Cgqqdeod.exe File created C:\Windows\SysWOW64\Fkkceedp.dll Eleepoob.exe File created C:\Windows\SysWOW64\Dapnbcqo.dll Pefabkej.exe File opened for modification C:\Windows\SysWOW64\Jhgiim32.exe Iehmmb32.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target Process procid_target 3192 2180 WerFault.exe 692 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Hdhedh32.exeEmanjldl.exeHacbhb32.exeOhnohn32.exeCfldelik.exeDannij32.exeGpecbk32.exeGeaepk32.exeQmhlgmmm.exeIafkld32.exeLegjmh32.exeMejpje32.exeFdqfll32.exeGlgjlm32.exeNabfjpak.exeBoenhgdd.exePhedhmhi.exeCdnmfclj.exeImpliekg.exeBkgeainn.exeGkmdecbg.exeIphioh32.exeFmhdkknd.exeAfpjel32.exeKedlip32.exePocpfphe.exeLqkqhm32.exeQjiipk32.exeJocnlg32.exeLojmcdgl.exePpikbm32.exePciqnk32.exeCkjbhmad.exeGpelhd32.exeEgaejeej.exeMgobel32.exeBdfpkm32.exeMfbaalbi.exeNimmifgo.exePpdbgncl.exeEmnbdioi.exeIqpfjnba.exeOoejohhq.exeJlgepanl.exeIefphb32.exeBjaqpbkh.exeMlmbfqoj.exeBllbaa32.exeJjmcnbdm.exeFmndpq32.exeHdokdg32.exeDmlkhofd.exeJphkkpbp.exeOjemig32.exeBcddcbab.exeAdndoe32.exeEeelnp32.exeNhdlao32.exeAeddnp32.exeAkamff32.exeLkchelci.exePlbfdekd.exePalklf32.exeFooclapd.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdhedh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emanjldl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hacbhb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohnohn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfldelik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dannij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpecbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geaepk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmhlgmmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iafkld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Legjmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mejpje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdqfll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glgjlm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nabfjpak.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boenhgdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phedhmhi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdnmfclj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Impliekg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkgeainn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkmdecbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iphioh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmhdkknd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afpjel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kedlip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pocpfphe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqkqhm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjiipk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jocnlg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lojmcdgl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppikbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pciqnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckjbhmad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpelhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egaejeej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgobel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdfpkm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfbaalbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nimmifgo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppdbgncl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emnbdioi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iqpfjnba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooejohhq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlgepanl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iefphb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjaqpbkh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlmbfqoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bllbaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjmcnbdm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmndpq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdokdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmlkhofd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jphkkpbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojemig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcddcbab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adndoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eeelnp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhdlao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeddnp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akamff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkchelci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plbfdekd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Palklf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fooclapd.exe -
Modifies registry class 64 IoCs
Processes:
Hcmbee32.exeDheibpje.exeMomcpa32.exeKnooej32.exeFooclapd.exeMalgcg32.exePffgom32.exeNqaiecjd.exeJpaleglc.exeJkimho32.exeGfjkjo32.exeQhhpop32.exeQmeigg32.exeEidlnd32.exeNlmdbh32.exeLhcali32.exeMkhapk32.exeJeocna32.exeBblnindg.exeKfnfjehl.exeMmpmnl32.exeMohidbkl.exeGmafajfi.exeKedlip32.exeLindkm32.exeNclikl32.exeAolblopj.exePpjbmc32.exeFdlkdhnk.exeFoclgq32.exeMfbaalbi.exeHkjjlhle.exeCihclh32.exeIpjedh32.exeHhdcmp32.exeKhiofk32.exeAjndioga.exeIgdgglfl.exeCnfkdb32.exeAdndoe32.exeFmmmfj32.exeHbhboolf.exeIliinc32.exeQpcecb32.exeFqeioiam.exeOjbacd32.exeCgqlcg32.exeMjlalkmd.exeKjjiej32.exePjbcplpe.exeAkamff32.exeBcinna32.exeJglklggl.exeLfeljd32.exeKoajmepf.exeFmndpq32.exeFeqeog32.exePciqnk32.exeGflhoo32.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hcmbee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dheibpje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alapqh32.dll" Momcpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knooej32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fooclapd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Malgcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pffgom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nqaiecjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbeojn32.dll" Jpaleglc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpcblj32.dll" Jkimho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gfjkjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qhhpop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qmeigg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eidlnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfbiemdb.dll" Nlmdbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhcali32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mkhapk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkpemq32.dll" Jeocna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgpbnj32.dll" Bblnindg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dheibpje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfnfjehl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmpmnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpqiega.dll" Mohidbkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmafajfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kedlip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lindkm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nclikl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aolblopj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ppjbmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdlkdhnk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Foclgq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mfbaalbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkjjlhle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cihclh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipjedh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhdcmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ichelm32.dll" Khiofk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajndioga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igdgglfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijilflah.dll" Cnfkdb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Khiofk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abjfai32.dll" Adndoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhfjcpfb.dll" Fmmmfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbhboolf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iliinc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qpcecb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fqeioiam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emihhjna.dll" Ojbacd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbkofn32.dll" Qhhpop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgqlcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldeljei.dll" Mjlalkmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgnagk32.dll" Kjjiej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igafkb32.dll" Pjbcplpe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akamff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bcinna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fclbolkk.dll" Jglklggl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jkimho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iblhpckf.dll" Lfeljd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Koajmepf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmndpq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Feqeog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nqaiecjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaaklfpn.dll" Pciqnk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gflhoo32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
c787a97c4bb4ce99351b1463c73684df639d8ec41e48d5b2ab7c6cf97aed7884.exeBcghch32.exeBjaqpbkh.exeBmomlnjk.exeBpnihiio.exeCcnncgmc.exeCcqkigkp.exeCadlbk32.exeCippgm32.exeCgqqdeod.exeCpleig32.exeCidjbmcp.exeDfhjkabi.exeDannij32.exeDclkee32.exeDapkni32.exeDfmcfp32.exeDikpbl32.exeDpehof32.exeDmihij32.exeEmnbdioi.exeEdhjqc32.exedescription pid Process procid_target PID 4292 wrote to memory of 4772 4292 c787a97c4bb4ce99351b1463c73684df639d8ec41e48d5b2ab7c6cf97aed7884.exe 82 PID 4292 wrote to memory of 4772 4292 c787a97c4bb4ce99351b1463c73684df639d8ec41e48d5b2ab7c6cf97aed7884.exe 82 PID 4292 wrote to memory of 4772 4292 c787a97c4bb4ce99351b1463c73684df639d8ec41e48d5b2ab7c6cf97aed7884.exe 82 PID 4772 wrote to memory of 4400 4772 Bcghch32.exe 83 PID 4772 wrote to memory of 4400 4772 Bcghch32.exe 83 PID 4772 wrote to memory of 4400 4772 Bcghch32.exe 83 PID 4400 wrote to memory of 3480 4400 Bjaqpbkh.exe 84 PID 4400 wrote to memory of 3480 4400 Bjaqpbkh.exe 84 PID 4400 wrote to memory of 3480 4400 Bjaqpbkh.exe 84 PID 3480 wrote to memory of 1084 3480 Bmomlnjk.exe 85 PID 3480 wrote to memory of 1084 3480 Bmomlnjk.exe 85 PID 3480 wrote to memory of 1084 3480 Bmomlnjk.exe 85 PID 1084 wrote to memory of 4404 1084 Bpnihiio.exe 86 PID 1084 wrote to memory of 4404 1084 Bpnihiio.exe 86 PID 1084 wrote to memory of 4404 1084 Bpnihiio.exe 86 PID 4404 wrote to memory of 3692 4404 Ccnncgmc.exe 87 PID 4404 wrote to memory of 3692 4404 Ccnncgmc.exe 87 PID 4404 wrote to memory of 3692 4404 Ccnncgmc.exe 87 PID 3692 wrote to memory of 3316 3692 Ccqkigkp.exe 88 PID 3692 wrote to memory of 3316 3692 Ccqkigkp.exe 88 PID 3692 wrote to memory of 3316 3692 Ccqkigkp.exe 88 PID 3316 wrote to memory of 3312 3316 Cadlbk32.exe 89 PID 3316 wrote to memory of 3312 3316 Cadlbk32.exe 89 PID 3316 wrote to memory of 3312 3316 Cadlbk32.exe 89 PID 3312 wrote to memory of 2440 3312 Cippgm32.exe 90 PID 3312 wrote to memory of 2440 3312 Cippgm32.exe 90 PID 3312 wrote to memory of 2440 3312 Cippgm32.exe 90 PID 2440 wrote to memory of 1704 2440 Cgqqdeod.exe 91 PID 2440 wrote to memory of 1704 2440 Cgqqdeod.exe 91 PID 2440 wrote to memory of 1704 2440 Cgqqdeod.exe 91 PID 1704 wrote to memory of 1392 1704 Cpleig32.exe 92 PID 1704 wrote to memory of 1392 1704 Cpleig32.exe 92 PID 1704 wrote to memory of 1392 1704 Cpleig32.exe 92 PID 1392 wrote to memory of 3628 1392 Cidjbmcp.exe 93 PID 1392 wrote to memory of 3628 1392 Cidjbmcp.exe 93 PID 1392 wrote to memory of 3628 1392 Cidjbmcp.exe 93 PID 3628 wrote to memory of 4568 3628 Dfhjkabi.exe 94 PID 3628 wrote to memory of 4568 3628 Dfhjkabi.exe 94 PID 3628 wrote to memory of 4568 3628 Dfhjkabi.exe 94 PID 4568 wrote to memory of 4440 4568 Dannij32.exe 95 PID 4568 wrote to memory of 4440 4568 Dannij32.exe 95 PID 4568 wrote to memory of 4440 4568 Dannij32.exe 95 PID 4440 wrote to memory of 572 4440 Dclkee32.exe 96 PID 4440 wrote to memory of 572 4440 Dclkee32.exe 96 PID 4440 wrote to memory of 572 4440 Dclkee32.exe 96 PID 572 wrote to memory of 1992 572 Dapkni32.exe 97 PID 572 wrote to memory of 1992 572 Dapkni32.exe 97 PID 572 wrote to memory of 1992 572 Dapkni32.exe 97 PID 1992 wrote to memory of 2756 1992 Dfmcfp32.exe 98 PID 1992 wrote to memory of 2756 1992 Dfmcfp32.exe 98 PID 1992 wrote to memory of 2756 1992 Dfmcfp32.exe 98 PID 2756 wrote to memory of 5012 2756 Dikpbl32.exe 99 PID 2756 wrote to memory of 5012 2756 Dikpbl32.exe 99 PID 2756 wrote to memory of 5012 2756 Dikpbl32.exe 99 PID 5012 wrote to memory of 4728 5012 Dpehof32.exe 100 PID 5012 wrote to memory of 4728 5012 Dpehof32.exe 100 PID 5012 wrote to memory of 4728 5012 Dpehof32.exe 100 PID 4728 wrote to memory of 556 4728 Dmihij32.exe 101 PID 4728 wrote to memory of 556 4728 Dmihij32.exe 101 PID 4728 wrote to memory of 556 4728 Dmihij32.exe 101 PID 556 wrote to memory of 5056 556 Emnbdioi.exe 102 PID 556 wrote to memory of 5056 556 Emnbdioi.exe 102 PID 556 wrote to memory of 5056 556 Emnbdioi.exe 102 PID 5056 wrote to memory of 2512 5056 Edhjqc32.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\c787a97c4bb4ce99351b1463c73684df639d8ec41e48d5b2ab7c6cf97aed7884.exe"C:\Users\Admin\AppData\Local\Temp\c787a97c4bb4ce99351b1463c73684df639d8ec41e48d5b2ab7c6cf97aed7884.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4292 -
C:\Windows\SysWOW64\Bcghch32.exeC:\Windows\system32\Bcghch32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4772 -
C:\Windows\SysWOW64\Bjaqpbkh.exeC:\Windows\system32\Bjaqpbkh.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4400 -
C:\Windows\SysWOW64\Bmomlnjk.exeC:\Windows\system32\Bmomlnjk.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3480 -
C:\Windows\SysWOW64\Bpnihiio.exeC:\Windows\system32\Bpnihiio.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1084 -
C:\Windows\SysWOW64\Ccnncgmc.exeC:\Windows\system32\Ccnncgmc.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4404 -
C:\Windows\SysWOW64\Ccqkigkp.exeC:\Windows\system32\Ccqkigkp.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3692 -
C:\Windows\SysWOW64\Cadlbk32.exeC:\Windows\system32\Cadlbk32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3316 -
C:\Windows\SysWOW64\Cippgm32.exeC:\Windows\system32\Cippgm32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3312 -
C:\Windows\SysWOW64\Cgqqdeod.exeC:\Windows\system32\Cgqqdeod.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Windows\SysWOW64\Cpleig32.exeC:\Windows\system32\Cpleig32.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Windows\SysWOW64\Cidjbmcp.exeC:\Windows\system32\Cidjbmcp.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1392 -
C:\Windows\SysWOW64\Dfhjkabi.exeC:\Windows\system32\Dfhjkabi.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3628 -
C:\Windows\SysWOW64\Dannij32.exeC:\Windows\system32\Dannij32.exe14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4568 -
C:\Windows\SysWOW64\Dclkee32.exeC:\Windows\system32\Dclkee32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4440 -
C:\Windows\SysWOW64\Dapkni32.exeC:\Windows\system32\Dapkni32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:572 -
C:\Windows\SysWOW64\Dfmcfp32.exeC:\Windows\system32\Dfmcfp32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1992 -
C:\Windows\SysWOW64\Dikpbl32.exeC:\Windows\system32\Dikpbl32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Dpehof32.exeC:\Windows\system32\Dpehof32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012 -
C:\Windows\SysWOW64\Dmihij32.exeC:\Windows\system32\Dmihij32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4728 -
C:\Windows\SysWOW64\Emnbdioi.exeC:\Windows\system32\Emnbdioi.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:556 -
C:\Windows\SysWOW64\Edhjqc32.exeC:\Windows\system32\Edhjqc32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5056 -
C:\Windows\SysWOW64\Edjgfcec.exeC:\Windows\system32\Edjgfcec.exe23⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Eangpgcl.exeC:\Windows\system32\Eangpgcl.exe24⤵
- Executes dropped EXE
PID:876 -
C:\Windows\SysWOW64\Ehjlaaig.exeC:\Windows\system32\Ehjlaaig.exe25⤵
- Executes dropped EXE
PID:1368 -
C:\Windows\SysWOW64\Fdamgb32.exeC:\Windows\system32\Fdamgb32.exe26⤵
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\Faenpf32.exeC:\Windows\system32\Faenpf32.exe27⤵
- Executes dropped EXE
PID:320 -
C:\Windows\SysWOW64\Fipbdikp.exeC:\Windows\system32\Fipbdikp.exe28⤵
- Executes dropped EXE
PID:2584 -
C:\Windows\SysWOW64\Fpmggb32.exeC:\Windows\system32\Fpmggb32.exe29⤵
- Executes dropped EXE
PID:3980 -
C:\Windows\SysWOW64\Fkbkdkpp.exeC:\Windows\system32\Fkbkdkpp.exe30⤵
- Executes dropped EXE
PID:4660 -
C:\Windows\SysWOW64\Fielph32.exeC:\Windows\system32\Fielph32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4420 -
C:\Windows\SysWOW64\Fdkpma32.exeC:\Windows\system32\Fdkpma32.exe32⤵
- Executes dropped EXE
PID:3192 -
C:\Windows\SysWOW64\Gkdhjknm.exeC:\Windows\system32\Gkdhjknm.exe33⤵
- Executes dropped EXE
PID:3560 -
C:\Windows\SysWOW64\Gigheh32.exeC:\Windows\system32\Gigheh32.exe34⤵
- Executes dropped EXE
PID:3580 -
C:\Windows\SysWOW64\Gdoihpbk.exeC:\Windows\system32\Gdoihpbk.exe35⤵
- Executes dropped EXE
PID:2656 -
C:\Windows\SysWOW64\Gkiaej32.exeC:\Windows\system32\Gkiaej32.exe36⤵
- Executes dropped EXE
PID:3512 -
C:\Windows\SysWOW64\Ginnfgop.exeC:\Windows\system32\Ginnfgop.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4468 -
C:\Windows\SysWOW64\Gnlgleef.exeC:\Windows\system32\Gnlgleef.exe38⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Hammhcij.exeC:\Windows\system32\Hammhcij.exe39⤵
- Executes dropped EXE
PID:3460 -
C:\Windows\SysWOW64\Hgiepjga.exeC:\Windows\system32\Hgiepjga.exe40⤵
- Executes dropped EXE
PID:4536 -
C:\Windows\SysWOW64\Hncmmd32.exeC:\Windows\system32\Hncmmd32.exe41⤵
- Executes dropped EXE
PID:644 -
C:\Windows\SysWOW64\Hpdfnolo.exeC:\Windows\system32\Hpdfnolo.exe42⤵
- Executes dropped EXE
PID:4516 -
C:\Windows\SysWOW64\Hkjjlhle.exeC:\Windows\system32\Hkjjlhle.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:4316 -
C:\Windows\SysWOW64\Hacbhb32.exeC:\Windows\system32\Hacbhb32.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1524 -
C:\Windows\SysWOW64\Ihnkel32.exeC:\Windows\system32\Ihnkel32.exe45⤵
- Executes dropped EXE
PID:1544 -
C:\Windows\SysWOW64\Iklgah32.exeC:\Windows\system32\Iklgah32.exe46⤵
- Executes dropped EXE
PID:4940 -
C:\Windows\SysWOW64\Iddljmpc.exeC:\Windows\system32\Iddljmpc.exe47⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Ihphkl32.exeC:\Windows\system32\Ihphkl32.exe48⤵
- Executes dropped EXE
PID:3500 -
C:\Windows\SysWOW64\Iahlcaol.exeC:\Windows\system32\Iahlcaol.exe49⤵
- Executes dropped EXE
PID:4020 -
C:\Windows\SysWOW64\Ijcahd32.exeC:\Windows\system32\Ijcahd32.exe50⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Iakiia32.exeC:\Windows\system32\Iakiia32.exe51⤵
- Executes dropped EXE
PID:5064 -
C:\Windows\SysWOW64\Ihdafkdg.exeC:\Windows\system32\Ihdafkdg.exe52⤵
- Executes dropped EXE
PID:4460 -
C:\Windows\SysWOW64\Ijfnmc32.exeC:\Windows\system32\Ijfnmc32.exe53⤵
- Executes dropped EXE
PID:4496 -
C:\Windows\SysWOW64\Iqpfjnba.exeC:\Windows\system32\Iqpfjnba.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2736 -
C:\Windows\SysWOW64\Ikejgf32.exeC:\Windows\system32\Ikejgf32.exe55⤵
- Executes dropped EXE
PID:3632 -
C:\Windows\SysWOW64\Indfca32.exeC:\Windows\system32\Indfca32.exe56⤵
- Executes dropped EXE
PID:3696 -
C:\Windows\SysWOW64\Jdnoplhh.exeC:\Windows\system32\Jdnoplhh.exe57⤵
- Executes dropped EXE
PID:4472 -
C:\Windows\SysWOW64\Jglklggl.exeC:\Windows\system32\Jglklggl.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4224 -
C:\Windows\SysWOW64\Jjmcnbdm.exeC:\Windows\system32\Jjmcnbdm.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4816 -
C:\Windows\SysWOW64\Jgcamf32.exeC:\Windows\system32\Jgcamf32.exe60⤵
- Executes dropped EXE
PID:3676 -
C:\Windows\SysWOW64\Kelkaj32.exeC:\Windows\system32\Kelkaj32.exe61⤵
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Kenggi32.exeC:\Windows\system32\Kenggi32.exe62⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Kbbhqn32.exeC:\Windows\system32\Kbbhqn32.exe63⤵
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Kjmmepfj.exeC:\Windows\system32\Kjmmepfj.exe64⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Kkmioc32.exeC:\Windows\system32\Kkmioc32.exe65⤵
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Lgcjdd32.exeC:\Windows\system32\Lgcjdd32.exe66⤵PID:5116
-
C:\Windows\SysWOW64\Lalnmiia.exeC:\Windows\system32\Lalnmiia.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3152 -
C:\Windows\SysWOW64\Legjmh32.exeC:\Windows\system32\Legjmh32.exe68⤵
- System Location Discovery: System Language Discovery
PID:1440 -
C:\Windows\SysWOW64\Ljgpkonp.exeC:\Windows\system32\Ljgpkonp.exe69⤵PID:2972
-
C:\Windows\SysWOW64\Lijlof32.exeC:\Windows\system32\Lijlof32.exe70⤵PID:3392
-
C:\Windows\SysWOW64\Milidebi.exeC:\Windows\system32\Milidebi.exe71⤵
- Drops file in System32 directory
PID:4348 -
C:\Windows\SysWOW64\Mbenmk32.exeC:\Windows\system32\Mbenmk32.exe72⤵PID:4360
-
C:\Windows\SysWOW64\Mlmbfqoj.exeC:\Windows\system32\Mlmbfqoj.exe73⤵
- System Location Discovery: System Language Discovery
PID:4744 -
C:\Windows\SysWOW64\Mbgjbkfg.exeC:\Windows\system32\Mbgjbkfg.exe74⤵PID:1356
-
C:\Windows\SysWOW64\Malgcg32.exeC:\Windows\system32\Malgcg32.exe75⤵
- Modifies registry class
PID:368 -
C:\Windows\SysWOW64\Micoed32.exeC:\Windows\system32\Micoed32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2620 -
C:\Windows\SysWOW64\Mejpje32.exeC:\Windows\system32\Mejpje32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1664 -
C:\Windows\SysWOW64\Njghbl32.exeC:\Windows\system32\Njghbl32.exe78⤵PID:5032
-
C:\Windows\SysWOW64\Nihipdhl.exeC:\Windows\system32\Nihipdhl.exe79⤵PID:3660
-
C:\Windows\SysWOW64\Nlfelogp.exeC:\Windows\system32\Nlfelogp.exe80⤵PID:3804
-
C:\Windows\SysWOW64\Noeahkfc.exeC:\Windows\system32\Noeahkfc.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1400 -
C:\Windows\SysWOW64\Nbcjnilj.exeC:\Windows\system32\Nbcjnilj.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1776 -
C:\Windows\SysWOW64\Nhbolp32.exeC:\Windows\system32\Nhbolp32.exe83⤵PID:3136
-
C:\Windows\SysWOW64\Nhdlao32.exeC:\Windows\system32\Nhdlao32.exe84⤵
- System Location Discovery: System Language Discovery
PID:1472 -
C:\Windows\SysWOW64\Oehlkc32.exeC:\Windows\system32\Oehlkc32.exe85⤵PID:4188
-
C:\Windows\SysWOW64\Ooqqdi32.exeC:\Windows\system32\Ooqqdi32.exe86⤵PID:2180
-
C:\Windows\SysWOW64\Oldamm32.exeC:\Windows\system32\Oldamm32.exe87⤵PID:4340
-
C:\Windows\SysWOW64\Oihagaji.exeC:\Windows\system32\Oihagaji.exe88⤵PID:1608
-
C:\Windows\SysWOW64\Ooejohhq.exeC:\Windows\system32\Ooejohhq.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:4572 -
C:\Windows\SysWOW64\Ohnohn32.exeC:\Windows\system32\Ohnohn32.exe90⤵
- System Location Discovery: System Language Discovery
PID:4128 -
C:\Windows\SysWOW64\Oeaoab32.exeC:\Windows\system32\Oeaoab32.exe91⤵PID:4724
-
C:\Windows\SysWOW64\Pkogiikb.exeC:\Windows\system32\Pkogiikb.exe92⤵PID:2732
-
C:\Windows\SysWOW64\Pcepkfld.exeC:\Windows\system32\Pcepkfld.exe93⤵PID:1612
-
C:\Windows\SysWOW64\Pkadoiip.exeC:\Windows\system32\Pkadoiip.exe94⤵PID:384
-
C:\Windows\SysWOW64\Pchlpfjb.exeC:\Windows\system32\Pchlpfjb.exe95⤵PID:4592
-
C:\Windows\SysWOW64\Phedhmhi.exeC:\Windows\system32\Phedhmhi.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1384 -
C:\Windows\SysWOW64\Pcjiff32.exeC:\Windows\system32\Pcjiff32.exe97⤵PID:1936
-
C:\Windows\SysWOW64\Pidabppl.exeC:\Windows\system32\Pidabppl.exe98⤵PID:1048
-
C:\Windows\SysWOW64\Pkenjh32.exeC:\Windows\system32\Pkenjh32.exe99⤵PID:5132
-
C:\Windows\SysWOW64\Papfgbmg.exeC:\Windows\system32\Papfgbmg.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5176 -
C:\Windows\SysWOW64\Pkhjph32.exeC:\Windows\system32\Pkhjph32.exe101⤵PID:5220
-
C:\Windows\SysWOW64\Piijno32.exeC:\Windows\system32\Piijno32.exe102⤵PID:5264
-
C:\Windows\SysWOW64\Qlggjk32.exeC:\Windows\system32\Qlggjk32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5304 -
C:\Windows\SysWOW64\Qadoba32.exeC:\Windows\system32\Qadoba32.exe104⤵PID:5348
-
C:\Windows\SysWOW64\Qkmdkgob.exeC:\Windows\system32\Qkmdkgob.exe105⤵PID:5384
-
C:\Windows\SysWOW64\Ajndioga.exeC:\Windows\system32\Ajndioga.exe106⤵
- Drops file in System32 directory
- Modifies registry class
PID:5432 -
C:\Windows\SysWOW64\Akoqpg32.exeC:\Windows\system32\Akoqpg32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5476 -
C:\Windows\SysWOW64\Aeddnp32.exeC:\Windows\system32\Aeddnp32.exe108⤵
- System Location Discovery: System Language Discovery
PID:5520 -
C:\Windows\SysWOW64\Akamff32.exeC:\Windows\system32\Akamff32.exe109⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5564 -
C:\Windows\SysWOW64\Aakebqbj.exeC:\Windows\system32\Aakebqbj.exe110⤵PID:5612
-
C:\Windows\SysWOW64\Ajbmdn32.exeC:\Windows\system32\Ajbmdn32.exe111⤵PID:5656
-
C:\Windows\SysWOW64\Alqjpi32.exeC:\Windows\system32\Alqjpi32.exe112⤵PID:5704
-
C:\Windows\SysWOW64\Ackbmcjl.exeC:\Windows\system32\Ackbmcjl.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5744 -
C:\Windows\SysWOW64\Aoabad32.exeC:\Windows\system32\Aoabad32.exe114⤵
- Drops file in System32 directory
PID:5788 -
C:\Windows\SysWOW64\Aleckinj.exeC:\Windows\system32\Aleckinj.exe115⤵PID:5828
-
C:\Windows\SysWOW64\Bfngdn32.exeC:\Windows\system32\Bfngdn32.exe116⤵PID:5872
-
C:\Windows\SysWOW64\Bhldpj32.exeC:\Windows\system32\Bhldpj32.exe117⤵PID:5920
-
C:\Windows\SysWOW64\Bcahmb32.exeC:\Windows\system32\Bcahmb32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5964 -
C:\Windows\SysWOW64\Bljlfh32.exeC:\Windows\system32\Bljlfh32.exe119⤵PID:6008
-
C:\Windows\SysWOW64\Bcddcbab.exeC:\Windows\system32\Bcddcbab.exe120⤵
- System Location Discovery: System Language Discovery
PID:6052 -
C:\Windows\SysWOW64\Bhamkipi.exeC:\Windows\system32\Bhamkipi.exe121⤵PID:6096
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-