Analysis
-
max time kernel
95s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
03-12-2024 03:49
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ef032d210af29c92835c6517deca4770e7e1b7c546b54d53966d47268e4e6da4.exe
Resource
win7-20240903-en
windows7-x64
13 signatures
150 seconds
Behavioral task
behavioral2
Sample
ef032d210af29c92835c6517deca4770e7e1b7c546b54d53966d47268e4e6da4.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
ef032d210af29c92835c6517deca4770e7e1b7c546b54d53966d47268e4e6da4.exe
-
Size
96KB
-
MD5
a039986e8bc85e809f4d1df7fb305bd7
-
SHA1
6213de744cb7b91857581cc556ea5fd60c0a6763
-
SHA256
ef032d210af29c92835c6517deca4770e7e1b7c546b54d53966d47268e4e6da4
-
SHA512
883381cf987d3c522c33832b4db774ddabcc768104f5db9143ad0ae3d6f13104ab623d976e818ad2082c6257b09ccc22988f94e8e112f59d7cf85bd1b2691167
-
SSDEEP
1536:h6bKhA0oL3D6kZngq8jVxw2LC7RZObZUUWaegPYAG:Abj0ofl1gqAhCClUUWae9
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Mjkblhfo.exeEagaoh32.exeIdcepgmg.exeBfkedibe.exeObafpg32.exeGlldgljg.exeMkadfj32.exeFbelcblk.exeGbabigfj.exeLjqhkckn.exeGafmaj32.exePgbbek32.exeDcjnoece.exeGdafnpqh.exeNeoieenp.exeGingkqkd.exeJqknkedi.exePhdnngdn.exeJfbkpd32.exeGpaqbbld.exeJbkbpoog.exeQepkbpak.exeBjnmpl32.exeQoelkp32.exeAojefobm.exeFbpchb32.exeCbeapmll.exeHgkkkcbc.exeAhippdbe.exeFbbpmb32.exeDmefhako.exeGkobjpin.exeKeakgpko.exeLbjelc32.exeGpgind32.exeGochjpho.exeLkalplel.exeHolfoqcm.exeAkhcfe32.exeBkafmd32.exeKgopidgf.exeBidqko32.exeIlmmni32.exeDnpdegjp.exeCmnpgb32.exeDdonekbl.exeDdadpdmn.exeKjhcjq32.exeLopmii32.exeOlckbd32.exeIgedlh32.exeLclpdncg.exeNlmdbh32.exedescription ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjkblhfo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eagaoh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idcepgmg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfkedibe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obafpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glldgljg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkadfj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbelcblk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbabigfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljqhkckn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gafmaj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgbbek32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcjnoece.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eagaoh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdafnpqh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neoieenp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gingkqkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jqknkedi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phdnngdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfbkpd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpaqbbld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbkbpoog.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qepkbpak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjnmpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qoelkp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aojefobm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbpchb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbeapmll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgkkkcbc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahippdbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbbpmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmefhako.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkobjpin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Keakgpko.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbjelc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpgind32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gochjpho.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkalplel.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Holfoqcm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akhcfe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkafmd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgopidgf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bidqko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdafnpqh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glldgljg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilmmni32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnpdegjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmnpgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddonekbl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddadpdmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjhcjq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lopmii32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olckbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igedlh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lclpdncg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlmdbh32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Pjhlml32.exePqbdjfln.exePgllfp32.exePnfdcjkg.exePdpmpdbd.exePgnilpah.exeQnhahj32.exeQdbiedpa.exeQgqeappe.exeQjoankoi.exeQqijje32.exeQcgffqei.exeAjanck32.exeAnmjcieo.exeAdgbpc32.exeAcjclpcf.exeAfhohlbj.exeAnogiicl.exeAeiofcji.exeAfjlnk32.exeAqppkd32.exeAeklkchg.exeAndqdh32.exeAcqimo32.exeAfoeiklb.exeAadifclh.exeBfabnjjp.exeBagflcje.exeBganhm32.exeBjokdipf.exeBmngqdpj.exeBeeoaapl.exeBgcknmop.exeBffkij32.exeBmpcfdmg.exeBeglgani.exeBcjlcn32.exeBmbplc32.exeBclhhnca.exeBfkedibe.exeBnbmefbg.exeBapiabak.exeChjaol32.exeCndikf32.exeCenahpha.exeCfpnph32.exeCaebma32.exeCeqnmpfo.exeCfbkeh32.exeCnicfe32.exeCeckcp32.exeChagok32.exeCfdhkhjj.exeCmnpgb32.exeChcddk32.exeCffdpghg.exeCmqmma32.exeDdjejl32.exeDanecp32.exeDhhnpjmh.exeDjgjlelk.exeDmefhako.exeDdonekbl.exeDfnjafap.exepid Process 2760 Pjhlml32.exe 4496 Pqbdjfln.exe 3600 Pgllfp32.exe 1400 Pnfdcjkg.exe 3024 Pdpmpdbd.exe 5100 Pgnilpah.exe 2184 Qnhahj32.exe 2284 Qdbiedpa.exe 4972 Qgqeappe.exe 372 Qjoankoi.exe 2076 Qqijje32.exe 5048 Qcgffqei.exe 1432 Ajanck32.exe 3040 Anmjcieo.exe 2952 Adgbpc32.exe 1512 Acjclpcf.exe 2608 Afhohlbj.exe 2060 Anogiicl.exe 380 Aeiofcji.exe 1108 Afjlnk32.exe 4508 Aqppkd32.exe 3952 Aeklkchg.exe 732 Andqdh32.exe 4884 Acqimo32.exe 4996 Afoeiklb.exe 2332 Aadifclh.exe 4440 Bfabnjjp.exe 3324 Bagflcje.exe 4780 Bganhm32.exe 4368 Bjokdipf.exe 1696 Bmngqdpj.exe 4348 Beeoaapl.exe 4452 Bgcknmop.exe 3616 Bffkij32.exe 3412 Bmpcfdmg.exe 2212 Beglgani.exe 4672 Bcjlcn32.exe 1964 Bmbplc32.exe 1640 Bclhhnca.exe 556 Bfkedibe.exe 2288 Bnbmefbg.exe 3228 Bapiabak.exe 1544 Chjaol32.exe 1968 Cndikf32.exe 1164 Cenahpha.exe 1352 Cfpnph32.exe 2512 Caebma32.exe 984 Ceqnmpfo.exe 432 Cfbkeh32.exe 2772 Cnicfe32.exe 2396 Ceckcp32.exe 4956 Chagok32.exe 2156 Cfdhkhjj.exe 4472 Cmnpgb32.exe 2920 Chcddk32.exe 4024 Cffdpghg.exe 2792 Cmqmma32.exe 3692 Ddjejl32.exe 2912 Danecp32.exe 2932 Dhhnpjmh.exe 3840 Djgjlelk.exe 1532 Dmefhako.exe 3112 Ddonekbl.exe 3132 Dfnjafap.exe -
Drops file in System32 directory 64 IoCs
Processes:
Cippgm32.exeFacqkg32.exeBdgged32.exeHnaqgd32.exeNhbolp32.exeIfomll32.exeChcddk32.exeEfffmo32.exeJgenbfoa.exeDdligq32.exeIplkpa32.exeKlfjijgq.exeGlcaambb.exeBclhhnca.exeMedqcmki.exeQcdbfk32.exeGlengm32.exeEbnfbcbc.exeGdfoio32.exeChjaol32.exePgbbek32.exeKjhloj32.exeFimhjl32.exePcobaedj.exeAoabad32.exeFmfgek32.exeOhnebd32.exeDfhjkabi.exeFehfljca.exeGgqida32.exeJeqbpb32.exeMhgfkg32.exeJgkdbacp.exeDeqcbpld.exePgllfp32.exeNlihle32.exeJlobkg32.exeIpoheakj.exeNlphbnoe.exeCfigpm32.exeHckeoeno.exePefabkej.exeDbbffdlq.exeKnbiofhg.exeKcejco32.exeGmafajfi.exeKqmkae32.exeLknojl32.exeJebfng32.exeFhmpagkp.exeEaladnik.exeEclmamod.exeEmehdh32.exeCjnffjkl.exedescription ioc Process File opened for modification C:\Windows\SysWOW64\Caghhk32.exe Cippgm32.exe File opened for modification C:\Windows\SysWOW64\Fpeafcfa.exe Facqkg32.exe File created C:\Windows\SysWOW64\Bkaobnio.exe Bdgged32.exe File opened for modification C:\Windows\SysWOW64\Hdkidohn.exe Hnaqgd32.exe File created C:\Windows\SysWOW64\Ejbdho32.dll Nhbolp32.exe File created C:\Windows\SysWOW64\Bahdob32.exe File created C:\Windows\SysWOW64\Nnfiop32.dll Ifomll32.exe File opened for modification C:\Windows\SysWOW64\Cffdpghg.exe Chcddk32.exe File created C:\Windows\SysWOW64\Edjgfcec.exe Efffmo32.exe File created C:\Windows\SysWOW64\Cicdai32.dll Jgenbfoa.exe File created C:\Windows\SysWOW64\Dkfadkgf.exe Ddligq32.exe File created C:\Windows\SysWOW64\Npdopj32.dll Iplkpa32.exe File created C:\Windows\SysWOW64\Ichqihli.dll File opened for modification C:\Windows\SysWOW64\Ofmdio32.exe File created C:\Windows\SysWOW64\Khhnncno.dll Klfjijgq.exe File created C:\Windows\SysWOW64\Dcdcmh32.dll Glcaambb.exe File created C:\Windows\SysWOW64\Nnjaqjfh.dll Bclhhnca.exe File created C:\Windows\SysWOW64\Mlnipg32.exe Medqcmki.exe File opened for modification C:\Windows\SysWOW64\Qfbobf32.exe Qcdbfk32.exe File created C:\Windows\SysWOW64\Lejomj32.dll Glengm32.exe File opened for modification C:\Windows\SysWOW64\Felbnn32.exe Ebnfbcbc.exe File created C:\Windows\SysWOW64\Dgfnagdi.dll File opened for modification C:\Windows\SysWOW64\Aaldccip.exe File created C:\Windows\SysWOW64\Hkpheidp.exe Gdfoio32.exe File created C:\Windows\SysWOW64\Cndikf32.exe Chjaol32.exe File created C:\Windows\SysWOW64\Dleglm32.dll Pgbbek32.exe File created C:\Windows\SysWOW64\Kmfhkf32.exe Kjhloj32.exe File opened for modification C:\Windows\SysWOW64\Fbelcblk.exe Fimhjl32.exe File created C:\Windows\SysWOW64\Piijno32.exe Pcobaedj.exe File opened for modification C:\Windows\SysWOW64\Afkknogn.exe Aoabad32.exe File opened for modification C:\Windows\SysWOW64\Fligqhga.exe Fmfgek32.exe File created C:\Windows\SysWOW64\Fngdja32.dll Ohnebd32.exe File opened for modification C:\Windows\SysWOW64\Dmbbhkjf.exe Dfhjkabi.exe File opened for modification C:\Windows\SysWOW64\Foqkdp32.exe Fehfljca.exe File created C:\Windows\SysWOW64\Demnop32.dll Ggqida32.exe File created C:\Windows\SysWOW64\Jdljmf32.dll Jeqbpb32.exe File created C:\Windows\SysWOW64\Noloin32.dll Mhgfkg32.exe File created C:\Windows\SysWOW64\Iaqdae32.dll Jgkdbacp.exe File created C:\Windows\SysWOW64\Pkoaeldi.dll File created C:\Windows\SysWOW64\Ekkkoj32.exe Deqcbpld.exe File created C:\Windows\SysWOW64\Lnlden32.dll Pgllfp32.exe File created C:\Windows\SysWOW64\Ggmookkn.dll Nlihle32.exe File opened for modification C:\Windows\SysWOW64\Jqknkedi.exe Jlobkg32.exe File opened for modification C:\Windows\SysWOW64\Joahqn32.exe Ipoheakj.exe File opened for modification C:\Windows\SysWOW64\Pplobcpp.exe File opened for modification C:\Windows\SysWOW64\Oondnini.exe Nlphbnoe.exe File created C:\Windows\SysWOW64\Ljalni32.dll Cfigpm32.exe File created C:\Windows\SysWOW64\Hgfapd32.exe Hckeoeno.exe File created C:\Windows\SysWOW64\Phdnngdn.exe Pefabkej.exe File created C:\Windows\SysWOW64\Deqcbpld.exe Dbbffdlq.exe File created C:\Windows\SysWOW64\Kfjapcii.exe Knbiofhg.exe File opened for modification C:\Windows\SysWOW64\Lklbdm32.exe Kcejco32.exe File created C:\Windows\SysWOW64\Gldglf32.exe Gmafajfi.exe File created C:\Windows\SysWOW64\Kjepjkhf.exe Kqmkae32.exe File created C:\Windows\SysWOW64\Lnmkfh32.exe Lknojl32.exe File created C:\Windows\SysWOW64\Hpidaqmj.dll Jebfng32.exe File created C:\Windows\SysWOW64\Bkjcmgbp.dll Fhmpagkp.exe File created C:\Windows\SysWOW64\Oghghb32.exe File opened for modification C:\Windows\SysWOW64\Chfegk32.exe File created C:\Windows\SysWOW64\Ehfjah32.exe Ealadnik.exe File created C:\Windows\SysWOW64\Faimhjhp.dll Eclmamod.exe File opened for modification C:\Windows\SysWOW64\Bkphhgfc.exe File created C:\Windows\SysWOW64\Nofhmj32.dll Emehdh32.exe File created C:\Windows\SysWOW64\Ckpbnb32.exe Cjnffjkl.exe -
Program crash 1 IoCs
Processes:
pid pid_target Process procid_target 7860 8580 1223 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Kfcdfbqo.exeHckeoeno.exeBahkih32.exeMgeakekd.exeGgnlobej.exeNlihle32.exeOondnini.exeDndnpf32.exeKnqepc32.exeLlmhaold.exeFedmqk32.exeIgjngh32.exeJbdlop32.exeMejpje32.exeNnkpnclp.exeFbbpmb32.exeEgijmegb.exeBidqko32.exeDiicml32.exeIdkbkl32.exeOhiemobf.exeAomifecf.exeLnadagbm.exeAqppkd32.exeGkleeplq.exeIgjeanmj.exeIipfmggc.exeKlahfp32.exeEbjcajjd.exeCeqnmpfo.exeJnnpdg32.exeKmieae32.exeKgdpni32.exeHkhdqoac.exeAkglloai.exeDdligq32.exeEpmmqheb.exeJljbeali.exeLcdciiec.exeKiaqcnpb.exeNlqomd32.exeLkabjbih.exeNafjjf32.exeGdbmhf32.exeEbejfk32.exeElnoopdj.exeEjoomhmi.exeEkkkoj32.exeFelbnn32.exeEaladnik.exeAoabad32.exeBmngqdpj.exeIgcoqocb.exeNhpiafnm.exeJdbhkk32.exeIlcldb32.exeJfbkpd32.exeGkiaej32.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfcdfbqo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hckeoeno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bahkih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgeakekd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggnlobej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlihle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oondnini.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dndnpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knqepc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llmhaold.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fedmqk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igjngh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbdlop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mejpje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnkpnclp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbbpmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egijmegb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bidqko32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Diicml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idkbkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohiemobf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aomifecf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnadagbm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqppkd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkleeplq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igjeanmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iipfmggc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klahfp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebjcajjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ceqnmpfo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnnpdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmieae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgdpni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkhdqoac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akglloai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddligq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epmmqheb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jljbeali.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcdciiec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kiaqcnpb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlqomd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkabjbih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nafjjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdbmhf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebejfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elnoopdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejoomhmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekkkoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Felbnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ealadnik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoabad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmngqdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igcoqocb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhpiafnm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdbhkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilcldb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfbkpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkiaej32.exe -
Modifies registry class 64 IoCs
Processes:
Mbbagk32.exeEfblbbqd.exeJjamia32.exeLndham32.exeLqikmc32.exeLqndhcdc.exeHkehkocf.exeBblnindg.exeBjbfklei.exeDpnkdq32.exeIinqbn32.exeHfaajnfb.exeGaefgd32.exeNhkikq32.exeNlkgmh32.exeLoeolc32.exeFhdohp32.exeKqbkfkal.exePjpobg32.exeDiicml32.exeEmehdh32.exeJcoaglhk.exeOjnblg32.exeIgedlh32.exeBnkbcj32.exeEfpomccg.exePpopjp32.exeJnhidk32.exeOacoqnci.exeAlnmjjdb.exeEppjfgcp.exePoomegpf.exeAaohcj32.exeEkkkoj32.exeKbddfmgl.exeCcpdoqgd.exeQmepam32.exeAeiofcji.exeBcghch32.exeEaindh32.exeKnqepc32.exeFideeaco.exeGiinpa32.exeAolblopj.exeEbnfbcbc.exeDfamapjo.exeFpmggb32.exeFkbkdkpp.exeIndfca32.exeJbkbpoog.exePhdnngdn.exeMhdjehhj.exeFipkjb32.exeJcanll32.exeNedjjj32.exeKiggbhda.exeOaompd32.exeMjkblhfo.exeFneggdhg.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mbbagk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnadil32.dll" Efblbbqd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjamia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lndham32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lqikmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lqndhcdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Koijai32.dll" Hkehkocf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bblnindg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjbfklei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpnkdq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iinqbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hfaajnfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plpjfnfg.dll" Gaefgd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhkikq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlkgmh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Loeolc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lefekh32.dll" Fhdohp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kqbkfkal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjpobg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Diicml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nofhmj32.dll" Emehdh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcoaglhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ojnblg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igedlh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eepmqdbn.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eehmok32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhihhecc.dll" Bnkbcj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efpomccg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppopjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lccahg32.dll" Jnhidk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oacoqnci.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Alnmjjdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffiipfmi.dll" Eppjfgcp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Poomegpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aaohcj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ekkkoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hijeeipc.dll" Kbddfmgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iophfi32.dll" Hfaajnfb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ccpdoqgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qmepam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aeiofcji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfapnkp.dll" Bcghch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idcondbo.dll" Eaindh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knqepc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fideeaco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odcfhh32.dll" Giinpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aolblopj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebnfbcbc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfamapjo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpmggb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkbkdkpp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Indfca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbkbpoog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Copdgb32.dll" Phdnngdn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhdjehhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fipkjb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcanll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nedjjj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kiggbhda.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oaompd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjkblhfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fneggdhg.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
ef032d210af29c92835c6517deca4770e7e1b7c546b54d53966d47268e4e6da4.exePjhlml32.exePqbdjfln.exePgllfp32.exePnfdcjkg.exePdpmpdbd.exePgnilpah.exeQnhahj32.exeQdbiedpa.exeQgqeappe.exeQjoankoi.exeQqijje32.exeQcgffqei.exeAjanck32.exeAnmjcieo.exeAdgbpc32.exeAcjclpcf.exeAfhohlbj.exeAnogiicl.exeAeiofcji.exeAfjlnk32.exeAqppkd32.exedescription pid Process procid_target PID 4640 wrote to memory of 2760 4640 ef032d210af29c92835c6517deca4770e7e1b7c546b54d53966d47268e4e6da4.exe 83 PID 4640 wrote to memory of 2760 4640 ef032d210af29c92835c6517deca4770e7e1b7c546b54d53966d47268e4e6da4.exe 83 PID 4640 wrote to memory of 2760 4640 ef032d210af29c92835c6517deca4770e7e1b7c546b54d53966d47268e4e6da4.exe 83 PID 2760 wrote to memory of 4496 2760 Pjhlml32.exe 84 PID 2760 wrote to memory of 4496 2760 Pjhlml32.exe 84 PID 2760 wrote to memory of 4496 2760 Pjhlml32.exe 84 PID 4496 wrote to memory of 3600 4496 Pqbdjfln.exe 85 PID 4496 wrote to memory of 3600 4496 Pqbdjfln.exe 85 PID 4496 wrote to memory of 3600 4496 Pqbdjfln.exe 85 PID 3600 wrote to memory of 1400 3600 Pgllfp32.exe 86 PID 3600 wrote to memory of 1400 3600 Pgllfp32.exe 86 PID 3600 wrote to memory of 1400 3600 Pgllfp32.exe 86 PID 1400 wrote to memory of 3024 1400 Pnfdcjkg.exe 87 PID 1400 wrote to memory of 3024 1400 Pnfdcjkg.exe 87 PID 1400 wrote to memory of 3024 1400 Pnfdcjkg.exe 87 PID 3024 wrote to memory of 5100 3024 Pdpmpdbd.exe 88 PID 3024 wrote to memory of 5100 3024 Pdpmpdbd.exe 88 PID 3024 wrote to memory of 5100 3024 Pdpmpdbd.exe 88 PID 5100 wrote to memory of 2184 5100 Pgnilpah.exe 89 PID 5100 wrote to memory of 2184 5100 Pgnilpah.exe 89 PID 5100 wrote to memory of 2184 5100 Pgnilpah.exe 89 PID 2184 wrote to memory of 2284 2184 Qnhahj32.exe 90 PID 2184 wrote to memory of 2284 2184 Qnhahj32.exe 90 PID 2184 wrote to memory of 2284 2184 Qnhahj32.exe 90 PID 2284 wrote to memory of 4972 2284 Qdbiedpa.exe 91 PID 2284 wrote to memory of 4972 2284 Qdbiedpa.exe 91 PID 2284 wrote to memory of 4972 2284 Qdbiedpa.exe 91 PID 4972 wrote to memory of 372 4972 Qgqeappe.exe 92 PID 4972 wrote to memory of 372 4972 Qgqeappe.exe 92 PID 4972 wrote to memory of 372 4972 Qgqeappe.exe 92 PID 372 wrote to memory of 2076 372 Qjoankoi.exe 93 PID 372 wrote to memory of 2076 372 Qjoankoi.exe 93 PID 372 wrote to memory of 2076 372 Qjoankoi.exe 93 PID 2076 wrote to memory of 5048 2076 Qqijje32.exe 94 PID 2076 wrote to memory of 5048 2076 Qqijje32.exe 94 PID 2076 wrote to memory of 5048 2076 Qqijje32.exe 94 PID 5048 wrote to memory of 1432 5048 Qcgffqei.exe 95 PID 5048 wrote to memory of 1432 5048 Qcgffqei.exe 95 PID 5048 wrote to memory of 1432 5048 Qcgffqei.exe 95 PID 1432 wrote to memory of 3040 1432 Ajanck32.exe 96 PID 1432 wrote to memory of 3040 1432 Ajanck32.exe 96 PID 1432 wrote to memory of 3040 1432 Ajanck32.exe 96 PID 3040 wrote to memory of 2952 3040 Anmjcieo.exe 97 PID 3040 wrote to memory of 2952 3040 Anmjcieo.exe 97 PID 3040 wrote to memory of 2952 3040 Anmjcieo.exe 97 PID 2952 wrote to memory of 1512 2952 Adgbpc32.exe 98 PID 2952 wrote to memory of 1512 2952 Adgbpc32.exe 98 PID 2952 wrote to memory of 1512 2952 Adgbpc32.exe 98 PID 1512 wrote to memory of 2608 1512 Acjclpcf.exe 99 PID 1512 wrote to memory of 2608 1512 Acjclpcf.exe 99 PID 1512 wrote to memory of 2608 1512 Acjclpcf.exe 99 PID 2608 wrote to memory of 2060 2608 Afhohlbj.exe 100 PID 2608 wrote to memory of 2060 2608 Afhohlbj.exe 100 PID 2608 wrote to memory of 2060 2608 Afhohlbj.exe 100 PID 2060 wrote to memory of 380 2060 Anogiicl.exe 101 PID 2060 wrote to memory of 380 2060 Anogiicl.exe 101 PID 2060 wrote to memory of 380 2060 Anogiicl.exe 101 PID 380 wrote to memory of 1108 380 Aeiofcji.exe 102 PID 380 wrote to memory of 1108 380 Aeiofcji.exe 102 PID 380 wrote to memory of 1108 380 Aeiofcji.exe 102 PID 1108 wrote to memory of 4508 1108 Afjlnk32.exe 103 PID 1108 wrote to memory of 4508 1108 Afjlnk32.exe 103 PID 1108 wrote to memory of 4508 1108 Afjlnk32.exe 103 PID 4508 wrote to memory of 3952 4508 Aqppkd32.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\ef032d210af29c92835c6517deca4770e7e1b7c546b54d53966d47268e4e6da4.exe"C:\Users\Admin\AppData\Local\Temp\ef032d210af29c92835c6517deca4770e7e1b7c546b54d53966d47268e4e6da4.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4640 -
C:\Windows\SysWOW64\Pjhlml32.exeC:\Windows\system32\Pjhlml32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Pqbdjfln.exeC:\Windows\system32\Pqbdjfln.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4496 -
C:\Windows\SysWOW64\Pgllfp32.exeC:\Windows\system32\Pgllfp32.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3600 -
C:\Windows\SysWOW64\Pnfdcjkg.exeC:\Windows\system32\Pnfdcjkg.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1400 -
C:\Windows\SysWOW64\Pdpmpdbd.exeC:\Windows\system32\Pdpmpdbd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Windows\SysWOW64\Pgnilpah.exeC:\Windows\system32\Pgnilpah.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5100 -
C:\Windows\SysWOW64\Qnhahj32.exeC:\Windows\system32\Qnhahj32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\Qdbiedpa.exeC:\Windows\system32\Qdbiedpa.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Windows\SysWOW64\Qgqeappe.exeC:\Windows\system32\Qgqeappe.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4972 -
C:\Windows\SysWOW64\Qjoankoi.exeC:\Windows\system32\Qjoankoi.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:372 -
C:\Windows\SysWOW64\Qqijje32.exeC:\Windows\system32\Qqijje32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Windows\SysWOW64\Qcgffqei.exeC:\Windows\system32\Qcgffqei.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5048 -
C:\Windows\SysWOW64\Ajanck32.exeC:\Windows\system32\Ajanck32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1432 -
C:\Windows\SysWOW64\Anmjcieo.exeC:\Windows\system32\Anmjcieo.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\SysWOW64\Adgbpc32.exeC:\Windows\system32\Adgbpc32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\SysWOW64\Acjclpcf.exeC:\Windows\system32\Acjclpcf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1512 -
C:\Windows\SysWOW64\Afhohlbj.exeC:\Windows\system32\Afhohlbj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Anogiicl.exeC:\Windows\system32\Anogiicl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2060 -
C:\Windows\SysWOW64\Aeiofcji.exeC:\Windows\system32\Aeiofcji.exe20⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:380 -
C:\Windows\SysWOW64\Afjlnk32.exeC:\Windows\system32\Afjlnk32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1108 -
C:\Windows\SysWOW64\Aqppkd32.exeC:\Windows\system32\Aqppkd32.exe22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4508 -
C:\Windows\SysWOW64\Aeklkchg.exeC:\Windows\system32\Aeklkchg.exe23⤵
- Executes dropped EXE
PID:3952 -
C:\Windows\SysWOW64\Andqdh32.exeC:\Windows\system32\Andqdh32.exe24⤵
- Executes dropped EXE
PID:732 -
C:\Windows\SysWOW64\Acqimo32.exeC:\Windows\system32\Acqimo32.exe25⤵
- Executes dropped EXE
PID:4884 -
C:\Windows\SysWOW64\Afoeiklb.exeC:\Windows\system32\Afoeiklb.exe26⤵
- Executes dropped EXE
PID:4996 -
C:\Windows\SysWOW64\Aadifclh.exeC:\Windows\system32\Aadifclh.exe27⤵
- Executes dropped EXE
PID:2332 -
C:\Windows\SysWOW64\Bfabnjjp.exeC:\Windows\system32\Bfabnjjp.exe28⤵
- Executes dropped EXE
PID:4440 -
C:\Windows\SysWOW64\Bagflcje.exeC:\Windows\system32\Bagflcje.exe29⤵
- Executes dropped EXE
PID:3324 -
C:\Windows\SysWOW64\Bganhm32.exeC:\Windows\system32\Bganhm32.exe30⤵
- Executes dropped EXE
PID:4780 -
C:\Windows\SysWOW64\Bjokdipf.exeC:\Windows\system32\Bjokdipf.exe31⤵
- Executes dropped EXE
PID:4368 -
C:\Windows\SysWOW64\Bmngqdpj.exeC:\Windows\system32\Bmngqdpj.exe32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1696 -
C:\Windows\SysWOW64\Beeoaapl.exeC:\Windows\system32\Beeoaapl.exe33⤵
- Executes dropped EXE
PID:4348 -
C:\Windows\SysWOW64\Bgcknmop.exeC:\Windows\system32\Bgcknmop.exe34⤵
- Executes dropped EXE
PID:4452 -
C:\Windows\SysWOW64\Bffkij32.exeC:\Windows\system32\Bffkij32.exe35⤵
- Executes dropped EXE
PID:3616 -
C:\Windows\SysWOW64\Bmpcfdmg.exeC:\Windows\system32\Bmpcfdmg.exe36⤵
- Executes dropped EXE
PID:3412 -
C:\Windows\SysWOW64\Beglgani.exeC:\Windows\system32\Beglgani.exe37⤵
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\Bcjlcn32.exeC:\Windows\system32\Bcjlcn32.exe38⤵
- Executes dropped EXE
PID:4672 -
C:\Windows\SysWOW64\Bmbplc32.exeC:\Windows\system32\Bmbplc32.exe39⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Bclhhnca.exeC:\Windows\system32\Bclhhnca.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1640 -
C:\Windows\SysWOW64\Bfkedibe.exeC:\Windows\system32\Bfkedibe.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:556 -
C:\Windows\SysWOW64\Bnbmefbg.exeC:\Windows\system32\Bnbmefbg.exe42⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Bapiabak.exeC:\Windows\system32\Bapiabak.exe43⤵
- Executes dropped EXE
PID:3228 -
C:\Windows\SysWOW64\Chjaol32.exeC:\Windows\system32\Chjaol32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1544 -
C:\Windows\SysWOW64\Cndikf32.exeC:\Windows\system32\Cndikf32.exe45⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Cenahpha.exeC:\Windows\system32\Cenahpha.exe46⤵
- Executes dropped EXE
PID:1164 -
C:\Windows\SysWOW64\Cfpnph32.exeC:\Windows\system32\Cfpnph32.exe47⤵
- Executes dropped EXE
PID:1352 -
C:\Windows\SysWOW64\Caebma32.exeC:\Windows\system32\Caebma32.exe48⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Ceqnmpfo.exeC:\Windows\system32\Ceqnmpfo.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:984 -
C:\Windows\SysWOW64\Cfbkeh32.exeC:\Windows\system32\Cfbkeh32.exe50⤵
- Executes dropped EXE
PID:432 -
C:\Windows\SysWOW64\Cnicfe32.exeC:\Windows\system32\Cnicfe32.exe51⤵
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Ceckcp32.exeC:\Windows\system32\Ceckcp32.exe52⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Chagok32.exeC:\Windows\system32\Chagok32.exe53⤵
- Executes dropped EXE
PID:4956 -
C:\Windows\SysWOW64\Cfdhkhjj.exeC:\Windows\system32\Cfdhkhjj.exe54⤵
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Cmnpgb32.exeC:\Windows\system32\Cmnpgb32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4472 -
C:\Windows\SysWOW64\Chcddk32.exeC:\Windows\system32\Chcddk32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2920 -
C:\Windows\SysWOW64\Cffdpghg.exeC:\Windows\system32\Cffdpghg.exe57⤵
- Executes dropped EXE
PID:4024 -
C:\Windows\SysWOW64\Cmqmma32.exeC:\Windows\system32\Cmqmma32.exe58⤵
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Ddjejl32.exeC:\Windows\system32\Ddjejl32.exe59⤵
- Executes dropped EXE
PID:3692 -
C:\Windows\SysWOW64\Danecp32.exeC:\Windows\system32\Danecp32.exe60⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Dhhnpjmh.exeC:\Windows\system32\Dhhnpjmh.exe61⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Djgjlelk.exeC:\Windows\system32\Djgjlelk.exe62⤵
- Executes dropped EXE
PID:3840 -
C:\Windows\SysWOW64\Dmefhako.exeC:\Windows\system32\Dmefhako.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1532 -
C:\Windows\SysWOW64\Ddonekbl.exeC:\Windows\system32\Ddonekbl.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3112 -
C:\Windows\SysWOW64\Dfnjafap.exeC:\Windows\system32\Dfnjafap.exe65⤵
- Executes dropped EXE
PID:3132 -
C:\Windows\SysWOW64\Dmgbnq32.exeC:\Windows\system32\Dmgbnq32.exe66⤵PID:4988
-
C:\Windows\SysWOW64\Ddakjkqi.exeC:\Windows\system32\Ddakjkqi.exe67⤵PID:3764
-
C:\Windows\SysWOW64\Dogogcpo.exeC:\Windows\system32\Dogogcpo.exe68⤵PID:2500
-
C:\Windows\SysWOW64\Deagdn32.exeC:\Windows\system32\Deagdn32.exe69⤵PID:3636
-
C:\Windows\SysWOW64\Dgbdlf32.exeC:\Windows\system32\Dgbdlf32.exe70⤵PID:1536
-
C:\Windows\SysWOW64\Dahhio32.exeC:\Windows\system32\Dahhio32.exe71⤵PID:3748
-
C:\Windows\SysWOW64\Eecdjmfi.exeC:\Windows\system32\Eecdjmfi.exe72⤵PID:2552
-
C:\Windows\SysWOW64\Ehapfiem.exeC:\Windows\system32\Ehapfiem.exe73⤵PID:4656
-
C:\Windows\SysWOW64\Ekpmbddq.exeC:\Windows\system32\Ekpmbddq.exe74⤵PID:3888
-
C:\Windows\SysWOW64\Emoinpcd.exeC:\Windows\system32\Emoinpcd.exe75⤵PID:3376
-
C:\Windows\SysWOW64\Eefaomcg.exeC:\Windows\system32\Eefaomcg.exe76⤵PID:4308
-
C:\Windows\SysWOW64\Eggmge32.exeC:\Windows\system32\Eggmge32.exe77⤵PID:1932
-
C:\Windows\SysWOW64\Ealadnik.exeC:\Windows\system32\Ealadnik.exe78⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4824 -
C:\Windows\SysWOW64\Ehfjah32.exeC:\Windows\system32\Ehfjah32.exe79⤵PID:4304
-
C:\Windows\SysWOW64\Egijmegb.exeC:\Windows\system32\Egijmegb.exe80⤵
- System Location Discovery: System Language Discovery
PID:224 -
C:\Windows\SysWOW64\Eejjjl32.exeC:\Windows\system32\Eejjjl32.exe81⤵PID:676
-
C:\Windows\SysWOW64\Ekgbccni.exeC:\Windows\system32\Ekgbccni.exe82⤵PID:3640
-
C:\Windows\SysWOW64\Eemgplno.exeC:\Windows\system32\Eemgplno.exe83⤵PID:1412
-
C:\Windows\SysWOW64\Emhldnkj.exeC:\Windows\system32\Emhldnkj.exe84⤵PID:2640
-
C:\Windows\SysWOW64\Fhmpagkp.exeC:\Windows\system32\Fhmpagkp.exe85⤵
- Drops file in System32 directory
PID:4404 -
C:\Windows\SysWOW64\Fnjhjn32.exeC:\Windows\system32\Fnjhjn32.exe86⤵PID:4740
-
C:\Windows\SysWOW64\Fhpmgg32.exeC:\Windows\system32\Fhpmgg32.exe87⤵PID:2388
-
C:\Windows\SysWOW64\Fedmqk32.exeC:\Windows\system32\Fedmqk32.exe88⤵
- System Location Discovery: System Language Discovery
PID:3628 -
C:\Windows\SysWOW64\Fkqeib32.exeC:\Windows\system32\Fkqeib32.exe89⤵PID:4608
-
C:\Windows\SysWOW64\Fhdfbfdh.exeC:\Windows\system32\Fhdfbfdh.exe90⤵PID:4556
-
C:\Windows\SysWOW64\Fehfljca.exeC:\Windows\system32\Fehfljca.exe91⤵
- Drops file in System32 directory
PID:3392 -
C:\Windows\SysWOW64\Foqkdp32.exeC:\Windows\system32\Foqkdp32.exe92⤵PID:60
-
C:\Windows\SysWOW64\Gaogak32.exeC:\Windows\system32\Gaogak32.exe93⤵PID:2404
-
C:\Windows\SysWOW64\Ghipne32.exeC:\Windows\system32\Ghipne32.exe94⤵PID:2436
-
C:\Windows\SysWOW64\Gochjpho.exeC:\Windows\system32\Gochjpho.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4388 -
C:\Windows\SysWOW64\Gaadfkgc.exeC:\Windows\system32\Gaadfkgc.exe96⤵PID:552
-
C:\Windows\SysWOW64\Gdppbfff.exeC:\Windows\system32\Gdppbfff.exe97⤵PID:1636
-
C:\Windows\SysWOW64\Ggnlobej.exeC:\Windows\system32\Ggnlobej.exe98⤵
- System Location Discovery: System Language Discovery
PID:4260 -
C:\Windows\SysWOW64\Goedpofl.exeC:\Windows\system32\Goedpofl.exe99⤵PID:5092
-
C:\Windows\SysWOW64\Gadqlkep.exeC:\Windows\system32\Gadqlkep.exe100⤵PID:1068
-
C:\Windows\SysWOW64\Gdbmhf32.exeC:\Windows\system32\Gdbmhf32.exe101⤵
- System Location Discovery: System Language Discovery
PID:4428 -
C:\Windows\SysWOW64\Ggqida32.exeC:\Windows\system32\Ggqida32.exe102⤵
- Drops file in System32 directory
PID:392 -
C:\Windows\SysWOW64\Gkleeplq.exeC:\Windows\system32\Gkleeplq.exe103⤵
- System Location Discovery: System Language Discovery
PID:1424 -
C:\Windows\SysWOW64\Gafmaj32.exeC:\Windows\system32\Gafmaj32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2456 -
C:\Windows\SysWOW64\Gddinf32.exeC:\Windows\system32\Gddinf32.exe105⤵PID:216
-
C:\Windows\SysWOW64\Gkobjpin.exeC:\Windows\system32\Gkobjpin.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3360 -
C:\Windows\SysWOW64\Gnmnfkia.exeC:\Windows\system32\Gnmnfkia.exe107⤵PID:456
-
C:\Windows\SysWOW64\Gdgfce32.exeC:\Windows\system32\Gdgfce32.exe108⤵PID:4844
-
C:\Windows\SysWOW64\Ggeboaob.exeC:\Windows\system32\Ggeboaob.exe109⤵PID:4132
-
C:\Windows\SysWOW64\Goljqnpd.exeC:\Windows\system32\Goljqnpd.exe110⤵PID:4444
-
C:\Windows\SysWOW64\Hakgmjoh.exeC:\Windows\system32\Hakgmjoh.exe111⤵PID:2248
-
C:\Windows\SysWOW64\Hdicienl.exeC:\Windows\system32\Hdicienl.exe112⤵PID:5148
-
C:\Windows\SysWOW64\Hkckeo32.exeC:\Windows\system32\Hkckeo32.exe113⤵PID:5192
-
C:\Windows\SysWOW64\Hbmcbime.exeC:\Windows\system32\Hbmcbime.exe114⤵PID:5236
-
C:\Windows\SysWOW64\Hhgloc32.exeC:\Windows\system32\Hhgloc32.exe115⤵PID:5280
-
C:\Windows\SysWOW64\Hkehkocf.exeC:\Windows\system32\Hkehkocf.exe116⤵
- Modifies registry class
PID:5324 -
C:\Windows\SysWOW64\Hnddgjbj.exeC:\Windows\system32\Hnddgjbj.exe117⤵PID:5368
-
C:\Windows\SysWOW64\Hfklhhcl.exeC:\Windows\system32\Hfklhhcl.exe118⤵PID:5412
-
C:\Windows\SysWOW64\Hdnldd32.exeC:\Windows\system32\Hdnldd32.exe119⤵PID:5456
-
C:\Windows\SysWOW64\Hkhdqoac.exeC:\Windows\system32\Hkhdqoac.exe120⤵
- System Location Discovery: System Language Discovery
PID:5500 -
C:\Windows\SysWOW64\Hnfamjqg.exeC:\Windows\system32\Hnfamjqg.exe121⤵PID:5544
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-