Analysis
-
max time kernel
93s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
03-12-2024 17:32
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1415f123e5fdebb640379c4e0dd506d0d905bbb01d1c07b995a3d4d442eba06bN.exe
Resource
win7-20240708-en
windows7-x64
11 signatures
120 seconds
Behavioral task
behavioral2
Sample
1415f123e5fdebb640379c4e0dd506d0d905bbb01d1c07b995a3d4d442eba06bN.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
1415f123e5fdebb640379c4e0dd506d0d905bbb01d1c07b995a3d4d442eba06bN.exe
-
Size
85KB
-
MD5
f8b3b6ece16ae97f148be3a22c335460
-
SHA1
1aea99eee7cdec3d7018e95976467019b6d41994
-
SHA256
1415f123e5fdebb640379c4e0dd506d0d905bbb01d1c07b995a3d4d442eba06b
-
SHA512
fa0427f7b9bc448bda3331b66a8ac629b6d83cb0e80d714a3b484a1542bcf135e7e1833bd096379743abe6cb8b27d5be9e373bcbcbc89eab0dbbde7ce3c57b73
-
SSDEEP
1536:+CnP58YLt9BxFARCUwBK2m4z55m1D4a/4MG+BlO7uXcNvvm5yw/Lb0OUrrQ35wNJ:+mBlpHxFARJwBKC+4a/4MFS7usluTXpC
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Biadeoce.exeKjepjkhf.exeOgjdmbil.exeDhphmj32.exeAmqhbe32.exeFdamgb32.exeOhghgodi.exeKcejco32.exeFligqhga.exeOonlfo32.exeOhpkmn32.exeCcmcgcmp.exeFplpll32.exeGingkqkd.exeNimmifgo.exeDfamapjo.exeIhdafkdg.exeJbiejoaj.exeDfoiaj32.exeImgicgca.exeJmeede32.exeOjnfihmo.exeLocbfd32.exePlagcbdn.exeJkaicd32.exeNhkikq32.exeDgeenfog.exeFiqjke32.exeKamjda32.exeMjahlgpf.exeIbaeen32.exeFhflnpoi.exeHnodaecc.exeNeoieenp.exeEfccmidp.exeEppqqn32.exeNbnlaldg.exeNhkikq32.exeGpecbk32.exeDkokcl32.exeFiggdg32.exeBmbiamhi.exeEecphp32.exeFkjmlaac.exeFohfbpgi.exeLcfidb32.exeGiqkkf32.exeJlkipgpe.exeJjafok32.exeNagpeo32.exeBihjfnmm.exeLkalplel.exeGlgcbf32.exeIhkjno32.exeFkpool32.exeBjpjel32.exeKlekfinp.exePfgogh32.exeIakiia32.exeJeocna32.exeKqbdldnq.exeEkkkoj32.exePkegpb32.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Biadeoce.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjepjkhf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogjdmbil.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhphmj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amqhbe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdamgb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohghgodi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcejco32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fligqhga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oonlfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohpkmn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccmcgcmp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fplpll32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gingkqkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nimmifgo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfamapjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihdafkdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbiejoaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfoiaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imgicgca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmeede32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojnfihmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Locbfd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plagcbdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkaicd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhkikq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgeenfog.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fiqjke32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kamjda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjahlgpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibaeen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhflnpoi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnodaecc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Neoieenp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efccmidp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eppqqn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbnlaldg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhkikq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpecbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkokcl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Figgdg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmbiamhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eecphp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkjmlaac.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fohfbpgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcfidb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Giqkkf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlkipgpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjafok32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nagpeo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bihjfnmm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkalplel.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glgcbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihkjno32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkpool32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjpjel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klekfinp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfgogh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iakiia32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jeocna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kqbdldnq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekkkoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccmcgcmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkegpb32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Kbghfc32.exeLlpmoiof.exeLpkiph32.exeLfealaol.exeLlbidimc.exeLblaabdp.exeLifjnm32.exeLocbfd32.exeLemkcnaa.exeLlgcph32.exeLflgmqhd.exeLlipehgk.exeLoglacfo.exeLeadnm32.exeMlklkgei.exeMbedga32.exeMhbmphjm.exeMbhamajc.exeMibijk32.exeMoobbb32.exeMpnnle32.exeMekgdl32.exeMleoafmn.exeMbognp32.exeNiipjj32.exeNpchgdcd.exeNgmpcn32.exeNhnlkfpp.exeNpedmdab.exeNgomin32.exeNiniei32.exeNlleaeff.exeNojanpej.exeNedjjj32.exeNhbfff32.exeNlnbgddc.exeNomncpcg.exeNgdfdmdi.exeNlqomd32.exeOgfcjm32.exeOlckbd32.exeOoagno32.exeOghppm32.exeOlehhc32.exeOiihahme.exeOcamjm32.exeOepifi32.exeOcdjpmac.exeOebflhaf.exeOjnblg32.exeOokjdn32.exePjpobg32.exePomgjn32.exePfgogh32.exePlagcbdn.exePckppl32.exePpopjp32.exePcmlfl32.exePhjenbhp.exePodmkm32.exePfnegggi.exePlhnda32.exeQhonib32.exeQoifflkg.exepid Process 4596 Kbghfc32.exe 2340 Llpmoiof.exe 1344 Lpkiph32.exe 2040 Lfealaol.exe 2908 Llbidimc.exe 2600 Lblaabdp.exe 3148 Lifjnm32.exe 4624 Locbfd32.exe 1756 Lemkcnaa.exe 2664 Llgcph32.exe 2724 Lflgmqhd.exe 2412 Llipehgk.exe 4584 Loglacfo.exe 3956 Leadnm32.exe 5060 Mlklkgei.exe 1648 Mbedga32.exe 400 Mhbmphjm.exe 552 Mbhamajc.exe 3272 Mibijk32.exe 3128 Moobbb32.exe 2932 Mpnnle32.exe 3252 Mekgdl32.exe 3464 Mleoafmn.exe 2956 Mbognp32.exe 4268 Niipjj32.exe 872 Npchgdcd.exe 4968 Ngmpcn32.exe 5008 Nhnlkfpp.exe 5092 Npedmdab.exe 2612 Ngomin32.exe 4032 Niniei32.exe 2192 Nlleaeff.exe 1664 Nojanpej.exe 5112 Nedjjj32.exe 5068 Nhbfff32.exe 4292 Nlnbgddc.exe 3388 Nomncpcg.exe 1416 Ngdfdmdi.exe 1320 Nlqomd32.exe 4752 Ogfcjm32.exe 4236 Olckbd32.exe 908 Ooagno32.exe 2348 Oghppm32.exe 2576 Olehhc32.exe 1428 Oiihahme.exe 1656 Ocamjm32.exe 1948 Oepifi32.exe 4696 Ocdjpmac.exe 2800 Oebflhaf.exe 3800 Ojnblg32.exe 3816 Ookjdn32.exe 1544 Pjpobg32.exe 4688 Pomgjn32.exe 3488 Pfgogh32.exe 712 Plagcbdn.exe 4136 Pckppl32.exe 776 Ppopjp32.exe 4764 Pcmlfl32.exe 1220 Phjenbhp.exe 2208 Podmkm32.exe 2296 Pfnegggi.exe 1636 Plhnda32.exe 2396 Qhonib32.exe 3456 Qoifflkg.exe -
Drops file in System32 directory 64 IoCs
Processes:
Ilnbicff.exePaeelgnj.exeKlekfinp.exeBggnof32.exeGdfoio32.exeHncmmd32.exeNklbmllg.exeMhldbh32.exeCmklglpn.exeDflfac32.exeEbkbbmqj.exeIpdndloi.exeGicgpelg.exeFbcfhibj.exeMfchlbfd.exeBdmmeo32.exeDkcndeen.exeGgkqgaol.exeCajjjk32.exeLhmmjbkf.exeEpikpo32.exeDkokcl32.exeDakikoom.exeAokkahlo.exeIkndgg32.exeKnbbep32.exeObcceg32.exeOgjdmbil.exeJekjcaef.exeDhlpqc32.exeOhghgodi.exeFpjcgm32.exeLfgipd32.exeNiipjj32.exeNgmpcn32.exeDhikci32.exeIiopca32.exeEkkkoj32.exeKlfaapbl.exeNjhgbp32.exeJhnojl32.exeLlbidimc.exeEdopabqn.exeNoeahkfc.exeLkchelci.exeIeidhh32.exeBgpcliao.exeLjpaqmgb.exeOmfekbdh.exeKkcfid32.exeNbqmiinl.exePlpqil32.exeHbjoeojc.exeHnbeeiji.exeAidehpea.exeHnfjbdmk.exeKjhloj32.exeBlielbfi.exeKeimof32.exeKkhpdcab.exeLcjcnoej.exeKefiopki.exeCgifbhid.exedescription ioc Process File opened for modification C:\Windows\SysWOW64\Iomoenej.exe Ilnbicff.exe File created C:\Windows\SysWOW64\Pjmjdm32.exe Paeelgnj.exe File created C:\Windows\SysWOW64\Kcoccc32.exe Klekfinp.exe File created C:\Windows\SysWOW64\Fliabjbh.dll Bggnof32.exe File opened for modification C:\Windows\SysWOW64\Hkpheidp.exe Gdfoio32.exe File created C:\Windows\SysWOW64\Ganmcc32.dll Hncmmd32.exe File created C:\Windows\SysWOW64\Clkbmh32.dll Nklbmllg.exe File opened for modification C:\Windows\SysWOW64\Mpclce32.exe Mhldbh32.exe File opened for modification C:\Windows\SysWOW64\Caghhk32.exe Cmklglpn.exe File created C:\Windows\SysWOW64\Dijbno32.exe Dflfac32.exe File created C:\Windows\SysWOW64\Mjaonjaj.dll Ebkbbmqj.exe File created C:\Windows\SysWOW64\Hokomfqg.dll Ipdndloi.exe File opened for modification C:\Windows\SysWOW64\Ggfglb32.exe Gicgpelg.exe File created C:\Windows\SysWOW64\Afdnfjpa.dll Fbcfhibj.exe File created C:\Windows\SysWOW64\Cnocia32.dll Mfchlbfd.exe File created C:\Windows\SysWOW64\Bhhiemoj.exe Bdmmeo32.exe File created C:\Windows\SysWOW64\Anfmbd32.dll Dkcndeen.exe File created C:\Windows\SysWOW64\Geoapenf.exe Ggkqgaol.exe File created C:\Windows\SysWOW64\Cdhffg32.exe Cajjjk32.exe File created C:\Windows\SysWOW64\Fgibng32.dll Lhmmjbkf.exe File opened for modification C:\Windows\SysWOW64\Ebhglj32.exe Epikpo32.exe File opened for modification C:\Windows\SysWOW64\Dbicpfdk.exe Dkokcl32.exe File opened for modification C:\Windows\SysWOW64\Dqnjgl32.exe Dakikoom.exe File created C:\Windows\SysWOW64\Dgeaknci.dll Aokkahlo.exe File opened for modification C:\Windows\SysWOW64\Damfao32.exe Dkcndeen.exe File opened for modification C:\Windows\SysWOW64\Inmpcc32.exe Ikndgg32.exe File created C:\Windows\SysWOW64\Kelkaj32.exe Knbbep32.exe File created C:\Windows\SysWOW64\Kahobhgo.dll Obcceg32.exe File created C:\Windows\SysWOW64\Ofmdio32.exe Ogjdmbil.exe File created C:\Windows\SysWOW64\Hfibla32.dll Jekjcaef.exe File created C:\Windows\SysWOW64\Nbjklp32.dll Dhlpqc32.exe File created C:\Windows\SysWOW64\Okedcjcm.exe Ohghgodi.exe File opened for modification C:\Windows\SysWOW64\Fbhpch32.exe Fpjcgm32.exe File opened for modification C:\Windows\SysWOW64\Lckiihok.exe Lfgipd32.exe File opened for modification C:\Windows\SysWOW64\Npchgdcd.exe Niipjj32.exe File opened for modification C:\Windows\SysWOW64\Nhnlkfpp.exe Ngmpcn32.exe File created C:\Windows\SysWOW64\Doccpcja.exe Dhikci32.exe File created C:\Windows\SysWOW64\Ipihpkkd.exe Iiopca32.exe File created C:\Windows\SysWOW64\Jhkbjd32.dll Ekkkoj32.exe File opened for modification C:\Windows\SysWOW64\Kcpjnjii.exe Klfaapbl.exe File created C:\Windows\SysWOW64\Nmiadaea.dll Njhgbp32.exe File opened for modification C:\Windows\SysWOW64\Johggfha.exe Jhnojl32.exe File opened for modification C:\Windows\SysWOW64\Lblaabdp.exe Llbidimc.exe File opened for modification C:\Windows\SysWOW64\Filiii32.exe Edopabqn.exe File opened for modification C:\Windows\SysWOW64\Nbqmiinl.exe Noeahkfc.exe File created C:\Windows\SysWOW64\Lnadagbm.exe Lkchelci.exe File created C:\Windows\SysWOW64\Ljcpchlo.dll Ieidhh32.exe File opened for modification C:\Windows\SysWOW64\Bmjkic32.exe Bgpcliao.exe File opened for modification C:\Windows\SysWOW64\Lhcali32.exe Ljpaqmgb.exe File created C:\Windows\SysWOW64\Pbcncibp.exe Omfekbdh.exe File created C:\Windows\SysWOW64\Ophpeg32.dll Kkcfid32.exe File created C:\Windows\SysWOW64\Nacmdf32.exe Nbqmiinl.exe File opened for modification C:\Windows\SysWOW64\Pkcadhgm.exe Plpqil32.exe File created C:\Windows\SysWOW64\Hidgai32.exe Hbjoeojc.exe File created C:\Windows\SysWOW64\Hemmac32.exe Hnbeeiji.exe File opened for modification C:\Windows\SysWOW64\Aalmimfd.exe Aidehpea.exe File opened for modification C:\Windows\SysWOW64\Hdpbon32.exe Hnfjbdmk.exe File created C:\Windows\SysWOW64\Nfcconde.dll Kjhloj32.exe File opened for modification C:\Windows\SysWOW64\Bklfgo32.exe Blielbfi.exe File created C:\Windows\SysWOW64\Klcekpdo.exe Keimof32.exe File created C:\Windows\SysWOW64\Jklbcn32.dll Kkhpdcab.exe File opened for modification C:\Windows\SysWOW64\Lkalplel.exe Lcjcnoej.exe File created C:\Windows\SysWOW64\Kheekkjl.exe Kefiopki.exe File created C:\Windows\SysWOW64\Qfoaecol.dll Cgifbhid.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target Process procid_target 6984 6944 WerFault.exe 1042 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Niipjj32.exeGpcfmkff.exeNlfnaicd.exeQcnjijoe.exeBgnkhg32.exeJdgafjpn.exeMhfppabl.exeCljobphg.exeMcbpjg32.exeOgjdmbil.exeBmkcqn32.exeHnfjbdmk.exeIakiia32.exeMcecjmkl.exeApmhiq32.exeBfmolc32.exeDdgibkpc.exeKapfiqoj.exeKcoccc32.exeOcamjm32.exeMicoed32.exeEbdcld32.exeCmklglpn.exeGijekg32.exeOhghgodi.exeCkjknfnh.exeNhnlkfpp.exePmaffnce.exeQbonoghb.exeJlkipgpe.exeLcjcnoej.exeNmgjia32.exeBhkmec32.exeFmhdkknd.exeNmbjcljl.exeLemkcnaa.exeEfgemb32.exeKeifdpif.exeJklphekp.exeLkabjbih.exePcjiff32.exeMhjhmhhd.exeBpjmph32.exeBgdemb32.exeEpokedmj.exeIbcjqgnm.exeAompak32.exeNenbjo32.exeJgkdbacp.exeAdfgdpmi.exeDgjoif32.exeKinmcg32.exePpolhcnm.exeBmjkic32.exeInebjihf.exePakllc32.exePkpmdbfd.exeIeidhh32.exeGejhef32.exeMpeiie32.exeCfnjpfcl.exeMjlalkmd.exeLblaabdp.exeJddnfd32.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Niipjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpcfmkff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlfnaicd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcnjijoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgnkhg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdgafjpn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhfppabl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cljobphg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcbpjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogjdmbil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmkcqn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnfjbdmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iakiia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcecjmkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apmhiq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfmolc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddgibkpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kapfiqoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcoccc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocamjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Micoed32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebdcld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmklglpn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gijekg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohghgodi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckjknfnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhnlkfpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmaffnce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qbonoghb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlkipgpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcjcnoej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmgjia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhkmec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmhdkknd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmbjcljl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lemkcnaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efgemb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keifdpif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jklphekp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkabjbih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcjiff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhjhmhhd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpjmph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgdemb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epokedmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibcjqgnm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aompak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nenbjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgkdbacp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adfgdpmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgjoif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kinmcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppolhcnm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmjkic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inebjihf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pakllc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkpmdbfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieidhh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gejhef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpeiie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfnjpfcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjlalkmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lblaabdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jddnfd32.exe -
Modifies registry class 64 IoCs
Processes:
Pefabkej.exeBkphhgfc.exeImgicgca.exeKegpifod.exeGiqkkf32.exeIbmeoq32.exeFjhacf32.exeGpecbk32.exePkegpb32.exeGpgind32.exePjjfdfbb.exeEfgemb32.exeKlcekpdo.exeGnnccl32.exeAidehpea.exeNiipjj32.exeKaehljpj.exeOhghgodi.exeBckkca32.exeGbdoof32.exeJncoikmp.exeKlggli32.exeNfohgqlg.exeIacngdgj.exeOgfcjm32.exeHkbdki32.exeJjafok32.exeAmjillkj.exeGlgcbf32.exeAdfgdpmi.exeChiblk32.exeNlnbgddc.exeMicoed32.exeFfnknafg.exeMejpje32.exeKcpahpmd.exeLpkiph32.exeLlbidimc.exeFacqkg32.exeNefped32.exeBheplb32.exeOonlfo32.exeMhoipb32.exeMhdckaeo.exeAfkknogn.exeEpikpo32.exeAlelqb32.exeIijfhbhl.exeMfpell32.exeOjnfihmo.exeAcqgojmb.exeEfffmo32.exeGijekg32.exeLqbncb32.exeAddaif32.exeAnmfbl32.exeLjpaqmgb.exeIndfca32.exeJjmcnbdm.exeIcdheded.exeMkhapk32.exeNceefd32.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Copdgb32.dll" Pefabkej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkphhgfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Imgicgca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hicakqhn.dll" Kegpifod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Giqkkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alkdoago.dll" Ibmeoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qglmjp32.dll" Fjhacf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcgbdc32.dll" Gpecbk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkegpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ficlfj32.dll" Gpgind32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojgljk32.dll" Pjjfdfbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efgemb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Klcekpdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flpoofmk.dll" Gnnccl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aidehpea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Niipjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdpjda32.dll" Kaehljpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hobipl32.dll" Ohghgodi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bckkca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcelk32.dll" Gbdoof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flafeh32.dll" Jncoikmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Klggli32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nfohgqlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iacngdgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cikjab32.dll" Ogfcjm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkbdki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjafok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amjillkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Glgcbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Adfgdpmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chiblk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlnbgddc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mieced32.dll" Micoed32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ffnknafg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knaalh32.dll" Mejpje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kcpahpmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpkiph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciepangh.dll" Llbidimc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Facqkg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nefped32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bheplb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gejimf32.dll" Oonlfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cobhcgin.dll" Mhoipb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhdckaeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Achnlqjp.dll" Afkknogn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epikpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Alelqb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iijfhbhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncjakdno.dll" Klggli32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mfpell32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mckmcadl.dll" Ojnfihmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Defgao32.dll" Acqgojmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efffmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gijekg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lqbncb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Addaif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anmfbl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljpaqmgb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Indfca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnlonj32.dll" Jjmcnbdm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Icdheded.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkhapk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbofpe32.dll" Nceefd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nceefd32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
1415f123e5fdebb640379c4e0dd506d0d905bbb01d1c07b995a3d4d442eba06bN.exeKbghfc32.exeLlpmoiof.exeLpkiph32.exeLfealaol.exeLlbidimc.exeLblaabdp.exeLifjnm32.exeLocbfd32.exeLemkcnaa.exeLlgcph32.exeLflgmqhd.exeLlipehgk.exeLoglacfo.exeLeadnm32.exeMlklkgei.exeMbedga32.exeMhbmphjm.exeMbhamajc.exeMibijk32.exeMoobbb32.exeMpnnle32.exedescription pid Process procid_target PID 4412 wrote to memory of 4596 4412 1415f123e5fdebb640379c4e0dd506d0d905bbb01d1c07b995a3d4d442eba06bN.exe 83 PID 4412 wrote to memory of 4596 4412 1415f123e5fdebb640379c4e0dd506d0d905bbb01d1c07b995a3d4d442eba06bN.exe 83 PID 4412 wrote to memory of 4596 4412 1415f123e5fdebb640379c4e0dd506d0d905bbb01d1c07b995a3d4d442eba06bN.exe 83 PID 4596 wrote to memory of 2340 4596 Kbghfc32.exe 84 PID 4596 wrote to memory of 2340 4596 Kbghfc32.exe 84 PID 4596 wrote to memory of 2340 4596 Kbghfc32.exe 84 PID 2340 wrote to memory of 1344 2340 Llpmoiof.exe 85 PID 2340 wrote to memory of 1344 2340 Llpmoiof.exe 85 PID 2340 wrote to memory of 1344 2340 Llpmoiof.exe 85 PID 1344 wrote to memory of 2040 1344 Lpkiph32.exe 86 PID 1344 wrote to memory of 2040 1344 Lpkiph32.exe 86 PID 1344 wrote to memory of 2040 1344 Lpkiph32.exe 86 PID 2040 wrote to memory of 2908 2040 Lfealaol.exe 87 PID 2040 wrote to memory of 2908 2040 Lfealaol.exe 87 PID 2040 wrote to memory of 2908 2040 Lfealaol.exe 87 PID 2908 wrote to memory of 2600 2908 Llbidimc.exe 88 PID 2908 wrote to memory of 2600 2908 Llbidimc.exe 88 PID 2908 wrote to memory of 2600 2908 Llbidimc.exe 88 PID 2600 wrote to memory of 3148 2600 Lblaabdp.exe 89 PID 2600 wrote to memory of 3148 2600 Lblaabdp.exe 89 PID 2600 wrote to memory of 3148 2600 Lblaabdp.exe 89 PID 3148 wrote to memory of 4624 3148 Lifjnm32.exe 90 PID 3148 wrote to memory of 4624 3148 Lifjnm32.exe 90 PID 3148 wrote to memory of 4624 3148 Lifjnm32.exe 90 PID 4624 wrote to memory of 1756 4624 Locbfd32.exe 91 PID 4624 wrote to memory of 1756 4624 Locbfd32.exe 91 PID 4624 wrote to memory of 1756 4624 Locbfd32.exe 91 PID 1756 wrote to memory of 2664 1756 Lemkcnaa.exe 92 PID 1756 wrote to memory of 2664 1756 Lemkcnaa.exe 92 PID 1756 wrote to memory of 2664 1756 Lemkcnaa.exe 92 PID 2664 wrote to memory of 2724 2664 Llgcph32.exe 93 PID 2664 wrote to memory of 2724 2664 Llgcph32.exe 93 PID 2664 wrote to memory of 2724 2664 Llgcph32.exe 93 PID 2724 wrote to memory of 2412 2724 Lflgmqhd.exe 94 PID 2724 wrote to memory of 2412 2724 Lflgmqhd.exe 94 PID 2724 wrote to memory of 2412 2724 Lflgmqhd.exe 94 PID 2412 wrote to memory of 4584 2412 Llipehgk.exe 95 PID 2412 wrote to memory of 4584 2412 Llipehgk.exe 95 PID 2412 wrote to memory of 4584 2412 Llipehgk.exe 95 PID 4584 wrote to memory of 3956 4584 Loglacfo.exe 96 PID 4584 wrote to memory of 3956 4584 Loglacfo.exe 96 PID 4584 wrote to memory of 3956 4584 Loglacfo.exe 96 PID 3956 wrote to memory of 5060 3956 Leadnm32.exe 97 PID 3956 wrote to memory of 5060 3956 Leadnm32.exe 97 PID 3956 wrote to memory of 5060 3956 Leadnm32.exe 97 PID 5060 wrote to memory of 1648 5060 Mlklkgei.exe 98 PID 5060 wrote to memory of 1648 5060 Mlklkgei.exe 98 PID 5060 wrote to memory of 1648 5060 Mlklkgei.exe 98 PID 1648 wrote to memory of 400 1648 Mbedga32.exe 99 PID 1648 wrote to memory of 400 1648 Mbedga32.exe 99 PID 1648 wrote to memory of 400 1648 Mbedga32.exe 99 PID 400 wrote to memory of 552 400 Mhbmphjm.exe 100 PID 400 wrote to memory of 552 400 Mhbmphjm.exe 100 PID 400 wrote to memory of 552 400 Mhbmphjm.exe 100 PID 552 wrote to memory of 3272 552 Mbhamajc.exe 101 PID 552 wrote to memory of 3272 552 Mbhamajc.exe 101 PID 552 wrote to memory of 3272 552 Mbhamajc.exe 101 PID 3272 wrote to memory of 3128 3272 Mibijk32.exe 102 PID 3272 wrote to memory of 3128 3272 Mibijk32.exe 102 PID 3272 wrote to memory of 3128 3272 Mibijk32.exe 102 PID 3128 wrote to memory of 2932 3128 Moobbb32.exe 103 PID 3128 wrote to memory of 2932 3128 Moobbb32.exe 103 PID 3128 wrote to memory of 2932 3128 Moobbb32.exe 103 PID 2932 wrote to memory of 3252 2932 Mpnnle32.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\1415f123e5fdebb640379c4e0dd506d0d905bbb01d1c07b995a3d4d442eba06bN.exe"C:\Users\Admin\AppData\Local\Temp\1415f123e5fdebb640379c4e0dd506d0d905bbb01d1c07b995a3d4d442eba06bN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4412 -
C:\Windows\SysWOW64\Kbghfc32.exeC:\Windows\system32\Kbghfc32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4596 -
C:\Windows\SysWOW64\Llpmoiof.exeC:\Windows\system32\Llpmoiof.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\SysWOW64\Lpkiph32.exeC:\Windows\system32\Lpkiph32.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1344 -
C:\Windows\SysWOW64\Lfealaol.exeC:\Windows\system32\Lfealaol.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Windows\SysWOW64\Llbidimc.exeC:\Windows\system32\Llbidimc.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Lblaabdp.exeC:\Windows\system32\Lblaabdp.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Lifjnm32.exeC:\Windows\system32\Lifjnm32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3148 -
C:\Windows\SysWOW64\Locbfd32.exeC:\Windows\system32\Locbfd32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4624 -
C:\Windows\SysWOW64\Lemkcnaa.exeC:\Windows\system32\Lemkcnaa.exe10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1756 -
C:\Windows\SysWOW64\Llgcph32.exeC:\Windows\system32\Llgcph32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Lflgmqhd.exeC:\Windows\system32\Lflgmqhd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Llipehgk.exeC:\Windows\system32\Llipehgk.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\Loglacfo.exeC:\Windows\system32\Loglacfo.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4584 -
C:\Windows\SysWOW64\Leadnm32.exeC:\Windows\system32\Leadnm32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3956 -
C:\Windows\SysWOW64\Mlklkgei.exeC:\Windows\system32\Mlklkgei.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5060 -
C:\Windows\SysWOW64\Mbedga32.exeC:\Windows\system32\Mbedga32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1648 -
C:\Windows\SysWOW64\Mhbmphjm.exeC:\Windows\system32\Mhbmphjm.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:400 -
C:\Windows\SysWOW64\Mbhamajc.exeC:\Windows\system32\Mbhamajc.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:552 -
C:\Windows\SysWOW64\Mibijk32.exeC:\Windows\system32\Mibijk32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3272 -
C:\Windows\SysWOW64\Moobbb32.exeC:\Windows\system32\Moobbb32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3128 -
C:\Windows\SysWOW64\Mpnnle32.exeC:\Windows\system32\Mpnnle32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\Mekgdl32.exeC:\Windows\system32\Mekgdl32.exe23⤵
- Executes dropped EXE
PID:3252 -
C:\Windows\SysWOW64\Mleoafmn.exeC:\Windows\system32\Mleoafmn.exe24⤵
- Executes dropped EXE
PID:3464 -
C:\Windows\SysWOW64\Mbognp32.exeC:\Windows\system32\Mbognp32.exe25⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Niipjj32.exeC:\Windows\system32\Niipjj32.exe26⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4268 -
C:\Windows\SysWOW64\Npchgdcd.exeC:\Windows\system32\Npchgdcd.exe27⤵
- Executes dropped EXE
PID:872 -
C:\Windows\SysWOW64\Ngmpcn32.exeC:\Windows\system32\Ngmpcn32.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4968 -
C:\Windows\SysWOW64\Nhnlkfpp.exeC:\Windows\system32\Nhnlkfpp.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5008 -
C:\Windows\SysWOW64\Npedmdab.exeC:\Windows\system32\Npedmdab.exe30⤵
- Executes dropped EXE
PID:5092 -
C:\Windows\SysWOW64\Ngomin32.exeC:\Windows\system32\Ngomin32.exe31⤵
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Niniei32.exeC:\Windows\system32\Niniei32.exe32⤵
- Executes dropped EXE
PID:4032 -
C:\Windows\SysWOW64\Nlleaeff.exeC:\Windows\system32\Nlleaeff.exe33⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Nojanpej.exeC:\Windows\system32\Nojanpej.exe34⤵
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Nedjjj32.exeC:\Windows\system32\Nedjjj32.exe35⤵
- Executes dropped EXE
PID:5112 -
C:\Windows\SysWOW64\Nhbfff32.exeC:\Windows\system32\Nhbfff32.exe36⤵
- Executes dropped EXE
PID:5068 -
C:\Windows\SysWOW64\Nlnbgddc.exeC:\Windows\system32\Nlnbgddc.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:4292 -
C:\Windows\SysWOW64\Nomncpcg.exeC:\Windows\system32\Nomncpcg.exe38⤵
- Executes dropped EXE
PID:3388 -
C:\Windows\SysWOW64\Ngdfdmdi.exeC:\Windows\system32\Ngdfdmdi.exe39⤵
- Executes dropped EXE
PID:1416 -
C:\Windows\SysWOW64\Nlqomd32.exeC:\Windows\system32\Nlqomd32.exe40⤵
- Executes dropped EXE
PID:1320 -
C:\Windows\SysWOW64\Ogfcjm32.exeC:\Windows\system32\Ogfcjm32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:4752 -
C:\Windows\SysWOW64\Olckbd32.exeC:\Windows\system32\Olckbd32.exe42⤵
- Executes dropped EXE
PID:4236 -
C:\Windows\SysWOW64\Ooagno32.exeC:\Windows\system32\Ooagno32.exe43⤵
- Executes dropped EXE
PID:908 -
C:\Windows\SysWOW64\Oghppm32.exeC:\Windows\system32\Oghppm32.exe44⤵
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Olehhc32.exeC:\Windows\system32\Olehhc32.exe45⤵
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Oiihahme.exeC:\Windows\system32\Oiihahme.exe46⤵
- Executes dropped EXE
PID:1428 -
C:\Windows\SysWOW64\Ocamjm32.exeC:\Windows\system32\Ocamjm32.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1656 -
C:\Windows\SysWOW64\Oepifi32.exeC:\Windows\system32\Oepifi32.exe48⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Ocdjpmac.exeC:\Windows\system32\Ocdjpmac.exe49⤵
- Executes dropped EXE
PID:4696 -
C:\Windows\SysWOW64\Oebflhaf.exeC:\Windows\system32\Oebflhaf.exe50⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Ojnblg32.exeC:\Windows\system32\Ojnblg32.exe51⤵
- Executes dropped EXE
PID:3800 -
C:\Windows\SysWOW64\Ookjdn32.exeC:\Windows\system32\Ookjdn32.exe52⤵
- Executes dropped EXE
PID:3816 -
C:\Windows\SysWOW64\Pjpobg32.exeC:\Windows\system32\Pjpobg32.exe53⤵
- Executes dropped EXE
PID:1544 -
C:\Windows\SysWOW64\Pomgjn32.exeC:\Windows\system32\Pomgjn32.exe54⤵
- Executes dropped EXE
PID:4688 -
C:\Windows\SysWOW64\Pfgogh32.exeC:\Windows\system32\Pfgogh32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3488 -
C:\Windows\SysWOW64\Plagcbdn.exeC:\Windows\system32\Plagcbdn.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:712 -
C:\Windows\SysWOW64\Pckppl32.exeC:\Windows\system32\Pckppl32.exe57⤵
- Executes dropped EXE
PID:4136 -
C:\Windows\SysWOW64\Ppopjp32.exeC:\Windows\system32\Ppopjp32.exe58⤵
- Executes dropped EXE
PID:776 -
C:\Windows\SysWOW64\Pcmlfl32.exeC:\Windows\system32\Pcmlfl32.exe59⤵
- Executes dropped EXE
PID:4764 -
C:\Windows\SysWOW64\Phjenbhp.exeC:\Windows\system32\Phjenbhp.exe60⤵
- Executes dropped EXE
PID:1220 -
C:\Windows\SysWOW64\Podmkm32.exeC:\Windows\system32\Podmkm32.exe61⤵
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\Pfnegggi.exeC:\Windows\system32\Pfnegggi.exe62⤵
- Executes dropped EXE
PID:2296 -
C:\Windows\SysWOW64\Plhnda32.exeC:\Windows\system32\Plhnda32.exe63⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Qhonib32.exeC:\Windows\system32\Qhonib32.exe64⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Qoifflkg.exeC:\Windows\system32\Qoifflkg.exe65⤵
- Executes dropped EXE
PID:3456 -
C:\Windows\SysWOW64\Qgpogili.exeC:\Windows\system32\Qgpogili.exe66⤵PID:2336
-
C:\Windows\SysWOW64\Aokcklid.exeC:\Windows\system32\Aokcklid.exe67⤵PID:464
-
C:\Windows\SysWOW64\Ahchda32.exeC:\Windows\system32\Ahchda32.exe68⤵PID:1924
-
C:\Windows\SysWOW64\Aompak32.exeC:\Windows\system32\Aompak32.exe69⤵
- System Location Discovery: System Language Discovery
PID:3984 -
C:\Windows\SysWOW64\Ajcdnd32.exeC:\Windows\system32\Ajcdnd32.exe70⤵PID:536
-
C:\Windows\SysWOW64\Ackigjmh.exeC:\Windows\system32\Ackigjmh.exe71⤵PID:4400
-
C:\Windows\SysWOW64\Aihaoqlp.exeC:\Windows\system32\Aihaoqlp.exe72⤵PID:1036
-
C:\Windows\SysWOW64\Ajhniccb.exeC:\Windows\system32\Ajhniccb.exe73⤵PID:2992
-
C:\Windows\SysWOW64\Acpbbi32.exeC:\Windows\system32\Acpbbi32.exe74⤵PID:4864
-
C:\Windows\SysWOW64\Aimkjp32.exeC:\Windows\system32\Aimkjp32.exe75⤵PID:3344
-
C:\Windows\SysWOW64\Bqdblmhl.exeC:\Windows\system32\Bqdblmhl.exe76⤵PID:1604
-
C:\Windows\SysWOW64\Bgnkhg32.exeC:\Windows\system32\Bgnkhg32.exe77⤵
- System Location Discovery: System Language Discovery
PID:4076 -
C:\Windows\SysWOW64\Bmkcqn32.exeC:\Windows\system32\Bmkcqn32.exe78⤵
- System Location Discovery: System Language Discovery
PID:820 -
C:\Windows\SysWOW64\Boipmj32.exeC:\Windows\system32\Boipmj32.exe79⤵PID:4812
-
C:\Windows\SysWOW64\Biadeoce.exeC:\Windows\system32\Biadeoce.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3580 -
C:\Windows\SysWOW64\Bjaqpbkh.exeC:\Windows\system32\Bjaqpbkh.exe81⤵PID:964
-
C:\Windows\SysWOW64\Bfhadc32.exeC:\Windows\system32\Bfhadc32.exe82⤵PID:5072
-
C:\Windows\SysWOW64\Bmbiamhi.exeC:\Windows\system32\Bmbiamhi.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4344 -
C:\Windows\SysWOW64\Bggnof32.exeC:\Windows\system32\Bggnof32.exe84⤵
- Drops file in System32 directory
PID:2844 -
C:\Windows\SysWOW64\Bihjfnmm.exeC:\Windows\system32\Bihjfnmm.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1596 -
C:\Windows\SysWOW64\Ccnncgmc.exeC:\Windows\system32\Ccnncgmc.exe86⤵PID:764
-
C:\Windows\SysWOW64\Cpeohh32.exeC:\Windows\system32\Cpeohh32.exe87⤵PID:4540
-
C:\Windows\SysWOW64\Cmipblaq.exeC:\Windows\system32\Cmipblaq.exe88⤵PID:2516
-
C:\Windows\SysWOW64\Ccchof32.exeC:\Windows\system32\Ccchof32.exe89⤵PID:1412
-
C:\Windows\SysWOW64\Cmklglpn.exeC:\Windows\system32\Cmklglpn.exe90⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2384 -
C:\Windows\SysWOW64\Caghhk32.exeC:\Windows\system32\Caghhk32.exe91⤵PID:3460
-
C:\Windows\SysWOW64\Cjomap32.exeC:\Windows\system32\Cjomap32.exe92⤵PID:1064
-
C:\Windows\SysWOW64\Ccgajfeh.exeC:\Windows\system32\Ccgajfeh.exe93⤵PID:3136
-
C:\Windows\SysWOW64\Dmpfbk32.exeC:\Windows\system32\Dmpfbk32.exe94⤵PID:4448
-
C:\Windows\SysWOW64\Dgejpd32.exeC:\Windows\system32\Dgejpd32.exe95⤵PID:1076
-
C:\Windows\SysWOW64\Diffglam.exeC:\Windows\system32\Diffglam.exe96⤵PID:1956
-
C:\Windows\SysWOW64\Dclkee32.exeC:\Windows\system32\Dclkee32.exe97⤵PID:2116
-
C:\Windows\SysWOW64\Dcogje32.exeC:\Windows\system32\Dcogje32.exe98⤵PID:4836
-
C:\Windows\SysWOW64\Dmglcj32.exeC:\Windows\system32\Dmglcj32.exe99⤵PID:2708
-
C:\Windows\SysWOW64\Dhlpqc32.exeC:\Windows\system32\Dhlpqc32.exe100⤵
- Drops file in System32 directory
PID:1748 -
C:\Windows\SysWOW64\Daediilg.exeC:\Windows\system32\Daediilg.exe101⤵PID:3696
-
C:\Windows\SysWOW64\Dfamapjo.exeC:\Windows\system32\Dfamapjo.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4568 -
C:\Windows\SysWOW64\Edemkd32.exeC:\Windows\system32\Edemkd32.exe103⤵PID:4432
-
C:\Windows\SysWOW64\Eibfck32.exeC:\Windows\system32\Eibfck32.exe104⤵PID:4420
-
C:\Windows\SysWOW64\Efffmo32.exeC:\Windows\system32\Efffmo32.exe105⤵
- Modifies registry class
PID:1404 -
C:\Windows\SysWOW64\Ealkjh32.exeC:\Windows\system32\Ealkjh32.exe106⤵PID:1520
-
C:\Windows\SysWOW64\Epokedmj.exeC:\Windows\system32\Epokedmj.exe107⤵
- System Location Discovery: System Language Discovery
PID:4980 -
C:\Windows\SysWOW64\Efhcbodf.exeC:\Windows\system32\Efhcbodf.exe108⤵PID:3036
-
C:\Windows\SysWOW64\Embkoi32.exeC:\Windows\system32\Embkoi32.exe109⤵PID:4508
-
C:\Windows\SysWOW64\Efkphnbd.exeC:\Windows\system32\Efkphnbd.exe110⤵PID:1444
-
C:\Windows\SysWOW64\Edopabqn.exeC:\Windows\system32\Edopabqn.exe111⤵
- Drops file in System32 directory
PID:1104 -
C:\Windows\SysWOW64\Filiii32.exeC:\Windows\system32\Filiii32.exe112⤵PID:1828
-
C:\Windows\SysWOW64\Facqkg32.exeC:\Windows\system32\Facqkg32.exe113⤵
- Modifies registry class
PID:2364 -
C:\Windows\SysWOW64\Fdamgb32.exeC:\Windows\system32\Fdamgb32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4828 -
C:\Windows\SysWOW64\Fkkeclfh.exeC:\Windows\system32\Fkkeclfh.exe115⤵PID:916
-
C:\Windows\SysWOW64\Fphnlcdo.exeC:\Windows\system32\Fphnlcdo.exe116⤵PID:5104
-
C:\Windows\SysWOW64\Fhofmq32.exeC:\Windows\system32\Fhofmq32.exe117⤵PID:3760
-
C:\Windows\SysWOW64\Fknbil32.exeC:\Windows\system32\Fknbil32.exe118⤵PID:5132
-
C:\Windows\SysWOW64\Fipbdikp.exeC:\Windows\system32\Fipbdikp.exe119⤵PID:5176
-
C:\Windows\SysWOW64\Fdffbake.exeC:\Windows\system32\Fdffbake.exe120⤵PID:5220
-
C:\Windows\SysWOW64\Fkpool32.exeC:\Windows\system32\Fkpool32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5264
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-