Analysis
-
max time kernel
92s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
08-12-2024 01:08
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e6681c9cb39f233952cb3c722bcdfcaa5cb6ee3e25f520c161eb12f2ccbacf2bN.exe
Resource
win7-20241010-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
e6681c9cb39f233952cb3c722bcdfcaa5cb6ee3e25f520c161eb12f2ccbacf2bN.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
e6681c9cb39f233952cb3c722bcdfcaa5cb6ee3e25f520c161eb12f2ccbacf2bN.exe
-
Size
72KB
-
MD5
8bbd6925d09b61fe343842dc11730400
-
SHA1
2a554704bdfb8c050946fe0bef31b3b4b04ed58d
-
SHA256
e6681c9cb39f233952cb3c722bcdfcaa5cb6ee3e25f520c161eb12f2ccbacf2b
-
SHA512
0de5bf0e4a0fba70596c8aaf764017c694f4e5c20c477c3e0e730f8dbead4c35c101e0c4fc09da134f6d21818c95588d4391bef6003864ca15e67168728594d3
-
SSDEEP
768:3joGa4DU78TzLCCyky1SUbpxsr/VZ1djL6itGsuadbD7/z2p/1H5TXdnh4xg84x+:3sh4Y78TPykhysLL2Oz2Lj6+lWCWQ+
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpbflg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnegbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oaifpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egohdegl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Meefofek.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmimai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjmjdm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pidlqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mccfdmmo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdpjlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iojkeh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkgiimng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbicpfdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljnlecmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfiokmkc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaefgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eeelnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eblimcdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkadoiip.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljceqb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhhpop32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oogpjbbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jemfhacc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqmojd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkogiikb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljhnlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgkiaj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgepom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pahilmoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Haodle32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pimfpc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igjngh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmcolgbj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibfnqmpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpphjp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olanmgig.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgpoihnl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhdhon32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmbjcljl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chnlgjlb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhpqaiji.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggilil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmcclm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npepkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgnqgqan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akdilipp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ganldgib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lqmmmmph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nopfpgip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Neccpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gifkpknp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcidmkpq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdojjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Giecfejd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebjcajjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hefnkkkj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmlfqh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfgcakon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhdbhifj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfojdh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnhpoamf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oehlkc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adfnofpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifomll32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 5008 Fmjaphek.exe 4608 Fphnlcdo.exe 4776 Fgbfhmll.exe 2592 Fipbdikp.exe 4312 Fdffbake.exe 3256 Fgdbnmji.exe 2136 Fmnkkg32.exe 3532 Fdhcgaic.exe 4840 Fggocmhf.exe 408 Fielph32.exe 3368 Falcae32.exe 1844 Fdkpma32.exe 1532 Ggilil32.exe 5116 Gmcdffmq.exe 1788 Gaopfe32.exe 3656 Ghhhcomg.exe 3244 Gmeakf32.exe 2268 Ghkeio32.exe 4508 Gkiaej32.exe 2796 Gnhnaf32.exe 1356 Gdafnpqh.exe 4104 Ggpbjkpl.exe 216 Ginnfgop.exe 4268 Gaefgd32.exe 1784 Gddbcp32.exe 5096 Gknkpjfb.exe 4440 Gpkchqdj.exe 2164 Hkpheidp.exe 1544 Hajpbckl.exe 2620 Hhdhon32.exe 4700 Hnaqgd32.exe 4068 Hdkidohn.exe 2524 Hjhalefe.exe 1052 Haoimcgg.exe 100 Hkgnfhnh.exe 2884 Hdpbon32.exe 2936 Hgnoki32.exe 4932 Hnhghcki.exe 5036 Hacbhb32.exe 4848 Ihnkel32.exe 5012 Ijogmdqm.exe 1952 Iddljmpc.exe 4376 Ijadbdoj.exe 208 Iqklon32.exe 4880 Ijcahd32.exe 1688 Inomhbeq.exe 3812 Ihdafkdg.exe 4128 Ijfnmc32.exe 3300 Ibmeoq32.exe 468 Igjngh32.exe 5088 Jdnoplhh.exe 2028 Jkhgmf32.exe 4760 Jbaojpgb.exe 3720 Jkjcbe32.exe 1736 Jnhpoamf.exe 2280 Jdbhkk32.exe 2652 Jhndljll.exe 1252 Jklphekp.exe 1628 Jnkldqkc.exe 4368 Jhpqaiji.exe 2004 Jbiejoaj.exe 4100 Jqlefl32.exe 2544 Jkaicd32.exe 3404 Jnpfop32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Aahbbkaq.exe Aojefobm.exe File opened for modification C:\Windows\SysWOW64\Nfaemp32.exe Npgmpf32.exe File opened for modification C:\Windows\SysWOW64\Qpeahb32.exe Qmgelf32.exe File opened for modification C:\Windows\SysWOW64\Kjmmepfj.exe Kkjlic32.exe File created C:\Windows\SysWOW64\Cmcolgbj.exe Cjecpkcg.exe File opened for modification C:\Windows\SysWOW64\Ijcjmmil.exe Igdnabjh.exe File opened for modification C:\Windows\SysWOW64\Gndick32.exe Ggkqgaol.exe File created C:\Windows\SysWOW64\Lbfecjhc.dll Gndick32.exe File created C:\Windows\SysWOW64\Eccphn32.dll Hlmchoan.exe File created C:\Windows\SysWOW64\Neafjdkn.exe Nafjjf32.exe File created C:\Windows\SysWOW64\Glldgljg.exe Gfokoelp.exe File created C:\Windows\SysWOW64\Bdbnjdfg.exe Bnhenj32.exe File created C:\Windows\SysWOW64\Fcokoohi.dll Nqpcjj32.exe File opened for modification C:\Windows\SysWOW64\Nimmifgo.exe Nbbeml32.exe File created C:\Windows\SysWOW64\Oqoefand.exe Ojemig32.exe File opened for modification C:\Windows\SysWOW64\Eblpgjha.exe Emphocjj.exe File created C:\Windows\SysWOW64\Hhoneioi.dll Jjjpnlbd.exe File opened for modification C:\Windows\SysWOW64\Jqhafffk.exe Jklinohd.exe File created C:\Windows\SysWOW64\Pmhkafda.dll Imiehfao.exe File created C:\Windows\SysWOW64\Jocefm32.exe Jpaekqhh.exe File opened for modification C:\Windows\SysWOW64\Mgnlkfal.exe Mqdcnl32.exe File created C:\Windows\SysWOW64\Ocohmc32.exe Onapdl32.exe File created C:\Windows\SysWOW64\Ceknlgnl.dll Gngeik32.exe File created C:\Windows\SysWOW64\Jhpqaiji.exe Jnkldqkc.exe File opened for modification C:\Windows\SysWOW64\Afkknogn.exe Acmobchj.exe File created C:\Windows\SysWOW64\Paplcg32.dll Ebhglj32.exe File created C:\Windows\SysWOW64\Chbfoaba.dll Hnibokbd.exe File created C:\Windows\SysWOW64\Mlbkap32.exe Mehcdfch.exe File opened for modification C:\Windows\SysWOW64\Jekjcaef.exe Jblmgf32.exe File created C:\Windows\SysWOW64\Npjfngdm.dll Ldipha32.exe File created C:\Windows\SysWOW64\Egened32.exe Ebifmm32.exe File opened for modification C:\Windows\SysWOW64\Jbccge32.exe Jlikkkhn.exe File created C:\Windows\SysWOW64\Ehighp32.dll Iqklon32.exe File created C:\Windows\SysWOW64\Hahohdla.dll Neccpd32.exe File created C:\Windows\SysWOW64\Lbekag32.dll Bbdhiojo.exe File created C:\Windows\SysWOW64\Niojoeel.exe Nfqnbjfi.exe File created C:\Windows\SysWOW64\Hplicjok.exe Hibafp32.exe File created C:\Windows\SysWOW64\Inebjihf.exe Hihibbjo.exe File opened for modification C:\Windows\SysWOW64\Kpccmhdg.exe Khlklj32.exe File created C:\Windows\SysWOW64\Ckeimm32.exe Chglab32.exe File created C:\Windows\SysWOW64\Aaoaic32.exe Akdilipp.exe File opened for modification C:\Windows\SysWOW64\Jahqiaeb.exe Jllhpkfk.exe File created C:\Windows\SysWOW64\Njfagf32.exe Nclikl32.exe File created C:\Windows\SysWOW64\Mgbefe32.exe Mnjqmpgg.exe File created C:\Windows\SysWOW64\Kljibbol.dll Bmofagfp.exe File created C:\Windows\SysWOW64\Khacqh32.dll Diccgfpd.exe File opened for modification C:\Windows\SysWOW64\Jdfjld32.exe Jnlbojee.exe File created C:\Windows\SysWOW64\Aemghi32.dll Mpclce32.exe File opened for modification C:\Windows\SysWOW64\Hgmgqc32.exe Hdokdg32.exe File created C:\Windows\SysWOW64\Mjdebfnd.exe Mcjmel32.exe File created C:\Windows\SysWOW64\Kpccmhdg.exe Khlklj32.exe File created C:\Windows\SysWOW64\Jnlbojee.exe Jgbjbp32.exe File created C:\Windows\SysWOW64\Kbblcj32.dll Ekaapi32.exe File opened for modification C:\Windows\SysWOW64\Jngbjd32.exe Jepjhg32.exe File created C:\Windows\SysWOW64\Kncaec32.exe Kgiiiidd.exe File created C:\Windows\SysWOW64\Ieicjl32.dll Jocnlg32.exe File created C:\Windows\SysWOW64\Omfajq32.dll Majjng32.exe File created C:\Windows\SysWOW64\Fjecoi32.dll Oemefcap.exe File created C:\Windows\SysWOW64\Cgieglah.dll Pifnhpmi.exe File created C:\Windows\SysWOW64\Pknqoc32.exe Pddhbipj.exe File opened for modification C:\Windows\SysWOW64\Caojpaij.exe Coqncejg.exe File created C:\Windows\SysWOW64\Mfnhfm32.exe Mcoljagj.exe File opened for modification C:\Windows\SysWOW64\Nbnpcj32.exe Njghbl32.exe File opened for modification C:\Windows\SysWOW64\Nbnlaldg.exe Nqmojd32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5936 5596 WerFault.exe 1078 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggfglb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpkchqdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fipkjb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idfaefkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmhdkknd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgiiiidd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcelpggq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pccahbmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgnlkfal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojcpdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcpnhl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfchlbfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjbcplpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paihlpfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljobpiql.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpeiie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neccpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blnoga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jepjhg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koonge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omfekbdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajpqnneo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emmkiclm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmlkhofd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdmfllhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jphkkpbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlfpdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjjpnlbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmpdhboj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnoknihb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdoacabq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhbebj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgjoif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iqklon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kageaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnpdegjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpbflg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibmeoq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbiockdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gicgpelg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iijfhbhl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmcain32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lokdnjkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgjgne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhbolp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbdhiojo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpbdopck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpgnjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Napjdpcn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knenkbio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljqhkckn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmpolgoi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhamkipi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffclcgfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jncoikmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmaopfjm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgnffj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebfign32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnpphljo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cofnik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adndoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akpoaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igjngh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkkple32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jghpbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anoipp32.dll" Lmaamn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qdaniq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpmenm32.dll" Ieccbbkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Papfgbmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Alcfei32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jncoikmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aljejh32.dll" Knfeeimj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhlbgmif.dll" Pcgdhkem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ggilil32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijadbdoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Keqdmihc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eplgeokq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acbldmmh.dll" Kolabf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohiemobf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Akglloai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Camddhoi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkmjaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajpqnneo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipckmjqi.dll" Dfjpfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaaklfpn.dll" Pblajhje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fqbliicp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Llnnmhfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfmpaf32.dll" Obnehj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mibime32.dll" Gknkpjfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mahnhhod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbcfhibj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfoann32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgbloglj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imnbiq32.dll" Mqdcnl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdafnpqh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgepom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfkmkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggmkff32.dll" Jpenfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdecgbfa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmipdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phlepppi.dll" Akdilipp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jocnlg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hnaqgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipoopgnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iophkojl.dll" Kmaopfjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edhjghdk.dll" Chglab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejlbhh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qemhbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ojdgnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jihbip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Galoohke.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkkple32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Blielbfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eieijp32.dll" Jocefm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ppahmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgmchiim.dll" Gblbca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klqcmdnk.dll" Hmpcbhji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Khlklj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fimgpahk.dll" Ddgplado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgmbbe32.dll" Iamamcop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hdkidohn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkpbin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pahilmoc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bedgjgkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebifmm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ggkqgaol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mminhceb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdijliok.dll" Bnhenj32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3936 wrote to memory of 5008 3936 e6681c9cb39f233952cb3c722bcdfcaa5cb6ee3e25f520c161eb12f2ccbacf2bN.exe 83 PID 3936 wrote to memory of 5008 3936 e6681c9cb39f233952cb3c722bcdfcaa5cb6ee3e25f520c161eb12f2ccbacf2bN.exe 83 PID 3936 wrote to memory of 5008 3936 e6681c9cb39f233952cb3c722bcdfcaa5cb6ee3e25f520c161eb12f2ccbacf2bN.exe 83 PID 5008 wrote to memory of 4608 5008 Fmjaphek.exe 84 PID 5008 wrote to memory of 4608 5008 Fmjaphek.exe 84 PID 5008 wrote to memory of 4608 5008 Fmjaphek.exe 84 PID 4608 wrote to memory of 4776 4608 Fphnlcdo.exe 85 PID 4608 wrote to memory of 4776 4608 Fphnlcdo.exe 85 PID 4608 wrote to memory of 4776 4608 Fphnlcdo.exe 85 PID 4776 wrote to memory of 2592 4776 Fgbfhmll.exe 86 PID 4776 wrote to memory of 2592 4776 Fgbfhmll.exe 86 PID 4776 wrote to memory of 2592 4776 Fgbfhmll.exe 86 PID 2592 wrote to memory of 4312 2592 Fipbdikp.exe 87 PID 2592 wrote to memory of 4312 2592 Fipbdikp.exe 87 PID 2592 wrote to memory of 4312 2592 Fipbdikp.exe 87 PID 4312 wrote to memory of 3256 4312 Fdffbake.exe 88 PID 4312 wrote to memory of 3256 4312 Fdffbake.exe 88 PID 4312 wrote to memory of 3256 4312 Fdffbake.exe 88 PID 3256 wrote to memory of 2136 3256 Fgdbnmji.exe 89 PID 3256 wrote to memory of 2136 3256 Fgdbnmji.exe 89 PID 3256 wrote to memory of 2136 3256 Fgdbnmji.exe 89 PID 2136 wrote to memory of 3532 2136 Fmnkkg32.exe 90 PID 2136 wrote to memory of 3532 2136 Fmnkkg32.exe 90 PID 2136 wrote to memory of 3532 2136 Fmnkkg32.exe 90 PID 3532 wrote to memory of 4840 3532 Fdhcgaic.exe 91 PID 3532 wrote to memory of 4840 3532 Fdhcgaic.exe 91 PID 3532 wrote to memory of 4840 3532 Fdhcgaic.exe 91 PID 4840 wrote to memory of 408 4840 Fggocmhf.exe 92 PID 4840 wrote to memory of 408 4840 Fggocmhf.exe 92 PID 4840 wrote to memory of 408 4840 Fggocmhf.exe 92 PID 408 wrote to memory of 3368 408 Fielph32.exe 93 PID 408 wrote to memory of 3368 408 Fielph32.exe 93 PID 408 wrote to memory of 3368 408 Fielph32.exe 93 PID 3368 wrote to memory of 1844 3368 Falcae32.exe 94 PID 3368 wrote to memory of 1844 3368 Falcae32.exe 94 PID 3368 wrote to memory of 1844 3368 Falcae32.exe 94 PID 1844 wrote to memory of 1532 1844 Fdkpma32.exe 95 PID 1844 wrote to memory of 1532 1844 Fdkpma32.exe 95 PID 1844 wrote to memory of 1532 1844 Fdkpma32.exe 95 PID 1532 wrote to memory of 5116 1532 Ggilil32.exe 96 PID 1532 wrote to memory of 5116 1532 Ggilil32.exe 96 PID 1532 wrote to memory of 5116 1532 Ggilil32.exe 96 PID 5116 wrote to memory of 1788 5116 Gmcdffmq.exe 97 PID 5116 wrote to memory of 1788 5116 Gmcdffmq.exe 97 PID 5116 wrote to memory of 1788 5116 Gmcdffmq.exe 97 PID 1788 wrote to memory of 3656 1788 Gaopfe32.exe 98 PID 1788 wrote to memory of 3656 1788 Gaopfe32.exe 98 PID 1788 wrote to memory of 3656 1788 Gaopfe32.exe 98 PID 3656 wrote to memory of 3244 3656 Ghhhcomg.exe 99 PID 3656 wrote to memory of 3244 3656 Ghhhcomg.exe 99 PID 3656 wrote to memory of 3244 3656 Ghhhcomg.exe 99 PID 3244 wrote to memory of 2268 3244 Gmeakf32.exe 100 PID 3244 wrote to memory of 2268 3244 Gmeakf32.exe 100 PID 3244 wrote to memory of 2268 3244 Gmeakf32.exe 100 PID 2268 wrote to memory of 4508 2268 Ghkeio32.exe 101 PID 2268 wrote to memory of 4508 2268 Ghkeio32.exe 101 PID 2268 wrote to memory of 4508 2268 Ghkeio32.exe 101 PID 4508 wrote to memory of 2796 4508 Gkiaej32.exe 102 PID 4508 wrote to memory of 2796 4508 Gkiaej32.exe 102 PID 4508 wrote to memory of 2796 4508 Gkiaej32.exe 102 PID 2796 wrote to memory of 1356 2796 Gnhnaf32.exe 103 PID 2796 wrote to memory of 1356 2796 Gnhnaf32.exe 103 PID 2796 wrote to memory of 1356 2796 Gnhnaf32.exe 103 PID 1356 wrote to memory of 4104 1356 Gdafnpqh.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\e6681c9cb39f233952cb3c722bcdfcaa5cb6ee3e25f520c161eb12f2ccbacf2bN.exe"C:\Users\Admin\AppData\Local\Temp\e6681c9cb39f233952cb3c722bcdfcaa5cb6ee3e25f520c161eb12f2ccbacf2bN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3936 -
C:\Windows\SysWOW64\Fmjaphek.exeC:\Windows\system32\Fmjaphek.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5008 -
C:\Windows\SysWOW64\Fphnlcdo.exeC:\Windows\system32\Fphnlcdo.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4608 -
C:\Windows\SysWOW64\Fgbfhmll.exeC:\Windows\system32\Fgbfhmll.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4776 -
C:\Windows\SysWOW64\Fipbdikp.exeC:\Windows\system32\Fipbdikp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\Fdffbake.exeC:\Windows\system32\Fdffbake.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4312 -
C:\Windows\SysWOW64\Fgdbnmji.exeC:\Windows\system32\Fgdbnmji.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3256 -
C:\Windows\SysWOW64\Fmnkkg32.exeC:\Windows\system32\Fmnkkg32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\SysWOW64\Fdhcgaic.exeC:\Windows\system32\Fdhcgaic.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3532 -
C:\Windows\SysWOW64\Fggocmhf.exeC:\Windows\system32\Fggocmhf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4840 -
C:\Windows\SysWOW64\Fielph32.exeC:\Windows\system32\Fielph32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:408 -
C:\Windows\SysWOW64\Falcae32.exeC:\Windows\system32\Falcae32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3368 -
C:\Windows\SysWOW64\Fdkpma32.exeC:\Windows\system32\Fdkpma32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1844 -
C:\Windows\SysWOW64\Ggilil32.exeC:\Windows\system32\Ggilil32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1532 -
C:\Windows\SysWOW64\Gmcdffmq.exeC:\Windows\system32\Gmcdffmq.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5116 -
C:\Windows\SysWOW64\Gaopfe32.exeC:\Windows\system32\Gaopfe32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1788 -
C:\Windows\SysWOW64\Ghhhcomg.exeC:\Windows\system32\Ghhhcomg.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3656 -
C:\Windows\SysWOW64\Gmeakf32.exeC:\Windows\system32\Gmeakf32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3244 -
C:\Windows\SysWOW64\Ghkeio32.exeC:\Windows\system32\Ghkeio32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2268 -
C:\Windows\SysWOW64\Gkiaej32.exeC:\Windows\system32\Gkiaej32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4508 -
C:\Windows\SysWOW64\Gnhnaf32.exeC:\Windows\system32\Gnhnaf32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\Gdafnpqh.exeC:\Windows\system32\Gdafnpqh.exe22⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1356 -
C:\Windows\SysWOW64\Ggpbjkpl.exeC:\Windows\system32\Ggpbjkpl.exe23⤵
- Executes dropped EXE
PID:4104 -
C:\Windows\SysWOW64\Ginnfgop.exeC:\Windows\system32\Ginnfgop.exe24⤵
- Executes dropped EXE
PID:216 -
C:\Windows\SysWOW64\Gaefgd32.exeC:\Windows\system32\Gaefgd32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4268 -
C:\Windows\SysWOW64\Gddbcp32.exeC:\Windows\system32\Gddbcp32.exe26⤵
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Gknkpjfb.exeC:\Windows\system32\Gknkpjfb.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:5096 -
C:\Windows\SysWOW64\Gpkchqdj.exeC:\Windows\system32\Gpkchqdj.exe28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4440 -
C:\Windows\SysWOW64\Hkpheidp.exeC:\Windows\system32\Hkpheidp.exe29⤵
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Hajpbckl.exeC:\Windows\system32\Hajpbckl.exe30⤵
- Executes dropped EXE
PID:1544 -
C:\Windows\SysWOW64\Hhdhon32.exeC:\Windows\system32\Hhdhon32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Hnaqgd32.exeC:\Windows\system32\Hnaqgd32.exe32⤵
- Executes dropped EXE
- Modifies registry class
PID:4700 -
C:\Windows\SysWOW64\Hdkidohn.exeC:\Windows\system32\Hdkidohn.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:4068 -
C:\Windows\SysWOW64\Hjhalefe.exeC:\Windows\system32\Hjhalefe.exe34⤵
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Haoimcgg.exeC:\Windows\system32\Haoimcgg.exe35⤵
- Executes dropped EXE
PID:1052 -
C:\Windows\SysWOW64\Hkgnfhnh.exeC:\Windows\system32\Hkgnfhnh.exe36⤵
- Executes dropped EXE
PID:100 -
C:\Windows\SysWOW64\Hdpbon32.exeC:\Windows\system32\Hdpbon32.exe37⤵
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Hgnoki32.exeC:\Windows\system32\Hgnoki32.exe38⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Hnhghcki.exeC:\Windows\system32\Hnhghcki.exe39⤵
- Executes dropped EXE
PID:4932 -
C:\Windows\SysWOW64\Hacbhb32.exeC:\Windows\system32\Hacbhb32.exe40⤵
- Executes dropped EXE
PID:5036 -
C:\Windows\SysWOW64\Ihnkel32.exeC:\Windows\system32\Ihnkel32.exe41⤵
- Executes dropped EXE
PID:4848 -
C:\Windows\SysWOW64\Ijogmdqm.exeC:\Windows\system32\Ijogmdqm.exe42⤵
- Executes dropped EXE
PID:5012 -
C:\Windows\SysWOW64\Iddljmpc.exeC:\Windows\system32\Iddljmpc.exe43⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Ijadbdoj.exeC:\Windows\system32\Ijadbdoj.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:4376 -
C:\Windows\SysWOW64\Iqklon32.exeC:\Windows\system32\Iqklon32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:208 -
C:\Windows\SysWOW64\Ijcahd32.exeC:\Windows\system32\Ijcahd32.exe46⤵
- Executes dropped EXE
PID:4880 -
C:\Windows\SysWOW64\Inomhbeq.exeC:\Windows\system32\Inomhbeq.exe47⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Ihdafkdg.exeC:\Windows\system32\Ihdafkdg.exe48⤵
- Executes dropped EXE
PID:3812 -
C:\Windows\SysWOW64\Ijfnmc32.exeC:\Windows\system32\Ijfnmc32.exe49⤵
- Executes dropped EXE
PID:4128 -
C:\Windows\SysWOW64\Ibmeoq32.exeC:\Windows\system32\Ibmeoq32.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3300 -
C:\Windows\SysWOW64\Igjngh32.exeC:\Windows\system32\Igjngh32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:468 -
C:\Windows\SysWOW64\Jdnoplhh.exeC:\Windows\system32\Jdnoplhh.exe52⤵
- Executes dropped EXE
PID:5088 -
C:\Windows\SysWOW64\Jkhgmf32.exeC:\Windows\system32\Jkhgmf32.exe53⤵
- Executes dropped EXE
PID:2028 -
C:\Windows\SysWOW64\Jbaojpgb.exeC:\Windows\system32\Jbaojpgb.exe54⤵
- Executes dropped EXE
PID:4760 -
C:\Windows\SysWOW64\Jkjcbe32.exeC:\Windows\system32\Jkjcbe32.exe55⤵
- Executes dropped EXE
PID:3720 -
C:\Windows\SysWOW64\Jnhpoamf.exeC:\Windows\system32\Jnhpoamf.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1736 -
C:\Windows\SysWOW64\Jdbhkk32.exeC:\Windows\system32\Jdbhkk32.exe57⤵
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Jhndljll.exeC:\Windows\system32\Jhndljll.exe58⤵
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Jklphekp.exeC:\Windows\system32\Jklphekp.exe59⤵
- Executes dropped EXE
PID:1252 -
C:\Windows\SysWOW64\Jnkldqkc.exeC:\Windows\system32\Jnkldqkc.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1628 -
C:\Windows\SysWOW64\Jhpqaiji.exeC:\Windows\system32\Jhpqaiji.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4368 -
C:\Windows\SysWOW64\Jbiejoaj.exeC:\Windows\system32\Jbiejoaj.exe62⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Jqlefl32.exeC:\Windows\system32\Jqlefl32.exe63⤵
- Executes dropped EXE
PID:4100 -
C:\Windows\SysWOW64\Jkaicd32.exeC:\Windows\system32\Jkaicd32.exe64⤵
- Executes dropped EXE
PID:2544 -
C:\Windows\SysWOW64\Jnpfop32.exeC:\Windows\system32\Jnpfop32.exe65⤵
- Executes dropped EXE
PID:3404 -
C:\Windows\SysWOW64\Kqnbkl32.exeC:\Windows\system32\Kqnbkl32.exe66⤵PID:2556
-
C:\Windows\SysWOW64\Kiejmi32.exeC:\Windows\system32\Kiejmi32.exe67⤵PID:3312
-
C:\Windows\SysWOW64\Kjffdalb.exeC:\Windows\system32\Kjffdalb.exe68⤵PID:4804
-
C:\Windows\SysWOW64\Knbbep32.exeC:\Windows\system32\Knbbep32.exe69⤵PID:32
-
C:\Windows\SysWOW64\Kelkaj32.exeC:\Windows\system32\Kelkaj32.exe70⤵PID:4472
-
C:\Windows\SysWOW64\Kgjgne32.exeC:\Windows\system32\Kgjgne32.exe71⤵
- System Location Discovery: System Language Discovery
PID:1232 -
C:\Windows\SysWOW64\Kbpkkn32.exeC:\Windows\system32\Kbpkkn32.exe72⤵PID:3968
-
C:\Windows\SysWOW64\Kijchhbo.exeC:\Windows\system32\Kijchhbo.exe73⤵PID:832
-
C:\Windows\SysWOW64\Kkhpdcab.exeC:\Windows\system32\Kkhpdcab.exe74⤵PID:4044
-
C:\Windows\SysWOW64\Keqdmihc.exeC:\Windows\system32\Keqdmihc.exe75⤵
- Modifies registry class
PID:872 -
C:\Windows\SysWOW64\Kkjlic32.exeC:\Windows\system32\Kkjlic32.exe76⤵
- Drops file in System32 directory
PID:4320 -
C:\Windows\SysWOW64\Kjmmepfj.exeC:\Windows\system32\Kjmmepfj.exe77⤵PID:2372
-
C:\Windows\SysWOW64\Kageaj32.exeC:\Windows\system32\Kageaj32.exe78⤵
- System Location Discovery: System Language Discovery
PID:3556 -
C:\Windows\SysWOW64\Kgamnded.exeC:\Windows\system32\Kgamnded.exe79⤵PID:1652
-
C:\Windows\SysWOW64\Knkekn32.exeC:\Windows\system32\Knkekn32.exe80⤵PID:2712
-
C:\Windows\SysWOW64\Lbgalmej.exeC:\Windows\system32\Lbgalmej.exe81⤵PID:2440
-
C:\Windows\SysWOW64\Lgcjdd32.exeC:\Windows\system32\Lgcjdd32.exe82⤵PID:4372
-
C:\Windows\SysWOW64\Lbinam32.exeC:\Windows\system32\Lbinam32.exe83⤵PID:4332
-
C:\Windows\SysWOW64\Lalnmiia.exeC:\Windows\system32\Lalnmiia.exe84⤵PID:4800
-
C:\Windows\SysWOW64\Lgffic32.exeC:\Windows\system32\Lgffic32.exe85⤵PID:4308
-
C:\Windows\SysWOW64\Lankbigo.exeC:\Windows\system32\Lankbigo.exe86⤵PID:1924
-
C:\Windows\SysWOW64\Lghcocol.exeC:\Windows\system32\Lghcocol.exe87⤵PID:2040
-
C:\Windows\SysWOW64\Lbngllob.exeC:\Windows\system32\Lbngllob.exe88⤵PID:3252
-
C:\Windows\SysWOW64\Lelchgne.exeC:\Windows\system32\Lelchgne.exe89⤵PID:404
-
C:\Windows\SysWOW64\Lihpif32.exeC:\Windows\system32\Lihpif32.exe90⤵PID:1016
-
C:\Windows\SysWOW64\Lndham32.exeC:\Windows\system32\Lndham32.exe91⤵PID:4924
-
C:\Windows\SysWOW64\Lacdmh32.exeC:\Windows\system32\Lacdmh32.exe92⤵PID:4384
-
C:\Windows\SysWOW64\Lijlof32.exeC:\Windows\system32\Lijlof32.exe93⤵PID:452
-
C:\Windows\SysWOW64\Llhikacp.exeC:\Windows\system32\Llhikacp.exe94⤵PID:244
-
C:\Windows\SysWOW64\Mbbagk32.exeC:\Windows\system32\Mbbagk32.exe95⤵PID:4348
-
C:\Windows\SysWOW64\Maeachag.exeC:\Windows\system32\Maeachag.exe96⤵PID:3764
-
C:\Windows\SysWOW64\Mlkepaam.exeC:\Windows\system32\Mlkepaam.exe97⤵PID:3760
-
C:\Windows\SysWOW64\Mniallpq.exeC:\Windows\system32\Mniallpq.exe98⤵PID:1368
-
C:\Windows\SysWOW64\Mahnhhod.exeC:\Windows\system32\Mahnhhod.exe99⤵
- Modifies registry class
PID:2568 -
C:\Windows\SysWOW64\Miofjepg.exeC:\Windows\system32\Miofjepg.exe100⤵PID:1644
-
C:\Windows\SysWOW64\Mjpbam32.exeC:\Windows\system32\Mjpbam32.exe101⤵PID:2376
-
C:\Windows\SysWOW64\Majjng32.exeC:\Windows\system32\Majjng32.exe102⤵
- Drops file in System32 directory
PID:1676 -
C:\Windows\SysWOW64\Meefofek.exeC:\Windows\system32\Meefofek.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3236 -
C:\Windows\SysWOW64\Mhdckaeo.exeC:\Windows\system32\Mhdckaeo.exe104⤵PID:436
-
C:\Windows\SysWOW64\Mnnkgl32.exeC:\Windows\system32\Mnnkgl32.exe105⤵PID:2264
-
C:\Windows\SysWOW64\Mehcdfch.exeC:\Windows\system32\Mehcdfch.exe106⤵
- Drops file in System32 directory
PID:740 -
C:\Windows\SysWOW64\Mlbkap32.exeC:\Windows\system32\Mlbkap32.exe107⤵PID:64
-
C:\Windows\SysWOW64\Mjellmbp.exeC:\Windows\system32\Mjellmbp.exe108⤵PID:1164
-
C:\Windows\SysWOW64\Maodigil.exeC:\Windows\system32\Maodigil.exe109⤵PID:5056
-
C:\Windows\SysWOW64\Mifljdjo.exeC:\Windows\system32\Mifljdjo.exe110⤵PID:2212
-
C:\Windows\SysWOW64\Njghbl32.exeC:\Windows\system32\Njghbl32.exe111⤵
- Drops file in System32 directory
PID:1096 -
C:\Windows\SysWOW64\Nbnpcj32.exeC:\Windows\system32\Nbnpcj32.exe112⤵PID:2408
-
C:\Windows\SysWOW64\Nihipdhl.exeC:\Windows\system32\Nihipdhl.exe113⤵PID:3672
-
C:\Windows\SysWOW64\Nlfelogp.exeC:\Windows\system32\Nlfelogp.exe114⤵PID:5160
-
C:\Windows\SysWOW64\Nbqmiinl.exeC:\Windows\system32\Nbqmiinl.exe115⤵PID:5204
-
C:\Windows\SysWOW64\Neoieenp.exeC:\Windows\system32\Neoieenp.exe116⤵PID:5248
-
C:\Windows\SysWOW64\Nliaao32.exeC:\Windows\system32\Nliaao32.exe117⤵PID:5292
-
C:\Windows\SysWOW64\Nognnj32.exeC:\Windows\system32\Nognnj32.exe118⤵PID:5336
-
C:\Windows\SysWOW64\Nafjjf32.exeC:\Windows\system32\Nafjjf32.exe119⤵
- Drops file in System32 directory
PID:5380 -
C:\Windows\SysWOW64\Neafjdkn.exeC:\Windows\system32\Neafjdkn.exe120⤵PID:5424
-
C:\Windows\SysWOW64\Nknobkje.exeC:\Windows\system32\Nknobkje.exe121⤵PID:5468
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-