Analysis

max time kernel: 70s
max time network: 19s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 24-10-2024 22:36

Behavioral task: behavioral1
Sample: 43cfe7fe346a76baa51b4ca6485709598ff3d5594962fb54dd14dc61a8d9946b.exe
Resource: win7-20241010-en

General

Target: 43cfe7fe346a76baa51b4ca6485709598ff3d5594962fb54dd14dc61a8d9946b.exe
Size: 337KB
MD5: d9de49a859d1969443f6e9747e161a63
SHA1: f1b59e784a832836a4b5733491b1322ddc6ac40c
SHA256: 43cfe7fe346a76baa51b4ca6485709598ff3d5594962fb54dd14dc61a8d9946b
SHA512: 0dd863f5408ff7f26e0909f9d795a0f2ce500350057c8a359376a8df2c247a49a70aa2a1ea1e4672e286ae61c946a54fcfa8618818179fd01306cfb590e6cd7d
SSDEEP: 3072:w0asLNDGPv3RuX7OwY/fmgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:9LND83lRfm1+fIyG5jZkCwi8r
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lbdiabcg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aeachphg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bhqdgm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ijmfiefj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kplhfo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qnmfmoaa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aofhcmig.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dheljhof.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bbcjfn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nehjmppo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ilnqhddd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pccelqeb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nhdjdk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gnmdfi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hbfalpab.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ihhjjm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ckeekp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mpmpeiqg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Enjmlgoj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fkdoii32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jgidnobg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dokjlcjh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mdqclpgd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aipickfe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kgdijk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bgablmfa.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eqpfchka.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kblooa32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pdjpmi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mlcekgbb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hhkjpi32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kqncnjan.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aeofcpjj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Oepianef.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fabppo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nknmplji.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mqjehngm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Leilnllb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qfdpgd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gcmgdpid.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Keekeg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dnmada32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hhkjpi32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cjaieoko.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ajipmocp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pbnckg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fimclh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Icponb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mdajff32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nlfaag32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lakqoe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mkcagn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ohmljj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Apdminod.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Boainhic.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Glgcec32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hhqmogam.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cmmcae32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Deljfqmf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hobcok32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Oafclh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gledgkfn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jmaedolh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mnneabff.exe
Executes dropped EXE 64 IoCs

pid | Process
2828 | Ankabh32.exe
2268 | Ampncd32.exe
2984 | Bfmlgi32.exe
2928 | Bedene32.exe
2764 | Ckajqo32.exe
2584 | Cnacbj32.exe
2644 | Cmimif32.exe
3044 | Didgig32.exe
2832 | Dgoakpjn.exe
2316 | Elqcnfdp.exe
2000 | Eidchjbi.exe
1364 | Fepnhjdh.exe
2672 | Fkocfa32.exe
2920 | Fqnhcgma.exe
284 | Gjkfglom.exe
1420 | Goodpb32.exe
1532 | Hkfeec32.exe
2248 | Hchpjddc.exe
1796 | Jhahcjcf.exe
1096 | Khhndi32.exe
832 | Lnipgp32.exe
1696 | Lcieef32.exe
1724 | Llcfck32.exe
796 | Lngpac32.exe
888 | Mhlcnl32.exe
2600 | Mqjehngm.exe
572 | Mnneabff.exe
2932 | Nqakim32.exe
2896 | Njipabhe.exe
2060 | Nhdjdk32.exe
2796 | Nehjmppo.exe
2856 | Naokbq32.exe
1304 | Ojgokflc.exe
2168 | Ohmljj32.exe
1524 | Ofbikf32.exe
592 | Pejcab32.exe
2172 | Pbnckg32.exe
1656 | Paemac32.exe
984 | Poinkg32.exe
2452 | Qkpnph32.exe
1784 | Qlcgmpkp.exe
1468 | Ajghgd32.exe
1104 | Ahmehqna.exe
1600 | Apdminod.exe
952 | Alknnodh.exe
948 | Aagfffbo.exe
2440 | Aokfpjai.exe
2220 | Aggkdlod.exe
2324 | Bhfhnofg.exe
2836 | Bqambacb.exe
2992 | Bmhmgbif.exe
3016 | Bnhjae32.exe
2912 | Bjnjfffm.exe
2628 | Cfekkgla.exe
2096 | Cbllph32.exe
2704 | Cemebcnf.exe
2436 | Cbqekhmp.exe
2132 | Cngfqi32.exe
1760 | Cmmcae32.exe
1324 | Dpdbdo32.exe
2176 | Elkbipdi.exe
2536 | Eiocbd32.exe
2196 | Eefdgeig.exe
1540 | Eamdlf32.exe
Loads dropped DLL 64 IoCs

pid | Process
2348 | 43cfe7fe346a76baa51b4ca6485709598ff3d5594962fb54dd14dc61a8d9946b.exe
2348 | 43cfe7fe346a76baa51b4ca6485709598ff3d5594962fb54dd14dc61a8d9946b.exe
2828 | Ankabh32.exe
2828 | Ankabh32.exe
2268 | Ampncd32.exe
2268 | Ampncd32.exe
2984 | Bfmlgi32.exe
2984 | Bfmlgi32.exe
2928 | Bedene32.exe
2928 | Bedene32.exe
2764 | Ckajqo32.exe
2764 | Ckajqo32.exe
2584 | Cnacbj32.exe
2584 | Cnacbj32.exe
2644 | Cmimif32.exe
2644 | Cmimif32.exe
3044 | Didgig32.exe
3044 | Didgig32.exe
2832 | Dgoakpjn.exe
2832 | Dgoakpjn.exe
2316 | Elqcnfdp.exe
2316 | Elqcnfdp.exe
2000 | Eidchjbi.exe
2000 | Eidchjbi.exe
1364 | Fepnhjdh.exe
1364 | Fepnhjdh.exe
2672 | Fkocfa32.exe
2672 | Fkocfa32.exe
2920 | Fqnhcgma.exe
2920 | Fqnhcgma.exe
284 | Gjkfglom.exe
284 | Gjkfglom.exe
1420 | Goodpb32.exe
1420 | Goodpb32.exe
1532 | Hkfeec32.exe
1532 | Hkfeec32.exe
2248 | Hchpjddc.exe
2248 | Hchpjddc.exe
1796 | Jhahcjcf.exe
1796 | Jhahcjcf.exe
1096 | Khhndi32.exe
1096 | Khhndi32.exe
832 | Lnipgp32.exe
832 | Lnipgp32.exe
1696 | Lcieef32.exe
1696 | Lcieef32.exe
1724 | Llcfck32.exe
1724 | Llcfck32.exe
796 | Lngpac32.exe
796 | Lngpac32.exe
888 | Mhlcnl32.exe
888 | Mhlcnl32.exe
2600 | Mqjehngm.exe
2600 | Mqjehngm.exe
572 | Mnneabff.exe
572 | Mnneabff.exe
2932 | Nqakim32.exe
2932 | Nqakim32.exe
2896 | Njipabhe.exe
2896 | Njipabhe.exe
2060 | Nhdjdk32.exe
2060 | Nhdjdk32.exe
2796 | Nehjmppo.exe
2796 | Nehjmppo.exe
Drops file in System32 directory 64 IoCs

description | ioc | Process
File created | C:\Windows\SysWOW64\Nkhbkg32.dll | Bjdqfajl.exe
File created | C:\Windows\SysWOW64\Lhfpoelo.dll | Keekeg32.exe
File created | C:\Windows\SysWOW64\Cmcfpikj.dll | Obdlcjkd.exe
File created | C:\Windows\SysWOW64\Odqqbmpp.dll | Bbkkbpjc.exe
File created | C:\Windows\SysWOW64\Dojhkoac.dll | Dddodd32.exe
File created | C:\Windows\SysWOW64\Knoaabhm.dll | Alknnodh.exe
File created | C:\Windows\SysWOW64\Blgfml32.exe | Bocfch32.exe
File created | C:\Windows\SysWOW64\Negicbnm.dll | Noepfkgh.exe
File created | C:\Windows\SysWOW64\Gjmhgp32.dll | Jhahcjcf.exe
File created | C:\Windows\SysWOW64\Kblooa32.exe | Kplfmfmf.exe
File created | C:\Windows\SysWOW64\Indiip32.dll | Kehidp32.exe
File created | C:\Windows\SysWOW64\Dljdcqek.exe | Cpccnp32.exe
File created | C:\Windows\SysWOW64\Pqlhbo32.exe | Okmceiii.exe
File created | C:\Windows\SysWOW64\Mnneabff.exe | Mqjehngm.exe
File created | C:\Windows\SysWOW64\Ebjdjpda.dll | Copobe32.exe
File created | C:\Windows\SysWOW64\Fmhaep32.exe | Fabppo32.exe
File opened for modification | C:\Windows\SysWOW64\Hdakej32.exe | Hhkjpi32.exe
File created | C:\Windows\SysWOW64\Bfliqmjg.exe | Bjehlldb.exe
File opened for modification | C:\Windows\SysWOW64\Leilnllb.exe | Lgekdh32.exe
File created | C:\Windows\SysWOW64\Pnodjb32.exe | Pdjpmi32.exe
File created | C:\Windows\SysWOW64\Ndkoemji.exe | Mkqnghfk.exe
File created | C:\Windows\SysWOW64\Edmnnakm.exe | Eamdlf32.exe
File created | C:\Windows\SysWOW64\Jiaaaicm.exe | Ilnqhddd.exe
File created | C:\Windows\SysWOW64\Oknckq32.dll | Lcnqin32.exe
File opened for modification | C:\Windows\SysWOW64\Pjlgna32.exe | Plfjme32.exe
File created | C:\Windows\SysWOW64\Jkjigh32.dll | Eedijo32.exe
File created | C:\Windows\SysWOW64\Bpahad32.exe | Bpokkdim.exe
File opened for modification | C:\Windows\SysWOW64\Epflbbpp.exe | Edokna32.exe
File created | C:\Windows\SysWOW64\Fmengo32.dll | Pejcab32.exe
File created | C:\Windows\SysWOW64\Alknnodh.exe | Apdminod.exe
File created | C:\Windows\SysWOW64\Icgpcjpo.dll | Khnqbhdi.exe
File created | C:\Windows\SysWOW64\Nfnfjmgp.exe | Nlfaag32.exe
File created | C:\Windows\SysWOW64\Pnphlc32.exe | Pqlhbo32.exe
File opened for modification | C:\Windows\SysWOW64\Dokmel32.exe | Dgphpi32.exe
File created | C:\Windows\SysWOW64\Donkapjh.dll | Adcobk32.exe
File created | C:\Windows\SysWOW64\Bdieho32.dll | Cqcomn32.exe
File opened for modification | C:\Windows\SysWOW64\Ghcbga32.exe | Ghaeaaki.exe
File created | C:\Windows\SysWOW64\Gbjncbgq.dll | Dclgbgbh.exe
File created | C:\Windows\SysWOW64\Epjlaj32.dll | Epgabhdg.exe
File created | C:\Windows\SysWOW64\Cpccnp32.exe | Cijkaehj.exe
File created | C:\Windows\SysWOW64\Lplfkgmm.dll | Hmpemkkf.exe
File opened for modification | C:\Windows\SysWOW64\Qkpnph32.exe | Poinkg32.exe
File opened for modification | C:\Windows\SysWOW64\Dpdbdo32.exe | Cmmcae32.exe
File opened for modification | C:\Windows\SysWOW64\Nnhakp32.exe | Mqgahh32.exe
File created | C:\Windows\SysWOW64\Paclje32.exe | Paqoef32.exe
File created | C:\Windows\SysWOW64\Hdakej32.exe | Hhkjpi32.exe
File created | C:\Windows\SysWOW64\Pncock32.dll | Licbca32.exe
File opened for modification | C:\Windows\SysWOW64\Npgppdpc.exe | Nnidchqp.exe
File created | C:\Windows\SysWOW64\Ofcebj32.dll | Ghagjj32.exe
File opened for modification | C:\Windows\SysWOW64\Ahgdbk32.exe | Qkcdigpa.exe
File opened for modification | C:\Windows\SysWOW64\Apjpglfn.exe | Adcobk32.exe
File opened for modification | C:\Windows\SysWOW64\Boainhic.exe | Bjdqfajl.exe
File created | C:\Windows\SysWOW64\Dfnalqca.dll | Jaahgd32.exe
File opened for modification | C:\Windows\SysWOW64\Pafpjljk.exe | Pjlgna32.exe
File opened for modification | C:\Windows\SysWOW64\Cjaieoko.exe | Colegflh.exe
File created | C:\Windows\SysWOW64\Dddodd32.exe | Dpggnfap.exe
File opened for modification | C:\Windows\SysWOW64\Ghndjd32.exe | Glgcec32.exe
File opened for modification | C:\Windows\SysWOW64\Kblooa32.exe | Kplfmfmf.exe
File opened for modification | C:\Windows\SysWOW64\Hobcok32.exe | Hhhkbqea.exe
File created | C:\Windows\SysWOW64\Lpccqd32.dll | Nnkqih32.exe
File created | C:\Windows\SysWOW64\Dkollo32.dll | Gbglgcbc.exe
File created | C:\Windows\SysWOW64\Epoljelg.dll | Fhgnie32.exe
File created | C:\Windows\SysWOW64\Aooaej32.exe | Qfdpgd32.exe
File opened for modification | C:\Windows\SysWOW64\Njipabhe.exe | Nqakim32.exe
Program crash 1 IoCs

pid | pid_target | Process | procid_target
3568 | 3436 | WerFault.exe | 550
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jalolemm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kfnmnojj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nnidchqp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jknlfg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pfnjfepp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Khnqbhdi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pblinp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Djfooa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kdcinjpo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Elkbipdi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eefdgeig.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bpokkdim.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Edieng32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Epflbbpp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fepnhjdh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ijjgkmqh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eccdmmpk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Epgabhdg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Obilip32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mmlmmdga.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ingogcke.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Milagp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Edmnnakm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hfjfpkji.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hqpjndio.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gabohk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kjbnlqld.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Akhndf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lbgkhoml.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ohmljj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fimclh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Foqadnpq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gfhikl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mnfhfmhc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nlfaag32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Colegflh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mhbhecjc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cbdpag32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pejcab32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mlcekgbb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bpahad32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iomhkgkb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lgekdh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bnkpjd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ogiegc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hkgjge32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dpggnfap.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ombhgljn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fkdoii32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mkhocj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mcjihk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ffiebc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cnfnlk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ankabh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Didgig32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lngpac32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dcgmgh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eekpknlf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ajghgd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bhqdgm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bbkkbpjc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Afojgiei.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Elqcnfdp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Elfakg32.exe
Modifies registry class 64 IoCs

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lahaqm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fkdoii32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jiiikq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pgfnfq32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ckeekp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | 43cfe7fe346a76baa51b4ca6485709598ff3d5594962fb54dd14dc61a8d9946b.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Alknnodh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jljoia32.dll" | Hmfkbeoc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ccjehkek.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Epgabhdg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Enokidgl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Eqjenb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idmele32.dll" | Lnipgp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epjlaj32.dll" | Epgabhdg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epoljelg.dll" | Fhgnie32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ndaaclac.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdcide32.dll" | Nphbhm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ooaiehhj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nafbcl32.dll" | Opcaiggo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Njaoeq32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fholmo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kemjieol.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mlfgkleh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bgablmfa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ckeekp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dciekjhc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mqgahh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mhbhecjc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Paqoef32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmoade32.dll" | Jgiffg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Laifbnho.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lkkfdmpq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mnfhfmhc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Oedclm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jakoae32.dll" | Baoopndk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Obfiijia.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hhkjpi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eidcqahi.dll" | Cgnbepjp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Meieho32.dll" | Hpckee32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifpbfc32.dll" | Gnenfjdh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dgphpi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jcfmkcdn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jaahgd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nlfaag32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Inopce32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Laidie32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hibkkjpb.dll" | Cnpieceq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Edmnnakm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ilnqhddd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhoqqojp.dll" | Mjkmfn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pinnfonh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qogcek32.dll" | Lakqoe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empbllfi.dll" | Oenngb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dhhkiq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqnqdcmj.dll" | 43cfe7fe346a76baa51b4ca6485709598ff3d5594962fb54dd14dc61a8d9946b.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jhahcjcf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Koelibnh.exe
Set value (str)
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hneddmal.dll" Apjpglfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgemgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gcapckod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghaeaaki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhmhpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coiege32.dll" Cmimif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnbmgkoo.dll" Naokbq32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
Each entry gives the image path, the command line as executed, and the PID, followed by the signatures that fired for that process. The number is the process's depth in the tree; the tree is a single chain, each process being the child of the one before it.

1. C:\Users\Admin\AppData\Local\Temp\43cfe7fe346a76baa51b4ca6485709598ff3d5594962fb54dd14dc61a8d9946b.exe (command line: "C:\Users\Admin\AppData\Local\Temp\43cfe7fe346a76baa51b4ca6485709598ff3d5594962fb54dd14dc61a8d9946b.exe"), PID 2348
   - Loads dropped DLL
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Ankabh32.exe (command line: C:\Windows\system32\Ankabh32.exe), PID 2828
   - Executes dropped EXE
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Ampncd32.exe (command line: C:\Windows\system32\Ampncd32.exe), PID 2268
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Bfmlgi32.exe (command line: C:\Windows\system32\Bfmlgi32.exe), PID 2984
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Bedene32.exe (command line: C:\Windows\system32\Bedene32.exe), PID 2928
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Ckajqo32.exe (command line: C:\Windows\system32\Ckajqo32.exe), PID 2764
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Cnacbj32.exe (command line: C:\Windows\system32\Cnacbj32.exe), PID 2584
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Cmimif32.exe (command line: C:\Windows\system32\Cmimif32.exe), PID 2644
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Didgig32.exe (command line: C:\Windows\system32\Didgig32.exe), PID 3044
   - Executes dropped EXE
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Dgoakpjn.exe (command line: C:\Windows\system32\Dgoakpjn.exe), PID 2832
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Elqcnfdp.exe (command line: C:\Windows\system32\Elqcnfdp.exe), PID 2316
   - Executes dropped EXE
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Eidchjbi.exe (command line: C:\Windows\system32\Eidchjbi.exe), PID 2000
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Fepnhjdh.exe (command line: C:\Windows\system32\Fepnhjdh.exe), PID 1364
   - Executes dropped EXE
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Fkocfa32.exe (command line: C:\Windows\system32\Fkocfa32.exe), PID 2672
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Fqnhcgma.exe (command line: C:\Windows\system32\Fqnhcgma.exe), PID 2920
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Gjkfglom.exe (command line: C:\Windows\system32\Gjkfglom.exe), PID 284
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Goodpb32.exe (command line: C:\Windows\system32\Goodpb32.exe), PID 1420
   - Executes dropped EXE
   - Loads dropped DLL
18. C:\Windows\SysWOW64\Hkfeec32.exe (command line: C:\Windows\system32\Hkfeec32.exe), PID 1532
   - Executes dropped EXE
   - Loads dropped DLL
19. C:\Windows\SysWOW64\Hchpjddc.exe (command line: C:\Windows\system32\Hchpjddc.exe), PID 2248
   - Executes dropped EXE
   - Loads dropped DLL
20. C:\Windows\SysWOW64\Jhahcjcf.exe (command line: C:\Windows\system32\Jhahcjcf.exe), PID 1796
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Modifies registry class
21. C:\Windows\SysWOW64\Khhndi32.exe (command line: C:\Windows\system32\Khhndi32.exe), PID 1096
   - Executes dropped EXE
   - Loads dropped DLL
22. C:\Windows\SysWOW64\Lnipgp32.exe (command line: C:\Windows\system32\Lnipgp32.exe), PID 832
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
23. C:\Windows\SysWOW64\Lcieef32.exe (command line: C:\Windows\system32\Lcieef32.exe), PID 1696
   - Executes dropped EXE
   - Loads dropped DLL
24. C:\Windows\SysWOW64\Llcfck32.exe (command line: C:\Windows\system32\Llcfck32.exe), PID 1724
   - Executes dropped EXE
   - Loads dropped DLL
25. C:\Windows\SysWOW64\Lngpac32.exe (command line: C:\Windows\system32\Lngpac32.exe), PID 796
   - Executes dropped EXE
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
26. C:\Windows\SysWOW64\Mhlcnl32.exe (command line: C:\Windows\system32\Mhlcnl32.exe), PID 888
   - Executes dropped EXE
   - Loads dropped DLL
27. C:\Windows\SysWOW64\Mqjehngm.exe (command line: C:\Windows\system32\Mqjehngm.exe), PID 2600
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
28. C:\Windows\SysWOW64\Mnneabff.exe (command line: C:\Windows\system32\Mnneabff.exe), PID 572
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
29. C:\Windows\SysWOW64\Nqakim32.exe (command line: C:\Windows\system32\Nqakim32.exe), PID 2932
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
30. C:\Windows\SysWOW64\Njipabhe.exe (command line: C:\Windows\system32\Njipabhe.exe), PID 2896
   - Executes dropped EXE
   - Loads dropped DLL
31. C:\Windows\SysWOW64\Nhdjdk32.exe (command line: C:\Windows\system32\Nhdjdk32.exe), PID 2060
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
32. C:\Windows\SysWOW64\Nehjmppo.exe (command line: C:\Windows\system32\Nehjmppo.exe), PID 2796
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
33. C:\Windows\SysWOW64\Naokbq32.exe (command line: C:\Windows\system32\Naokbq32.exe), PID 2856
   - Executes dropped EXE
   - Modifies registry class
34. C:\Windows\SysWOW64\Ojgokflc.exe (command line: C:\Windows\system32\Ojgokflc.exe), PID 1304
   - Executes dropped EXE
35. C:\Windows\SysWOW64\Ohmljj32.exe (command line: C:\Windows\system32\Ohmljj32.exe), PID 2168
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
36. C:\Windows\SysWOW64\Ofbikf32.exe (command line: C:\Windows\system32\Ofbikf32.exe), PID 1524
   - Executes dropped EXE
37. C:\Windows\SysWOW64\Pejcab32.exe (command line: C:\Windows\system32\Pejcab32.exe), PID 592
   - Executes dropped EXE
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
38. C:\Windows\SysWOW64\Pbnckg32.exe (command line: C:\Windows\system32\Pbnckg32.exe), PID 2172
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
39. C:\Windows\SysWOW64\Paemac32.exe (command line: C:\Windows\system32\Paemac32.exe), PID 1656
   - Executes dropped EXE
40. C:\Windows\SysWOW64\Poinkg32.exe (command line: C:\Windows\system32\Poinkg32.exe), PID 984
   - Executes dropped EXE
   - Drops file in System32 directory
41. C:\Windows\SysWOW64\Qkpnph32.exe (command line: C:\Windows\system32\Qkpnph32.exe), PID 2452
   - Executes dropped EXE
42. C:\Windows\SysWOW64\Qlcgmpkp.exe (command line: C:\Windows\system32\Qlcgmpkp.exe), PID 1784
   - Executes dropped EXE
43. C:\Windows\SysWOW64\Ajghgd32.exe (command line: C:\Windows\system32\Ajghgd32.exe), PID 1468
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
44. C:\Windows\SysWOW64\Ahmehqna.exe (command line: C:\Windows\system32\Ahmehqna.exe), PID 1104
   - Executes dropped EXE
45. C:\Windows\SysWOW64\Apdminod.exe (command line: C:\Windows\system32\Apdminod.exe), PID 1600
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Drops file in System32 directory
46. C:\Windows\SysWOW64\Alknnodh.exe (command line: C:\Windows\system32\Alknnodh.exe), PID 952
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies registry class
47. C:\Windows\SysWOW64\Aagfffbo.exe (command line: C:\Windows\system32\Aagfffbo.exe), PID 948
   - Executes dropped EXE
48. C:\Windows\SysWOW64\Aokfpjai.exe (command line: C:\Windows\system32\Aokfpjai.exe), PID 2440
   - Executes dropped EXE
49. C:\Windows\SysWOW64\Aggkdlod.exe (command line: C:\Windows\system32\Aggkdlod.exe), PID 2220
   - Executes dropped EXE
50. C:\Windows\SysWOW64\Bhfhnofg.exe (command line: C:\Windows\system32\Bhfhnofg.exe), PID 2324
   - Executes dropped EXE
51. C:\Windows\SysWOW64\Bqambacb.exe (command line: C:\Windows\system32\Bqambacb.exe), PID 2836
   - Executes dropped EXE
52. C:\Windows\SysWOW64\Bmhmgbif.exe (command line: C:\Windows\system32\Bmhmgbif.exe), PID 2992
   - Executes dropped EXE
53. C:\Windows\SysWOW64\Bnhjae32.exe (command line: C:\Windows\system32\Bnhjae32.exe), PID 3016
   - Executes dropped EXE
54. C:\Windows\SysWOW64\Bjnjfffm.exe (command line: C:\Windows\system32\Bjnjfffm.exe), PID 2912
   - Executes dropped EXE
55. C:\Windows\SysWOW64\Cfekkgla.exe (command line: C:\Windows\system32\Cfekkgla.exe), PID 2628
   - Executes dropped EXE
56. C:\Windows\SysWOW64\Cbllph32.exe (command line: C:\Windows\system32\Cbllph32.exe), PID 2096
   - Executes dropped EXE
57. C:\Windows\SysWOW64\Cemebcnf.exe (command line: C:\Windows\system32\Cemebcnf.exe), PID 2704
   - Executes dropped EXE
58. C:\Windows\SysWOW64\Cbqekhmp.exe (command line: C:\Windows\system32\Cbqekhmp.exe), PID 2436
   - Executes dropped EXE
59. C:\Windows\SysWOW64\Cngfqi32.exe (command line: C:\Windows\system32\Cngfqi32.exe), PID 2132
   - Executes dropped EXE
60. C:\Windows\SysWOW64\Cmmcae32.exe (command line: C:\Windows\system32\Cmmcae32.exe), PID 1760
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Drops file in System32 directory
61. C:\Windows\SysWOW64\Dpdbdo32.exe (command line: C:\Windows\system32\Dpdbdo32.exe), PID 1324
   - Executes dropped EXE
62. C:\Windows\SysWOW64\Elkbipdi.exe (command line: C:\Windows\system32\Elkbipdi.exe), PID 2176
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
63. C:\Windows\SysWOW64\Eiocbd32.exe (command line: C:\Windows\system32\Eiocbd32.exe), PID 2536
   - Executes dropped EXE
64. C:\Windows\SysWOW64\Eefdgeig.exe (command line: C:\Windows\system32\Eefdgeig.exe), PID 2196
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
65. C:\Windows\SysWOW64\Eamdlf32.exe (command line: C:\Windows\system32\Eamdlf32.exe), PID 1540
   - Executes dropped EXE
   - Drops file in System32 directory
66. C:\Windows\SysWOW64\Edmnnakm.exe (command line: C:\Windows\system32\Edmnnakm.exe), PID 1888
   - System Location Discovery: System Language Discovery
   - Modifies registry class
67. C:\Windows\SysWOW64\Fimclh32.exe (command line: C:\Windows\system32\Fimclh32.exe), PID 548
   - Adds autorun key to be loaded by Explorer.exe on startup
   - System Location Discovery: System Language Discovery
68. C:\Windows\SysWOW64\Fcegdnna.exe (command line: C:\Windows\system32\Fcegdnna.exe), PID 844
69. C:\Windows\SysWOW64\Folhio32.exe (command line: C:\Windows\system32\Folhio32.exe), PID 2064
70. C:\Windows\SysWOW64\Falakjag.exe (command line: C:\Windows\system32\Falakjag.exe), PID 2892
71. C:\Windows\SysWOW64\Foqadnpq.exe (command line: C:\Windows\system32\Foqadnpq.exe), PID 2476
   - System Location Discovery: System Language Discovery
72. C:\Windows\SysWOW64\Gnenfjdh.exe (command line: C:\Windows\system32\Gnenfjdh.exe), PID 2916
   - Modifies registry class
73. C:\Windows\SysWOW64\Ghkbccdn.exe (command line: C:\Windows\system32\Ghkbccdn.exe), PID 2792
74. C:\Windows\SysWOW64\Ggppdpif.exe (command line: C:\Windows\system32\Ggppdpif.exe), PID 2228
75. C:\Windows\SysWOW64\Gqidme32.exe (command line: C:\Windows\system32\Gqidme32.exe), PID 2148
76. C:\Windows\SysWOW64\Gnmdfi32.exe (command line: C:\Windows\system32\Gnmdfi32.exe), PID 2728
   - Adds autorun key to be loaded by Explorer.exe on startup
77. C:\Windows\SysWOW64\Gfhikl32.exe (command line: C:\Windows\system32\Gfhikl32.exe), PID 2876
   - System Location Discovery: System Language Discovery
78. C:\Windows\SysWOW64\Hfjfpkji.exe (command line: C:\Windows\system32\Hfjfpkji.exe), PID 2328
   - System Location Discovery: System Language Discovery
79. C:\Windows\SysWOW64\Hqpjndio.exe (command line: C:\Windows\system32\Hqpjndio.exe), PID 2420
   - System Location Discovery: System Language Discovery
80. C:\Windows\SysWOW64\Hmfkbeoc.exe (command line: C:\Windows\system32\Hmfkbeoc.exe), PID 2532
   - Modifies registry class
81. C:\Windows\SysWOW64\Hfookk32.exe (command line: C:\Windows\system32\Hfookk32.exe), PID 852
82. C:\Windows\SysWOW64\Hklhca32.exe (command line: C:\Windows\system32\Hklhca32.exe), PID 2152
83. C:\Windows\SysWOW64\Hiphmf32.exe (command line: C:\Windows\system32\Hiphmf32.exe), PID 936
84. C:\Windows\SysWOW64\Hibebeqb.exe (command line: C:\Windows\system32\Hibebeqb.exe), PID 916
85. C:\Windows\SysWOW64\Hnomkloi.exe (command line: C:\Windows\system32\Hnomkloi.exe), PID 1288
86. C:\Windows\SysWOW64\Ijenpn32.exe (command line: C:\Windows\system32\Ijenpn32.exe), PID 2028
87. C:\Windows\SysWOW64\Icnbic32.exe (command line: C:\Windows\system32\Icnbic32.exe), PID 1720
88. C:\Windows\SysWOW64\Icponb32.exe (command line: C:\Windows\system32\Icponb32.exe), PID 2872
   - Adds autorun key to be loaded by Explorer.exe on startup
89. C:\Windows\SysWOW64\Ijjgkmqh.exe (command line: C:\Windows\system32\Ijjgkmqh.exe), PID 1092
   - System Location Discovery: System Language Discovery
90. C:\Windows\SysWOW64\Ilnqhddd.exe (command line: C:\Windows\system32\Ilnqhddd.exe), PID 2592
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Drops file in System32 directory
   - Modifies registry class
91. C:\Windows\SysWOW64\Jiaaaicm.exe (command line: C:\Windows\system32\Jiaaaicm.exe), PID 3000
92. C:\Windows\SysWOW64\Jidngh32.exe (command line: C:\Windows\system32\Jidngh32.exe), PID 2596
93. C:\Windows\SysWOW64\Jblbpnhk.exe (command line: C:\Windows\system32\Jblbpnhk.exe), PID 2400
94. C:\Windows\SysWOW64\Jjhgdqef.exe (command line: C:\Windows\system32\Jjhgdqef.exe), PID 2424
95. C:\Windows\SysWOW64\Jlgcncli.exe (command line: C:\Windows\system32\Jlgcncli.exe), PID 272
96. C:\Windows\SysWOW64\Jhndcd32.exe (command line: C:\Windows\system32\Jhndcd32.exe), PID 1064
97. C:\Windows\SysWOW64\Kfcadq32.exe (command line: C:\Windows\system32\Kfcadq32.exe), PID 1328
98. C:\Windows\SysWOW64\Kplfmfmf.exe (command line: C:\Windows\system32\Kplfmfmf.exe), PID 108
   - Drops file in System32 directory
99. C:\Windows\SysWOW64\Kblooa32.exe (command line: C:\Windows\system32\Kblooa32.exe), PID 2488
   - Adds autorun key to be loaded by Explorer.exe on startup
100. C:\Windows\SysWOW64\Kmbclj32.exe (command line: C:\Windows\system32\Kmbclj32.exe), PID 364
101. C:\Windows\SysWOW64\Kgjgepqm.exe (command line: C:\Windows\system32\Kgjgepqm.exe), PID 1632
102. C:\Windows\SysWOW64\Koelibnh.exe (command line: C:\Windows\system32\Koelibnh.exe), PID 2852
   - Modifies registry class
103. C:\Windows\SysWOW64\Khnqbhdi.exe (command line: C:\Windows\system32\Khnqbhdi.exe), PID 3052
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
104. C:\Windows\SysWOW64\Lhpmhgbf.exe (command line: C:\Windows\system32\Lhpmhgbf.exe), PID 2012
105. C:\Windows\SysWOW64\Lahaqm32.exe (command line: C:\Windows\system32\Lahaqm32.exe), PID 2356
   - Modifies registry class
106. C:\Windows\SysWOW64\Lkafib32.exe (command line: C:\Windows\system32\Lkafib32.exe), PID 2844
107. C:\Windows\SysWOW64\Ldikbhfh.exe (command line: C:\Windows\system32\Ldikbhfh.exe), PID 1088
108. C:\Windows\SysWOW64\Ljfckodo.exe (command line: C:\Windows\system32\Ljfckodo.exe), PID 1316
109. C:\Windows\SysWOW64\Ldlghhde.exe (command line: C:\Windows\system32\Ldlghhde.exe), PID 1768
110. C:\Windows\SysWOW64\Llgllj32.exe (command line: C:\Windows\system32\Llgllj32.exe), PID 1712
111. C:\Windows\SysWOW64\Mjkmfn32.exe (command line: C:\Windows\system32\Mjkmfn32.exe), PID 1556
   - Modifies registry class
112. C:\Windows\SysWOW64\Mnfhfmhc.exe (command line: C:\Windows\system32\Mnfhfmhc.exe), PID 976
   - System Location Discovery: System Language Discovery
   - Modifies registry class
113. C:\Windows\SysWOW64\Mqgahh32.exe (command line: C:\Windows\system32\Mqgahh32.exe), PID 884
   - Drops file in System32 directory
   - Modifies registry class
114. C:\Windows\SysWOW64\Nnhakp32.exe (command line: C:\Windows\system32\Nnhakp32.exe), PID 2156
115. C:\Windows\SysWOW64\Ndbjgjqh.exe (command line: C:\Windows\system32\Ndbjgjqh.exe), PID 2960
116. C:\Windows\SysWOW64\Nmnoll32.exe (command line: C:\Windows\system32\Nmnoll32.exe), PID 2748
117. C:\Windows\SysWOW64\Njaoeq32.exe (command line: C:\Windows\system32\Njaoeq32.exe), PID 2332
   - Modifies registry class
118. C:\Windows\SysWOW64\Ombhgljn.exe (command line: C:\Windows\system32\Ombhgljn.exe), PID 2396
   - System Location Discovery: System Language Discovery
119. C:\Windows\SysWOW64\Ofklpa32.exe (command line: C:\Windows\system32\Ofklpa32.exe), PID 1380
120. C:\Windows\SysWOW64\Opcaiggo.exe (command line: C:\Windows\system32\Opcaiggo.exe), PID 964
   - Modifies registry class
121. C:\Windows\SysWOW64\Oepianef.exe (command line: C:\Windows\system32\Oepianef.exe), PID 2052
   - Adds autorun key to be loaded by Explorer.exe on startup
122. C:\Windows\SysWOW64\Opennf32.exe (command line: C:\Windows\system32\Opennf32.exe), PID 304