Analysis
-
max time kernel
119s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
27-10-2024 12:08
Behavioral task
behavioral1
Sample
311b212e0e782ebc29bbee9ca949af52b318adb70b395fb311c2086936a5f32eN.exe
Resource
win7-20241010-en
windows7-x64
12 signatures
120 seconds
General
-
Target
311b212e0e782ebc29bbee9ca949af52b318adb70b395fb311c2086936a5f32eN.exe
-
Size
337KB
-
MD5
332f6c1f972c3fc29723ce08623d7620
-
SHA1
93195b73f6108feb3ea6b7dc6db6176f7c7fc75e
-
SHA256
311b212e0e782ebc29bbee9ca949af52b318adb70b395fb311c2086936a5f32e
-
SHA512
06e69820afee8a2fa973a1de9cfeb9dd3f2de5a7304463d6a6d75e2e811f16d309916e908b0765eed63c8e66591f032052cdd7b9b700c8780b911dd01124cbbb
-
SSDEEP
3072:Vipg9GFaPARLX4F7gYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:VwZEWLIF71+fIyG5jZkCwi8r
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Mfmndn32.exeOlpilg32.exeFelajbpg.exeMcodqkbi.exeDcjaeamd.exeAldfcpjn.exeEccpoo32.exeHgbfnngi.exeMbcoio32.exeLplbjm32.exeBdckobhd.exeKipmhc32.exeDcmnja32.exeAobnniji.exeFdqnkoep.exeGconbj32.exeKpojkp32.exeLkdjglfo.exeNenkqi32.exeQndkpmkm.exeGjgiidkl.exeKpbhjh32.exeNldahn32.exeBfcodkcb.exeAmfognic.exeHemqpf32.exeAlihaioe.exeKmcjedcg.exeNppofado.exeDllhhaep.exeJjbbpmgo.exeHinbppna.exeHbnmienj.exeLqqpgj32.exeOmcifpnp.exePcdkif32.exeQiflohqk.exeNbbbdcgi.exeQobdgo32.exeKdnild32.exeGgagmjbq.exeInjqmdki.exeIflmjihl.exeMhhgpc32.exeCqjhcfpc.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfmndn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olpilg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Felajbpg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcodqkbi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcjaeamd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aldfcpjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eccpoo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgbfnngi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbcoio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lplbjm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdckobhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kipmhc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcmnja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aobnniji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdqnkoep.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gconbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpojkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkdjglfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nenkqi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qndkpmkm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjgiidkl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpbhjh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nldahn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfcodkcb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amfognic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hemqpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alihaioe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmcjedcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nppofado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dllhhaep.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjbbpmgo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hinbppna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbnmienj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lqqpgj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omcifpnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcdkif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qiflohqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbbbdcgi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qobdgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdnild32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggagmjbq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Injqmdki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iflmjihl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhhgpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cqjhcfpc.exe -
Berbew family
-
Njrat family
-
Executes dropped EXE 64 IoCs
Processes:
Bncaekhp.exeCadjgf32.exeCebcmdlg.exeCaidaeak.exeCdgpnqpo.exeDanmmd32.exeDkfbfjdf.exeDcccpl32.exeDllhhaep.exeEheecbia.exeEhgbhbgn.exeEndjaief.exeEccpoo32.exeEcfldoph.exeEjpdai32.exeFcjeon32.exeFoafdoag.exeFbbofjnh.exeFdpkbf32.exeFnipkkdl.exeFqglggcp.exeGnkmqkbi.exeGbfiaj32.exeGnmifk32.exeGmpjagfa.exeGnpflj32.exeGmbfggdo.exeGmecmg32.exeGpcoib32.exeGmgpbf32.exeGcahoqhf.exeHinqgg32.exeHbfepmmn.exeHbiaemkk.exeHegnahjo.exeHbknkl32.exeHjfcpo32.exeIpehmebh.exeIfoqjo32.exeIipiljgf.exeIpjahd32.exeImnbbi32.exeIoooiack.exeIpokcdjn.exeIbmgpoia.exeJlelhe32.exeJabdql32.exeJniefm32.exeJaeafklf.exeJdcmbgkj.exeJkmeoa32.exeJnkakl32.exeJdejhfig.exeJjbbpmgo.exeJaijak32.exeJkbojpna.exeJjdofm32.exeJlckbh32.exeKcmcoblm.exeKpadhg32.exeKoddccaa.exeKofaicon.exeKbdmeoob.exeKjleflod.exepid Process 1892 Bncaekhp.exe 2032 Cadjgf32.exe 1644 Cebcmdlg.exe 1224 Caidaeak.exe 2832 Cdgpnqpo.exe 2648 Danmmd32.exe 2764 Dkfbfjdf.exe 2576 Dcccpl32.exe 2596 Dllhhaep.exe 2572 Eheecbia.exe 1556 Ehgbhbgn.exe 1688 Endjaief.exe 1252 Eccpoo32.exe 2880 Ecfldoph.exe 332 Ejpdai32.exe 2080 Fcjeon32.exe 448 Foafdoag.exe 2264 Fbbofjnh.exe 940 Fdpkbf32.exe 696 Fnipkkdl.exe 2200 Fqglggcp.exe 772 Gnkmqkbi.exe 1476 Gbfiaj32.exe 1868 Gnmifk32.exe 2304 Gmpjagfa.exe 2028 Gnpflj32.exe 1628 Gmbfggdo.exe 1924 Gmecmg32.exe 2176 Gpcoib32.exe 1940 Gmgpbf32.exe 2828 Gcahoqhf.exe 1884 Hinqgg32.exe 2528 Hbfepmmn.exe 2732 Hbiaemkk.exe 2524 Hegnahjo.exe 2536 Hbknkl32.exe 2700 Hjfcpo32.exe 1912 Ipehmebh.exe 1488 Ifoqjo32.exe 2908 Iipiljgf.exe 3048 Ipjahd32.exe 1960 Imnbbi32.exe 2948 Ioooiack.exe 1020 Ipokcdjn.exe 328 Ibmgpoia.exe 2072 Jlelhe32.exe 1752 Jabdql32.exe 1968 Jniefm32.exe 1860 Jaeafklf.exe 1548 Jdcmbgkj.exe 1872 Jkmeoa32.exe 2024 Jnkakl32.exe 1984 Jdejhfig.exe 2220 Jjbbpmgo.exe 804 Jaijak32.exe 2788 Jkbojpna.exe 2012 Jjdofm32.exe 2780 Jlckbh32.exe 2692 Kcmcoblm.exe 2864 Kpadhg32.exe 1612 Koddccaa.exe 2256 Kofaicon.exe 2936 Kbdmeoob.exe 1848 Kjleflod.exe -
Loads dropped DLL 64 IoCs
Processes:
311b212e0e782ebc29bbee9ca949af52b318adb70b395fb311c2086936a5f32eN.exeBncaekhp.exeCadjgf32.exeCebcmdlg.exeCaidaeak.exeCdgpnqpo.exeDanmmd32.exeDkfbfjdf.exeDcccpl32.exeDllhhaep.exeEheecbia.exeEhgbhbgn.exeEndjaief.exeEccpoo32.exeEcfldoph.exeEjpdai32.exeFcjeon32.exeFoafdoag.exeFbbofjnh.exeFdpkbf32.exeFnipkkdl.exeFqglggcp.exeGnkmqkbi.exeGbfiaj32.exeGnmifk32.exeGmpjagfa.exeGnpflj32.exeGmbfggdo.exeGmecmg32.exeGpcoib32.exeGmgpbf32.exeGcahoqhf.exepid Process 1656 311b212e0e782ebc29bbee9ca949af52b318adb70b395fb311c2086936a5f32eN.exe 1656 311b212e0e782ebc29bbee9ca949af52b318adb70b395fb311c2086936a5f32eN.exe 1892 Bncaekhp.exe 1892 Bncaekhp.exe 2032 Cadjgf32.exe 2032 Cadjgf32.exe 1644 Cebcmdlg.exe 1644 Cebcmdlg.exe 1224 Caidaeak.exe 1224 Caidaeak.exe 2832 Cdgpnqpo.exe 2832 Cdgpnqpo.exe 2648 Danmmd32.exe 2648 Danmmd32.exe 2764 Dkfbfjdf.exe 2764 Dkfbfjdf.exe 2576 Dcccpl32.exe 2576 Dcccpl32.exe 2596 Dllhhaep.exe 2596 Dllhhaep.exe 2572 Eheecbia.exe 2572 Eheecbia.exe 1556 Ehgbhbgn.exe 1556 Ehgbhbgn.exe 1688 Endjaief.exe 1688 Endjaief.exe 1252 Eccpoo32.exe 1252 Eccpoo32.exe 2880 Ecfldoph.exe 2880 Ecfldoph.exe 332 Ejpdai32.exe 332 Ejpdai32.exe 2080 Fcjeon32.exe 2080 Fcjeon32.exe 448 Foafdoag.exe 448 Foafdoag.exe 2264 Fbbofjnh.exe 2264 Fbbofjnh.exe 940 Fdpkbf32.exe 940 Fdpkbf32.exe 696 Fnipkkdl.exe 696 Fnipkkdl.exe 2200 Fqglggcp.exe 2200 Fqglggcp.exe 772 Gnkmqkbi.exe 772 Gnkmqkbi.exe 1476 Gbfiaj32.exe 1476 Gbfiaj32.exe 1868 Gnmifk32.exe 1868 Gnmifk32.exe 2304 Gmpjagfa.exe 2304 Gmpjagfa.exe 2028 Gnpflj32.exe 2028 Gnpflj32.exe 1628 Gmbfggdo.exe 1628 Gmbfggdo.exe 1924 Gmecmg32.exe 1924 Gmecmg32.exe 2176 Gpcoib32.exe 2176 Gpcoib32.exe 1940 Gmgpbf32.exe 1940 Gmgpbf32.exe 2828 Gcahoqhf.exe 2828 Gcahoqhf.exe -
Drops file in System32 directory 64 IoCs
Processes:
Andjgidl.exeHghillnd.exeOnnnml32.exeAdaiee32.exeGkbcbn32.exeAjnpecbj.exeLfoojj32.exeQmhahkdj.exeAlbjnplq.exePkdihhag.exeDlifadkk.exeDcokpa32.exeCjjkpe32.exeBplijcle.exeGiaidnkf.exeLghgmg32.exePimkbbpi.exeLgmeid32.exeHhcndhap.exeNefdpjkl.exeNenkqi32.exeMphiqbon.exeCncmcm32.exeJbhebfck.exeCbgmigeq.exeOlbfagca.exeQbnphngk.exePcghof32.exeIkagogco.exeFhgppnan.exeDilapopb.exeKdnild32.exeMobomnoq.exeOnlahm32.exeKipmhc32.exeGmqkml32.exeFjjpjgjj.exeQkielpdf.exeAohgfm32.exeKihpmnbb.exeDebadpeg.exeJbcjnnpl.exeDfbnoc32.exeMgegfk32.exeKngekdnf.exeCpkmcldj.exeBfabnl32.exeKckhdg32.exeEdibhmml.exeEkkjheja.exeDnkhfnck.exedescription ioc Process File opened for modification C:\Windows\SysWOW64\Hekefkig.exe File opened for modification C:\Windows\SysWOW64\Bapfhg32.exe Andjgidl.exe File created C:\Windows\SysWOW64\Mfiema32.dll Hghillnd.exe File created C:\Windows\SysWOW64\Qkddnqcm.dll Onnnml32.exe File opened for modification C:\Windows\SysWOW64\Agpeaa32.exe Adaiee32.exe File opened for modification C:\Windows\SysWOW64\Gfhgpg32.exe Gkbcbn32.exe File created C:\Windows\SysWOW64\Aqhhanig.exe Ajnpecbj.exe File created C:\Windows\SysWOW64\Legdph32.dll Lfoojj32.exe File created C:\Windows\SysWOW64\Adaiee32.exe Qmhahkdj.exe File created C:\Windows\SysWOW64\Afgnkilf.exe Albjnplq.exe File created C:\Windows\SysWOW64\Nbabqihk.dll File created C:\Windows\SysWOW64\Ghcicglo.dll Pkdihhag.exe File opened for modification C:\Windows\SysWOW64\Dmkcil32.exe Dlifadkk.exe File created C:\Windows\SysWOW64\Djicmk32.exe Dcokpa32.exe File opened for modification C:\Windows\SysWOW64\Ehaolpke.exe File created C:\Windows\SysWOW64\Cmhglq32.exe Cjjkpe32.exe File created C:\Windows\SysWOW64\Bjembh32.exe Bplijcle.exe File opened for modification C:\Windows\SysWOW64\Gamnhq32.exe Giaidnkf.exe File created C:\Windows\SysWOW64\Gkeeihpg.dll Lghgmg32.exe File opened for modification C:\Windows\SysWOW64\Ppgcol32.exe Pimkbbpi.exe File created C:\Windows\SysWOW64\Fpbqcb32.exe File opened for modification C:\Windows\SysWOW64\Gkedjo32.exe File created C:\Windows\SysWOW64\Kbmamh32.dll File created C:\Windows\SysWOW64\Oipenooj.dll File created C:\Windows\SysWOW64\Ppdlmc32.dll Lgmeid32.exe File opened for modification C:\Windows\SysWOW64\Honfqb32.exe Hhcndhap.exe File created C:\Windows\SysWOW64\Gfdkid32.dll Nefdpjkl.exe File created C:\Windows\SysWOW64\Nfoghakb.exe Nenkqi32.exe File created C:\Windows\SysWOW64\Mflcaaja.dll Mphiqbon.exe File created C:\Windows\SysWOW64\Cdmepgce.exe Cncmcm32.exe File created C:\Windows\SysWOW64\Biklma32.dll Jbhebfck.exe File created C:\Windows\SysWOW64\Iaehne32.dll File created C:\Windows\SysWOW64\Plbbmj32.dll File opened for modification C:\Windows\SysWOW64\Ciaefa32.exe Cbgmigeq.exe File opened for modification C:\Windows\SysWOW64\Ofhjopbg.exe Olbfagca.exe File created C:\Windows\SysWOW64\Mehoblpm.dll Qbnphngk.exe File opened for modification C:\Windows\SysWOW64\Lbojjq32.exe File opened for modification C:\Windows\SysWOW64\Peedka32.exe Pcghof32.exe File created C:\Windows\SysWOW64\Iomcpe32.exe Ikagogco.exe File created C:\Windows\SysWOW64\Leaohdkk.dll File created C:\Windows\SysWOW64\Flclam32.exe Fhgppnan.exe File opened for modification C:\Windows\SysWOW64\Dmgmpnhl.exe Dilapopb.exe File created C:\Windows\SysWOW64\Kkgahoel.exe Kdnild32.exe File created C:\Windows\SysWOW64\Mbqkiind.exe Mobomnoq.exe File opened for modification C:\Windows\SysWOW64\Oefjdgjk.exe Onlahm32.exe File opened for modification C:\Windows\SysWOW64\Kdeaelok.exe Kipmhc32.exe File created C:\Windows\SysWOW64\Gdjcjf32.exe Gmqkml32.exe File created C:\Windows\SysWOW64\Fqdiga32.exe Fjjpjgjj.exe File opened for modification C:\Windows\SysWOW64\Qmhahkdj.exe Qkielpdf.exe File created C:\Windows\SysWOW64\Afpogk32.exe Aohgfm32.exe File created C:\Windows\SysWOW64\Kpbhjh32.exe Kihpmnbb.exe File created C:\Windows\SysWOW64\Dmijfmfi.exe Debadpeg.exe File opened for modification C:\Windows\SysWOW64\Jeafjiop.exe Jbcjnnpl.exe File created C:\Windows\SysWOW64\Dlofgj32.exe Dfbnoc32.exe File opened for modification C:\Windows\SysWOW64\Mpnkopeh.exe Mgegfk32.exe File created C:\Windows\SysWOW64\Cfgnmg32.dll Kngekdnf.exe File opened for modification C:\Windows\SysWOW64\Cfeepelg.exe Cpkmcldj.exe File created C:\Windows\SysWOW64\Bddbjhlp.exe Bfabnl32.exe File opened for modification C:\Windows\SysWOW64\Kihpmnbb.exe Kckhdg32.exe File opened for modification C:\Windows\SysWOW64\Beggec32.exe File opened for modification C:\Windows\SysWOW64\Emagacdm.exe Edibhmml.exe File created C:\Windows\SysWOW64\Eaebeoan.exe Ekkjheja.exe File created C:\Windows\SysWOW64\Kgdcgk32.dll Dnkhfnck.exe File created C:\Windows\SysWOW64\Pkhmod32.dll Kckhdg32.exe -
Program crash 1 IoCs
Processes:
pid pid_target Process procid_target 2064 5212 1430 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Gmpjagfa.exeHbiaemkk.exeHbknkl32.exeKofaicon.exePmjaohol.exeFihfnp32.exeCgdqpq32.exeNpdfhhhe.exeIpeaco32.exeImjkpb32.exeHdpcokdo.exePnfnajed.exeIianmlfn.exeJgbjjf32.exeJajocl32.exeQkffng32.exeJmhnkfpa.exeNenkqi32.exeOlmela32.exeQhilkege.exeKcmcoblm.exeFcpacf32.exeGgdcbi32.exeJdcpkp32.exeGdfiofhn.exeJkmeoa32.exeKklkcn32.exePhlclgfc.exeEdlhqlfi.exeHinbppna.exeHbidne32.exeEheglk32.exeDhhhbg32.exeJhdegn32.exeModlbmmn.exeEhnfpifm.exeGhibjjnk.exeLadebd32.exeAhgofi32.exeCqdfehii.exeGjojef32.exeFcmdnfad.exeAgpeaa32.exeDgfmep32.exeAnecfgdc.exeNmlgfnal.exeFlocfmnl.exeOnlahm32.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmpjagfa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbiaemkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbknkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kofaicon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmjaohol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fihfnp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgdqpq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npdfhhhe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipeaco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imjkpb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdpcokdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnfnajed.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iianmlfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgbjjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jajocl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkffng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmhnkfpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nenkqi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olmela32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhilkege.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcmcoblm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcpacf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggdcbi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdcpkp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdfiofhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkmeoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kklkcn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phlclgfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edlhqlfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hinbppna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbidne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eheglk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhhhbg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhdegn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Modlbmmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehnfpifm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghibjjnk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ladebd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahgofi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cqdfehii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjojef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcmdnfad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agpeaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgfmep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anecfgdc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmlgfnal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flocfmnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onlahm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language -
Modifies registry class 64 IoCs
Processes:
Gbjojh32.exeDmcfngde.exeJoblkegc.exeBbgqjdce.exeCiaefa32.exeLjldnhid.exeJjlmkb32.exeIhniaa32.exeAoagccfn.exeKgfoie32.exeGamnhq32.exePdbmfb32.exeCnejim32.exeMcggef32.exeJeafjiop.exeLjfapjbi.exeGkmefaan.exePhqmgg32.exeBfioia32.exeKaajei32.exeAiaoclgl.exeBfcodkcb.exeJbhebfck.exeLifcib32.exeNbbbdcgi.exeAkkoig32.exeMhonngce.exeKhagijcd.exeHmjoqo32.exeKecjmodq.exeOhojmjep.exePifbjn32.exeOpglafab.exeNhepoaif.exeDjfdob32.exeCdgpnqpo.exeLmjnak32.exeCkmpkpbl.exeHbggif32.exeNjhilimb.exeAlodeacc.exeEoiiijcc.exeFooembgb.exeQjddgj32.exeAfpogk32.exeBjpaop32.exeQkielpdf.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbgiha32.dll" Gbjojh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmcfngde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glmmpgoa.dll" Joblkegc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kikpibof.dll" Bbgqjdce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fphoebme.dll" Ciaefa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljldnhid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjlmkb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ihniaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnafi32.dll" Aoagccfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jqnocncd.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhompmdf.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epphbb32.dll" Kgfoie32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gamnhq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pdbmfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnejim32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcggef32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jeafjiop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljfapjbi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkmefaan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngciog32.dll" Phqmgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfioia32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kaajei32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aiaoclgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfcodkcb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbhebfck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agpqch32.dll" Lifcib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmhonm32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nbbbdcgi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akkoig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlaaie32.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhonngce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Khagijcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkmggbfb.dll" Hmjoqo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kecjmodq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohojmjep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pifbjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pphkcaig.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkhanokh.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Opglafab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhepoaif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lanbhm32.dll" Djfdob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdgpnqpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Komnbg32.dll" Lmjnak32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckmpkpbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olemefec.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbggif32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njhilimb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkobdolo.dll" Alodeacc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdgpnqpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmlcld32.dll" Eoiiijcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgdokbck.dll" Fooembgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qjddgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmgphhbi.dll" Afpogk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjpaop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahfalc32.dll" Qkielpdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghefgc32.dll" -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
311b212e0e782ebc29bbee9ca949af52b318adb70b395fb311c2086936a5f32eN.exeBncaekhp.exeCadjgf32.exeCebcmdlg.exeCaidaeak.exeCdgpnqpo.exeDanmmd32.exeDkfbfjdf.exeDcccpl32.exeDllhhaep.exeEheecbia.exeEhgbhbgn.exeEndjaief.exeEccpoo32.exeEcfldoph.exeEjpdai32.exedescription pid Process procid_target PID 1656 wrote to memory of 1892 1656 311b212e0e782ebc29bbee9ca949af52b318adb70b395fb311c2086936a5f32eN.exe 28 PID 1656 wrote to memory of 1892 1656 311b212e0e782ebc29bbee9ca949af52b318adb70b395fb311c2086936a5f32eN.exe 28 PID 1656 wrote to memory of 1892 1656 311b212e0e782ebc29bbee9ca949af52b318adb70b395fb311c2086936a5f32eN.exe 28 PID 1656 wrote to memory of 1892 1656 311b212e0e782ebc29bbee9ca949af52b318adb70b395fb311c2086936a5f32eN.exe 28 PID 1892 wrote to memory of 2032 1892 Bncaekhp.exe 29 PID 1892 wrote to memory of 2032 1892 Bncaekhp.exe 29 PID 1892 wrote to memory of 2032 1892 Bncaekhp.exe 29 PID 1892 wrote to memory of 2032 1892 Bncaekhp.exe 29 PID 2032 wrote to memory of 1644 2032 Cadjgf32.exe 30 PID 2032 wrote to memory of 1644 2032 Cadjgf32.exe 30 PID 2032 wrote to memory of 1644 2032 Cadjgf32.exe 30 PID 2032 wrote to memory of 1644 2032 Cadjgf32.exe 30 PID 1644 wrote to memory of 1224 1644 Cebcmdlg.exe 31 PID 1644 wrote to memory of 1224 1644 Cebcmdlg.exe 31 PID 1644 wrote to memory of 1224 1644 Cebcmdlg.exe 31 PID 1644 wrote to memory of 1224 1644 Cebcmdlg.exe 31 PID 1224 wrote to memory of 2832 1224 Caidaeak.exe 32 PID 1224 wrote to memory of 2832 1224 Caidaeak.exe 32 PID 1224 wrote to memory of 2832 1224 Caidaeak.exe 32 PID 1224 wrote to memory of 2832 1224 Caidaeak.exe 32 PID 2832 wrote to memory of 2648 2832 Cdgpnqpo.exe 33 PID 2832 wrote to memory of 2648 2832 Cdgpnqpo.exe 33 PID 2832 wrote to memory of 2648 2832 Cdgpnqpo.exe 33 PID 2832 wrote to memory of 2648 2832 Cdgpnqpo.exe 33 PID 2648 wrote to memory of 2764 2648 Danmmd32.exe 34 PID 2648 wrote to memory of 2764 2648 Danmmd32.exe 34 PID 2648 wrote to memory of 2764 2648 Danmmd32.exe 34 PID 2648 wrote to memory of 2764 2648 Danmmd32.exe 34 PID 2764 wrote to memory of 2576 2764 Dkfbfjdf.exe 35 PID 2764 wrote to memory of 2576 2764 Dkfbfjdf.exe 35 PID 2764 wrote to memory of 2576 2764 Dkfbfjdf.exe 35 PID 2764 wrote to memory of 2576 2764 Dkfbfjdf.exe 35 PID 2576 wrote to memory of 2596 2576 Dcccpl32.exe 36 PID 2576 wrote to memory of 2596 2576 Dcccpl32.exe 36 PID 2576 wrote to memory of 2596 2576 Dcccpl32.exe 36 PID 2576 wrote to memory of 2596 2576 Dcccpl32.exe 36 PID 2596 wrote to memory of 2572 2596 Dllhhaep.exe 37 PID 2596 wrote to memory of 2572 2596 Dllhhaep.exe 37 PID 2596 wrote to memory of 2572 2596 Dllhhaep.exe 37 PID 2596 wrote to memory of 2572 2596 Dllhhaep.exe 37 PID 2572 wrote to memory of 1556 2572 Eheecbia.exe 38 PID 2572 wrote to memory of 1556 2572 Eheecbia.exe 38 PID 2572 wrote to memory of 1556 2572 Eheecbia.exe 38 PID 2572 wrote to memory of 1556 2572 Eheecbia.exe 38 PID 1556 wrote to memory of 1688 1556 Ehgbhbgn.exe 39 PID 1556 wrote to memory of 1688 1556 Ehgbhbgn.exe 39 PID 1556 wrote to memory of 1688 1556 Ehgbhbgn.exe 39 PID 1556 wrote to memory of 1688 1556 Ehgbhbgn.exe 39 PID 1688 wrote to memory of 1252 1688 Endjaief.exe 40 PID 1688 wrote to memory of 1252 1688 Endjaief.exe 40 PID 1688 wrote to memory of 1252 1688 Endjaief.exe 40 PID 1688 wrote to memory of 1252 1688 Endjaief.exe 40 PID 1252 wrote to memory of 2880 1252 Eccpoo32.exe 41 PID 1252 wrote to memory of 2880 1252 Eccpoo32.exe 41 PID 1252 wrote to memory of 2880 1252 Eccpoo32.exe 41 PID 1252 wrote to memory of 2880 1252 Eccpoo32.exe 41 PID 2880 wrote to memory of 332 2880 Ecfldoph.exe 42 PID 2880 wrote to memory of 332 2880 Ecfldoph.exe 42 PID 2880 wrote to memory of 332 2880 Ecfldoph.exe 42 PID 2880 wrote to memory of 332 2880 Ecfldoph.exe 42 PID 332 wrote to memory of 2080 332 Ejpdai32.exe 43 PID 332 wrote to memory of 2080 332 Ejpdai32.exe 43 PID 332 wrote to memory of 2080 332 Ejpdai32.exe 43 PID 332 wrote to memory of 2080 332 Ejpdai32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\311b212e0e782ebc29bbee9ca949af52b318adb70b395fb311c2086936a5f32eN.exe"C:\Users\Admin\AppData\Local\Temp\311b212e0e782ebc29bbee9ca949af52b318adb70b395fb311c2086936a5f32eN.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\SysWOW64\Bncaekhp.exeC:\Windows\system32\Bncaekhp.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1892 -
C:\Windows\SysWOW64\Cadjgf32.exeC:\Windows\system32\Cadjgf32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Windows\SysWOW64\Cebcmdlg.exeC:\Windows\system32\Cebcmdlg.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Windows\SysWOW64\Caidaeak.exeC:\Windows\system32\Caidaeak.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1224 -
C:\Windows\SysWOW64\Cdgpnqpo.exeC:\Windows\system32\Cdgpnqpo.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\Danmmd32.exeC:\Windows\system32\Danmmd32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Dkfbfjdf.exeC:\Windows\system32\Dkfbfjdf.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Dcccpl32.exeC:\Windows\system32\Dcccpl32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\SysWOW64\Dllhhaep.exeC:\Windows\system32\Dllhhaep.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Eheecbia.exeC:\Windows\system32\Eheecbia.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\SysWOW64\Ehgbhbgn.exeC:\Windows\system32\Ehgbhbgn.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1556 -
C:\Windows\SysWOW64\Endjaief.exeC:\Windows\system32\Endjaief.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Windows\SysWOW64\Eccpoo32.exeC:\Windows\system32\Eccpoo32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1252 -
C:\Windows\SysWOW64\Ecfldoph.exeC:\Windows\system32\Ecfldoph.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\Ejpdai32.exeC:\Windows\system32\Ejpdai32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:332 -
C:\Windows\SysWOW64\Fcjeon32.exeC:\Windows\system32\Fcjeon32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2080 -
C:\Windows\SysWOW64\Foafdoag.exeC:\Windows\system32\Foafdoag.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:448 -
C:\Windows\SysWOW64\Fbbofjnh.exeC:\Windows\system32\Fbbofjnh.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2264 -
C:\Windows\SysWOW64\Fdpkbf32.exeC:\Windows\system32\Fdpkbf32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:940 -
C:\Windows\SysWOW64\Fnipkkdl.exeC:\Windows\system32\Fnipkkdl.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:696 -
C:\Windows\SysWOW64\Fqglggcp.exeC:\Windows\system32\Fqglggcp.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2200 -
C:\Windows\SysWOW64\Gnkmqkbi.exeC:\Windows\system32\Gnkmqkbi.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:772 -
C:\Windows\SysWOW64\Gbfiaj32.exeC:\Windows\system32\Gbfiaj32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1476 -
C:\Windows\SysWOW64\Gnmifk32.exeC:\Windows\system32\Gnmifk32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1868 -
C:\Windows\SysWOW64\Gmpjagfa.exeC:\Windows\system32\Gmpjagfa.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2304 -
C:\Windows\SysWOW64\Gnpflj32.exeC:\Windows\system32\Gnpflj32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2028 -
C:\Windows\SysWOW64\Gmbfggdo.exeC:\Windows\system32\Gmbfggdo.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1628 -
C:\Windows\SysWOW64\Gmecmg32.exeC:\Windows\system32\Gmecmg32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1924 -
C:\Windows\SysWOW64\Gpcoib32.exeC:\Windows\system32\Gpcoib32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2176 -
C:\Windows\SysWOW64\Gmgpbf32.exeC:\Windows\system32\Gmgpbf32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1940 -
C:\Windows\SysWOW64\Gcahoqhf.exeC:\Windows\system32\Gcahoqhf.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2828 -
C:\Windows\SysWOW64\Hinqgg32.exeC:\Windows\system32\Hinqgg32.exe33⤵
- Executes dropped EXE
PID:1884 -
C:\Windows\SysWOW64\Hbfepmmn.exeC:\Windows\system32\Hbfepmmn.exe34⤵
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Hbiaemkk.exeC:\Windows\system32\Hbiaemkk.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2732 -
C:\Windows\SysWOW64\Hegnahjo.exeC:\Windows\system32\Hegnahjo.exe36⤵
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Hbknkl32.exeC:\Windows\system32\Hbknkl32.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2536 -
C:\Windows\SysWOW64\Hjfcpo32.exeC:\Windows\system32\Hjfcpo32.exe38⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Ipehmebh.exeC:\Windows\system32\Ipehmebh.exe39⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Ifoqjo32.exeC:\Windows\system32\Ifoqjo32.exe40⤵
- Executes dropped EXE
PID:1488 -
C:\Windows\SysWOW64\Iipiljgf.exeC:\Windows\system32\Iipiljgf.exe41⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Ipjahd32.exeC:\Windows\system32\Ipjahd32.exe42⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Imnbbi32.exeC:\Windows\system32\Imnbbi32.exe43⤵
- Executes dropped EXE
PID:1960 -
C:\Windows\SysWOW64\Ioooiack.exeC:\Windows\system32\Ioooiack.exe44⤵
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Ipokcdjn.exeC:\Windows\system32\Ipokcdjn.exe45⤵
- Executes dropped EXE
PID:1020 -
C:\Windows\SysWOW64\Ibmgpoia.exeC:\Windows\system32\Ibmgpoia.exe46⤵
- Executes dropped EXE
PID:328 -
C:\Windows\SysWOW64\Jlelhe32.exeC:\Windows\system32\Jlelhe32.exe47⤵
- Executes dropped EXE
PID:2072 -
C:\Windows\SysWOW64\Jabdql32.exeC:\Windows\system32\Jabdql32.exe48⤵
- Executes dropped EXE
PID:1752 -
C:\Windows\SysWOW64\Jniefm32.exeC:\Windows\system32\Jniefm32.exe49⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Jaeafklf.exeC:\Windows\system32\Jaeafklf.exe50⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Jdcmbgkj.exeC:\Windows\system32\Jdcmbgkj.exe51⤵
- Executes dropped EXE
PID:1548 -
C:\Windows\SysWOW64\Jkmeoa32.exeC:\Windows\system32\Jkmeoa32.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1872 -
C:\Windows\SysWOW64\Jnkakl32.exeC:\Windows\system32\Jnkakl32.exe53⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Jdejhfig.exeC:\Windows\system32\Jdejhfig.exe54⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Jjbbpmgo.exeC:\Windows\system32\Jjbbpmgo.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Jaijak32.exeC:\Windows\system32\Jaijak32.exe56⤵
- Executes dropped EXE
PID:804 -
C:\Windows\SysWOW64\Jkbojpna.exeC:\Windows\system32\Jkbojpna.exe57⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Jjdofm32.exeC:\Windows\system32\Jjdofm32.exe58⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Jlckbh32.exeC:\Windows\system32\Jlckbh32.exe59⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Kcmcoblm.exeC:\Windows\system32\Kcmcoblm.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2692 -
C:\Windows\SysWOW64\Kpadhg32.exeC:\Windows\system32\Kpadhg32.exe61⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Koddccaa.exeC:\Windows\system32\Koddccaa.exe62⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Kofaicon.exeC:\Windows\system32\Kofaicon.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2256 -
C:\Windows\SysWOW64\Kbdmeoob.exeC:\Windows\system32\Kbdmeoob.exe64⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Kjleflod.exeC:\Windows\system32\Kjleflod.exe65⤵
- Executes dropped EXE
PID:1848 -
C:\Windows\SysWOW64\Kkmand32.exeC:\Windows\system32\Kkmand32.exe66⤵PID:1160
-
C:\Windows\SysWOW64\Kbgjkn32.exeC:\Windows\system32\Kbgjkn32.exe67⤵PID:2096
-
C:\Windows\SysWOW64\Kdefgj32.exeC:\Windows\system32\Kdefgj32.exe68⤵PID:1264
-
C:\Windows\SysWOW64\Kkoncdcp.exeC:\Windows\system32\Kkoncdcp.exe69⤵PID:1720
-
C:\Windows\SysWOW64\Knnkpobc.exeC:\Windows\system32\Knnkpobc.exe70⤵PID:1032
-
C:\Windows\SysWOW64\Kbigpn32.exeC:\Windows\system32\Kbigpn32.exe71⤵PID:2604
-
C:\Windows\SysWOW64\Kgfoie32.exeC:\Windows\system32\Kgfoie32.exe72⤵
- Modifies registry class
PID:2424 -
C:\Windows\SysWOW64\Lkakicam.exeC:\Windows\system32\Lkakicam.exe73⤵PID:2464
-
C:\Windows\SysWOW64\Lblcfnhj.exeC:\Windows\system32\Lblcfnhj.exe74⤵PID:2816
-
C:\Windows\SysWOW64\Lghlndfa.exeC:\Windows\system32\Lghlndfa.exe75⤵PID:2000
-
C:\Windows\SysWOW64\Ljghjpfe.exeC:\Windows\system32\Ljghjpfe.exe76⤵PID:2384
-
C:\Windows\SysWOW64\Lqqpgj32.exeC:\Windows\system32\Lqqpgj32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2544 -
C:\Windows\SysWOW64\Lcomce32.exeC:\Windows\system32\Lcomce32.exe78⤵PID:376
-
C:\Windows\SysWOW64\Lgkhdddo.exeC:\Windows\system32\Lgkhdddo.exe79⤵PID:2492
-
C:\Windows\SysWOW64\Ljieppcb.exeC:\Windows\system32\Ljieppcb.exe80⤵PID:1724
-
C:\Windows\SysWOW64\Lmgalkcf.exeC:\Windows\system32\Lmgalkcf.exe81⤵PID:1664
-
C:\Windows\SysWOW64\Lgmeid32.exeC:\Windows\system32\Lgmeid32.exe82⤵
- Drops file in System32 directory
PID:3044 -
C:\Windows\SysWOW64\Lfpeeqig.exeC:\Windows\system32\Lfpeeqig.exe83⤵PID:2868
-
C:\Windows\SysWOW64\Lmjnak32.exeC:\Windows\system32\Lmjnak32.exe84⤵
- Modifies registry class
PID:604 -
C:\Windows\SysWOW64\Lqejbiim.exeC:\Windows\system32\Lqejbiim.exe85⤵PID:1840
-
C:\Windows\SysWOW64\Lgoboc32.exeC:\Windows\system32\Lgoboc32.exe86⤵PID:936
-
C:\Windows\SysWOW64\Lqhfhigj.exeC:\Windows\system32\Lqhfhigj.exe87⤵PID:1552
-
C:\Windows\SysWOW64\Lbicoamh.exeC:\Windows\system32\Lbicoamh.exe88⤵PID:2352
-
C:\Windows\SysWOW64\Micklk32.exeC:\Windows\system32\Micklk32.exe89⤵PID:1424
-
C:\Windows\SysWOW64\Mmogmjmn.exeC:\Windows\system32\Mmogmjmn.exe90⤵PID:2360
-
C:\Windows\SysWOW64\Mpmcielb.exeC:\Windows\system32\Mpmcielb.exe91⤵PID:2804
-
C:\Windows\SysWOW64\Mbkpeake.exeC:\Windows\system32\Mbkpeake.exe92⤵PID:1996
-
C:\Windows\SysWOW64\Mnbpjb32.exeC:\Windows\system32\Mnbpjb32.exe93⤵PID:2952
-
C:\Windows\SysWOW64\Mbnljqic.exeC:\Windows\system32\Mbnljqic.exe94⤵PID:2532
-
C:\Windows\SysWOW64\Mndmoaog.exeC:\Windows\system32\Mndmoaog.exe95⤵PID:1932
-
C:\Windows\SysWOW64\Macilmnk.exeC:\Windows\system32\Macilmnk.exe96⤵PID:2580
-
C:\Windows\SysWOW64\Mjkndb32.exeC:\Windows\system32\Mjkndb32.exe97⤵PID:484
-
C:\Windows\SysWOW64\Mngjeamd.exeC:\Windows\system32\Mngjeamd.exe98⤵PID:540
-
C:\Windows\SysWOW64\Maefamlh.exeC:\Windows\system32\Maefamlh.exe99⤵PID:1948
-
C:\Windows\SysWOW64\Mhonngce.exeC:\Windows\system32\Mhonngce.exe100⤵
- Modifies registry class
PID:2612 -
C:\Windows\SysWOW64\Nmlgfnal.exeC:\Windows\system32\Nmlgfnal.exe101⤵
- System Location Discovery: System Language Discovery
PID:2320 -
C:\Windows\SysWOW64\Necogkbo.exeC:\Windows\system32\Necogkbo.exe102⤵PID:1028
-
C:\Windows\SysWOW64\Nfdkoc32.exeC:\Windows\system32\Nfdkoc32.exe103⤵PID:2184
-
C:\Windows\SysWOW64\Nnkcpq32.exeC:\Windows\system32\Nnkcpq32.exe104⤵PID:2192
-
C:\Windows\SysWOW64\Najpll32.exeC:\Windows\system32\Najpll32.exe105⤵PID:2784
-
C:\Windows\SysWOW64\Npmphinm.exeC:\Windows\system32\Npmphinm.exe106⤵PID:2336
-
C:\Windows\SysWOW64\Nmqpam32.exeC:\Windows\system32\Nmqpam32.exe107⤵PID:2660
-
C:\Windows\SysWOW64\Nallalep.exeC:\Windows\system32\Nallalep.exe108⤵PID:2040
-
C:\Windows\SysWOW64\Ndkhngdd.exeC:\Windows\system32\Ndkhngdd.exe109⤵PID:1864
-
C:\Windows\SysWOW64\Nigafnck.exeC:\Windows\system32\Nigafnck.exe110⤵PID:2944
-
C:\Windows\SysWOW64\Nlfmbibo.exeC:\Windows\system32\Nlfmbibo.exe111⤵PID:1080
-
C:\Windows\SysWOW64\Nijnln32.exeC:\Windows\system32\Nijnln32.exe112⤵PID:2140
-
C:\Windows\SysWOW64\Npdfhhhe.exeC:\Windows\system32\Npdfhhhe.exe113⤵
- System Location Discovery: System Language Discovery
PID:896 -
C:\Windows\SysWOW64\Nbbbdcgi.exeC:\Windows\system32\Nbbbdcgi.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1788 -
C:\Windows\SysWOW64\Ohojmjep.exeC:\Windows\system32\Ohojmjep.exe115⤵
- Modifies registry class
PID:3000 -
C:\Windows\SysWOW64\Olkfmi32.exeC:\Windows\system32\Olkfmi32.exe116⤵PID:1436
-
C:\Windows\SysWOW64\Ookpodkj.exeC:\Windows\system32\Ookpodkj.exe117⤵PID:792
-
C:\Windows\SysWOW64\Oajlkojn.exeC:\Windows\system32\Oajlkojn.exe118⤵PID:2456
-
C:\Windows\SysWOW64\Odhhgkib.exeC:\Windows\system32\Odhhgkib.exe119⤵PID:2772
-
C:\Windows\SysWOW64\Olophhjd.exeC:\Windows\system32\Olophhjd.exe120⤵PID:2564
-
C:\Windows\SysWOW64\Okbpde32.exeC:\Windows\system32\Okbpde32.exe121⤵PID:1408
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-