Analysis
-
max time kernel
104s -
max time network
105s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
27-10-2024 12:08
Behavioral task
behavioral1
Sample
311b212e0e782ebc29bbee9ca949af52b318adb70b395fb311c2086936a5f32eN.exe
Resource
win7-20241010-en
windows7-x64
12 signatures
120 seconds
General
-
Target
311b212e0e782ebc29bbee9ca949af52b318adb70b395fb311c2086936a5f32eN.exe
-
Size
337KB
-
MD5
332f6c1f972c3fc29723ce08623d7620
-
SHA1
93195b73f6108feb3ea6b7dc6db6176f7c7fc75e
-
SHA256
311b212e0e782ebc29bbee9ca949af52b318adb70b395fb311c2086936a5f32e
-
SHA512
06e69820afee8a2fa973a1de9cfeb9dd3f2de5a7304463d6a6d75e2e811f16d309916e908b0765eed63c8e66591f032052cdd7b9b700c8780b911dd01124cbbb
-
SSDEEP
3072:Vipg9GFaPARLX4F7gYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:VwZEWLIF71+fIyG5jZkCwi8r
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Kqmkae32.exeHlpfhe32.exeFlkdfh32.exeIbobdqid.exeLijlof32.exeMeepdp32.exeLjeafb32.exeIpkdek32.exeLicfngjd.exeFpjcgm32.exeKjlopc32.exeDddllkbf.exeDgeenfog.exeJniood32.exeJqiipljg.exeJddnfd32.exeClgbmp32.exeLoighj32.exeKakmna32.exeEhcfaboo.exeIahlcaol.exeBcahmb32.exeKgnbdh32.exeBklomh32.exeEqiibjlj.exeIhgnkkbd.exeJbaojpgb.exeFbbpmb32.exeGimqajgh.exeIgdgglfl.exeHjhalefe.exeCfqmpl32.exeJgbchj32.exeDfdpad32.exeIfomll32.exeJcdjbk32.exeKnkekn32.exeEoepebho.exeHdpbon32.exeInomhbeq.exePdkoch32.exeImgicgca.exeOfkgcobj.exeAaldccip.exeFqppci32.exeNlmdbh32.exeGfhndpol.exeKhgbqkhj.exeGgpbjkpl.exePlmmif32.exeDkahilkl.exeOgcnmc32.exeLokdnjkg.exeMcpcdg32.exeMqkiok32.exeMlpokp32.exeAfkknogn.exeBohibc32.exedescription ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kqmkae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlpfhe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flkdfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibobdqid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lijlof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Meepdp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljeafb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipkdek32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Licfngjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpjcgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjlopc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dddllkbf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgeenfog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jniood32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jqiipljg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jddnfd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clgbmp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Loighj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kakmna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehcfaboo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iahlcaol.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcahmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgnbdh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bklomh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eqiibjlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihgnkkbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbaojpgb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbbpmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gimqajgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igdgglfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjhalefe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfqmpl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgbchj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfdpad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifomll32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcdjbk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knkekn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eoepebho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdpbon32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inomhbeq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdkoch32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imgicgca.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofkgcobj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aaldccip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fqppci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlmdbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfhndpol.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khgbqkhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggpbjkpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plmmif32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkahilkl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogcnmc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lokdnjkg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcpcdg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqkiok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlpokp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afkknogn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bohibc32.exe -
Berbew family
-
Njrat family
-
Executes dropped EXE 64 IoCs
Processes:
Ehcfaboo.exeEjbbmnnb.exeEpokedmj.exeEjdocm32.exeEpagkd32.exeEjflhm32.exeEpcdqd32.exeFkihnmhj.exeFacqkg32.exeFhmigagd.exeFmjaphek.exeFphnlcdo.exeFdcjlb32.exeFgbfhmll.exeFpjjac32.exeFkpool32.exeFajgkfio.exeFhdohp32.exeFmqgpgoc.exeFhflnpoi.exeGigheh32.exeGpaqbbld.exeGgkiol32.exeGaamlecg.exeGdoihpbk.exeGhkeio32.exeGilapgqb.exeGdafnpqh.exeGgpbjkpl.exeGinnfgop.exeGgbook32.exeGnlgleef.exeGpkchqdj.exeHgelek32.exeHnodaecc.exeHajpbckl.exeHdilnojp.exeHgghjjid.exeHnaqgd32.exeHpomcp32.exeHhfedm32.exeHkeaqi32.exeHjhalefe.exeHaoimcgg.exeHhiajmod.exeHglaej32.exeHjjnae32.exeHaafcb32.exeHdpbon32.exeHgnoki32.exeHjlkge32.exeHacbhb32.exeIdbodn32.exeIgqkqiai.exeIjogmdqm.exeIddljmpc.exeIjadbdoj.exeIahlcaol.exeIhbdplfi.exeIkqqlgem.exeInomhbeq.exeIqmidndd.exeIkcmbfcj.exeInainbcn.exepid Process 3380 Ehcfaboo.exe 2352 Ejbbmnnb.exe 392 Epokedmj.exe 524 Ejdocm32.exe 1368 Epagkd32.exe 1824 Ejflhm32.exe 116 Epcdqd32.exe 112 Fkihnmhj.exe 3844 Facqkg32.exe 2680 Fhmigagd.exe 2068 Fmjaphek.exe 5104 Fphnlcdo.exe 2152 Fdcjlb32.exe 372 Fgbfhmll.exe 4980 Fpjjac32.exe 3816 Fkpool32.exe 1500 Fajgkfio.exe 860 Fhdohp32.exe 2600 Fmqgpgoc.exe 3140 Fhflnpoi.exe 3392 Gigheh32.exe 2880 Gpaqbbld.exe 1944 Ggkiol32.exe 436 Gaamlecg.exe 3324 Gdoihpbk.exe 3448 Ghkeio32.exe 3604 Gilapgqb.exe 4104 Gdafnpqh.exe 3620 Ggpbjkpl.exe 3288 Ginnfgop.exe 5012 Ggbook32.exe 3936 Gnlgleef.exe 1172 Gpkchqdj.exe 1512 Hgelek32.exe 4300 Hnodaecc.exe 5088 Hajpbckl.exe 3304 Hdilnojp.exe 4616 Hgghjjid.exe 388 Hnaqgd32.exe 5064 Hpomcp32.exe 3664 Hhfedm32.exe 1560 Hkeaqi32.exe 1112 Hjhalefe.exe 2272 Haoimcgg.exe 1612 Hhiajmod.exe 1420 Hglaej32.exe 3388 Hjjnae32.exe 3032 Haafcb32.exe 1908 Hdpbon32.exe 912 Hgnoki32.exe 3612 Hjlkge32.exe 2404 Hacbhb32.exe 3588 Idbodn32.exe 664 Igqkqiai.exe 1252 Ijogmdqm.exe 348 Iddljmpc.exe 4316 Ijadbdoj.exe 3436 Iahlcaol.exe 2712 Ihbdplfi.exe 4468 Ikqqlgem.exe 2432 Inomhbeq.exe 1648 Iqmidndd.exe 1464 Ikcmbfcj.exe 312 Inainbcn.exe -
Drops file in System32 directory 64 IoCs
Processes:
Eghkjdoa.exeHicpgc32.exeJpnakk32.exeEhcfaboo.exeJlobkg32.exeLqpamb32.exeGgbook32.exeEbnfbcbc.exeLddgmbpb.exeHolfoqcm.exeKpoalo32.exeOcgbld32.exeCpdgqmnb.exeLljdai32.exeEppqqn32.exeAmjillkj.exeAknifq32.exeBblnindg.exeDmoohe32.exeGfeaopqo.exeIbaeen32.exeCggimh32.exeGpkchqdj.exeOldamm32.exeAjbmdn32.exeHbgkei32.exeBmofagfp.exeIinqbn32.exeOlanmgig.exeLancko32.exe311b212e0e782ebc29bbee9ca949af52b318adb70b395fb311c2086936a5f32eN.exeKageaj32.exeOlbdhn32.exePlmmif32.exeLjqhkckn.exeAdfgdpmi.exeFijdjfdb.exeDbndfl32.exeFfaong32.exeMjdebfnd.exeAkpoaj32.exeBnoddcef.exeLohqnd32.exeMbenmk32.exeAlnmjjdb.exeElgaeolp.exeOhlqcagj.exeEhlhih32.exeJhkbdmbg.exeEgcaod32.exeGghdaa32.exeEfccmidp.exeNhmofj32.exeHbohpn32.exeFacqkg32.exeEbgpad32.exeIeojgc32.exedescription ioc Process File created C:\Windows\SysWOW64\Fnbcgn32.exe Eghkjdoa.exe File opened for modification C:\Windows\SysWOW64\Hhfpbpdo.exe Hicpgc32.exe File created C:\Windows\SysWOW64\Flinad32.dll Jpnakk32.exe File created C:\Windows\SysWOW64\Pafkgphl.exe File opened for modification C:\Windows\SysWOW64\Ejbbmnnb.exe Ehcfaboo.exe File opened for modification C:\Windows\SysWOW64\Jcikgacl.exe Jlobkg32.exe File created C:\Windows\SysWOW64\Lekmnajj.exe Lqpamb32.exe File created C:\Windows\SysWOW64\Gnlgleef.exe Ggbook32.exe File created C:\Windows\SysWOW64\Felbnn32.exe Ebnfbcbc.exe File opened for modification C:\Windows\SysWOW64\Mapppn32.exe File created C:\Windows\SysWOW64\Hjcbmgnb.dll File created C:\Windows\SysWOW64\Lgccinoe.exe Lddgmbpb.exe File opened for modification C:\Windows\SysWOW64\Hfcnpn32.exe Holfoqcm.exe File created C:\Windows\SysWOW64\Ekfkeh32.dll Kpoalo32.exe File created C:\Windows\SysWOW64\Flhkmbmp.dll Ocgbld32.exe File created C:\Windows\SysWOW64\Cgnomg32.exe Cpdgqmnb.exe File created C:\Windows\SysWOW64\Lohqnd32.exe Lljdai32.exe File created C:\Windows\SysWOW64\Ebommi32.exe Eppqqn32.exe File created C:\Windows\SysWOW64\Aeaanjkl.exe Amjillkj.exe File created C:\Windows\SysWOW64\Amoljp32.dll Aknifq32.exe File created C:\Windows\SysWOW64\Bjbfklei.exe Bblnindg.exe File created C:\Windows\SysWOW64\Dcigeooj.exe Dmoohe32.exe File created C:\Windows\SysWOW64\Aknhkd32.dll Gfeaopqo.exe File created C:\Windows\SysWOW64\Qfgllk32.dll Ibaeen32.exe File created C:\Windows\SysWOW64\Cnaaib32.exe Cggimh32.exe File created C:\Windows\SysWOW64\Hgelek32.exe Gpkchqdj.exe File created C:\Windows\SysWOW64\Ajjjof32.dll Oldamm32.exe File opened for modification C:\Windows\SysWOW64\Akcjkfij.exe Ajbmdn32.exe File created C:\Windows\SysWOW64\Eajbghaq.dll Hbgkei32.exe File created C:\Windows\SysWOW64\Bcinna32.exe Bmofagfp.exe File created C:\Windows\SysWOW64\Nhmhbpmi.dll Iinqbn32.exe File created C:\Windows\SysWOW64\Hjpefo32.dll Olanmgig.exe File opened for modification C:\Windows\SysWOW64\Ljdkll32.exe Lancko32.exe File opened for modification C:\Windows\SysWOW64\Pcegclgp.exe File created C:\Windows\SysWOW64\Ehcfaboo.exe 311b212e0e782ebc29bbee9ca949af52b318adb70b395fb311c2086936a5f32eN.exe File created C:\Windows\SysWOW64\Blhdmebn.dll Kageaj32.exe File created C:\Windows\SysWOW64\Oblmdhdo.exe Olbdhn32.exe File created C:\Windows\SysWOW64\Ddalgo32.dll Plmmif32.exe File opened for modification C:\Windows\SysWOW64\Lnldla32.exe Ljqhkckn.exe File created C:\Windows\SysWOW64\Ahaceo32.exe Adfgdpmi.exe File created C:\Windows\SysWOW64\Jibclo32.dll Fijdjfdb.exe File created C:\Windows\SysWOW64\Dfjpfj32.exe Dbndfl32.exe File created C:\Windows\SysWOW64\Fpjcgm32.exe Ffaong32.exe File created C:\Windows\SysWOW64\Mmbanbmg.exe Mjdebfnd.exe File opened for modification C:\Windows\SysWOW64\Aokkahlo.exe Akpoaj32.exe File created C:\Windows\SysWOW64\Eehnaq32.dll Bnoddcef.exe File created C:\Windows\SysWOW64\Lafmjp32.exe Lohqnd32.exe File created C:\Windows\SysWOW64\Mecjif32.exe Mbenmk32.exe File opened for modification C:\Windows\SysWOW64\Aomifecf.exe Alnmjjdb.exe File created C:\Windows\SysWOW64\Ijagjini.dll Elgaeolp.exe File created C:\Windows\SysWOW64\Bdlgcp32.dll Ohlqcagj.exe File opened for modification C:\Windows\SysWOW64\Ekjded32.exe Ehlhih32.exe File created C:\Windows\SysWOW64\Joekag32.exe Jhkbdmbg.exe File opened for modification C:\Windows\SysWOW64\Ekonpckp.exe Egcaod32.exe File created C:\Windows\SysWOW64\Fmbdpnaj.dll Gghdaa32.exe File opened for modification C:\Windows\SysWOW64\Pfepdg32.exe File created C:\Windows\SysWOW64\Eiaoid32.exe Efccmidp.exe File created C:\Windows\SysWOW64\Gehcdm32.dll Nhmofj32.exe File created C:\Windows\SysWOW64\Jjofoqdn.dll Hbohpn32.exe File created C:\Windows\SysWOW64\Kednfemc.dll Facqkg32.exe File created C:\Windows\SysWOW64\Ghcjeh32.dll Ebgpad32.exe File created C:\Windows\SysWOW64\Gejimf32.dll File opened for modification C:\Windows\SysWOW64\Ilibdmgp.exe Ieojgc32.exe File created C:\Windows\SysWOW64\Fjoiip32.dll -
Program crash 1 IoCs
Processes:
pid pid_target Process procid_target 5836 5320 1195 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Haodle32.exeIqmidndd.exeKbbhqn32.exeBohbhmfm.exeEmjgim32.exeBgelgi32.exeIeojgc32.exeOklkdi32.exeBlhpqhlh.exeKjepjkhf.exeAokkahlo.exeEgcaod32.exeEnfckp32.exeMngegmbc.exeInjmcmej.exeIlmmni32.exeLekmnajj.exeAhmjjoig.exeGhkeio32.exeOhmhmh32.exeDkndie32.exeKabcopmg.exeQcaofebg.exeKkeldnpi.exeLqpamb32.exeEqncnj32.exeHiacacpg.exeKkpbin32.exeLqojclne.exeDhdbhifj.exeGeldkfpi.exeIbjqaf32.exeGppcmeem.exeNabfjpak.exeEkkkoj32.exeKcmfnd32.exeNobdbkhf.exeBhamkipi.exeEplgeokq.exeHolfoqcm.exeMjcngpjh.exeJbaojpgb.exePlejdkmm.exeEghkjdoa.exeHicpgc32.exeIjqmhnko.exeCofnik32.exeHlepcdoa.exeCaojpaij.exeKqmkae32.exeCacckp32.exeJkjcbe32.exeFbbpmb32.exeNpgmpf32.exePdhkcb32.exeFiggdg32.exeNaecop32.exeAhippdbe.exeKckqbj32.exeOlfghg32.exeBnoddcef.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Haodle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iqmidndd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbbhqn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bohbhmfm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emjgim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgelgi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieojgc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oklkdi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blhpqhlh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjepjkhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aokkahlo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egcaod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enfckp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mngegmbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Injmcmej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilmmni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lekmnajj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahmjjoig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghkeio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohmhmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkndie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kabcopmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcaofebg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkeldnpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqpamb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqncnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hiacacpg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkpbin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqojclne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhdbhifj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geldkfpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibjqaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gppcmeem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nabfjpak.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekkkoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcmfnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nobdbkhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhamkipi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eplgeokq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Holfoqcm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjcngpjh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbaojpgb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plejdkmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eghkjdoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hicpgc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijqmhnko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cofnik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlepcdoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caojpaij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kqmkae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cacckp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkjcbe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbbpmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npgmpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdhkcb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Figgdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Naecop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahippdbe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kckqbj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olfghg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnoddcef.exe -
Modifies registry class 64 IoCs
Processes:
Igqkqiai.exePefhlaie.exePkcadhgm.exeQikgco32.exeDmcain32.exeDngjff32.exeNnafno32.exeAdhdjpjf.exeFilapfbo.exeGfhndpol.exeLqojclne.exeJgcamf32.exeGdaociml.exeLnadagbm.exeEnpmld32.exeAagkhd32.exeIkejgf32.exeQkjgegae.exeOhcegi32.exeCamddhoi.exeMjodla32.exeOjajin32.exeFdnhih32.exeLicfngjd.exeEeelnp32.exeKeimof32.exeNmfcok32.exePjdpelnc.exeDdgibkpc.exeKnenkbio.exeFbbicl32.exeIbcjqgnm.exeHnaqgd32.exeIkcmbfcj.exeJlobkg32.exeKkconn32.exeOlanmgig.exeFeoodn32.exeJhkbdmbg.exeKnhakh32.exeGmojkj32.exeMqkiok32.exeNcqlkemc.exeKoonge32.exeIjogmdqm.exeLndham32.exeBcddcbab.exeDfefkkqp.exeAolblopj.exeEfpomccg.exeEpmmqheb.exeHlpfhe32.exeKjblje32.exeNafjjf32.exeOehlkc32.exePhganm32.exeLekmnajj.exeOodcdb32.exeIfomll32.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmemic32.dll" Igqkqiai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfmjef32.dll" Pefhlaie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feaabknn.dll" Pkcadhgm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qikgco32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmcain32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dngjff32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nnafno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Adhdjpjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Filapfbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgmchiim.dll" Gfhndpol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbmolo32.dll" Lqojclne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgcamf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdaociml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lnadagbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cboeai32.dll" Dngjff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Enpmld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aagkhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlmhkg32.dll" Ikejgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djpphb32.dll" Qkjgegae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccmbmpbk.dll" Ohcegi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Camddhoi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjodla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjodla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ojajin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdnhih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ildolk32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Licfngjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfbdfl32.dll" Eeelnp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Keimof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmfcok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjdpelnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddgibkpc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfiedd32.dll" Knenkbio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbbicl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibcjqgnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jedohked.dll" Hnaqgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocaegbjb.dll" Ikcmbfcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdnpclpq.dll" Jlobkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hleoiomo.dll" Kkconn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olanmgig.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Feoodn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jhkbdmbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lafnnj32.dll" Knhakh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmojkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mqkiok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncqlkemc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiidnkam.dll" Koonge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Piomhofd.dll" Ijogmdqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lndham32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlmgnn32.dll" Bcddcbab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfefkkqp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aolblopj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifaciolc.dll" Efpomccg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Epmmqheb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hlpfhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjblje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nafjjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingcceof.dll" Oehlkc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phganm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lekmnajj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oodcdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnfiop32.dll" Ifomll32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
311b212e0e782ebc29bbee9ca949af52b318adb70b395fb311c2086936a5f32eN.exeEhcfaboo.exeEjbbmnnb.exeEpokedmj.exeEjdocm32.exeEpagkd32.exeEjflhm32.exeEpcdqd32.exeFkihnmhj.exeFacqkg32.exeFhmigagd.exeFmjaphek.exeFphnlcdo.exeFdcjlb32.exeFgbfhmll.exeFpjjac32.exeFkpool32.exeFajgkfio.exeFhdohp32.exeFmqgpgoc.exeFhflnpoi.exeGigheh32.exedescription pid Process procid_target PID 1228 wrote to memory of 3380 1228 311b212e0e782ebc29bbee9ca949af52b318adb70b395fb311c2086936a5f32eN.exe 84 PID 1228 wrote to memory of 3380 1228 311b212e0e782ebc29bbee9ca949af52b318adb70b395fb311c2086936a5f32eN.exe 84 PID 1228 wrote to memory of 3380 1228 311b212e0e782ebc29bbee9ca949af52b318adb70b395fb311c2086936a5f32eN.exe 84 PID 3380 wrote to memory of 2352 3380 Ehcfaboo.exe 85 PID 3380 wrote to memory of 2352 3380 Ehcfaboo.exe 85 PID 3380 wrote to memory of 2352 3380 Ehcfaboo.exe 85 PID 2352 wrote to memory of 392 2352 Ejbbmnnb.exe 86 PID 2352 wrote to memory of 392 2352 Ejbbmnnb.exe 86 PID 2352 wrote to memory of 392 2352 Ejbbmnnb.exe 86 PID 392 wrote to memory of 524 392 Epokedmj.exe 87 PID 392 wrote to memory of 524 392 Epokedmj.exe 87 PID 392 wrote to memory of 524 392 Epokedmj.exe 87 PID 524 wrote to memory of 1368 524 Ejdocm32.exe 88 PID 524 wrote to memory of 1368 524 Ejdocm32.exe 88 PID 524 wrote to memory of 1368 524 Ejdocm32.exe 88 PID 1368 wrote to memory of 1824 1368 Epagkd32.exe 89 PID 1368 wrote to memory of 1824 1368 Epagkd32.exe 89 PID 1368 wrote to memory of 1824 1368 Epagkd32.exe 89 PID 1824 wrote to memory of 116 1824 Ejflhm32.exe 90 PID 1824 wrote to memory of 116 1824 Ejflhm32.exe 90 PID 1824 wrote to memory of 116 1824 Ejflhm32.exe 90 PID 116 wrote to memory of 112 116 Epcdqd32.exe 91 PID 116 wrote to memory of 112 116 Epcdqd32.exe 91 PID 116 wrote to memory of 112 116 Epcdqd32.exe 91 PID 112 wrote to memory of 3844 112 Fkihnmhj.exe 92 PID 112 wrote to memory of 3844 112 Fkihnmhj.exe 92 PID 112 wrote to memory of 3844 112 Fkihnmhj.exe 92 PID 3844 wrote to memory of 2680 3844 Facqkg32.exe 93 PID 3844 wrote to memory of 2680 3844 Facqkg32.exe 93 PID 3844 wrote to memory of 2680 3844 Facqkg32.exe 93 PID 2680 wrote to memory of 2068 2680 Fhmigagd.exe 94 PID 2680 wrote to memory of 2068 2680 Fhmigagd.exe 94 PID 2680 wrote to memory of 2068 2680 Fhmigagd.exe 94 PID 2068 wrote to memory of 5104 2068 Fmjaphek.exe 95 PID 2068 wrote to memory of 5104 2068 Fmjaphek.exe 95 PID 2068 wrote to memory of 5104 2068 Fmjaphek.exe 95 PID 5104 wrote to memory of 2152 5104 Fphnlcdo.exe 97 PID 5104 wrote to memory of 2152 5104 Fphnlcdo.exe 97 PID 5104 wrote to memory of 2152 5104 Fphnlcdo.exe 97 PID 2152 wrote to memory of 372 2152 Fdcjlb32.exe 98 PID 2152 wrote to memory of 372 2152 Fdcjlb32.exe 98 PID 2152 wrote to memory of 372 2152 Fdcjlb32.exe 98 PID 372 wrote to memory of 4980 372 Fgbfhmll.exe 99 PID 372 wrote to memory of 4980 372 Fgbfhmll.exe 99 PID 372 wrote to memory of 4980 372 Fgbfhmll.exe 99 PID 4980 wrote to memory of 3816 4980 Fpjjac32.exe 100 PID 4980 wrote to memory of 3816 4980 Fpjjac32.exe 100 PID 4980 wrote to memory of 3816 4980 Fpjjac32.exe 100 PID 3816 wrote to memory of 1500 3816 Fkpool32.exe 102 PID 3816 wrote to memory of 1500 3816 Fkpool32.exe 102 PID 3816 wrote to memory of 1500 3816 Fkpool32.exe 102 PID 1500 wrote to memory of 860 1500 Fajgkfio.exe 103 PID 1500 wrote to memory of 860 1500 Fajgkfio.exe 103 PID 1500 wrote to memory of 860 1500 Fajgkfio.exe 103 PID 860 wrote to memory of 2600 860 Fhdohp32.exe 104 PID 860 wrote to memory of 2600 860 Fhdohp32.exe 104 PID 860 wrote to memory of 2600 860 Fhdohp32.exe 104 PID 2600 wrote to memory of 3140 2600 Fmqgpgoc.exe 105 PID 2600 wrote to memory of 3140 2600 Fmqgpgoc.exe 105 PID 2600 wrote to memory of 3140 2600 Fmqgpgoc.exe 105 PID 3140 wrote to memory of 3392 3140 Fhflnpoi.exe 107 PID 3140 wrote to memory of 3392 3140 Fhflnpoi.exe 107 PID 3140 wrote to memory of 3392 3140 Fhflnpoi.exe 107 PID 3392 wrote to memory of 2880 3392 Gigheh32.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\311b212e0e782ebc29bbee9ca949af52b318adb70b395fb311c2086936a5f32eN.exe"C:\Users\Admin\AppData\Local\Temp\311b212e0e782ebc29bbee9ca949af52b318adb70b395fb311c2086936a5f32eN.exe"1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1228 -
C:\Windows\SysWOW64\Ehcfaboo.exeC:\Windows\system32\Ehcfaboo.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3380 -
C:\Windows\SysWOW64\Ejbbmnnb.exeC:\Windows\system32\Ejbbmnnb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\Epokedmj.exeC:\Windows\system32\Epokedmj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:392 -
C:\Windows\SysWOW64\Ejdocm32.exeC:\Windows\system32\Ejdocm32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:524 -
C:\Windows\SysWOW64\Epagkd32.exeC:\Windows\system32\Epagkd32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1368 -
C:\Windows\SysWOW64\Ejflhm32.exeC:\Windows\system32\Ejflhm32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1824 -
C:\Windows\SysWOW64\Epcdqd32.exeC:\Windows\system32\Epcdqd32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:116 -
C:\Windows\SysWOW64\Fkihnmhj.exeC:\Windows\system32\Fkihnmhj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:112 -
C:\Windows\SysWOW64\Facqkg32.exeC:\Windows\system32\Facqkg32.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3844 -
C:\Windows\SysWOW64\Fhmigagd.exeC:\Windows\system32\Fhmigagd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Fmjaphek.exeC:\Windows\system32\Fmjaphek.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Windows\SysWOW64\Fphnlcdo.exeC:\Windows\system32\Fphnlcdo.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5104 -
C:\Windows\SysWOW64\Fdcjlb32.exeC:\Windows\system32\Fdcjlb32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Windows\SysWOW64\Fgbfhmll.exeC:\Windows\system32\Fgbfhmll.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:372 -
C:\Windows\SysWOW64\Fpjjac32.exeC:\Windows\system32\Fpjjac32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4980 -
C:\Windows\SysWOW64\Fkpool32.exeC:\Windows\system32\Fkpool32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3816 -
C:\Windows\SysWOW64\Fajgkfio.exeC:\Windows\system32\Fajgkfio.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1500 -
C:\Windows\SysWOW64\Fhdohp32.exeC:\Windows\system32\Fhdohp32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:860 -
C:\Windows\SysWOW64\Fmqgpgoc.exeC:\Windows\system32\Fmqgpgoc.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Fhflnpoi.exeC:\Windows\system32\Fhflnpoi.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3140 -
C:\Windows\SysWOW64\Gigheh32.exeC:\Windows\system32\Gigheh32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3392 -
C:\Windows\SysWOW64\Gpaqbbld.exeC:\Windows\system32\Gpaqbbld.exe23⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Ggkiol32.exeC:\Windows\system32\Ggkiol32.exe24⤵
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\Gaamlecg.exeC:\Windows\system32\Gaamlecg.exe25⤵
- Executes dropped EXE
PID:436 -
C:\Windows\SysWOW64\Gdoihpbk.exeC:\Windows\system32\Gdoihpbk.exe26⤵
- Executes dropped EXE
PID:3324 -
C:\Windows\SysWOW64\Ghkeio32.exeC:\Windows\system32\Ghkeio32.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3448 -
C:\Windows\SysWOW64\Gilapgqb.exeC:\Windows\system32\Gilapgqb.exe28⤵
- Executes dropped EXE
PID:3604 -
C:\Windows\SysWOW64\Gdafnpqh.exeC:\Windows\system32\Gdafnpqh.exe29⤵
- Executes dropped EXE
PID:4104 -
C:\Windows\SysWOW64\Ggpbjkpl.exeC:\Windows\system32\Ggpbjkpl.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3620 -
C:\Windows\SysWOW64\Ginnfgop.exeC:\Windows\system32\Ginnfgop.exe31⤵
- Executes dropped EXE
PID:3288 -
C:\Windows\SysWOW64\Ggbook32.exeC:\Windows\system32\Ggbook32.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5012 -
C:\Windows\SysWOW64\Gnlgleef.exeC:\Windows\system32\Gnlgleef.exe33⤵
- Executes dropped EXE
PID:3936 -
C:\Windows\SysWOW64\Gpkchqdj.exeC:\Windows\system32\Gpkchqdj.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1172 -
C:\Windows\SysWOW64\Hgelek32.exeC:\Windows\system32\Hgelek32.exe35⤵
- Executes dropped EXE
PID:1512 -
C:\Windows\SysWOW64\Hnodaecc.exeC:\Windows\system32\Hnodaecc.exe36⤵
- Executes dropped EXE
PID:4300 -
C:\Windows\SysWOW64\Hajpbckl.exeC:\Windows\system32\Hajpbckl.exe37⤵
- Executes dropped EXE
PID:5088 -
C:\Windows\SysWOW64\Hdilnojp.exeC:\Windows\system32\Hdilnojp.exe38⤵
- Executes dropped EXE
PID:3304 -
C:\Windows\SysWOW64\Hgghjjid.exeC:\Windows\system32\Hgghjjid.exe39⤵
- Executes dropped EXE
PID:4616 -
C:\Windows\SysWOW64\Hnaqgd32.exeC:\Windows\system32\Hnaqgd32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:388 -
C:\Windows\SysWOW64\Hpomcp32.exeC:\Windows\system32\Hpomcp32.exe41⤵
- Executes dropped EXE
PID:5064 -
C:\Windows\SysWOW64\Hhfedm32.exeC:\Windows\system32\Hhfedm32.exe42⤵
- Executes dropped EXE
PID:3664 -
C:\Windows\SysWOW64\Hkeaqi32.exeC:\Windows\system32\Hkeaqi32.exe43⤵
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\Hjhalefe.exeC:\Windows\system32\Hjhalefe.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1112 -
C:\Windows\SysWOW64\Haoimcgg.exeC:\Windows\system32\Haoimcgg.exe45⤵
- Executes dropped EXE
PID:2272 -
C:\Windows\SysWOW64\Hhiajmod.exeC:\Windows\system32\Hhiajmod.exe46⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Hglaej32.exeC:\Windows\system32\Hglaej32.exe47⤵
- Executes dropped EXE
PID:1420 -
C:\Windows\SysWOW64\Hjjnae32.exeC:\Windows\system32\Hjjnae32.exe48⤵
- Executes dropped EXE
PID:3388 -
C:\Windows\SysWOW64\Haafcb32.exeC:\Windows\system32\Haafcb32.exe49⤵
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Hdpbon32.exeC:\Windows\system32\Hdpbon32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1908 -
C:\Windows\SysWOW64\Hgnoki32.exeC:\Windows\system32\Hgnoki32.exe51⤵
- Executes dropped EXE
PID:912 -
C:\Windows\SysWOW64\Hjlkge32.exeC:\Windows\system32\Hjlkge32.exe52⤵
- Executes dropped EXE
PID:3612 -
C:\Windows\SysWOW64\Hacbhb32.exeC:\Windows\system32\Hacbhb32.exe53⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Idbodn32.exeC:\Windows\system32\Idbodn32.exe54⤵
- Executes dropped EXE
PID:3588 -
C:\Windows\SysWOW64\Igqkqiai.exeC:\Windows\system32\Igqkqiai.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:664 -
C:\Windows\SysWOW64\Ijogmdqm.exeC:\Windows\system32\Ijogmdqm.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:1252 -
C:\Windows\SysWOW64\Iddljmpc.exeC:\Windows\system32\Iddljmpc.exe57⤵
- Executes dropped EXE
PID:348 -
C:\Windows\SysWOW64\Ijadbdoj.exeC:\Windows\system32\Ijadbdoj.exe58⤵
- Executes dropped EXE
PID:4316 -
C:\Windows\SysWOW64\Iahlcaol.exeC:\Windows\system32\Iahlcaol.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3436 -
C:\Windows\SysWOW64\Ihbdplfi.exeC:\Windows\system32\Ihbdplfi.exe60⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Ikqqlgem.exeC:\Windows\system32\Ikqqlgem.exe61⤵
- Executes dropped EXE
PID:4468 -
C:\Windows\SysWOW64\Inomhbeq.exeC:\Windows\system32\Inomhbeq.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Iqmidndd.exeC:\Windows\system32\Iqmidndd.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1648 -
C:\Windows\SysWOW64\Ikcmbfcj.exeC:\Windows\system32\Ikcmbfcj.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:1464 -
C:\Windows\SysWOW64\Inainbcn.exeC:\Windows\system32\Inainbcn.exe65⤵
- Executes dropped EXE
PID:312 -
C:\Windows\SysWOW64\Ibmeoq32.exeC:\Windows\system32\Ibmeoq32.exe66⤵PID:1740
-
C:\Windows\SysWOW64\Idkbkl32.exeC:\Windows\system32\Idkbkl32.exe67⤵PID:1272
-
C:\Windows\SysWOW64\Ihgnkkbd.exeC:\Windows\system32\Ihgnkkbd.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4788 -
C:\Windows\SysWOW64\Ikejgf32.exeC:\Windows\system32\Ikejgf32.exe69⤵
- Modifies registry class
PID:4576 -
C:\Windows\SysWOW64\Indfca32.exeC:\Windows\system32\Indfca32.exe70⤵PID:728
-
C:\Windows\SysWOW64\Ibobdqid.exeC:\Windows\system32\Ibobdqid.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1128 -
C:\Windows\SysWOW64\Jhijqj32.exeC:\Windows\system32\Jhijqj32.exe72⤵PID:4032
-
C:\Windows\SysWOW64\Jjjghcfp.exeC:\Windows\system32\Jjjghcfp.exe73⤵PID:2780
-
C:\Windows\SysWOW64\Jbaojpgb.exeC:\Windows\system32\Jbaojpgb.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1072 -
C:\Windows\SysWOW64\Jdpkflfe.exeC:\Windows\system32\Jdpkflfe.exe75⤵PID:2620
-
C:\Windows\SysWOW64\Jkjcbe32.exeC:\Windows\system32\Jkjcbe32.exe76⤵
- System Location Discovery: System Language Discovery
PID:3344 -
C:\Windows\SysWOW64\Jbdlop32.exeC:\Windows\system32\Jbdlop32.exe77⤵PID:1888
-
C:\Windows\SysWOW64\Jdbhkk32.exeC:\Windows\system32\Jdbhkk32.exe78⤵PID:1472
-
C:\Windows\SysWOW64\Jklphekp.exeC:\Windows\system32\Jklphekp.exe79⤵PID:2912
-
C:\Windows\SysWOW64\Jnkldqkc.exeC:\Windows\system32\Jnkldqkc.exe80⤵PID:3852
-
C:\Windows\SysWOW64\Jqiipljg.exeC:\Windows\system32\Jqiipljg.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4948 -
C:\Windows\SysWOW64\Jgcamf32.exeC:\Windows\system32\Jgcamf32.exe82⤵
- Modifies registry class
PID:4484 -
C:\Windows\SysWOW64\Jjamia32.exeC:\Windows\system32\Jjamia32.exe83⤵PID:2676
-
C:\Windows\SysWOW64\Jnmijq32.exeC:\Windows\system32\Jnmijq32.exe84⤵PID:3092
-
C:\Windows\SysWOW64\Jibmgi32.exeC:\Windows\system32\Jibmgi32.exe85⤵PID:4324
-
C:\Windows\SysWOW64\Jkaicd32.exeC:\Windows\system32\Jkaicd32.exe86⤵PID:4296
-
C:\Windows\SysWOW64\Jnpfop32.exeC:\Windows\system32\Jnpfop32.exe87⤵PID:4308
-
C:\Windows\SysWOW64\Kqnbkl32.exeC:\Windows\system32\Kqnbkl32.exe88⤵PID:4716
-
C:\Windows\SysWOW64\Kghjhemo.exeC:\Windows\system32\Kghjhemo.exe89⤵PID:5128
-
C:\Windows\SysWOW64\Knbbep32.exeC:\Windows\system32\Knbbep32.exe90⤵PID:5172
-
C:\Windows\SysWOW64\Kqpoakco.exeC:\Windows\system32\Kqpoakco.exe91⤵PID:5216
-
C:\Windows\SysWOW64\Kgjgne32.exeC:\Windows\system32\Kgjgne32.exe92⤵PID:5252
-
C:\Windows\SysWOW64\Kjhcjq32.exeC:\Windows\system32\Kjhcjq32.exe93⤵PID:5308
-
C:\Windows\SysWOW64\Kbpkkn32.exeC:\Windows\system32\Kbpkkn32.exe94⤵PID:5348
-
C:\Windows\SysWOW64\Kijchhbo.exeC:\Windows\system32\Kijchhbo.exe95⤵PID:5392
-
C:\Windows\SysWOW64\Kkhpdcab.exeC:\Windows\system32\Kkhpdcab.exe96⤵PID:5456
-
C:\Windows\SysWOW64\Knflpoqf.exeC:\Windows\system32\Knflpoqf.exe97⤵PID:5516
-
C:\Windows\SysWOW64\Kbbhqn32.exeC:\Windows\system32\Kbbhqn32.exe98⤵
- System Location Discovery: System Language Discovery
PID:5552 -
C:\Windows\SysWOW64\Kilpmh32.exeC:\Windows\system32\Kilpmh32.exe99⤵PID:5628
-
C:\Windows\SysWOW64\Kkjlic32.exeC:\Windows\system32\Kkjlic32.exe100⤵PID:5688
-
C:\Windows\SysWOW64\Kjmmepfj.exeC:\Windows\system32\Kjmmepfj.exe101⤵PID:5752
-
C:\Windows\SysWOW64\Kbddfmgl.exeC:\Windows\system32\Kbddfmgl.exe102⤵PID:5828
-
C:\Windows\SysWOW64\Kageaj32.exeC:\Windows\system32\Kageaj32.exe103⤵
- Drops file in System32 directory
PID:5888 -
C:\Windows\SysWOW64\Kinmcg32.exeC:\Windows\system32\Kinmcg32.exe104⤵PID:5944
-
C:\Windows\SysWOW64\Kgamnded.exeC:\Windows\system32\Kgamnded.exe105⤵PID:5980
-
C:\Windows\SysWOW64\Kjpijpdg.exeC:\Windows\system32\Kjpijpdg.exe106⤵PID:6032
-
C:\Windows\SysWOW64\Knkekn32.exeC:\Windows\system32\Knkekn32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6080 -
C:\Windows\SysWOW64\Lajagj32.exeC:\Windows\system32\Lajagj32.exe108⤵PID:6132
-
C:\Windows\SysWOW64\Liqihglg.exeC:\Windows\system32\Liqihglg.exe109⤵PID:1120
-
C:\Windows\SysWOW64\Lnnbqnjn.exeC:\Windows\system32\Lnnbqnjn.exe110⤵PID:5228
-
C:\Windows\SysWOW64\Lalnmiia.exeC:\Windows\system32\Lalnmiia.exe111⤵PID:5296
-
C:\Windows\SysWOW64\Licfngjd.exeC:\Windows\system32\Licfngjd.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5380 -
C:\Windows\SysWOW64\Lkabjbih.exeC:\Windows\system32\Lkabjbih.exe113⤵PID:5448
-
C:\Windows\SysWOW64\Lnpofnhk.exeC:\Windows\system32\Lnpofnhk.exe114⤵PID:5536
-
C:\Windows\SysWOW64\Lankbigo.exeC:\Windows\system32\Lankbigo.exe115⤵PID:5660
-
C:\Windows\SysWOW64\Lejgch32.exeC:\Windows\system32\Lejgch32.exe116⤵PID:5736
-
C:\Windows\SysWOW64\Lieccf32.exeC:\Windows\system32\Lieccf32.exe117⤵PID:5868
-
C:\Windows\SysWOW64\Lnbklm32.exeC:\Windows\system32\Lnbklm32.exe118⤵PID:5940
-
C:\Windows\SysWOW64\Lelchgne.exeC:\Windows\system32\Lelchgne.exe119⤵PID:6028
-
C:\Windows\SysWOW64\Lndham32.exeC:\Windows\system32\Lndham32.exe120⤵
- Modifies registry class
PID:6092 -
C:\Windows\SysWOW64\Lijlof32.exeC:\Windows\system32\Lijlof32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5144
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-