Analysis
-
max time kernel
103s -
max time network
106s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
30-10-2024 23:46
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2de2568efb122138bd52e0f496241d21d4544c992ca15e3eb2035acdc1ccd3efN.exe
Resource
win7-20240708-en
windows7-x64
13 signatures
120 seconds
Behavioral task
behavioral2
Sample
2de2568efb122138bd52e0f496241d21d4544c992ca15e3eb2035acdc1ccd3efN.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
2de2568efb122138bd52e0f496241d21d4544c992ca15e3eb2035acdc1ccd3efN.exe
-
Size
96KB
-
MD5
be105ffd7e9c34df0df8778144cdd480
-
SHA1
a84fce0f4c186edf07611691738f46758e29c03c
-
SHA256
2de2568efb122138bd52e0f496241d21d4544c992ca15e3eb2035acdc1ccd3ef
-
SHA512
d7c1bd5c4619636a320cad15ac0e04c1597ccbbb58c727a1345b6535aef791e98c50ebeeb6cd096d135a5a2a023ec20ad97b2e346c189f7bcbf366ff59440003
-
SSDEEP
1536:Hfsk7GMqawVdfIuUbklUUDqF+Pex2L97RZObZUUWaegPYA:HmxIuKkeUDm+GK9ClUUWae
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Iqbbpm32.exeCkmehb32.exeIhdldn32.exeNmnqjp32.exePlmmif32.exeDoaneiop.exeLchfib32.exeBjbfklei.exeMfkkqmiq.exePedlgbkh.exeOfhknodl.exeAlkijdci.exeNcmhko32.exeLjilqnlm.exeDjcoai32.exeEbejfk32.exeMgnlkfal.exeMhicpg32.exeNbadcpbh.exeNpedmdab.exeFdamgb32.exePkogiikb.exePidabppl.exeKihnmohm.exeMffjcopi.exeAajhndkb.exeCponen32.exeGlbjggof.exeJoiccj32.exeMeepdp32.exeCbfgkffn.exeEbkbbmqj.exeGacepg32.exeCceddf32.exePlbmokop.exeJblmgf32.exeLhqefjpo.exeCgjjdf32.exePimfpc32.exeHdilnojp.exeIkqqlgem.exeNiakfbpa.exeHildmn32.exeJedccfqg.exeCkbncapd.exeKeonap32.exeMojhgbdl.exeIkndgg32.exeBbfmgd32.exeNgdfdmdi.exeEmlenj32.exeBmggingc.exeBqilgmdg.exeDpphjp32.exePjkmomfn.exeGaebef32.exeIndfca32.exeBffcpg32.exeDdkbmj32.exeLidmhmnp.exeMqhfoebo.exeGgkqgaol.exeCildom32.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iqbbpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckmehb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihdldn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmnqjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plmmif32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Doaneiop.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lchfib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjbfklei.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfkkqmiq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pedlgbkh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofhknodl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alkijdci.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncmhko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljilqnlm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djcoai32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebejfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgnlkfal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhicpg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbadcpbh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npedmdab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdamgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkogiikb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pidabppl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kihnmohm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mffjcopi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aajhndkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cponen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glbjggof.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joiccj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meepdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbfgkffn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebkbbmqj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gacepg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cceddf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plbmokop.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jblmgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhqefjpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgjjdf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pimfpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdilnojp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikqqlgem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Niakfbpa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hildmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jedccfqg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckbncapd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Keonap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mojhgbdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikndgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbfmgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngdfdmdi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emlenj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihdldn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmggingc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqilgmdg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpphjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjkmomfn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaebef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Indfca32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bffcpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddkbmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lidmhmnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mqhfoebo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggkqgaol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cildom32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Ieliebnf.exeIoambknl.exeIfleoe32.exeIgmagnkg.exeJfnbdecg.exeJkkjmlan.exeJbdbjf32.exeJiokfpph.exeJoiccj32.exeJfbkpd32.exeJkodhk32.exeJfehed32.exeJgfdmlcm.exeJblijebc.exeJieagojp.exeKppici32.exeKihnmohm.exeKnefeffd.exeKeonap32.exeKpdboimg.exeKimghn32.exeKnippe32.exeKiodmn32.exeKpiljh32.exeKfcdfbqo.exeLhdqnj32.exeLnnikdnj.exeLidmhmnp.exeLlbidimc.exeLblaabdp.exeLfhnaa32.exeLppbkgcj.exeLemkcnaa.exeLhkgoiqe.exeLpbopfag.exeLflgmqhd.exeLhncdi32.exeLoglacfo.exeLeadnm32.exeMlklkgei.exeMojhgbdl.exeMedqcmki.exeMhbmphjm.exeMolelb32.exeMfcmmp32.exeMibijk32.exeMplafeil.exeMffjcopi.exeMlbbkfoq.exeMoaogand.exeMekgdl32.exeMhicpg32.exeMockmala.exeNemcjk32.exeNlglfe32.exeNbadcpbh.exeNeppokal.exeNhnlkfpp.exeNpedmdab.exeNgomin32.exeNiniei32.exeNpgabc32.exeNcfmno32.exeNipekiep.exepid Process 4980 Ieliebnf.exe 3236 Ioambknl.exe 4816 Ifleoe32.exe 3800 Igmagnkg.exe 4996 Jfnbdecg.exe 3504 Jkkjmlan.exe 1604 Jbdbjf32.exe 4188 Jiokfpph.exe 216 Joiccj32.exe 2088 Jfbkpd32.exe 3960 Jkodhk32.exe 1300 Jfehed32.exe 876 Jgfdmlcm.exe 3360 Jblijebc.exe 920 Jieagojp.exe 5008 Kppici32.exe 2732 Kihnmohm.exe 2588 Knefeffd.exe 3300 Keonap32.exe 2976 Kpdboimg.exe 2980 Kimghn32.exe 2276 Knippe32.exe 4272 Kiodmn32.exe 1880 Kpiljh32.exe 1708 Kfcdfbqo.exe 2356 Lhdqnj32.exe 4528 Lnnikdnj.exe 3344 Lidmhmnp.exe 3524 Llbidimc.exe 2888 Lblaabdp.exe 3256 Lfhnaa32.exe 4232 Lppbkgcj.exe 2124 Lemkcnaa.exe 2904 Lhkgoiqe.exe 1244 Lpbopfag.exe 3636 Lflgmqhd.exe 864 Lhncdi32.exe 4024 Loglacfo.exe 1344 Leadnm32.exe 4948 Mlklkgei.exe 4124 Mojhgbdl.exe 4056 Medqcmki.exe 3048 Mhbmphjm.exe 1896 Molelb32.exe 2700 Mfcmmp32.exe 4300 Mibijk32.exe 4332 Mplafeil.exe 4976 Mffjcopi.exe 4880 Mlbbkfoq.exe 1720 Moaogand.exe 1608 Mekgdl32.exe 4476 Mhicpg32.exe 2060 Mockmala.exe 4268 Nemcjk32.exe 392 Nlglfe32.exe 3844 Nbadcpbh.exe 4800 Neppokal.exe 4556 Nhnlkfpp.exe 3708 Npedmdab.exe 3968 Ngomin32.exe 4404 Niniei32.exe 3700 Npgabc32.exe 2452 Ncfmno32.exe 2116 Nipekiep.exe -
Drops file in System32 directory 64 IoCs
Processes:
Kadpdp32.exeFphnlcdo.exeCodhnb32.exeGbmingjo.exeJpbjfjci.exeBopocbcq.exeOmpfej32.exeAajhndkb.exeMhckcgpj.exeJgfdmlcm.exeLppbkgcj.exeMojhgbdl.exeNhnlkfpp.exeKlcekpdo.exeOclkgccf.exeOhlqcagj.exeBdojjo32.exeOekiqccc.exeCmcolgbj.exeGkmdecbg.exeKpjgaoqm.exeLaiipofp.exeCdmoafdb.exeOhnohn32.exePlbmokop.exeMeepdp32.exeMqfpckhm.exeDhhfedil.exeEjflhm32.exeNafjjf32.exeNhpbfpka.exePjkmomfn.exeIgdnabjh.exeImkbnf32.exeKgiiiidd.exeOnmfimga.exeNbadcpbh.exeEangpgcl.exeJqiipljg.exeHmechmip.exeQhjmdp32.exeCdmfllhn.exeNqmojd32.exeNcqlkemc.exeNnhmnn32.exeEbkbbmqj.exeMpclce32.exeGbfldf32.exeKgipcogp.exeKcpahpmd.exeKeimof32.exeFibhpbea.exeFkhpfbce.exeCdjblf32.exeLfhnaa32.exeNpgabc32.exeAeddnp32.exeCkmehb32.exeMcaipa32.exeNemmoe32.exePlmmif32.exeEbimgcfi.exeLafmjp32.exePofjpl32.exedescription ioc Process File created C:\Windows\SysWOW64\Lljdai32.exe Kadpdp32.exe File created C:\Windows\SysWOW64\Fhofmq32.exe Fphnlcdo.exe File created C:\Windows\SysWOW64\Kadcjkfm.dll Codhnb32.exe File created C:\Windows\SysWOW64\Gigaka32.exe Gbmingjo.exe File opened for modification C:\Windows\SysWOW64\Jbagbebm.exe Jpbjfjci.exe File created C:\Windows\SysWOW64\Nbcpja32.dll Bopocbcq.exe File opened for modification C:\Windows\SysWOW64\Opnbae32.exe Ompfej32.exe File created C:\Windows\SysWOW64\Kajimagp.dll Aajhndkb.exe File opened for modification C:\Windows\SysWOW64\Momcpa32.exe Mhckcgpj.exe File opened for modification C:\Windows\SysWOW64\Jblijebc.exe Jgfdmlcm.exe File created C:\Windows\SysWOW64\Lemkcnaa.exe Lppbkgcj.exe File created C:\Windows\SysWOW64\Medqcmki.exe Mojhgbdl.exe File opened for modification C:\Windows\SysWOW64\Npedmdab.exe Nhnlkfpp.exe File opened for modification C:\Windows\SysWOW64\Kgiiiidd.exe Klcekpdo.exe File created C:\Windows\SysWOW64\Ofkgcobj.exe Oclkgccf.exe File created C:\Windows\SysWOW64\Pjkmomfn.exe Ohlqcagj.exe File opened for modification C:\Windows\SysWOW64\Bkibgh32.exe Bdojjo32.exe File created C:\Windows\SysWOW64\Oflpld32.dll Oekiqccc.exe File created C:\Windows\SysWOW64\Lhhmmcaa.dll Cmcolgbj.exe File created C:\Windows\SysWOW64\Hnfdcegm.dll Gkmdecbg.exe File created C:\Windows\SysWOW64\Kgdpni32.exe Kpjgaoqm.exe File created C:\Windows\SysWOW64\Diadam32.dll Laiipofp.exe File created C:\Windows\SysWOW64\Cgklmacf.exe Cdmoafdb.exe File opened for modification C:\Windows\SysWOW64\Oohgdhfn.exe Ohnohn32.exe File opened for modification C:\Windows\SysWOW64\Pcmeke32.exe Plbmokop.exe File opened for modification C:\Windows\SysWOW64\Malpia32.exe Meepdp32.exe File created C:\Windows\SysWOW64\Jnifpf32.dll Mqfpckhm.exe File created C:\Windows\SysWOW64\Gjkmhmpl.dll Dhhfedil.exe File opened for modification C:\Windows\SysWOW64\Edopabqn.exe Ejflhm32.exe File created C:\Windows\SysWOW64\Bpecpgjp.dll Nafjjf32.exe File created C:\Windows\SysWOW64\Cmakeiil.dll Nhpbfpka.exe File opened for modification C:\Windows\SysWOW64\Pmiikh32.exe Pjkmomfn.exe File created C:\Windows\SysWOW64\Ijcjmmil.exe Igdnabjh.exe File created C:\Windows\SysWOW64\Iibccgep.exe Imkbnf32.exe File created C:\Windows\SysWOW64\Kncaec32.exe Kgiiiidd.exe File opened for modification C:\Windows\SysWOW64\Ompfej32.exe Onmfimga.exe File created C:\Windows\SysWOW64\Neppokal.exe Nbadcpbh.exe File opened for modification C:\Windows\SysWOW64\Ejflhm32.exe Eangpgcl.exe File created C:\Windows\SysWOW64\Idhmabfb.dll Jqiipljg.exe File created C:\Windows\SysWOW64\Hdokdg32.exe Hmechmip.exe File opened for modification C:\Windows\SysWOW64\Qjiipk32.exe Qhjmdp32.exe File created C:\Windows\SysWOW64\Cglbhhga.exe Cdmfllhn.exe File created C:\Windows\SysWOW64\Nbnlaldg.exe Nqmojd32.exe File opened for modification C:\Windows\SysWOW64\Njjdho32.exe Ncqlkemc.exe File created C:\Windows\SysWOW64\Nceefd32.exe Nnhmnn32.exe File opened for modification C:\Windows\SysWOW64\Ekcgkb32.exe Ebkbbmqj.exe File created C:\Windows\SysWOW64\Khlaie32.dll Mpclce32.exe File opened for modification C:\Windows\SysWOW64\Gkmdecbg.exe Gbfldf32.exe File created C:\Windows\SysWOW64\Knchpiom.exe Kgipcogp.exe File created C:\Windows\SysWOW64\Kqdaadln.exe Kcpahpmd.exe File created C:\Windows\SysWOW64\Mhelik32.dll Keimof32.exe File created C:\Windows\SysWOW64\Fjadje32.exe Fibhpbea.exe File opened for modification C:\Windows\SysWOW64\Feqeog32.exe Fkhpfbce.exe File created C:\Windows\SysWOW64\Jlojif32.dll Cdjblf32.exe File created C:\Windows\SysWOW64\Fhoqoo32.dll Lfhnaa32.exe File created C:\Windows\SysWOW64\Lmeffoid.dll Npgabc32.exe File created C:\Windows\SysWOW64\Ecqieiii.dll Aeddnp32.exe File created C:\Windows\SysWOW64\Fccfel32.dll Ckmehb32.exe File created C:\Windows\SysWOW64\Mjlalkmd.exe Mcaipa32.exe File created C:\Windows\SysWOW64\Nhkikq32.exe Nemmoe32.exe File opened for modification C:\Windows\SysWOW64\Pmoiqneg.exe Plmmif32.exe File opened for modification C:\Windows\SysWOW64\Emoadlfo.exe Ebimgcfi.exe File created C:\Windows\SysWOW64\Chgnfq32.dll Lafmjp32.exe File opened for modification C:\Windows\SysWOW64\Qqffjo32.exe Pofjpl32.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target Process procid_target 8592 6200 WerFault.exe 1000 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Pagbaglh.exeKhgbqkhj.exeNhpbfpka.exeNiooqcad.exeAajhndkb.exeLaiipofp.exeBqilgmdg.exeMblcnj32.exeDdkbmj32.exeKfcdfbqo.exeJdgafjpn.exeMjlalkmd.exeOblmdhdo.exeLoofnccf.exeOhpkmn32.exeIloidijb.exeMoaogand.exePcpikkge.exe2de2568efb122138bd52e0f496241d21d4544c992ca15e3eb2035acdc1ccd3efN.exeGpkchqdj.exeLddgmbpb.exeOhmhmh32.exeImgicgca.exeEciplm32.exeHbhijepa.exeIckglm32.exeHhdcmp32.exeKkjeomld.exePkgcea32.exeBmbiamhi.exeHdkidohn.exeLnnikdnj.exeGigaka32.exeIlccoh32.exeHlnjbedi.exeApodoq32.exeEkjded32.exePlbmokop.exeBjnmpl32.exeGgpbjkpl.exeMablfnne.exeOnocomdo.exeOodcdb32.exeJpbjfjci.exeKabcopmg.exeBjpjel32.exeNndjndbh.exeOemefcap.exeHoeieolb.exeFeqeog32.exeKeonap32.exeKilpmh32.exeNqpcjj32.exeMplafeil.exeJkaicd32.exePhdnngdn.exeJohggfha.exeCildom32.exeNeafjdkn.exePedlgbkh.exeEdplhjhi.exeOophlo32.exeNpjnhc32.exeNcjginjn.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pagbaglh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khgbqkhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhpbfpka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Niooqcad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aajhndkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Laiipofp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqilgmdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mblcnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddkbmj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfcdfbqo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdgafjpn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjlalkmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oblmdhdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Loofnccf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohpkmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iloidijb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Moaogand.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcpikkge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2de2568efb122138bd52e0f496241d21d4544c992ca15e3eb2035acdc1ccd3efN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpkchqdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lddgmbpb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohmhmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imgicgca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eciplm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbhijepa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ickglm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhdcmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkjeomld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkgcea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmbiamhi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdkidohn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnnikdnj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gigaka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilccoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlnjbedi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apodoq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekjded32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plbmokop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjnmpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggpbjkpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mablfnne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onocomdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oodcdb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpbjfjci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kabcopmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjpjel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nndjndbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oemefcap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoeieolb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Feqeog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keonap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kilpmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqpcjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mplafeil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkaicd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phdnngdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Johggfha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cildom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neafjdkn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pedlgbkh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edplhjhi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oophlo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npjnhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncjginjn.exe -
Modifies registry class 64 IoCs
Processes:
Oemefcap.exeBbiado32.exeMgehfkop.exeJblmgf32.exeJbagbebm.exeDhhfedil.exeLieccf32.exeGbnhoj32.exeAjohfcpj.exeKofkbk32.exeNnojho32.exeIlccoh32.exeGiecfejd.exeNgomin32.exeKkcfid32.exeOlbdhn32.exeHmbfbn32.exeKjblje32.exeQodeajbg.exeLpbopfag.exeNheble32.exeAmodep32.exeOaajed32.exePkcadhgm.exeCmhigf32.exeMgloefco.exeOanokhdb.exeKihnmohm.exeOocddono.exeKgjgne32.exeEclmamod.exeJngbjd32.exeLhenai32.exeNjedbjej.exeJbdbjf32.exeGgpbjkpl.exeAkoqpg32.exeIggjga32.exePfiddm32.exeFkjmlaac.exeLaiipofp.exeBfkbfd32.exeJfbkpd32.exeBjlgdc32.exeCkbncapd.exeOhpkmn32.exeOflmnh32.exeMplafeil.exeOllnhb32.exeOodcdb32.exeEkkkoj32.exeAaenbd32.exeDolmodpi.exeOlgemcli.exeFjmkoeqi.exeKgipcogp.exeOdmbaj32.exeNcqlkemc.exePfdjinjo.exeApodoq32.exeAmpaho32.exeBmbiamhi.exeHmechmip.exeDcffnbee.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oemefcap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbiado32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgehfkop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jblmgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgpfqchb.dll" Jbagbebm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhhfedil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lieccf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbnhoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhkhop32.dll" Ajohfcpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kofkbk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nnojho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcnfjkma.dll" Ilccoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Giecfejd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngomin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkcfid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Olbdhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgaiiq32.dll" Hmbfbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjblje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hockka32.dll" Qodeajbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfdcmnil.dll" Lpbopfag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nheble32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amodep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncdpoaed.dll" Oaajed32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkcadhgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cmhigf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgloefco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oanokhdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khhnncno.dll" Kihnmohm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oocddono.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqnnno32.dll" Kgjgne32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eclmamod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggmkff32.dll" Jngbjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhenai32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njedbjej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbdbjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ggpbjkpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfinqm32.dll" Akoqpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Accailfj.dll" Iggjga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfiddm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fkjmlaac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Laiipofp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Podbibma.dll" Bfkbfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfbkpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjlgdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qecffhdo.dll" Ckbncapd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohpkmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpkdfd32.dll" Oflmnh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mplafeil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lilqdd32.dll" Ollnhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oodcdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ekkkoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aaenbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cinclj32.dll" Dolmodpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Olgemcli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmiogmig.dll" Fjmkoeqi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgipcogp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keldkigj.dll" Odmbaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgemej32.dll" Ncqlkemc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfdjinjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkhnbpne.dll" Apodoq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ampaho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmdnljan.dll" Bmbiamhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmechmip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dcffnbee.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
2de2568efb122138bd52e0f496241d21d4544c992ca15e3eb2035acdc1ccd3efN.exeIeliebnf.exeIoambknl.exeIfleoe32.exeIgmagnkg.exeJfnbdecg.exeJkkjmlan.exeJbdbjf32.exeJiokfpph.exeJoiccj32.exeJfbkpd32.exeJkodhk32.exeJfehed32.exeJgfdmlcm.exeJblijebc.exeJieagojp.exeKppici32.exeKihnmohm.exeKnefeffd.exeKeonap32.exeKpdboimg.exeKimghn32.exedescription pid Process procid_target PID 2880 wrote to memory of 4980 2880 2de2568efb122138bd52e0f496241d21d4544c992ca15e3eb2035acdc1ccd3efN.exe 84 PID 2880 wrote to memory of 4980 2880 2de2568efb122138bd52e0f496241d21d4544c992ca15e3eb2035acdc1ccd3efN.exe 84 PID 2880 wrote to memory of 4980 2880 2de2568efb122138bd52e0f496241d21d4544c992ca15e3eb2035acdc1ccd3efN.exe 84 PID 4980 wrote to memory of 3236 4980 Ieliebnf.exe 85 PID 4980 wrote to memory of 3236 4980 Ieliebnf.exe 85 PID 4980 wrote to memory of 3236 4980 Ieliebnf.exe 85 PID 3236 wrote to memory of 4816 3236 Ioambknl.exe 86 PID 3236 wrote to memory of 4816 3236 Ioambknl.exe 86 PID 3236 wrote to memory of 4816 3236 Ioambknl.exe 86 PID 4816 wrote to memory of 3800 4816 Ifleoe32.exe 87 PID 4816 wrote to memory of 3800 4816 Ifleoe32.exe 87 PID 4816 wrote to memory of 3800 4816 Ifleoe32.exe 87 PID 3800 wrote to memory of 4996 3800 Igmagnkg.exe 88 PID 3800 wrote to memory of 4996 3800 Igmagnkg.exe 88 PID 3800 wrote to memory of 4996 3800 Igmagnkg.exe 88 PID 4996 wrote to memory of 3504 4996 Jfnbdecg.exe 89 PID 4996 wrote to memory of 3504 4996 Jfnbdecg.exe 89 PID 4996 wrote to memory of 3504 4996 Jfnbdecg.exe 89 PID 3504 wrote to memory of 1604 3504 Jkkjmlan.exe 90 PID 3504 wrote to memory of 1604 3504 Jkkjmlan.exe 90 PID 3504 wrote to memory of 1604 3504 Jkkjmlan.exe 90 PID 1604 wrote to memory of 4188 1604 Jbdbjf32.exe 91 PID 1604 wrote to memory of 4188 1604 Jbdbjf32.exe 91 PID 1604 wrote to memory of 4188 1604 Jbdbjf32.exe 91 PID 4188 wrote to memory of 216 4188 Jiokfpph.exe 92 PID 4188 wrote to memory of 216 4188 Jiokfpph.exe 92 PID 4188 wrote to memory of 216 4188 Jiokfpph.exe 92 PID 216 wrote to memory of 2088 216 Joiccj32.exe 93 PID 216 wrote to memory of 2088 216 Joiccj32.exe 93 PID 216 wrote to memory of 2088 216 Joiccj32.exe 93 PID 2088 wrote to memory of 3960 2088 Jfbkpd32.exe 95 PID 2088 wrote to memory of 3960 2088 Jfbkpd32.exe 95 PID 2088 wrote to memory of 3960 2088 Jfbkpd32.exe 95 PID 3960 wrote to memory of 1300 3960 Jkodhk32.exe 96 PID 3960 wrote to memory of 1300 3960 Jkodhk32.exe 96 PID 3960 wrote to memory of 1300 3960 Jkodhk32.exe 96 PID 1300 wrote to memory of 876 1300 Jfehed32.exe 97 PID 1300 wrote to memory of 876 1300 Jfehed32.exe 97 PID 1300 wrote to memory of 876 1300 Jfehed32.exe 97 PID 876 wrote to memory of 3360 876 Jgfdmlcm.exe 98 PID 876 wrote to memory of 3360 876 Jgfdmlcm.exe 98 PID 876 wrote to memory of 3360 876 Jgfdmlcm.exe 98 PID 3360 wrote to memory of 920 3360 Jblijebc.exe 99 PID 3360 wrote to memory of 920 3360 Jblijebc.exe 99 PID 3360 wrote to memory of 920 3360 Jblijebc.exe 99 PID 920 wrote to memory of 5008 920 Jieagojp.exe 100 PID 920 wrote to memory of 5008 920 Jieagojp.exe 100 PID 920 wrote to memory of 5008 920 Jieagojp.exe 100 PID 5008 wrote to memory of 2732 5008 Kppici32.exe 101 PID 5008 wrote to memory of 2732 5008 Kppici32.exe 101 PID 5008 wrote to memory of 2732 5008 Kppici32.exe 101 PID 2732 wrote to memory of 2588 2732 Kihnmohm.exe 103 PID 2732 wrote to memory of 2588 2732 Kihnmohm.exe 103 PID 2732 wrote to memory of 2588 2732 Kihnmohm.exe 103 PID 2588 wrote to memory of 3300 2588 Knefeffd.exe 104 PID 2588 wrote to memory of 3300 2588 Knefeffd.exe 104 PID 2588 wrote to memory of 3300 2588 Knefeffd.exe 104 PID 3300 wrote to memory of 2976 3300 Keonap32.exe 106 PID 3300 wrote to memory of 2976 3300 Keonap32.exe 106 PID 3300 wrote to memory of 2976 3300 Keonap32.exe 106 PID 2976 wrote to memory of 2980 2976 Kpdboimg.exe 107 PID 2976 wrote to memory of 2980 2976 Kpdboimg.exe 107 PID 2976 wrote to memory of 2980 2976 Kpdboimg.exe 107 PID 2980 wrote to memory of 2276 2980 Kimghn32.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\2de2568efb122138bd52e0f496241d21d4544c992ca15e3eb2035acdc1ccd3efN.exe"C:\Users\Admin\AppData\Local\Temp\2de2568efb122138bd52e0f496241d21d4544c992ca15e3eb2035acdc1ccd3efN.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\Ieliebnf.exeC:\Windows\system32\Ieliebnf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4980 -
C:\Windows\SysWOW64\Ioambknl.exeC:\Windows\system32\Ioambknl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3236 -
C:\Windows\SysWOW64\Ifleoe32.exeC:\Windows\system32\Ifleoe32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4816 -
C:\Windows\SysWOW64\Igmagnkg.exeC:\Windows\system32\Igmagnkg.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3800 -
C:\Windows\SysWOW64\Jfnbdecg.exeC:\Windows\system32\Jfnbdecg.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4996 -
C:\Windows\SysWOW64\Jkkjmlan.exeC:\Windows\system32\Jkkjmlan.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3504 -
C:\Windows\SysWOW64\Jbdbjf32.exeC:\Windows\system32\Jbdbjf32.exe8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1604 -
C:\Windows\SysWOW64\Jiokfpph.exeC:\Windows\system32\Jiokfpph.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4188 -
C:\Windows\SysWOW64\Joiccj32.exeC:\Windows\system32\Joiccj32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:216 -
C:\Windows\SysWOW64\Jfbkpd32.exeC:\Windows\system32\Jfbkpd32.exe11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Jkodhk32.exeC:\Windows\system32\Jkodhk32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3960 -
C:\Windows\SysWOW64\Jfehed32.exeC:\Windows\system32\Jfehed32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1300 -
C:\Windows\SysWOW64\Jgfdmlcm.exeC:\Windows\system32\Jgfdmlcm.exe14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:876 -
C:\Windows\SysWOW64\Jblijebc.exeC:\Windows\system32\Jblijebc.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3360 -
C:\Windows\SysWOW64\Jieagojp.exeC:\Windows\system32\Jieagojp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:920 -
C:\Windows\SysWOW64\Kppici32.exeC:\Windows\system32\Kppici32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5008 -
C:\Windows\SysWOW64\Kihnmohm.exeC:\Windows\system32\Kihnmohm.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Knefeffd.exeC:\Windows\system32\Knefeffd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Keonap32.exeC:\Windows\system32\Keonap32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3300 -
C:\Windows\SysWOW64\Kpdboimg.exeC:\Windows\system32\Kpdboimg.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\Kimghn32.exeC:\Windows\system32\Kimghn32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\Knippe32.exeC:\Windows\system32\Knippe32.exe23⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Kiodmn32.exeC:\Windows\system32\Kiodmn32.exe24⤵
- Executes dropped EXE
PID:4272 -
C:\Windows\SysWOW64\Kpiljh32.exeC:\Windows\system32\Kpiljh32.exe25⤵
- Executes dropped EXE
PID:1880 -
C:\Windows\SysWOW64\Kfcdfbqo.exeC:\Windows\system32\Kfcdfbqo.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1708 -
C:\Windows\SysWOW64\Lhdqnj32.exeC:\Windows\system32\Lhdqnj32.exe27⤵
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Lnnikdnj.exeC:\Windows\system32\Lnnikdnj.exe28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4528 -
C:\Windows\SysWOW64\Lidmhmnp.exeC:\Windows\system32\Lidmhmnp.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3344 -
C:\Windows\SysWOW64\Llbidimc.exeC:\Windows\system32\Llbidimc.exe30⤵
- Executes dropped EXE
PID:3524 -
C:\Windows\SysWOW64\Lblaabdp.exeC:\Windows\system32\Lblaabdp.exe31⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Lfhnaa32.exeC:\Windows\system32\Lfhnaa32.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3256 -
C:\Windows\SysWOW64\Lppbkgcj.exeC:\Windows\system32\Lppbkgcj.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4232 -
C:\Windows\SysWOW64\Lemkcnaa.exeC:\Windows\system32\Lemkcnaa.exe34⤵
- Executes dropped EXE
PID:2124 -
C:\Windows\SysWOW64\Lhkgoiqe.exeC:\Windows\system32\Lhkgoiqe.exe35⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Lpbopfag.exeC:\Windows\system32\Lpbopfag.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:1244 -
C:\Windows\SysWOW64\Lflgmqhd.exeC:\Windows\system32\Lflgmqhd.exe37⤵
- Executes dropped EXE
PID:3636 -
C:\Windows\SysWOW64\Lhncdi32.exeC:\Windows\system32\Lhncdi32.exe38⤵
- Executes dropped EXE
PID:864 -
C:\Windows\SysWOW64\Loglacfo.exeC:\Windows\system32\Loglacfo.exe39⤵
- Executes dropped EXE
PID:4024 -
C:\Windows\SysWOW64\Leadnm32.exeC:\Windows\system32\Leadnm32.exe40⤵
- Executes dropped EXE
PID:1344 -
C:\Windows\SysWOW64\Mlklkgei.exeC:\Windows\system32\Mlklkgei.exe41⤵
- Executes dropped EXE
PID:4948 -
C:\Windows\SysWOW64\Mojhgbdl.exeC:\Windows\system32\Mojhgbdl.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4124 -
C:\Windows\SysWOW64\Medqcmki.exeC:\Windows\system32\Medqcmki.exe43⤵
- Executes dropped EXE
PID:4056 -
C:\Windows\SysWOW64\Mhbmphjm.exeC:\Windows\system32\Mhbmphjm.exe44⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Molelb32.exeC:\Windows\system32\Molelb32.exe45⤵
- Executes dropped EXE
PID:1896 -
C:\Windows\SysWOW64\Mfcmmp32.exeC:\Windows\system32\Mfcmmp32.exe46⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Mibijk32.exeC:\Windows\system32\Mibijk32.exe47⤵
- Executes dropped EXE
PID:4300 -
C:\Windows\SysWOW64\Mplafeil.exeC:\Windows\system32\Mplafeil.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4332 -
C:\Windows\SysWOW64\Mffjcopi.exeC:\Windows\system32\Mffjcopi.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4976 -
C:\Windows\SysWOW64\Mlbbkfoq.exeC:\Windows\system32\Mlbbkfoq.exe50⤵
- Executes dropped EXE
PID:4880 -
C:\Windows\SysWOW64\Moaogand.exeC:\Windows\system32\Moaogand.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1720 -
C:\Windows\SysWOW64\Mekgdl32.exeC:\Windows\system32\Mekgdl32.exe52⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Mhicpg32.exeC:\Windows\system32\Mhicpg32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4476 -
C:\Windows\SysWOW64\Mockmala.exeC:\Windows\system32\Mockmala.exe54⤵
- Executes dropped EXE
PID:2060 -
C:\Windows\SysWOW64\Nemcjk32.exeC:\Windows\system32\Nemcjk32.exe55⤵
- Executes dropped EXE
PID:4268 -
C:\Windows\SysWOW64\Nlglfe32.exeC:\Windows\system32\Nlglfe32.exe56⤵
- Executes dropped EXE
PID:392 -
C:\Windows\SysWOW64\Nbadcpbh.exeC:\Windows\system32\Nbadcpbh.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3844 -
C:\Windows\SysWOW64\Neppokal.exeC:\Windows\system32\Neppokal.exe58⤵
- Executes dropped EXE
PID:4800 -
C:\Windows\SysWOW64\Nhnlkfpp.exeC:\Windows\system32\Nhnlkfpp.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4556 -
C:\Windows\SysWOW64\Npedmdab.exeC:\Windows\system32\Npedmdab.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3708 -
C:\Windows\SysWOW64\Ngomin32.exeC:\Windows\system32\Ngomin32.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:3968 -
C:\Windows\SysWOW64\Niniei32.exeC:\Windows\system32\Niniei32.exe62⤵
- Executes dropped EXE
PID:4404 -
C:\Windows\SysWOW64\Npgabc32.exeC:\Windows\system32\Npgabc32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3700 -
C:\Windows\SysWOW64\Ncfmno32.exeC:\Windows\system32\Ncfmno32.exe64⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Nipekiep.exeC:\Windows\system32\Nipekiep.exe65⤵
- Executes dropped EXE
PID:2116 -
C:\Windows\SysWOW64\Npjnhc32.exeC:\Windows\system32\Npjnhc32.exe66⤵
- System Location Discovery: System Language Discovery
PID:3136 -
C:\Windows\SysWOW64\Ngdfdmdi.exeC:\Windows\system32\Ngdfdmdi.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2820 -
C:\Windows\SysWOW64\Nheble32.exeC:\Windows\system32\Nheble32.exe68⤵
- Modifies registry class
PID:3772 -
C:\Windows\SysWOW64\Ncjginjn.exeC:\Windows\system32\Ncjginjn.exe69⤵
- System Location Discovery: System Language Discovery
PID:3516 -
C:\Windows\SysWOW64\Oidofh32.exeC:\Windows\system32\Oidofh32.exe70⤵PID:4460
-
C:\Windows\SysWOW64\Olckbd32.exeC:\Windows\system32\Olckbd32.exe71⤵PID:4492
-
C:\Windows\SysWOW64\Ocmconhk.exeC:\Windows\system32\Ocmconhk.exe72⤵PID:2352
-
C:\Windows\SysWOW64\Olehhc32.exeC:\Windows\system32\Olehhc32.exe73⤵PID:2580
-
C:\Windows\SysWOW64\Oocddono.exeC:\Windows\system32\Oocddono.exe74⤵
- Modifies registry class
PID:3664 -
C:\Windows\SysWOW64\Ogklelna.exeC:\Windows\system32\Ogklelna.exe75⤵PID:1956
-
C:\Windows\SysWOW64\Olgemcli.exeC:\Windows\system32\Olgemcli.exe76⤵
- Modifies registry class
PID:2216 -
C:\Windows\SysWOW64\Ogmijllo.exeC:\Windows\system32\Ogmijllo.exe77⤵PID:4408
-
C:\Windows\SysWOW64\Ohnebd32.exeC:\Windows\system32\Ohnebd32.exe78⤵PID:1044
-
C:\Windows\SysWOW64\Oohnonij.exeC:\Windows\system32\Oohnonij.exe79⤵PID:312
-
C:\Windows\SysWOW64\Oebflhaf.exeC:\Windows\system32\Oebflhaf.exe80⤵PID:720
-
C:\Windows\SysWOW64\Ollnhb32.exeC:\Windows\system32\Ollnhb32.exe81⤵
- Modifies registry class
PID:2960 -
C:\Windows\SysWOW64\Ocffempp.exeC:\Windows\system32\Ocffempp.exe82⤵PID:2792
-
C:\Windows\SysWOW64\Ploknb32.exeC:\Windows\system32\Ploknb32.exe83⤵PID:4324
-
C:\Windows\SysWOW64\Pcicklnn.exeC:\Windows\system32\Pcicklnn.exe84⤵PID:4084
-
C:\Windows\SysWOW64\Ppmcdq32.exeC:\Windows\system32\Ppmcdq32.exe85⤵PID:2436
-
C:\Windows\SysWOW64\Pgflqkdd.exeC:\Windows\system32\Pgflqkdd.exe86⤵PID:1500
-
C:\Windows\SysWOW64\Plcdiabk.exeC:\Windows\system32\Plcdiabk.exe87⤵PID:1488
-
C:\Windows\SysWOW64\Ppopjp32.exeC:\Windows\system32\Ppopjp32.exe88⤵PID:4964
-
C:\Windows\SysWOW64\Pgihfj32.exeC:\Windows\system32\Pgihfj32.exe89⤵PID:4784
-
C:\Windows\SysWOW64\Phjenbhp.exeC:\Windows\system32\Phjenbhp.exe90⤵PID:5028
-
C:\Windows\SysWOW64\Pcpikkge.exeC:\Windows\system32\Pcpikkge.exe91⤵
- System Location Discovery: System Language Discovery
PID:4972 -
C:\Windows\SysWOW64\Phlacbfm.exeC:\Windows\system32\Phlacbfm.exe92⤵PID:2272
-
C:\Windows\SysWOW64\Pofjpl32.exeC:\Windows\system32\Pofjpl32.exe93⤵
- Drops file in System32 directory
PID:1952 -
C:\Windows\SysWOW64\Qqffjo32.exeC:\Windows\system32\Qqffjo32.exe94⤵PID:1744
-
C:\Windows\SysWOW64\Qcdbfk32.exeC:\Windows\system32\Qcdbfk32.exe95⤵PID:1180
-
C:\Windows\SysWOW64\Acgolj32.exeC:\Windows\system32\Acgolj32.exe96⤵PID:5128
-
C:\Windows\SysWOW64\Ahchda32.exeC:\Windows\system32\Ahchda32.exe97⤵PID:5172
-
C:\Windows\SysWOW64\Amodep32.exeC:\Windows\system32\Amodep32.exe98⤵
- Modifies registry class
PID:5216 -
C:\Windows\SysWOW64\Aompak32.exeC:\Windows\system32\Aompak32.exe99⤵PID:5260
-
C:\Windows\SysWOW64\Ajcdnd32.exeC:\Windows\system32\Ajcdnd32.exe100⤵PID:5308
-
C:\Windows\SysWOW64\Ahfdjanb.exeC:\Windows\system32\Ahfdjanb.exe101⤵PID:5344
-
C:\Windows\SysWOW64\Aopmfk32.exeC:\Windows\system32\Aopmfk32.exe102⤵PID:5400
-
C:\Windows\SysWOW64\Ajeadd32.exeC:\Windows\system32\Ajeadd32.exe103⤵PID:5444
-
C:\Windows\SysWOW64\Aihaoqlp.exeC:\Windows\system32\Aihaoqlp.exe104⤵PID:5492
-
C:\Windows\SysWOW64\Acnemi32.exeC:\Windows\system32\Acnemi32.exe105⤵PID:5544
-
C:\Windows\SysWOW64\Agiamhdo.exeC:\Windows\system32\Agiamhdo.exe106⤵PID:5588
-
C:\Windows\SysWOW64\Aijnep32.exeC:\Windows\system32\Aijnep32.exe107⤵PID:5636
-
C:\Windows\SysWOW64\Aglnbhal.exeC:\Windows\system32\Aglnbhal.exe108⤵PID:5680
-
C:\Windows\SysWOW64\Bqdblmhl.exeC:\Windows\system32\Bqdblmhl.exe109⤵PID:5724
-
C:\Windows\SysWOW64\Bcbohigp.exeC:\Windows\system32\Bcbohigp.exe110⤵PID:5764
-
C:\Windows\SysWOW64\Bjlgdc32.exeC:\Windows\system32\Bjlgdc32.exe111⤵
- Modifies registry class
PID:5808 -
C:\Windows\SysWOW64\Boipmj32.exeC:\Windows\system32\Boipmj32.exe112⤵PID:5852
-
C:\Windows\SysWOW64\Bgpgng32.exeC:\Windows\system32\Bgpgng32.exe113⤵PID:5904
-
C:\Windows\SysWOW64\Biadeoce.exeC:\Windows\system32\Biadeoce.exe114⤵PID:5948
-
C:\Windows\SysWOW64\Bqilgmdg.exeC:\Windows\system32\Bqilgmdg.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5992 -
C:\Windows\SysWOW64\Bgbdcgld.exeC:\Windows\system32\Bgbdcgld.exe116⤵PID:6036
-
C:\Windows\SysWOW64\Bidqko32.exeC:\Windows\system32\Bidqko32.exe117⤵PID:6088
-
C:\Windows\SysWOW64\Bpnihiio.exeC:\Windows\system32\Bpnihiio.exe118⤵PID:6132
-
C:\Windows\SysWOW64\Bjcmebie.exeC:\Windows\system32\Bjcmebie.exe119⤵PID:5168
-
C:\Windows\SysWOW64\Bmbiamhi.exeC:\Windows\system32\Bmbiamhi.exe120⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5240 -
C:\Windows\SysWOW64\Bppfmigl.exeC:\Windows\system32\Bppfmigl.exe121⤵PID:5288
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-