Analysis
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system
submitted: 10-11-2024 00:53
Static task: static1

Behavioral task: behavioral1
Sample: 3c54673aa48a8fc74067c38f3b258e3c629193b8856a0070951737029240a2b0N.exe
Resource: win7-20240729-en

Behavioral task: behavioral2
Sample: 3c54673aa48a8fc74067c38f3b258e3c629193b8856a0070951737029240a2b0N.exe
Resource: win10v2004-20241007-en
General
Target: 3c54673aa48a8fc74067c38f3b258e3c629193b8856a0070951737029240a2b0N.exe
Size: 80KB
MD5: 424b472fb70d0fd14ef04eabe314c890
SHA1: f3299c45ad211ecefa8035ef89fef881d8b23682
SHA256: 3c54673aa48a8fc74067c38f3b258e3c629193b8856a0070951737029240a2b0
SHA512: 2f355934dd56a3a783dba2cd47f84baf933095317c8283edc233a7e192eddc3766dbe0f3ab8b34169ded92f2a473b6f4fd3621e4c48c26d487fc3c2d9f94d8c3
SSDEEP: 1536:eKbVZFtTzp5FeiH25POt1HzHOIjxccccccccccccccKJ2LzqJ9VqDlzVxyh+Cbx5:eKfp6iWgt1auMCzqJ9IDlRxyhTb7
Malware Config
Extracted family: berbew
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Processes:
Berbew family

Executes dropped EXE (64 IoCs)
Processes:
Loads dropped DLL (64 IoCs)
Processes:
Drops file in System32 directory (64 IoCs)
Processes:
Program crash (1 IoC)
Processes:
pid: 5520, pid_target: 5720, process: WerFault.exe, target process: Flnndp32.exe
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Modifies registry class (64 IoCs)
Processes:
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jacibm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kmaphmln.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpbhjh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lonlkcho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qjgjpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olqdoelc.dll" Amoibc32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3c54673aa48a8fc74067c38f3b258e3c629193b8856a0070951737029240a2b0N.exe  (command line: "C:\Users\Admin\AppData\Local\Temp\3c54673aa48a8fc74067c38f3b258e3c629193b8856a0070951737029240a2b0N.exe", depth 1)
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2184
C:\Windows\SysWOW64\Nhepoaif.exe  (command line: C:\Windows\system32\Nhepoaif.exe, depth 2)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2788
C:\Windows\SysWOW64\Noohlkpc.exe  (command line: C:\Windows\system32\Noohlkpc.exe, depth 3)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2836
C:\Windows\SysWOW64\Nnahgh32.exe  (command line: C:\Windows\system32\Nnahgh32.exe, depth 4)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2596
C:\Windows\SysWOW64\Ngjlpmnn.exe  (command line: C:\Windows\system32\Ngjlpmnn.exe, depth 5)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2576
C:\Windows\SysWOW64\Nqbaic32.exe  (command line: C:\Windows\system32\Nqbaic32.exe, depth 6)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3052
C:\Windows\SysWOW64\Ncamen32.exe  (command line: C:\Windows\system32\Ncamen32.exe, depth 7)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:276
C:\Windows\SysWOW64\Oepjoa32.exe  (command line: C:\Windows\system32\Oepjoa32.exe, depth 8)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2040
C:\Windows\SysWOW64\Ogofkm32.exe  (command line: C:\Windows\system32\Ogofkm32.exe, depth 9)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1140
C:\Windows\SysWOW64\Omlncc32.exe  (command line: C:\Windows\system32\Omlncc32.exe, depth 10)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2480
C:\Windows\SysWOW64\Ocefpnom.exe  (command line: C:\Windows\system32\Ocefpnom.exe, depth 11)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2644
C:\Windows\SysWOW64\Ojpomh32.exe  (command line: C:\Windows\system32\Ojpomh32.exe, depth 12)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2380
C:\Windows\SysWOW64\Omnkicen.exe  (command line: C:\Windows\system32\Omnkicen.exe, depth 13)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1876
C:\Windows\SysWOW64\Offpbi32.exe  (command line: C:\Windows\system32\Offpbi32.exe, depth 14)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:784
C:\Windows\SysWOW64\Oielnd32.exe  (command line: C:\Windows\system32\Oielnd32.exe, depth 15)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2196
C:\Windows\SysWOW64\Opodknco.exe  (command line: C:\Windows\system32\Opodknco.exe, depth 16)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2036
C:\Windows\SysWOW64\Ocjpkm32.exe  (command line: C:\Windows\system32\Ocjpkm32.exe, depth 17)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2052
C:\Windows\SysWOW64\Oleepo32.exe  (command line: C:\Windows\system32\Oleepo32.exe, depth 18)
- Executes dropped EXE
- Loads dropped DLL
PID:1304
C:\Windows\SysWOW64\Pndalkgf.exe  (command line: C:\Windows\system32\Pndalkgf.exe, depth 19)
- Executes dropped EXE
- Loads dropped DLL
PID:1752
C:\Windows\SysWOW64\Penihe32.exe  (command line: C:\Windows\system32\Penihe32.exe, depth 20)
- Executes dropped EXE
- Loads dropped DLL
PID:1804
C:\Windows\SysWOW64\Phledp32.exe  (command line: C:\Windows\system32\Phledp32.exe, depth 21)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1500
C:\Windows\SysWOW64\Pbajbi32.exe  (command line: C:\Windows\system32\Pbajbi32.exe, depth 22)
- Executes dropped EXE
- Loads dropped DLL
PID:1964
C:\Windows\SysWOW64\Pilbocej.exe  (command line: C:\Windows\system32\Pilbocej.exe, depth 23)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2488
C:\Windows\SysWOW64\Pjmnfk32.exe  (command line: C:\Windows\system32\Pjmnfk32.exe, depth 24)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2140
C:\Windows\SysWOW64\Paggce32.exe  (command line: C:\Windows\system32\Paggce32.exe, depth 25)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:708
C:\Windows\SysWOW64\Pllkpn32.exe  (command line: C:\Windows\system32\Pllkpn32.exe, depth 26)
- Executes dropped EXE
PID:2980
C:\Windows\SysWOW64\Pnkglj32.exe  (command line: C:\Windows\system32\Pnkglj32.exe, depth 27)
- Loads dropped DLL
PID:1548
C:\Windows\SysWOW64\Pdhpdq32.exe  (command line: C:\Windows\system32\Pdhpdq32.exe, depth 28)
- Executes dropped EXE
- Loads dropped DLL
PID:2572
C:\Windows\SysWOW64\Pjahakgb.exe  (command line: C:\Windows\system32\Pjahakgb.exe, depth 29)
- Executes dropped EXE
- Loads dropped DLL
PID:2640
C:\Windows\SysWOW64\Phehko32.exe  (command line: C:\Windows\system32\Phehko32.exe, depth 30)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2604
C:\Windows\SysWOW64\Qjddgj32.exe  (command line: C:\Windows\system32\Qjddgj32.exe, depth 31)
- Executes dropped EXE
- Loads dropped DLL
PID:1488
C:\Windows\SysWOW64\Qdlipplq.exe  (command line: C:\Windows\system32\Qdlipplq.exe, depth 32)
- Executes dropped EXE
- Loads dropped DLL
PID:3024
C:\Windows\SysWOW64\Qfkelkkd.exe  (command line: C:\Windows\system32\Qfkelkkd.exe, depth 33)
- Executes dropped EXE
- Loads dropped DLL
PID:2396
C:\Windows\SysWOW64\Qlgndbil.exe  (command line: C:\Windows\system32\Qlgndbil.exe, depth 34)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2376
C:\Windows\SysWOW64\Qdofep32.exe  (command line: C:\Windows\system32\Qdofep32.exe, depth 35)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:620
C:\Windows\SysWOW64\Apefjqob.exe  (command line: C:\Windows\system32\Apefjqob.exe, depth 36)
- Executes dropped EXE
PID:1952
C:\Windows\SysWOW64\Aohgfm32.exe  (command line: C:\Windows\system32\Aohgfm32.exe, depth 37)
- Executes dropped EXE
PID:2096
C:\Windows\SysWOW64\Afpogk32.exe  (command line: C:\Windows\system32\Afpogk32.exe, depth 38)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1416
C:\Windows\SysWOW64\Aphcppmo.exe  (command line: C:\Windows\system32\Aphcppmo.exe, depth 39)
- Executes dropped EXE
PID:1092
C:\Windows\SysWOW64\Aaipghcn.exe  (command line: C:\Windows\system32\Aaipghcn.exe, depth 40)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:264
C:\Windows\SysWOW64\Aipgifcp.exe  (command line: C:\Windows\system32\Aipgifcp.exe, depth 41)
- Executes dropped EXE
PID:1144
C:\Windows\SysWOW64\Aaklmhak.exe  (command line: C:\Windows\system32\Aaklmhak.exe, depth 42)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2340
C:\Windows\SysWOW64\Adjhicpo.exe  (command line: C:\Windows\system32\Adjhicpo.exe, depth 43)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2436
C:\Windows\SysWOW64\Ahedjb32.exe  (command line: C:\Windows\system32\Ahedjb32.exe, depth 44)
- Executes dropped EXE
- Drops file in System32 directory
PID:2260
C:\Windows\SysWOW64\Aanibhoh.exe  (command line: C:\Windows\system32\Aanibhoh.exe, depth 45)
- Executes dropped EXE
PID:304
C:\Windows\SysWOW64\Ahhaobfe.exe  (command line: C:\Windows\system32\Ahhaobfe.exe, depth 46)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1948
C:\Windows\SysWOW64\Akfnkmei.exe  (command line: C:\Windows\system32\Akfnkmei.exe, depth 47)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2344
C:\Windows\SysWOW64\Aoaill32.exe  (command line: C:\Windows\system32\Aoaill32.exe, depth 48)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3048
C:\Windows\SysWOW64\Andjgidl.exe  (command line: C:\Windows\system32\Andjgidl.exe, depth 49)
- Executes dropped EXE
PID:2996
C:\Windows\SysWOW64\Bdobdc32.exe  (command line: C:\Windows\system32\Bdobdc32.exe, depth 50)
- Executes dropped EXE
PID:2768
C:\Windows\SysWOW64\Bhjneadb.exe  (command line: C:\Windows\system32\Bhjneadb.exe, depth 51)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2688
C:\Windows\SysWOW64\Bgmnpn32.exe  (command line: C:\Windows\system32\Bgmnpn32.exe, depth 52)
- Executes dropped EXE
PID:2588
C:\Windows\SysWOW64\Bikjmj32.exe  (command line: C:\Windows\system32\Bikjmj32.exe, depth 53)
- Executes dropped EXE
- Modifies registry class
PID:2948
C:\Windows\SysWOW64\Babbng32.exe  (command line: C:\Windows\system32\Babbng32.exe, depth 54)
- Executes dropped EXE
PID:2324
C:\Windows\SysWOW64\Bdaojbjf.exe  (command line: C:\Windows\system32\Bdaojbjf.exe, depth 55)
- Executes dropped EXE
PID:640
C:\Windows\SysWOW64\Bccoeo32.exe  (command line: C:\Windows\system32\Bccoeo32.exe, depth 56)
- Executes dropped EXE
PID:1236
C:\Windows\SysWOW64\Bkkgfm32.exe  (command line: C:\Windows\system32\Bkkgfm32.exe, depth 57)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:348
C:\Windows\SysWOW64\Bnicbh32.exe  (command line: C:\Windows\system32\Bnicbh32.exe, depth 58)
- Executes dropped EXE
PID:1760
C:\Windows\SysWOW64\Bllcnega.exe  (command line: C:\Windows\system32\Bllcnega.exe, depth 59)
- Executes dropped EXE
- Drops file in System32 directory
PID:1708
C:\Windows\SysWOW64\Bdckobhd.exe  (command line: C:\Windows\system32\Bdckobhd.exe, depth 60)
- Executes dropped EXE
PID:2236
C:\Windows\SysWOW64\Bcflko32.exe  (command line: C:\Windows\system32\Bcflko32.exe, depth 61)
- Executes dropped EXE
PID:2424
C:\Windows\SysWOW64\Bedhgj32.exe  (command line: C:\Windows\system32\Bedhgj32.exe, depth 62)
- Executes dropped EXE
PID:852
C:\Windows\SysWOW64\Bnlphh32.exe  (command line: C:\Windows\system32\Bnlphh32.exe, depth 63)
- Executes dropped EXE
PID:1868
C:\Windows\SysWOW64\Blnpddeo.exe  (command line: C:\Windows\system32\Blnpddeo.exe, depth 64)
- Executes dropped EXE
PID:1660
C:\Windows\SysWOW64\Bomlppdb.exe  (command line: C:\Windows\system32\Bomlppdb.exe, depth 65)
- Executes dropped EXE
- Drops file in System32 directory
PID:1128
C:\Windows\SysWOW64\Bchhqo32.exe  (command line: C:\Windows\system32\Bchhqo32.exe, depth 66)
- Executes dropped EXE
PID:2932
C:\Windows\SysWOW64\Bfgdmjlp.exe  (command line: C:\Windows\system32\Bfgdmjlp.exe, depth 67)
PID:2832
C:\Windows\SysWOW64\Bjbqmi32.exe  (command line: C:\Windows\system32\Bjbqmi32.exe, depth 68)
PID:2892
C:\Windows\SysWOW64\Blqmid32.exe  (command line: C:\Windows\system32\Blqmid32.exe, depth 69)
PID:580
C:\Windows\SysWOW64\Bplijcle.exe  (command line: C:\Windows\system32\Bplijcle.exe, depth 70)
- System Location Discovery: System Language Discovery
PID:1916
C:\Windows\SysWOW64\Booiep32.exe  (command line: C:\Windows\system32\Booiep32.exe, depth 71)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2148
C:\Windows\SysWOW64\Bfiabjjm.exe  (command line: C:\Windows\system32\Bfiabjjm.exe, depth 72)
PID:2112
C:\Windows\SysWOW64\Bjembh32.exe  (command line: C:\Windows\system32\Bjembh32.exe, depth 73)
PID:2460
C:\Windows\SysWOW64\Chgnneiq.exe  (command line: C:\Windows\system32\Chgnneiq.exe, depth 74)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1884
C:\Windows\SysWOW64\Ckfjjqhd.exe  (command line: C:\Windows\system32\Ckfjjqhd.exe, depth 75)
PID:1004
C:\Windows\SysWOW64\Cbpbgk32.exe  (command line: C:\Windows\system32\Cbpbgk32.exe, depth 76)
PID:2532
C:\Windows\SysWOW64\Cfknhi32.exe  (command line: C:\Windows\system32\Cfknhi32.exe, depth 77)
PID:484
C:\Windows\SysWOW64\Chjjde32.exe  (command line: C:\Windows\system32\Chjjde32.exe, depth 78)
- Drops file in System32 directory
PID:1568
C:\Windows\SysWOW64\Clefdcog.exe  (command line: C:\Windows\system32\Clefdcog.exe, depth 79)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2228
C:\Windows\SysWOW64\Codbqonk.exe  (command line: C:\Windows\system32\Codbqonk.exe, depth 80)
- System Location Discovery: System Language Discovery
PID:2704
C:\Windows\SysWOW64\Cbbomjnn.exe  (command line: C:\Windows\system32\Cbbomjnn.exe, depth 81)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:684
C:\Windows\SysWOW64\Cdqkifmb.exe  (command line: C:\Windows\system32\Cdqkifmb.exe, depth 82)
PID:1060
C:\Windows\SysWOW64\Cgogealf.exe  (command line: C:\Windows\system32\Cgogealf.exe, depth 83)
PID:2160
C:\Windows\SysWOW64\Cbdkbjkl.exe  (command line: C:\Windows\system32\Cbdkbjkl.exe, depth 84)
- Modifies registry class
PID:808
C:\Windows\SysWOW64\Cdchneko.exe  (command line: C:\Windows\system32\Cdchneko.exe, depth 85)
PID:3008
C:\Windows\SysWOW64\Chocodch.exe  (command line: C:\Windows\system32\Chocodch.exe, depth 86)
PID:2372
C:\Windows\SysWOW64\Cjppfl32.exe  (command line: C:\Windows\system32\Cjppfl32.exe, depth 87)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2176
C:\Windows\SysWOW64\Cnklgkap.exe  (command line: C:\Windows\system32\Cnklgkap.exe, depth 88)
PID:1688
C:\Windows\SysWOW64\Cqjhcfpc.exe  (command line: C:\Windows\system32\Cqjhcfpc.exe, depth 89)
- Modifies registry class
PID:1768
C:\Windows\SysWOW64\Cchdpbog.exe  (command line: C:\Windows\system32\Cchdpbog.exe, depth 90)
PID:1084
C:\Windows\SysWOW64\Ckomqopi.exe  (command line: C:\Windows\system32\Ckomqopi.exe, depth 91)
- Modifies registry class
PID:2212
C:\Windows\SysWOW64\Cnnimkom.exe  (command line: C:\Windows\system32\Cnnimkom.exe, depth 92)
PID:976
C:\Windows\SysWOW64\Cqleifna.exe  (command line: C:\Windows\system32\Cqleifna.exe, depth 93)
PID:1748
C:\Windows\SysWOW64\Dcjaeamd.exe  (command line: C:\Windows\system32\Dcjaeamd.exe, depth 94)
PID:1912
C:\Windows\SysWOW64\Dfinam32.exe  (command line: C:\Windows\system32\Dfinam32.exe, depth 95)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1552
C:\Windows\SysWOW64\Dnpebj32.exe  (command line: C:\Windows\system32\Dnpebj32.exe, depth 96)
- System Location Discovery: System Language Discovery
PID:2728
C:\Windows\SysWOW64\Dqobnf32.exe  (command line: C:\Windows\system32\Dqobnf32.exe, depth 97)
PID:3020
C:\Windows\SysWOW64\Doabjbci.exe  (command line: C:\Windows\system32\Doabjbci.exe, depth 98)
PID:1700
C:\Windows\SysWOW64\Dghjkpck.exe  (command line: C:\Windows\system32\Dghjkpck.exe, depth 99)
PID:2856
C:\Windows\SysWOW64\Dfkjgm32.exe  (command line: C:\Windows\system32\Dfkjgm32.exe, depth 100)
PID:1872
C:\Windows\SysWOW64\Dijfch32.exe  (command line: C:\Windows\system32\Dijfch32.exe, depth 101)
PID:604
C:\Windows\SysWOW64\Dmebcgbb.exe  (command line: C:\Windows\system32\Dmebcgbb.exe, depth 102)
- Drops file in System32 directory
PID:2188
C:\Windows\SysWOW64\Docopbaf.exe  (command line: C:\Windows\system32\Docopbaf.exe, depth 103)
- Modifies registry class
PID:296
C:\Windows\SysWOW64\Dbbklnpj.exe  (command line: C:\Windows\system32\Dbbklnpj.exe, depth 104)
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2464
C:\Windows\SysWOW64\Dfngll32.exe  (command line: C:\Windows\system32\Dfngll32.exe, depth 105)
- System Location Discovery: System Language Discovery
PID:2544
C:\Windows\SysWOW64\Dilchhgg.exe  (command line: C:\Windows\system32\Dilchhgg.exe, depth 106)
PID:1852
C:\Windows\SysWOW64\Dkjpdcfj.exe  (command line: C:\Windows\system32\Dkjpdcfj.exe, depth 107)
PID:2624
C:\Windows\SysWOW64\Dpfkeb32.exe  (command line: C:\Windows\system32\Dpfkeb32.exe, depth 108)
- Drops file in System32 directory
PID:2608
C:\Windows\SysWOW64\Dbdham32.exe  (command line: C:\Windows\system32\Dbdham32.exe, depth 109)
PID:2940
C:\Windows\SysWOW64\Dfpcblfp.exe  (command line: C:\Windows\system32\Dfpcblfp.exe, depth 110)
PID:1172
C:\Windows\SysWOW64\Dmjlof32.exe  (command line: C:\Windows\system32\Dmjlof32.exe, depth 111)
- System Location Discovery: System Language Discovery
PID:2368
C:\Windows\SysWOW64\Dphhka32.exe  (command line: C:\Windows\system32\Dphhka32.exe, depth 112)
- Drops file in System32 directory
PID:1420
C:\Windows\SysWOW64\Dnkhfnck.exe  (command line: C:\Windows\system32\Dnkhfnck.exe, depth 113)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:812
C:\Windows\SysWOW64\Dfbqgldn.exe  (command line: C:\Windows\system32\Dfbqgldn.exe, depth 114)
PID:1696
C:\Windows\SysWOW64\Deeqch32.exe  (command line: C:\Windows\system32\Deeqch32.exe, depth 115)
PID:588
C:\Windows\SysWOW64\Eloipb32.exe  (command line: C:\Windows\system32\Eloipb32.exe, depth 116)
- Modifies registry class
PID:1380
C:\Windows\SysWOW64\Enneln32.exe  (command line: C:\Windows\system32\Enneln32.exe, depth 117)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3036
C:\Windows\SysWOW64\Ebialmjb.exe  (command line: C:\Windows\system32\Ebialmjb.exe, depth 118)
PID:2840
C:\Windows\SysWOW64\Eegmhhie.exe  (command line: C:\Windows\system32\Eegmhhie.exe, depth 119)
PID:2872
C:\Windows\SysWOW64\Egfjdchi.exe  (command line: C:\Windows\system32\Egfjdchi.exe, depth 120)
- Drops file in System32 directory
PID:2864
C:\Windows\SysWOW64\Ejdfqogm.exe  (command line: C:\Windows\system32\Ejdfqogm.exe, depth 121)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1056
C:\Windows\SysWOW64\Ebknblho.exe  (command line: C:\Windows\system32\Ebknblho.exe, depth 122)
PID:920