Analysis
-
max time kernel
119s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
10-11-2024 00:53
Static task
static1
Behavioral task
behavioral1
Sample
4d6eef302a970362c46c4a0dcbc1c1a33631c8528f2a99ee5e4302b683f45620N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
4d6eef302a970362c46c4a0dcbc1c1a33631c8528f2a99ee5e4302b683f45620N.exe
Resource
win10v2004-20241007-en
General
-
Target
4d6eef302a970362c46c4a0dcbc1c1a33631c8528f2a99ee5e4302b683f45620N.exe
-
Size
64KB
-
MD5
5432fff48502202a48998795abaa2610
-
SHA1
cad313062688d57a9d94396771ca109a75e74eb7
-
SHA256
4d6eef302a970362c46c4a0dcbc1c1a33631c8528f2a99ee5e4302b683f45620
-
SHA512
c49a48595968375c113ba2bc8f1573c038294b3c3bb0cbbe7ac1dbe43f92aebad7847e0e073ac5e76af3ac7d2cb7d5eb19c67ac2da4d4cf22b72051e025c512f
-
SSDEEP
768:qri02mD9Bjxv0yvbArCbY5N5wEpXBKUGhKF7DTMPr42H/1H5O6XJ1IwEGp9Thfz6:Q9jTbAmbM7rxOnRXUwXfzwv
Malware Config
Extracted
berbew
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Nqjaeeog.exeCkeqga32.exeOimmjffj.exeEfljhq32.exeLpqlemaj.exeIiqldc32.exeJjnhhjjk.exeDppigchi.exeHcgmfgfd.exeKcginj32.exeEdlafebn.exeLlgljn32.exeFmdbnnlj.exeHjmlhbbg.exeIgceej32.exeJggoqimd.exeEkfpmf32.exeMloiec32.exeNnnbni32.exeBlinefnd.exeJfmkbebl.exeIclbpj32.exeJapciodd.exeEgmabg32.exeIjibng32.exeIbfmmb32.exeIjphofem.exeEmoldlmc.exeBdhleh32.exeGlbaei32.exeGfnjne32.exeOajndh32.exeBfabnl32.exeCmppehkh.exeFgjjad32.exeEphbal32.exeHghillnd.exeNdcapd32.exeAgglbp32.exeGiaidnkf.exeIfbphh32.exeGcedad32.exeHkjkle32.exeBkbdabog.exeJfgebjnm.exeKkpqlm32.exeApkgpf32.exeBnlgbnbp.exeHdecea32.exeIahceq32.exeFcqjfeja.exeJnagmc32.exeJpajbl32.exeKbpbmkan.exeOjbbmnhc.exeFdkmeiei.exeJgjkfi32.exeLkggmldl.exeLkicbk32.exeNmflee32.exeGgfpgi32.exeGnbejb32.exedescription ioc process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqjaeeog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckeqga32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oimmjffj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efljhq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpqlemaj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iiqldc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjnhhjjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dppigchi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcgmfgfd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcginj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edlafebn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llgljn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmdbnnlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjmlhbbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igceej32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jggoqimd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekfpmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mloiec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnnbni32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blinefnd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfmkbebl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iclbpj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Japciodd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egmabg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijibng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibfmmb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijphofem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emoldlmc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdhleh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glbaei32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfnjne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nqjaeeog.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oajndh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfabnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmppehkh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgjjad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ephbal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hghillnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndcapd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agglbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Giaidnkf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifbphh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcedad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkjkle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkbdabog.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfgebjnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkpqlm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apkgpf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnlgbnbp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdecea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iahceq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcqjfeja.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnagmc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpajbl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbpbmkan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojbbmnhc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdkmeiei.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgjkfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iiqldc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkggmldl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkicbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmflee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggfpgi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnbejb32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Eanldqgf.exeElcpbigl.exeEkfpmf32.exeEgmabg32.exeEmgioakg.exeEhlmljkm.exeEkkjheja.exeEphbal32.exeEdcnakpa.exeEipgjaoi.exeFmlbjq32.exeFdekgjno.exeFchkbg32.exeFmnopp32.exeFoolgh32.exeFeiddbbj.exeFhgppnan.exeFcmdnfad.exeFelajbpg.exeFhjmfnok.exeFkhibino.exeFabaocfl.exeFennoa32.exeFlhflleb.exeFofbhgde.exeFepjea32.exeGgagmjbq.exeGagkjbaf.exeGpjkeoha.exeGjbpne32.exeGnnlocgk.exeGckdgjeb.exeGgfpgi32.exeGjdldd32.exeGdjqamme.exeGghmmilh.exeGnbejb32.exeGconbj32.exeGfnjne32.exeGhlfjq32.exeHcajhi32.exeHfpfdeon.exeHinbppna.exeHdecea32.exeHiqoeplo.exeHfepod32.exeHegpjaac.exeHiclkp32.exeHgflflqg.exeHnpdcf32.exeHbkqdepm.exeHejmpqop.exeHghillnd.exeHjgehgnh.exeHnbaif32.exeHeliepmn.exeHcojam32.exeIkfbbjdj.exeIjibng32.exeIacjjacb.exeIeofkp32.exeIcafgmbe.exeIgmbgk32.exeIjkocg32.exepid process 2816 Eanldqgf.exe 2752 Elcpbigl.exe 2720 Ekfpmf32.exe 2628 Egmabg32.exe 2328 Emgioakg.exe 1536 Ehlmljkm.exe 2900 Ekkjheja.exe 836 Ephbal32.exe 1736 Edcnakpa.exe 2064 Eipgjaoi.exe 584 Fmlbjq32.exe 552 Fdekgjno.exe 2944 Fchkbg32.exe 2212 Fmnopp32.exe 1416 Foolgh32.exe 1436 Feiddbbj.exe 980 Fhgppnan.exe 900 Fcmdnfad.exe 956 Felajbpg.exe 1380 Fhjmfnok.exe 1708 Fkhibino.exe 2152 Fabaocfl.exe 1732 Fennoa32.exe 3032 Flhflleb.exe 2712 Fofbhgde.exe 2732 Fepjea32.exe 1704 Ggagmjbq.exe 2608 Gagkjbaf.exe 1124 Gpjkeoha.exe 1544 Gjbpne32.exe 2652 Gnnlocgk.exe 2356 Gckdgjeb.exe 2032 Ggfpgi32.exe 1036 Gjdldd32.exe 2536 Gdjqamme.exe 2740 Gghmmilh.exe 1088 Gnbejb32.exe 1876 Gconbj32.exe 764 Gfnjne32.exe 1212 Ghlfjq32.exe 2532 Hcajhi32.exe 960 Hfpfdeon.exe 1748 Hinbppna.exe 1688 Hdecea32.exe 2080 Hiqoeplo.exe 1788 Hfepod32.exe 2592 Hegpjaac.exe 2644 Hiclkp32.exe 2604 Hgflflqg.exe 2612 Hnpdcf32.exe 1800 Hbkqdepm.exe 3016 Hejmpqop.exe 2860 Hghillnd.exe 1420 Hjgehgnh.exe 288 Hnbaif32.exe 2072 Heliepmn.exe 1892 Hcojam32.exe 1668 Ikfbbjdj.exe 1816 Ijibng32.exe 1604 Iacjjacb.exe 1072 Ieofkp32.exe 2952 Icafgmbe.exe 2448 Igmbgk32.exe 1692 Ijkocg32.exe -
Loads dropped DLL 64 IoCs
Processes:
4d6eef302a970362c46c4a0dcbc1c1a33631c8528f2a99ee5e4302b683f45620N.exeEanldqgf.exeElcpbigl.exeEkfpmf32.exeEgmabg32.exeEmgioakg.exeEhlmljkm.exeEkkjheja.exeEphbal32.exeEdcnakpa.exeEipgjaoi.exeFmlbjq32.exeFdekgjno.exeFchkbg32.exeFmnopp32.exeFoolgh32.exeFeiddbbj.exeFhgppnan.exeFcmdnfad.exeFelajbpg.exeFhjmfnok.exeFkhibino.exeFabaocfl.exeFennoa32.exeFlhflleb.exeFofbhgde.exeFepjea32.exeGgagmjbq.exeGagkjbaf.exeGpjkeoha.exeGjbpne32.exeGnnlocgk.exepid process 2704 4d6eef302a970362c46c4a0dcbc1c1a33631c8528f2a99ee5e4302b683f45620N.exe 2704 4d6eef302a970362c46c4a0dcbc1c1a33631c8528f2a99ee5e4302b683f45620N.exe 2816 Eanldqgf.exe 2816 Eanldqgf.exe 2752 Elcpbigl.exe 2752 Elcpbigl.exe 2720 Ekfpmf32.exe 2720 Ekfpmf32.exe 2628 Egmabg32.exe 2628 Egmabg32.exe 2328 Emgioakg.exe 2328 Emgioakg.exe 1536 Ehlmljkm.exe 1536 Ehlmljkm.exe 2900 Ekkjheja.exe 2900 Ekkjheja.exe 836 Ephbal32.exe 836 Ephbal32.exe 1736 Edcnakpa.exe 1736 Edcnakpa.exe 2064 Eipgjaoi.exe 2064 Eipgjaoi.exe 584 Fmlbjq32.exe 584 Fmlbjq32.exe 552 Fdekgjno.exe 552 Fdekgjno.exe 2944 Fchkbg32.exe 2944 Fchkbg32.exe 2212 Fmnopp32.exe 2212 Fmnopp32.exe 1416 Foolgh32.exe 1416 Foolgh32.exe 1436 Feiddbbj.exe 1436 Feiddbbj.exe 980 Fhgppnan.exe 980 Fhgppnan.exe 900 Fcmdnfad.exe 900 Fcmdnfad.exe 956 Felajbpg.exe 956 Felajbpg.exe 1380 Fhjmfnok.exe 1380 Fhjmfnok.exe 1708 Fkhibino.exe 1708 Fkhibino.exe 2152 Fabaocfl.exe 2152 Fabaocfl.exe 1732 Fennoa32.exe 1732 Fennoa32.exe 3032 Flhflleb.exe 3032 Flhflleb.exe 2712 Fofbhgde.exe 2712 Fofbhgde.exe 2732 Fepjea32.exe 2732 Fepjea32.exe 1704 Ggagmjbq.exe 1704 Ggagmjbq.exe 2608 Gagkjbaf.exe 2608 Gagkjbaf.exe 1124 Gpjkeoha.exe 1124 Gpjkeoha.exe 1544 Gjbpne32.exe 1544 Gjbpne32.exe 2652 Gnnlocgk.exe 2652 Gnnlocgk.exe -
Drops file in System32 directory 64 IoCs
Processes:
Ichmgl32.exeLkggmldl.exeQbnphngk.exeAlageg32.exeDaaenlng.exeDeondj32.exeEhlmljkm.exeGajqbakc.exeLcadghnk.exeFkefbcmf.exeIjnkifgp.exeLfbdci32.exePpddpd32.exePmmneg32.exeCehhdkjf.exeEihjolae.exeIjaaae32.exeHghillnd.exeLpnopm32.exeJapciodd.exeMobomnoq.exeJabponba.exeKkmmlgik.exeIfbphh32.exePlpopddd.exeEfljhq32.exeInhdgdmk.exeGnnlocgk.exeJbnjhh32.exeMopbgn32.exeDmkcil32.exeGiaidnkf.exeIogpag32.exeKenhopmf.exeFhgppnan.exeIkfbbjdj.exeJmlddeio.exeOejcpf32.exeEdidqf32.exeHgciff32.exeHjcaha32.exeJpgmpk32.exeFchkbg32.exeKbmfgk32.exeAjckilei.exeIediin32.exeJbhebfck.exeJbpfnh32.exeLncfcgeb.exeOjbbmnhc.exeFpbnjjkm.exeGnfkba32.exeKablnadm.exeHjgehgnh.exeIjphofem.exeKkpqlm32.exeOiafee32.exeElgfkhpi.exeGdnfjl32.exeFofbhgde.exeDeakjjbk.exedescription ioc process File created C:\Windows\SysWOW64\Jhndmp32.dll Ichmgl32.exe File created C:\Windows\SysWOW64\Lnecigcp.exe Lkggmldl.exe File opened for modification C:\Windows\SysWOW64\Qaapcj32.exe Qbnphngk.exe File created C:\Windows\SysWOW64\Jkcfefdg.dll Qbnphngk.exe File created C:\Windows\SysWOW64\Apmcefmf.exe Alageg32.exe File created C:\Windows\SysWOW64\Dihmpinj.exe Daaenlng.exe File created C:\Windows\SysWOW64\Jjfkgcdc.dll Deondj32.exe File created C:\Windows\SysWOW64\Gimfed32.dll Ehlmljkm.exe File created C:\Windows\SysWOW64\Hnbbcale.dll Gajqbakc.exe File opened for modification C:\Windows\SysWOW64\Lepaccmo.exe Lcadghnk.exe File opened for modification C:\Windows\SysWOW64\Fmdbnnlj.exe Fkefbcmf.exe File created C:\Windows\SysWOW64\Ecqgacgg.dll Ijnkifgp.exe File created C:\Windows\SysWOW64\Ljnqdhga.exe Lfbdci32.exe File created C:\Windows\SysWOW64\Jnpojnle.dll Ppddpd32.exe File created C:\Windows\SysWOW64\Egnpaigk.dll Pmmneg32.exe File created C:\Windows\SysWOW64\Cmppehkh.exe Cehhdkjf.exe File created C:\Windows\SysWOW64\Elgfkhpi.exe Eihjolae.exe File created C:\Windows\SysWOW64\Npneccok.dll Ijaaae32.exe File opened for modification C:\Windows\SysWOW64\Hjgehgnh.exe Hghillnd.exe File opened for modification C:\Windows\SysWOW64\Lcmklh32.exe Lpnopm32.exe File created C:\Windows\SysWOW64\Omfpmb32.dll Japciodd.exe File created C:\Windows\SysWOW64\Ofglaipf.dll Mobomnoq.exe File opened for modification C:\Windows\SysWOW64\Jpepkk32.exe Jabponba.exe File opened for modification C:\Windows\SysWOW64\Kipmhc32.exe Kkmmlgik.exe File created C:\Windows\SysWOW64\Ijnkifgp.exe Ifbphh32.exe File created C:\Windows\SysWOW64\Hjgehgnh.exe Hghillnd.exe File opened for modification C:\Windows\SysWOW64\Ponklpcg.exe Plpopddd.exe File opened for modification C:\Windows\SysWOW64\Eikfdl32.exe Efljhq32.exe File opened for modification C:\Windows\SysWOW64\Ibcphc32.exe Inhdgdmk.exe File created C:\Windows\SysWOW64\Gckdgjeb.exe Gnnlocgk.exe File opened for modification C:\Windows\SysWOW64\Jelfdc32.exe Jbnjhh32.exe File created C:\Windows\SysWOW64\Mfjkdh32.exe Mopbgn32.exe File created C:\Windows\SysWOW64\Deakjjbk.exe Dmkcil32.exe File opened for modification C:\Windows\SysWOW64\Ghdiokbq.exe Giaidnkf.exe File created C:\Windows\SysWOW64\Ibfmmb32.exe Iogpag32.exe File created C:\Windows\SysWOW64\Eghoka32.dll Kenhopmf.exe File opened for modification C:\Windows\SysWOW64\Fcmdnfad.exe Fhgppnan.exe File opened for modification C:\Windows\SysWOW64\Ijibng32.exe Ikfbbjdj.exe File created C:\Windows\SysWOW64\Jlnjjadh.dll Jmlddeio.exe File created C:\Windows\SysWOW64\Acfdii32.dll Oejcpf32.exe File created C:\Windows\SysWOW64\Efhqmadd.exe Edidqf32.exe File opened for modification C:\Windows\SysWOW64\Hnmacpfj.exe Hgciff32.exe File opened for modification C:\Windows\SysWOW64\Hmbndmkb.exe Hjcaha32.exe File created C:\Windows\SysWOW64\Jbfilffm.exe Jpgmpk32.exe File created C:\Windows\SysWOW64\Fmnopp32.exe Fchkbg32.exe File created C:\Windows\SysWOW64\Njjkajop.dll Kbmfgk32.exe File opened for modification C:\Windows\SysWOW64\Alageg32.exe Ajckilei.exe File created C:\Windows\SysWOW64\Iipejmko.exe Iediin32.exe File created C:\Windows\SysWOW64\Jefbnacn.exe Jbhebfck.exe File opened for modification C:\Windows\SysWOW64\Jacfidem.exe Jbpfnh32.exe File created C:\Windows\SysWOW64\Lpabpcdf.exe Lncfcgeb.exe File opened for modification C:\Windows\SysWOW64\Objjnkie.exe Ojbbmnhc.exe File opened for modification C:\Windows\SysWOW64\Fcqjfeja.exe Fpbnjjkm.exe File created C:\Windows\SysWOW64\Gaagcpdl.exe Gnfkba32.exe File created C:\Windows\SysWOW64\Jpnghhmn.dll Kablnadm.exe File opened for modification C:\Windows\SysWOW64\Hnbaif32.exe Hjgehgnh.exe File created C:\Windows\SysWOW64\Jlnaae32.dll Ijphofem.exe File created C:\Windows\SysWOW64\Jmgfca32.dll Kkpqlm32.exe File created C:\Windows\SysWOW64\Hbfchh32.dll Oiafee32.exe File created C:\Windows\SysWOW64\Epbbkf32.exe Elgfkhpi.exe File created C:\Windows\SysWOW64\Gglbfg32.exe Gdnfjl32.exe File created C:\Windows\SysWOW64\Kndccd32.dll Fofbhgde.exe File created C:\Windows\SysWOW64\Odmckcmq.exe Oejcpf32.exe File created C:\Windows\SysWOW64\Dcdkef32.exe Deakjjbk.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 6116 4340 WerFault.exe Lepaccmo.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Elcpbigl.exeFepjea32.exeHeliepmn.exeQmhahkdj.exeHcjilgdb.exeHinbppna.exeLljpjchg.exeMdadjd32.exeDihmpinj.exeEmaijk32.exeFmohco32.exeGhdiokbq.exeHqnjek32.exeImbjcpnn.exeGfnjne32.exeHcajhi32.exeLegaoehg.exeFofbhgde.exeApkgpf32.exeBogjaamh.exeDjocbqpb.exeFbegbacp.exeHnmacpfj.exeLifcib32.exeNnnbni32.exeKlhgfq32.exeNpbklabl.exeDcghkf32.exeHklhae32.exeJacfidem.exeNdcapd32.exeAclpaali.exeCiokijfd.exeCehhdkjf.exeHfhfhbce.exeImodkadq.exeInbnhihl.exeKajiigba.exeObeacl32.exeEbqngb32.exeHfjbmb32.exeJplfkjbd.exeKambcbhb.exeKbpbmkan.exeKcginj32.exeOmckoi32.exeEjaphpnp.exeKekkiq32.exeHcojam32.exeJpajbl32.exeKhadpa32.exeDfhdnn32.exeLcmklh32.exeEbckmaec.exeGnbejb32.exeJlkglm32.exeLdmopa32.exeNijpdfhm.exeQhilkege.exeJnmiag32.exeFennoa32.exeJfgebjnm.exeDaaenlng.exeFglfgd32.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elcpbigl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fepjea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Heliepmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmhahkdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcjilgdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hinbppna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lljpjchg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdadjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dihmpinj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emaijk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmohco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghdiokbq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqnjek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imbjcpnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfnjne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcajhi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Legaoehg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fofbhgde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apkgpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bogjaamh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djocbqpb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbegbacp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnmacpfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lifcib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnnbni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klhgfq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npbklabl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcghkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hklhae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jacfidem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndcapd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aclpaali.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ciokijfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cehhdkjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfhfhbce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imodkadq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inbnhihl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kajiigba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obeacl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebqngb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfjbmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jplfkjbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kambcbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbpbmkan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcginj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omckoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejaphpnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kekkiq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcojam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpajbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khadpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfhdnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcmklh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebckmaec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnbejb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlkglm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldmopa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nijpdfhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhilkege.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnmiag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fennoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfgebjnm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Daaenlng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fglfgd32.exe -
Modifies registry class 64 IoCs
Processes:
Ppddpd32.exeEknpadcn.exeLpqlemaj.exeOlkifaen.exeEjcmmp32.exeLghgmg32.exeFdekgjno.exeGconbj32.exeIjkocg32.exeKenoifpb.exeCncmcm32.exeCmppehkh.exeDihmpinj.exeEfljhq32.exeFhgppnan.exeKipmhc32.exeFabaocfl.exeMopbgn32.exeNggggoda.exeQejpoi32.exeDppigchi.exeDgknkf32.exeLiipnb32.exeEphbal32.exeLonibk32.exeJbbccgmp.exeJlhkgm32.exeQlfdac32.exeImggplgm.exeIiqldc32.exePopgboae.exeGcjmmdbf.exeJpgmpk32.exeEgmabg32.exeLkjmfjmi.exeIbfmmb32.exeLkdjglfo.exeNflchkii.exePioeoi32.exeFahhnn32.exeGaagcpdl.exeHfjbmb32.exeAphjjf32.exeBdhleh32.exeHjohmbpd.exeHjcaha32.exeLdokfakl.exeNcinap32.exeCmfmojcb.exeColpld32.exeDmkcil32.exeEdidqf32.exeIediin32.exeJmnqje32.exeInbnhihl.exeObjjnkie.exePhklaacg.exePbgjgomc.exePfbfhm32.exeQhilkege.exeQmhahkdj.exeHgflflqg.exeEjaphpnp.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppddpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhcihn32.dll" Eknpadcn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpqlemaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Olkifaen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejcmmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkeeihpg.dll" Lghgmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdekgjno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecnlcm32.dll" Gconbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijkocg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kenoifpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oieqmphd.dll" Cncmcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnmjop32.dll" Cmppehkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dihmpinj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efljhq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhgppnan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlflfm32.dll" Kipmhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpgka32.dll" Fabaocfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oijoclhk.dll" Mopbgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocamldcp.dll" Nggggoda.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qejpoi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dppigchi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgknkf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Liipnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ephbal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knpbpo32.dll" Lonibk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbbccgmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jlhkgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mehoblpm.dll" Qlfdac32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Imggplgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iiqldc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Popgboae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gcjmmdbf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpgmpk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Egmabg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhdikdfj.dll" Lkjmfjmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldeiojhn.dll" Ibfmmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Noockemb.dll" Lkdjglfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nflchkii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pioeoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fahhnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gaagcpdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chpmbe32.dll" Hfjbmb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdekgjno.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aphjjf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdhleh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjohmbpd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjcaha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omgfflgg.dll" Ldokfakl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncinap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cmfmojcb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Colpld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnokbe32.dll" Dmkcil32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Edidqf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iediin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmnqje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maadfi32.dll" Inbnhihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Objjnkie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnkpfm32.dll" Phklaacg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pbgjgomc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okmjae32.dll" Pfbfhm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qhilkege.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qmhahkdj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hgflflqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhnhab32.dll" Ejaphpnp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
4d6eef302a970362c46c4a0dcbc1c1a33631c8528f2a99ee5e4302b683f45620N.exeEanldqgf.exeElcpbigl.exeEkfpmf32.exeEgmabg32.exeEmgioakg.exeEhlmljkm.exeEkkjheja.exeEphbal32.exeEdcnakpa.exeEipgjaoi.exeFmlbjq32.exeFdekgjno.exeFchkbg32.exeFmnopp32.exeFoolgh32.exedescription pid process target process PID 2704 wrote to memory of 2816 2704 4d6eef302a970362c46c4a0dcbc1c1a33631c8528f2a99ee5e4302b683f45620N.exe Eanldqgf.exe PID 2704 wrote to memory of 2816 2704 4d6eef302a970362c46c4a0dcbc1c1a33631c8528f2a99ee5e4302b683f45620N.exe Eanldqgf.exe PID 2704 wrote to memory of 2816 2704 4d6eef302a970362c46c4a0dcbc1c1a33631c8528f2a99ee5e4302b683f45620N.exe Eanldqgf.exe PID 2704 wrote to memory of 2816 2704 4d6eef302a970362c46c4a0dcbc1c1a33631c8528f2a99ee5e4302b683f45620N.exe Eanldqgf.exe PID 2816 wrote to memory of 2752 2816 Eanldqgf.exe Elcpbigl.exe PID 2816 wrote to memory of 2752 2816 Eanldqgf.exe Elcpbigl.exe PID 2816 wrote to memory of 2752 2816 Eanldqgf.exe Elcpbigl.exe PID 2816 wrote to memory of 2752 2816 Eanldqgf.exe Elcpbigl.exe PID 2752 wrote to memory of 2720 2752 Elcpbigl.exe Ekfpmf32.exe PID 2752 wrote to memory of 2720 2752 Elcpbigl.exe Ekfpmf32.exe PID 2752 wrote to memory of 2720 2752 Elcpbigl.exe Ekfpmf32.exe PID 2752 wrote to memory of 2720 2752 Elcpbigl.exe Ekfpmf32.exe PID 2720 wrote to memory of 2628 2720 Ekfpmf32.exe Egmabg32.exe PID 2720 wrote to memory of 2628 2720 Ekfpmf32.exe Egmabg32.exe PID 2720 wrote to memory of 2628 2720 Ekfpmf32.exe Egmabg32.exe PID 2720 wrote to memory of 2628 2720 Ekfpmf32.exe Egmabg32.exe PID 2628 wrote to memory of 2328 2628 Egmabg32.exe Emgioakg.exe PID 2628 wrote to memory of 2328 2628 Egmabg32.exe Emgioakg.exe PID 2628 wrote to memory of 2328 2628 Egmabg32.exe Emgioakg.exe PID 2628 wrote to memory of 2328 2628 Egmabg32.exe Emgioakg.exe PID 2328 wrote to memory of 1536 2328 Emgioakg.exe Ehlmljkm.exe PID 2328 wrote to memory of 1536 2328 Emgioakg.exe Ehlmljkm.exe PID 2328 wrote to memory of 1536 2328 Emgioakg.exe Ehlmljkm.exe PID 2328 wrote to memory of 1536 2328 Emgioakg.exe Ehlmljkm.exe PID 1536 wrote to memory of 2900 1536 Ehlmljkm.exe Ekkjheja.exe PID 1536 wrote to memory of 2900 1536 Ehlmljkm.exe Ekkjheja.exe PID 1536 wrote to memory of 2900 1536 Ehlmljkm.exe Ekkjheja.exe PID 1536 wrote to memory of 2900 1536 Ehlmljkm.exe Ekkjheja.exe PID 2900 wrote to memory of 836 2900 Ekkjheja.exe Ephbal32.exe PID 2900 wrote to memory of 836 2900 Ekkjheja.exe Ephbal32.exe PID 2900 wrote to memory of 836 2900 Ekkjheja.exe Ephbal32.exe PID 2900 wrote to memory of 836 2900 Ekkjheja.exe Ephbal32.exe PID 836 wrote to memory of 1736 836 Ephbal32.exe Edcnakpa.exe PID 836 wrote to memory of 1736 836 Ephbal32.exe Edcnakpa.exe PID 836 wrote to memory of 1736 836 Ephbal32.exe Edcnakpa.exe PID 836 wrote to memory of 1736 836 Ephbal32.exe Edcnakpa.exe PID 1736 wrote to memory of 2064 1736 Edcnakpa.exe Eipgjaoi.exe PID 1736 wrote to memory of 2064 1736 Edcnakpa.exe Eipgjaoi.exe PID 1736 wrote to memory of 2064 1736 Edcnakpa.exe Eipgjaoi.exe PID 1736 wrote to memory of 2064 1736 Edcnakpa.exe Eipgjaoi.exe PID 2064 wrote to memory of 584 2064 Eipgjaoi.exe Fmlbjq32.exe PID 2064 wrote to memory of 584 2064 Eipgjaoi.exe Fmlbjq32.exe PID 2064 wrote to memory of 584 2064 Eipgjaoi.exe Fmlbjq32.exe PID 2064 wrote to memory of 584 2064 Eipgjaoi.exe Fmlbjq32.exe PID 584 wrote to memory of 552 584 Fmlbjq32.exe Fdekgjno.exe PID 584 wrote to memory of 552 584 Fmlbjq32.exe Fdekgjno.exe PID 584 wrote to memory of 552 584 Fmlbjq32.exe Fdekgjno.exe PID 584 wrote to memory of 552 584 Fmlbjq32.exe Fdekgjno.exe PID 552 wrote to memory of 2944 552 Fdekgjno.exe Fchkbg32.exe PID 552 wrote to memory of 2944 552 Fdekgjno.exe Fchkbg32.exe PID 552 wrote to memory of 2944 552 Fdekgjno.exe Fchkbg32.exe PID 552 wrote to memory of 2944 552 Fdekgjno.exe Fchkbg32.exe PID 2944 wrote to memory of 2212 2944 Fchkbg32.exe Fmnopp32.exe PID 2944 wrote to memory of 2212 2944 Fchkbg32.exe Fmnopp32.exe PID 2944 wrote to memory of 2212 2944 Fchkbg32.exe Fmnopp32.exe PID 2944 wrote to memory of 2212 2944 Fchkbg32.exe Fmnopp32.exe PID 2212 wrote to memory of 1416 2212 Fmnopp32.exe Foolgh32.exe PID 2212 wrote to memory of 1416 2212 Fmnopp32.exe Foolgh32.exe PID 2212 wrote to memory of 1416 2212 Fmnopp32.exe Foolgh32.exe PID 2212 wrote to memory of 1416 2212 Fmnopp32.exe Foolgh32.exe PID 1416 wrote to memory of 1436 1416 Foolgh32.exe Feiddbbj.exe PID 1416 wrote to memory of 1436 1416 Foolgh32.exe Feiddbbj.exe PID 1416 wrote to memory of 1436 1416 Foolgh32.exe Feiddbbj.exe PID 1416 wrote to memory of 1436 1416 Foolgh32.exe Feiddbbj.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\4d6eef302a970362c46c4a0dcbc1c1a33631c8528f2a99ee5e4302b683f45620N.exe"C:\Users\Admin\AppData\Local\Temp\4d6eef302a970362c46c4a0dcbc1c1a33631c8528f2a99ee5e4302b683f45620N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Eanldqgf.exeC:\Windows\system32\Eanldqgf.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Elcpbigl.exeC:\Windows\system32\Elcpbigl.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Ekfpmf32.exeC:\Windows\system32\Ekfpmf32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Egmabg32.exeC:\Windows\system32\Egmabg32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Emgioakg.exeC:\Windows\system32\Emgioakg.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Windows\SysWOW64\Ehlmljkm.exeC:\Windows\system32\Ehlmljkm.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1536 -
C:\Windows\SysWOW64\Ekkjheja.exeC:\Windows\system32\Ekkjheja.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Ephbal32.exeC:\Windows\system32\Ephbal32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:836 -
C:\Windows\SysWOW64\Edcnakpa.exeC:\Windows\system32\Edcnakpa.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1736 -
C:\Windows\SysWOW64\Eipgjaoi.exeC:\Windows\system32\Eipgjaoi.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Windows\SysWOW64\Fmlbjq32.exeC:\Windows\system32\Fmlbjq32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:584 -
C:\Windows\SysWOW64\Fdekgjno.exeC:\Windows\system32\Fdekgjno.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:552 -
C:\Windows\SysWOW64\Fchkbg32.exeC:\Windows\system32\Fchkbg32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\Fmnopp32.exeC:\Windows\system32\Fmnopp32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\SysWOW64\Foolgh32.exeC:\Windows\system32\Foolgh32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1416 -
C:\Windows\SysWOW64\Feiddbbj.exeC:\Windows\system32\Feiddbbj.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1436 -
C:\Windows\SysWOW64\Fhgppnan.exeC:\Windows\system32\Fhgppnan.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:980 -
C:\Windows\SysWOW64\Fcmdnfad.exeC:\Windows\system32\Fcmdnfad.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:900 -
C:\Windows\SysWOW64\Felajbpg.exeC:\Windows\system32\Felajbpg.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:956 -
C:\Windows\SysWOW64\Fhjmfnok.exeC:\Windows\system32\Fhjmfnok.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1380 -
C:\Windows\SysWOW64\Fkhibino.exeC:\Windows\system32\Fkhibino.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1708 -
C:\Windows\SysWOW64\Fabaocfl.exeC:\Windows\system32\Fabaocfl.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2152 -
C:\Windows\SysWOW64\Fennoa32.exeC:\Windows\system32\Fennoa32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1732 -
C:\Windows\SysWOW64\Flhflleb.exeC:\Windows\system32\Flhflleb.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3032 -
C:\Windows\SysWOW64\Fofbhgde.exeC:\Windows\system32\Fofbhgde.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2712 -
C:\Windows\SysWOW64\Fepjea32.exeC:\Windows\system32\Fepjea32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2732 -
C:\Windows\SysWOW64\Ggagmjbq.exeC:\Windows\system32\Ggagmjbq.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1704 -
C:\Windows\SysWOW64\Gagkjbaf.exeC:\Windows\system32\Gagkjbaf.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2608 -
C:\Windows\SysWOW64\Gpjkeoha.exeC:\Windows\system32\Gpjkeoha.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1124 -
C:\Windows\SysWOW64\Gjbpne32.exeC:\Windows\system32\Gjbpne32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1544 -
C:\Windows\SysWOW64\Gnnlocgk.exeC:\Windows\system32\Gnnlocgk.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2652 -
C:\Windows\SysWOW64\Gckdgjeb.exeC:\Windows\system32\Gckdgjeb.exe33⤵
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Ggfpgi32.exeC:\Windows\system32\Ggfpgi32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2032 -
C:\Windows\SysWOW64\Gjdldd32.exeC:\Windows\system32\Gjdldd32.exe35⤵
- Executes dropped EXE
PID:1036 -
C:\Windows\SysWOW64\Gdjqamme.exeC:\Windows\system32\Gdjqamme.exe36⤵
- Executes dropped EXE
PID:2536 -
C:\Windows\SysWOW64\Gghmmilh.exeC:\Windows\system32\Gghmmilh.exe37⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Gnbejb32.exeC:\Windows\system32\Gnbejb32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1088 -
C:\Windows\SysWOW64\Gconbj32.exeC:\Windows\system32\Gconbj32.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:1876 -
C:\Windows\SysWOW64\Gfnjne32.exeC:\Windows\system32\Gfnjne32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:764 -
C:\Windows\SysWOW64\Ghlfjq32.exeC:\Windows\system32\Ghlfjq32.exe41⤵
- Executes dropped EXE
PID:1212 -
C:\Windows\SysWOW64\Hcajhi32.exeC:\Windows\system32\Hcajhi32.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2532 -
C:\Windows\SysWOW64\Hfpfdeon.exeC:\Windows\system32\Hfpfdeon.exe43⤵
- Executes dropped EXE
PID:960 -
C:\Windows\SysWOW64\Hinbppna.exeC:\Windows\system32\Hinbppna.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1748 -
C:\Windows\SysWOW64\Hdecea32.exeC:\Windows\system32\Hdecea32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Hiqoeplo.exeC:\Windows\system32\Hiqoeplo.exe46⤵
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Hfepod32.exeC:\Windows\system32\Hfepod32.exe47⤵
- Executes dropped EXE
PID:1788 -
C:\Windows\SysWOW64\Hegpjaac.exeC:\Windows\system32\Hegpjaac.exe48⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Hiclkp32.exeC:\Windows\system32\Hiclkp32.exe49⤵
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\Hgflflqg.exeC:\Windows\system32\Hgflflqg.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:2604 -
C:\Windows\SysWOW64\Hnpdcf32.exeC:\Windows\system32\Hnpdcf32.exe51⤵
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Hbkqdepm.exeC:\Windows\system32\Hbkqdepm.exe52⤵
- Executes dropped EXE
PID:1800 -
C:\Windows\SysWOW64\Hejmpqop.exeC:\Windows\system32\Hejmpqop.exe53⤵
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Hghillnd.exeC:\Windows\system32\Hghillnd.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2860 -
C:\Windows\SysWOW64\Hjgehgnh.exeC:\Windows\system32\Hjgehgnh.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1420 -
C:\Windows\SysWOW64\Hnbaif32.exeC:\Windows\system32\Hnbaif32.exe56⤵
- Executes dropped EXE
PID:288 -
C:\Windows\SysWOW64\Heliepmn.exeC:\Windows\system32\Heliepmn.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2072 -
C:\Windows\SysWOW64\Hcojam32.exeC:\Windows\system32\Hcojam32.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1892 -
C:\Windows\SysWOW64\Ikfbbjdj.exeC:\Windows\system32\Ikfbbjdj.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1668 -
C:\Windows\SysWOW64\Ijibng32.exeC:\Windows\system32\Ijibng32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1816 -
C:\Windows\SysWOW64\Iacjjacb.exeC:\Windows\system32\Iacjjacb.exe61⤵
- Executes dropped EXE
PID:1604 -
C:\Windows\SysWOW64\Ieofkp32.exeC:\Windows\system32\Ieofkp32.exe62⤵
- Executes dropped EXE
PID:1072 -
C:\Windows\SysWOW64\Icafgmbe.exeC:\Windows\system32\Icafgmbe.exe63⤵
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Igmbgk32.exeC:\Windows\system32\Igmbgk32.exe64⤵
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\Ijkocg32.exeC:\Windows\system32\Ijkocg32.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:1692 -
C:\Windows\SysWOW64\Imjkpb32.exeC:\Windows\system32\Imjkpb32.exe66⤵PID:2272
-
C:\Windows\SysWOW64\Iphgln32.exeC:\Windows\system32\Iphgln32.exe67⤵PID:2708
-
C:\Windows\SysWOW64\Igoomk32.exeC:\Windows\system32\Igoomk32.exe68⤵PID:2572
-
C:\Windows\SysWOW64\Ifbphh32.exeC:\Windows\system32\Ifbphh32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1640 -
C:\Windows\SysWOW64\Ijnkifgp.exeC:\Windows\system32\Ijnkifgp.exe70⤵
- Drops file in System32 directory
PID:560 -
C:\Windows\SysWOW64\Iiqldc32.exeC:\Windows\system32\Iiqldc32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2388 -
C:\Windows\SysWOW64\Iahceq32.exeC:\Windows\system32\Iahceq32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:296 -
C:\Windows\SysWOW64\Icfpbl32.exeC:\Windows\system32\Icfpbl32.exe73⤵PID:2756
-
C:\Windows\SysWOW64\Ifdlng32.exeC:\Windows\system32\Ifdlng32.exe74⤵PID:1032
-
C:\Windows\SysWOW64\Ijphofem.exeC:\Windows\system32\Ijphofem.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2244 -
C:\Windows\SysWOW64\Iichjc32.exeC:\Windows\system32\Iichjc32.exe76⤵PID:1256
-
C:\Windows\SysWOW64\Imodkadq.exeC:\Windows\system32\Imodkadq.exe77⤵
- System Location Discovery: System Language Discovery
PID:2424 -
C:\Windows\SysWOW64\Ipmqgmcd.exeC:\Windows\system32\Ipmqgmcd.exe78⤵PID:2524
-
C:\Windows\SysWOW64\Ichmgl32.exeC:\Windows\system32\Ichmgl32.exe79⤵
- Drops file in System32 directory
PID:1928 -
C:\Windows\SysWOW64\Ibkmchbh.exeC:\Windows\system32\Ibkmchbh.exe80⤵PID:1528
-
C:\Windows\SysWOW64\Imaapa32.exeC:\Windows\system32\Imaapa32.exe81⤵PID:2476
-
C:\Windows\SysWOW64\Ilcalnii.exeC:\Windows\system32\Ilcalnii.exe82⤵PID:2876
-
C:\Windows\SysWOW64\Ipomlm32.exeC:\Windows\system32\Ipomlm32.exe83⤵PID:2824
-
C:\Windows\SysWOW64\Inbnhihl.exeC:\Windows\system32\Inbnhihl.exe84⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1684 -
C:\Windows\SysWOW64\Jbnjhh32.exeC:\Windows\system32\Jbnjhh32.exe85⤵
- Drops file in System32 directory
PID:664 -
C:\Windows\SysWOW64\Jelfdc32.exeC:\Windows\system32\Jelfdc32.exe86⤵PID:112
-
C:\Windows\SysWOW64\Jelfdc32.exeC:\Windows\system32\Jelfdc32.exe87⤵PID:1284
-
C:\Windows\SysWOW64\Jigbebhb.exeC:\Windows\system32\Jigbebhb.exe88⤵PID:2540
-
C:\Windows\SysWOW64\Jpajbl32.exeC:\Windows\system32\Jpajbl32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1884 -
C:\Windows\SysWOW64\Jbpfnh32.exeC:\Windows\system32\Jbpfnh32.exe90⤵
- Drops file in System32 directory
PID:3060 -
C:\Windows\SysWOW64\Jacfidem.exeC:\Windows\system32\Jacfidem.exe91⤵
- System Location Discovery: System Language Discovery
PID:2240 -
C:\Windows\SysWOW64\Jhmofo32.exeC:\Windows\system32\Jhmofo32.exe92⤵PID:2516
-
C:\Windows\SysWOW64\Jlhkgm32.exeC:\Windows\system32\Jlhkgm32.exe93⤵
- Modifies registry class
PID:812 -
C:\Windows\SysWOW64\Joggci32.exeC:\Windows\system32\Joggci32.exe94⤵PID:2968
-
C:\Windows\SysWOW64\Jbbccgmp.exeC:\Windows\system32\Jbbccgmp.exe95⤵
- Modifies registry class
PID:2228 -
C:\Windows\SysWOW64\Jdcpkp32.exeC:\Windows\system32\Jdcpkp32.exe96⤵PID:2832
-
C:\Windows\SysWOW64\Jlkglm32.exeC:\Windows\system32\Jlkglm32.exe97⤵
- System Location Discovery: System Language Discovery
PID:2280 -
C:\Windows\SysWOW64\Jjnhhjjk.exeC:\Windows\system32\Jjnhhjjk.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1484 -
C:\Windows\SysWOW64\Jmlddeio.exeC:\Windows\system32\Jmlddeio.exe99⤵
- Drops file in System32 directory
PID:2776 -
C:\Windows\SysWOW64\Jeclebja.exeC:\Windows\system32\Jeclebja.exe100⤵PID:1572
-
C:\Windows\SysWOW64\Jdflqo32.exeC:\Windows\system32\Jdflqo32.exe101⤵PID:2208
-
C:\Windows\SysWOW64\Jfdhmk32.exeC:\Windows\system32\Jfdhmk32.exe102⤵PID:1468
-
C:\Windows\SysWOW64\Jjpdmi32.exeC:\Windows\system32\Jjpdmi32.exe103⤵PID:1720
-
C:\Windows\SysWOW64\Jmnqje32.exeC:\Windows\system32\Jmnqje32.exe104⤵
- Modifies registry class
PID:832 -
C:\Windows\SysWOW64\Jpmmfp32.exeC:\Windows\system32\Jpmmfp32.exe105⤵PID:1232
-
C:\Windows\SysWOW64\Jhdegn32.exeC:\Windows\system32\Jhdegn32.exe106⤵PID:3064
-
C:\Windows\SysWOW64\Jfgebjnm.exeC:\Windows\system32\Jfgebjnm.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1596 -
C:\Windows\SysWOW64\Jkbaci32.exeC:\Windows\system32\Jkbaci32.exe108⤵PID:1144
-
C:\Windows\SysWOW64\Kmqmod32.exeC:\Windows\system32\Kmqmod32.exe109⤵PID:1832
-
C:\Windows\SysWOW64\Kpojkp32.exeC:\Windows\system32\Kpojkp32.exe110⤵PID:3044
-
C:\Windows\SysWOW64\Kdkelolf.exeC:\Windows\system32\Kdkelolf.exe111⤵PID:480
-
C:\Windows\SysWOW64\Kbmfgk32.exeC:\Windows\system32\Kbmfgk32.exe112⤵
- Drops file in System32 directory
PID:1496 -
C:\Windows\SysWOW64\Kigndekn.exeC:\Windows\system32\Kigndekn.exe113⤵PID:1984
-
C:\Windows\SysWOW64\Klfjpa32.exeC:\Windows\system32\Klfjpa32.exe114⤵PID:1320
-
C:\Windows\SysWOW64\Kbpbmkan.exeC:\Windows\system32\Kbpbmkan.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:568 -
C:\Windows\SysWOW64\Kenoifpb.exeC:\Windows\system32\Kenoifpb.exe116⤵
- Modifies registry class
PID:2056 -
C:\Windows\SysWOW64\Klhgfq32.exeC:\Windows\system32\Klhgfq32.exe117⤵
- System Location Discovery: System Language Discovery
PID:580 -
C:\Windows\SysWOW64\Kofcbl32.exeC:\Windows\system32\Kofcbl32.exe118⤵PID:616
-
C:\Windows\SysWOW64\Keqkofno.exeC:\Windows\system32\Keqkofno.exe119⤵PID:1864
-
C:\Windows\SysWOW64\Kilgoe32.exeC:\Windows\system32\Kilgoe32.exe120⤵PID:3052
-
C:\Windows\SysWOW64\Kljdkpfl.exeC:\Windows\system32\Kljdkpfl.exe121⤵PID:1860
-
C:\Windows\SysWOW64\Koipglep.exeC:\Windows\system32\Koipglep.exe122⤵PID:1796
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-