Analysis

max time kernel: 121s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 10-11-2024 01:42

Static task: static1

Behavioral task: behavioral1
Sample: ae56b67b9c1dda37130137c96a67e9f194bde3659d1543a7474cdcc003c11c10.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: ae56b67b9c1dda37130137c96a67e9f194bde3659d1543a7474cdcc003c11c10.exe
Resource: win10v2004-20241007-en

General

Target: ae56b67b9c1dda37130137c96a67e9f194bde3659d1543a7474cdcc003c11c10.exe
Size: 315KB
MD5: dee785024b77dc69382a05daf8fbd366
SHA1: cbb852e8d62cf09953977f0210d1f0c1e4681e43
SHA256: ae56b67b9c1dda37130137c96a67e9f194bde3659d1543a7474cdcc003c11c10
SHA512: fdb225d1cde651deb03ac36c437613acf3c6b1baefb6e9e23b11e124ea0459483202b02101a41f9cb87c4b9b9ebff2df7cf9c478ccd9faf9dcfe4fd4f91c973f
SSDEEP: 3072:r+AX0lLy6GyWamSxiO6GyeKWCuamS+q2iO6GyeKWCuamS+q2iO6GyeKWCua+qf0a:SAXNitqI+stesMmG
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

Processes: Hfjbmb32.exe, Mpnkopeh.exe, Lcdhgn32.exe, Dfbqgldn.exe, Aaflgb32.exe, Ohdfqbio.exe, Fkefbcmf.exe, Emeobj32.exe, Kijmbnpo.exe, Gnfkba32.exe, Gcmcebkc.exe, Dfhdnn32.exe, Ijnnao32.exe, Hgqlafap.exe, Khnapkjg.exe, Mhcfjnhm.exe, Pcpbik32.exe, Blniinac.exe, Egfjdchi.exe, Fegjgkla.exe, Pefhlcdk.exe, Okhefl32.exe, Libjncnc.exe, Bdkhjgeh.exe, Bllcnega.exe, Pmkdhq32.exe, Mkacfiga.exe, Dmebcgbb.exe, Oqkpmaif.exe, Cojeomee.exe, Alageg32.exe, Aljjjb32.exe, Ckbpqe32.exe, Dgiaefgg.exe, Diqmcgca.exe, Jmnqje32.exe, Lkifkdjm.exe, Dilchhgg.exe, Gpmjcg32.exe, Oqgjdbpi.exe, Koaclfgl.exe, Pidaba32.exe, Elaeeb32.exe, Abnopj32.exe, Jfjolf32.exe, Gcedad32.exe, Hokhbj32.exe, Ppfafcpb.exe, Jjnjqb32.exe, Cmmcpi32.exe, Aiaoclgl.exe, Jlnmel32.exe, Bikjmj32.exe, Ghoijebj.exe, Jcikog32.exe, Cgdqpq32.exe, Hcojam32.exe, Iakino32.exe, Bdobdc32.exe, Cdchneko.exe, Ojmbgh32.exe, Ichmgl32.exe, Qldhkc32.exe

description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hfjbmb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mpnkopeh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lcdhgn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dfbqgldn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aaflgb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ohdfqbio.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fkefbcmf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Emeobj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kijmbnpo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gnfkba32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gcmcebkc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dfhdnn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ijnnao32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hgqlafap.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Khnapkjg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mhcfjnhm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pcpbik32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Blniinac.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Egfjdchi.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fegjgkla.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pefhlcdk.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Okhefl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Libjncnc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bdkhjgeh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dfhdnn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bllcnega.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pmkdhq32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mkacfiga.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dmebcgbb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oqkpmaif.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cojeomee.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Alageg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aljjjb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ckbpqe32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dgiaefgg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Diqmcgca.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jmnqje32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lkifkdjm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dilchhgg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gpmjcg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oqgjdbpi.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Koaclfgl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pidaba32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Elaeeb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Abnopj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jfjolf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gcedad32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hokhbj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ppfafcpb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jjnjqb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cmmcpi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aiaoclgl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jlnmel32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bikjmj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ghoijebj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jcikog32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cgdqpq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hcojam32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Iakino32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bdobdc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cdchneko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ojmbgh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ichmgl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qldhkc32.exe
Berbew family
Executes dropped EXE (64 IoCs)

Processes: Eodicd32.exe, Epeekmjk.exe, Edaalk32.exe, Fdekgjno.exe, Flapkmlj.exe, Fiepea32.exe, Fapeic32.exe, Fkhibino.exe, Fhljkm32.exe, Fkkfgi32.exe, Gnkoid32.exe, Gkoobhhg.exe, Gdhdkn32.exe, Gjdldd32.exe, Gjgiidkl.exe, Godaakic.exe, Hcajhi32.exe, Hjlbdc32.exe, Hohkmj32.exe, Hbggif32.exe, Hiqoeplo.exe, Hokhbj32.exe, Hfepod32.exe, Homdhjai.exe, Hejmpqop.exe, Hjgehgnh.exe, Haqnea32.exe, Hcojam32.exe, Ijibng32.exe, Icafgmbe.exe, Iaegpaao.exe, Igoomk32.exe, Imlhebfc.exe, Ibipmiek.exe, Imodkadq.exe, Ichmgl32.exe, Iejiodbl.exe, Ilcalnii.exe, Jbnjhh32.exe, Jhjbqo32.exe, Jpajbl32.exe, Jenbjc32.exe, Joggci32.exe, Jeqopcld.exe, Jjnhhjjk.exe, Joidhh32.exe, Jeclebja.exe, Jdflqo32.exe, Jjpdmi32.exe, Jmnqje32.exe, Jdhifooi.exe, Jhdegn32.exe, Jieaofmp.exe, Kmqmod32.exe, Kbmfgk32.exe, Kfibhjlj.exe, Kmcjedcg.exe, Kpafapbk.exe, Kgkonj32.exe, Kenoifpb.exe, Klhgfq32.exe, Kofcbl32.exe, Keqkofno.exe, Kilgoe32.exe

pid | process
2004 | Eodicd32.exe
2140 | Epeekmjk.exe
2724 | Edaalk32.exe
1764 | Fdekgjno.exe
2808 | Flapkmlj.exe
2572 | Fiepea32.exe
376 | Fapeic32.exe
300 | Fkhibino.exe
532 | Fhljkm32.exe
2856 | Fkkfgi32.exe
1632 | Gnkoid32.exe
1432 | Gkoobhhg.exe
1924 | Gdhdkn32.exe
912 | Gjdldd32.exe
1856 | Gjgiidkl.exe
1876 | Godaakic.exe
632 | Hcajhi32.exe
1748 | Hjlbdc32.exe
2372 | Hohkmj32.exe
1928 | Hbggif32.exe
2988 | Hiqoeplo.exe
2956 | Hokhbj32.exe
2216 | Hfepod32.exe
1644 | Homdhjai.exe
760 | Hejmpqop.exe
1584 | Hjgehgnh.exe
2696 | Haqnea32.exe
2668 | Hcojam32.exe
2652 | Ijibng32.exe
2736 | Icafgmbe.exe
2516 | Iaegpaao.exe
2592 | Igoomk32.exe
480 | Imlhebfc.exe
772 | Ibipmiek.exe
1232 | Imodkadq.exe
1372 | Ichmgl32.exe
1956 | Iejiodbl.exe
1140 | Ilcalnii.exe
2940 | Jbnjhh32.exe
1640 | Jhjbqo32.exe
1316 | Jpajbl32.exe
1820 | Jenbjc32.exe
2200 | Joggci32.exe
2316 | Jeqopcld.exe
1332 | Jjnhhjjk.exe
984 | Joidhh32.exe
1824 | Jeclebja.exe
288 | Jdflqo32.exe
1060 | Jjpdmi32.exe
2212 | Jmnqje32.exe
2676 | Jdhifooi.exe
2552 | Jhdegn32.exe
2632 | Jieaofmp.exe
2536 | Kmqmod32.exe
1936 | Kbmfgk32.exe
2504 | Kfibhjlj.exe
1512 | Kmcjedcg.exe
892 | Kpafapbk.exe
2496 | Kgkonj32.exe
2904 | Kenoifpb.exe
1564 | Klhgfq32.exe
1600 | Kofcbl32.exe
1528 | Keqkofno.exe
836 | Kilgoe32.exe
Loads dropped DLL (64 IoCs)

Processes: ae56b67b9c1dda37130137c96a67e9f194bde3659d1543a7474cdcc003c11c10.exe, Eodicd32.exe, Epeekmjk.exe, Edaalk32.exe, Fdekgjno.exe, Flapkmlj.exe, Fiepea32.exe, Fapeic32.exe, Fkhibino.exe, Fhljkm32.exe, Fkkfgi32.exe, Gnkoid32.exe, Gkoobhhg.exe, Gdhdkn32.exe, Gjdldd32.exe, Gjgiidkl.exe, Godaakic.exe, Hcajhi32.exe, Hjlbdc32.exe, Hohkmj32.exe, Hbggif32.exe, Hiqoeplo.exe, Hokhbj32.exe, Hfepod32.exe, Homdhjai.exe, Hejmpqop.exe, Hjgehgnh.exe, Haqnea32.exe, Hcojam32.exe, Ijibng32.exe, Icafgmbe.exe, Iaegpaao.exe

pid | process (each process is listed twice in the report, one row per DLL load)
2060 | ae56b67b9c1dda37130137c96a67e9f194bde3659d1543a7474cdcc003c11c10.exe
2060 | ae56b67b9c1dda37130137c96a67e9f194bde3659d1543a7474cdcc003c11c10.exe
2004 | Eodicd32.exe
2004 | Eodicd32.exe
2140 | Epeekmjk.exe
2140 | Epeekmjk.exe
2724 | Edaalk32.exe
2724 | Edaalk32.exe
1764 | Fdekgjno.exe
1764 | Fdekgjno.exe
2808 | Flapkmlj.exe
2808 | Flapkmlj.exe
2572 | Fiepea32.exe
2572 | Fiepea32.exe
376 | Fapeic32.exe
376 | Fapeic32.exe
300 | Fkhibino.exe
300 | Fkhibino.exe
532 | Fhljkm32.exe
532 | Fhljkm32.exe
2856 | Fkkfgi32.exe
2856 | Fkkfgi32.exe
1632 | Gnkoid32.exe
1632 | Gnkoid32.exe
1432 | Gkoobhhg.exe
1432 | Gkoobhhg.exe
1924 | Gdhdkn32.exe
1924 | Gdhdkn32.exe
912 | Gjdldd32.exe
912 | Gjdldd32.exe
1856 | Gjgiidkl.exe
1856 | Gjgiidkl.exe
1876 | Godaakic.exe
1876 | Godaakic.exe
632 | Hcajhi32.exe
632 | Hcajhi32.exe
1748 | Hjlbdc32.exe
1748 | Hjlbdc32.exe
2372 | Hohkmj32.exe
2372 | Hohkmj32.exe
1928 | Hbggif32.exe
1928 | Hbggif32.exe
2988 | Hiqoeplo.exe
2988 | Hiqoeplo.exe
2956 | Hokhbj32.exe
2956 | Hokhbj32.exe
2216 | Hfepod32.exe
2216 | Hfepod32.exe
1644 | Homdhjai.exe
1644 | Homdhjai.exe
760 | Hejmpqop.exe
760 | Hejmpqop.exe
1584 | Hjgehgnh.exe
1584 | Hjgehgnh.exe
2696 | Haqnea32.exe
2696 | Haqnea32.exe
2668 | Hcojam32.exe
2668 | Hcojam32.exe
2652 | Ijibng32.exe
2652 | Ijibng32.exe
2736 | Icafgmbe.exe
2736 | Icafgmbe.exe
2516 | Iaegpaao.exe
2516 | Iaegpaao.exe
Drops file in System32 directory (64 IoCs)

Processes: Jbphgpfg.exe, Laodmoep.exe, Pmkdhq32.exe, Qblfkgqb.exe, Cdkkcp32.exe, Momfan32.exe, Khnapkjg.exe, Ahhaobfe.exe, Dgfmep32.exe, Bogjaamh.exe, Blfapfpg.exe, Mpphdpcf.exe, Pjmnfk32.exe, Gigkbm32.exe, Mdmmhn32.exe, Ppkmjlca.exe, Hjlbdc32.exe, Mgbaml32.exe, Ldhgnk32.exe, Clnehado.exe, Dfkclf32.exe, Keqkofno.exe, Mcggef32.exe, Giaidnkf.exe, Nhbciaki.exe, Iaegpaao.exe, Gkmefaan.exe, Enhaeldn.exe, Laahme32.exe, Nnokahip.exe, Gieommdc.exe, Kbnhpdke.exe, Oqojhp32.exe, Kgcnahoo.exe, Qldhkc32.exe, Jlqjkk32.exe, Ldpnoj32.exe, Onldqejb.exe, Qekbgbpf.exe, Lhcafa32.exe, Dmkcil32.exe, Gonale32.exe, Ibacbcgg.exe, Klecfkff.exe, Mploiq32.exe, Bedhgj32.exe, Cgdqpq32.exe, Mobomnoq.exe, Jcikog32.exe, Ppfafcpb.exe, Qlfdac32.exe, Kidjdpie.exe, Einlmkhp.exe, Jpajbl32.exe, Ncgcdi32.exe, Dhgccbhp.exe, Modlbmmn.exe, Mjilmejf.exe, Bknmok32.exe, Eepmlf32.exe, Icafgmbe.exe, Pfbfhm32.exe, Gdfiofhn.exe, Jenbjc32.exe

description | ioc | process
File opened for modification | C:\Windows\SysWOW64\Jeoeclek.exe | Jbphgpfg.exe
File created | C:\Windows\SysWOW64\Idfibfeh.dll | Laodmoep.exe
File created | C:\Windows\SysWOW64\Hajdhd32.dll | Pmkdhq32.exe
File created | C:\Windows\SysWOW64\Ihcbim32.dll | Qblfkgqb.exe
File created | C:\Windows\SysWOW64\Ckecpjdh.exe | Cdkkcp32.exe
File opened for modification | C:\Windows\SysWOW64\Mfgnnhkc.exe | Momfan32.exe
File created | C:\Windows\SysWOW64\Dkpnde32.dll | Khnapkjg.exe
File created | C:\Windows\SysWOW64\Ahhaobfe.exe | Ahhaobfe.exe
File created | C:\Windows\SysWOW64\Dfinam32.exe | Dgfmep32.exe
File created | C:\Windows\SysWOW64\Glgcpc32.dll | Bogjaamh.exe
File created | C:\Windows\SysWOW64\Boemlbpk.exe | Blfapfpg.exe
File created | C:\Windows\SysWOW64\Mgjpaj32.exe | Mpphdpcf.exe
File created | C:\Windows\SysWOW64\Aknpmobg.dll | Pjmnfk32.exe
File created | C:\Windows\SysWOW64\Gncgbkki.exe | Gigkbm32.exe
File opened for modification | C:\Windows\SysWOW64\Mkgeehnl.exe | Mdmmhn32.exe
File created | C:\Windows\SysWOW64\Pfeeff32.exe | Ppkmjlca.exe
File created | C:\Windows\SysWOW64\Hohkmj32.exe | Hjlbdc32.exe
File created | C:\Windows\SysWOW64\Mfeaiime.exe | Mgbaml32.exe
File opened for modification | C:\Windows\SysWOW64\Lhdcojaa.exe | Ldhgnk32.exe
File created | C:\Windows\SysWOW64\Jmhdkakc.dll | Clnehado.exe
File opened for modification | C:\Windows\SysWOW64\Dhiphb32.exe | Dfkclf32.exe
File opened for modification | C:\Windows\SysWOW64\Kilgoe32.exe | Keqkofno.exe
File created | C:\Windows\SysWOW64\Meecaa32.exe | Mcggef32.exe
File created | C:\Windows\SysWOW64\Efdmgc32.dll | Giaidnkf.exe
File created | C:\Windows\SysWOW64\Nomkfk32.exe | Nhbciaki.exe
File opened for modification | C:\Windows\SysWOW64\Igoomk32.exe | Iaegpaao.exe
File created | C:\Windows\SysWOW64\Oepbmk32.dll | Gkmefaan.exe
File created | C:\Windows\SysWOW64\Efoifiep.exe | Enhaeldn.exe
File created | C:\Windows\SysWOW64\Liipnb32.exe | Laahme32.exe
File created | C:\Windows\SysWOW64\Ehddcn32.dll | Nnokahip.exe
File created | C:\Windows\SysWOW64\Gmqkml32.exe | Gieommdc.exe
File created | C:\Windows\SysWOW64\Jnhdiaee.dll | Kbnhpdke.exe
File opened for modification | C:\Windows\SysWOW64\Pcnfdl32.exe | Oqojhp32.exe
File opened for modification | C:\Windows\SysWOW64\Libjncnc.exe | Kgcnahoo.exe
File created | C:\Windows\SysWOW64\Qbnphngk.exe | Qldhkc32.exe
File created | C:\Windows\SysWOW64\Ibodnd32.dll | Jlqjkk32.exe
File created | C:\Windows\SysWOW64\Nmcmif32.dll | Ldpnoj32.exe
File created | C:\Windows\SysWOW64\Oqkpmaif.exe | Onldqejb.exe
File opened for modification | C:\Windows\SysWOW64\Qhincn32.exe | Qekbgbpf.exe
File created | C:\Windows\SysWOW64\Llomfpag.exe | Lhcafa32.exe
File created | C:\Windows\SysWOW64\Dafoikjb.exe | Dmkcil32.exe
File created | C:\Windows\SysWOW64\Hqhepmkh.dll | Gonale32.exe
File created | C:\Windows\SysWOW64\Njboon32.dll | Ibacbcgg.exe
File created | C:\Windows\SysWOW64\Kocpbfei.exe | Klecfkff.exe
File created | C:\Windows\SysWOW64\Ninlepim.dll | Mploiq32.exe
File created | C:\Windows\SysWOW64\Eeomnifk.dll | Bedhgj32.exe
File created | C:\Windows\SysWOW64\Cjbmll32.exe | Cgdqpq32.exe
File created | C:\Windows\SysWOW64\Mflgih32.exe | Mobomnoq.exe
File opened for modification | C:\Windows\SysWOW64\Kjbclamj.exe | Jcikog32.exe
File created | C:\Windows\SysWOW64\Jeomfi32.dll | Ppfafcpb.exe
File opened for modification | C:\Windows\SysWOW64\Qmhahkdj.exe | Qlfdac32.exe
File opened for modification | C:\Windows\SysWOW64\Kjeglh32.exe | Kidjdpie.exe
File created | C:\Windows\SysWOW64\Bqhmfl32.dll | Einlmkhp.exe
File created | C:\Windows\SysWOW64\Jenbjc32.exe | Jpajbl32.exe
File opened for modification | C:\Windows\SysWOW64\Ngbpehpj.exe | Ncgcdi32.exe
File created | C:\Windows\SysWOW64\Bjcmdmiq.dll | Dhgccbhp.exe
File created | C:\Windows\SysWOW64\Fjhqaemi.dll | Modlbmmn.exe
File created | C:\Windows\SysWOW64\Ffgpgl32.dll | Mjilmejf.exe
File created | C:\Windows\SysWOW64\Bceeqi32.exe | Bknmok32.exe
File created | C:\Windows\SysWOW64\Elieipej.exe | Eepmlf32.exe
File opened for modification | C:\Windows\SysWOW64\Iaegpaao.exe | Icafgmbe.exe
File created | C:\Windows\SysWOW64\Okmjae32.dll | Pfbfhm32.exe
File opened for modification | C:\Windows\SysWOW64\Ghaeoe32.exe | Gdfiofhn.exe
File created | C:\Windows\SysWOW64\Ghndpi32.dll | Jenbjc32.exe
Program crash (1 IoC)

Processes: WerFault.exe

pid | pid_target | process | target process
8520 | 8496 | WerFault.exe | Flnndp32.exe
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)

Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

Processes: Ndcapd32.exe, Ppddpd32.exe, Bknmok32.exe, Llbconkd.exe, Pjoklkie.exe, Boobki32.exe, Qlfdac32.exe, Fdnjkh32.exe, Iakino32.exe, Japciodd.exe, Icbipe32.exe, Dboeco32.exe, Figocipe.exe, Geqlnjcf.exe, Idmlniea.exe, Efmlqigc.exe, Dnqlmq32.exe, Gpogiglp.exe, Mjfphf32.exe, Aiaoclgl.exe, Fkefbcmf.exe, Lgfjggll.exe, Fhmldfdm.exe, Jenbjc32.exe, Fmohco32.exe, Fihfnp32.exe, Miclhpjp.exe, Hagianlf.exe, Fhljkm32.exe, Bddbjhlp.exe, Eicpcm32.exe, Kipmhc32.exe, Ojpomh32.exe, Bfabnl32.exe, Lghgmg32.exe, Enpban32.exe, Laodmoep.exe, Okbapi32.exe, Kbhbai32.exe, Mlieoqgg.exe, Aohgfm32.exe, Cbjnqh32.exe, Eqkjmcmq.exe, Cjhabndo.exe, Imodkadq.exe, Qncfphff.exe, Egfjdchi.exe, Hnpgloog.exe, Gcgqgd32.exe, Dmgoif32.exe, Gmidlmcd.exe, Efhcej32.exe, Ichmgl32.exe, Mqjefamk.exe, Mdmkoepk.exe, Ifolhann.exe, Jmipdo32.exe, Bakaaepk.exe, Pjahakgb.exe, Pncjad32.exe, Hejmpqop.exe, Khadpa32.exe, Qbnphngk.exe, Ijidfpci.exe

description | ioc | process
All 64 rows share the same description and ioc:
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | one row per process, in the order listed above (Ndcapd32.exe through Ijidfpci.exe)
Modifies registry class (64 IoCs)

Processes: Bhbkpgbf.exe, Pfnmmn32.exe, Apppkekc.exe, Ieponofk.exe, Fegjgkla.exe, Jelhmlgm.exe, Miocmq32.exe, Meecaa32.exe, Mpkhoj32.exe, Aiaoclgl.exe, Qigebglj.exe, Dqaode32.exe, Fhjoof32.exe, Gcppkbia.exe, Iipejmko.exe, Lgfjggll.exe, Ainkcf32.exe, Gmlablaa.exe, Qdpohodn.exe, Hoqjqhjf.exe, Jbphgpfg.exe, Plpqim32.exe, Hmmdin32.exe, Cqaiph32.exe, Dfinam32.exe, Legaoehg.exe, Lkicbk32.exe, Fpmned32.exe, Obecld32.exe, Ichmgl32.exe, Kgkonj32.exe, Ckeqga32.exe, Omiand32.exe, Coafko32.exe, Cfknhi32.exe, Hokjkbkp.exe, Jdflqo32.exe, Lnkege32.exe, Mkcplien.exe, Mlieoqgg.exe, Aokckm32.exe, Bplijcle.exe, Dfngll32.exe, Lmhbgpia.exe, Mhfjjdjf.exe, Eqkjmcmq.exe, Nhmbdl32.exe, Hjaeba32.exe, Hmdkjmip.exe, Mkdioh32.exe, Pjleclph.exe, Ingmmn32.exe, Kambcbhb.exe, Iejiodbl.exe, Gecpnp32.exe, Eloipb32.exe, Kmclmm32.exe, Lbgkfbbj.exe, Oggeokoq.exe, Cdngip32.exe, Hbggif32.exe, Ioeclg32.exe, Lofifi32.exe

description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bhbkpgbf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pfnmmn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Apppkekc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ieponofk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fegjgkla.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jelhmlgm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddhbllim.dll" | Miocmq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijjkhlkg.dll" | Meecaa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mpkhoj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Aiaoclgl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqfnlp32.dll" | Qigebglj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dqaode32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fhjoof32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gcppkbia.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkaobghp.dll" | Iipejmko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agpdah32.dll" | Lgfjggll.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfafhc32.dll" | Ainkcf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gmlablaa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Qdpohodn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hoqjqhjf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaiiogdj.dll" | Jbphgpfg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Plpqim32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faibdo32.dll" | Hmmdin32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cqaiph32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dfinam32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egjnpn32.dll" | Legaoehg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lkicbk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fpmned32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Obecld32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ichmgl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kgkonj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ckeqga32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Omiand32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Coafko32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kolpjh32.dll" | Cfknhi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cifqgb32.dll" | Hokjkbkp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppmncnbh.dll" | Jdflqo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lnkege32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mkcplien.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mlieoqgg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afokkb32.dll" | Aokckm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bplijcle.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dfngll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lmhbgpia.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eommkfoh.dll" | Mhfjjdjf.exe
Key created
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eqkjmcmq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhmbdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfmgba32.dll" Hjaeba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmdkjmip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfchnl32.dll" Mkdioh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjleclph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpdhdajp.dll" Ingmmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kambcbhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iejiodbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckkhdaei.dll" Gecpnp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eloipb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cedhlopf.dll" Kmclmm32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lbgkfbbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phahme32.dll" Oggeokoq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdngip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbggif32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmmdin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffdmihcc.dll" Ioeclg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lofifi32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Each of the 16 parent/child writes below is logged four times in the report (64 IoCs in total).
description | pid | process | target process
PID 2060 wrote to memory of 2004 | 2060 | ae56b67b9c1dda37130137c96a67e9f194bde3659d1543a7474cdcc003c11c10.exe | Eodicd32.exe
PID 2004 wrote to memory of 2140 | 2004 | Eodicd32.exe | Epeekmjk.exe
PID 2140 wrote to memory of 2724 | 2140 | Epeekmjk.exe | Edaalk32.exe
PID 2724 wrote to memory of 1764 | 2724 | Edaalk32.exe | Fdekgjno.exe
PID 1764 wrote to memory of 2808 | 1764 | Fdekgjno.exe | Flapkmlj.exe
PID 2808 wrote to memory of 2572 | 2808 | Flapkmlj.exe | Fiepea32.exe
PID 2572 wrote to memory of 376 | 2572 | Fiepea32.exe | Fapeic32.exe
PID 376 wrote to memory of 300 | 376 | Fapeic32.exe | Fkhibino.exe
PID 300 wrote to memory of 532 | 300 | Fkhibino.exe | Fhljkm32.exe
PID 532 wrote to memory of 2856 | 532 | Fhljkm32.exe | Fkkfgi32.exe
PID 2856 wrote to memory of 1632 | 2856 | Fkkfgi32.exe | Gnkoid32.exe
PID 1632 wrote to memory of 1432 | 1632 | Gnkoid32.exe | Gkoobhhg.exe
PID 1432 wrote to memory of 1924 | 1432 | Gkoobhhg.exe | Gdhdkn32.exe
PID 1924 wrote to memory of 912 | 1924 | Gdhdkn32.exe | Gjdldd32.exe
PID 912 wrote to memory of 1856 | 912 | Gjdldd32.exe | Gjgiidkl.exe
PID 1856 wrote to memory of 1876 | 1856 | Gjgiidkl.exe | Godaakic.exe
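The two IoC tables above (the InProcServer32 registry writes and the WriteProcessMemory parent/child records) are easier to triage as structured data than as report text. The Python below is an added example; it is not part of this sandbox report, of the sandbox's tooling, or of the sample. It assumes only the three line shapes visible in the tables above (`Set value (str) <path> = "<value>" <process>`, `Key created <path> <process>`, and `PID <a> wrote to memory of <b> <a> <src> <dst>`), which is how the report reads rather than a documented export format, and its sample input is a constructed excerpt of the rows above.

```python
r"""Parse the report's flattened IoC tables into structured records.

Added example, not part of the sandbox report or of the sample it describes.
Record shapes assumed (as they read in the text above; not a documented format):
  Set value (str) <path>\<name> = "<value>" <process>
  Key created <path> <process>
  PID <a> wrote to memory of <b> <a> <src.exe> <dst.exe>
"""
import re
from collections import Counter

# Constructed excerpt (4 of the 64 rows) of the "Adds autorun key to be loaded
# by Explorer.exe on startup" table above, copied verbatim from the report.
REGISTRY_IOCS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhbkpgbf.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfnmmn32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddhbllim.dll" Miocmq32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijjkhlkg.dll" Meecaa32.exe
"""

# Constructed excerpt of the "Suspicious use of WriteProcessMemory" table above:
# the first three parent->child hops; the report logs every hop four times.
WPM_IOCS = "\n".join(
    line
    for line in (
        "PID 2060 wrote to memory of 2004 2060 "
        "ae56b67b9c1dda37130137c96a67e9f194bde3659d1543a7474cdcc003c11c10.exe Eodicd32.exe",
        "PID 2004 wrote to memory of 2140 2004 Eodicd32.exe Epeekmjk.exe",
        "PID 2140 wrote to memory of 2724 2140 Epeekmjk.exe Edaalk32.exe",
    )
    for _ in range(4)
)

SET_RE = re.compile(r'^Set value \(str\) (?P<path>\S+) = "(?P<value>.*)" (?P<proc>\S+)$')
KEY_RE = re.compile(r"^Key created (?P<path>\S+) (?P<proc>\S+)$")
WPM_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<srcname>\S+) (?P<dstname>\S+)$"
)
CLSID_RE = re.compile(r"\\CLSID\\(\{[0-9A-Fa-f-]+\})")


def parse_registry(text):
    """Return one dict per registry IoC line: op, key, name, value, clsid, proc."""
    records = []
    for line in text.strip().splitlines():
        if m := SET_RE.match(line):
            key, _, name = m["path"].rpartition("\\")  # trailing "\" means the default value
            rec = {"op": "set", "key": key, "name": name or "(Default)",
                   "value": m["value"].replace("\\\\", "\\")}  # the report escapes backslashes
        elif m := KEY_RE.match(line):
            rec = {"op": "create", "key": m["path"], "name": None, "value": None}
        else:
            raise ValueError(f"unrecognised record: {line!r}")
        clsid = CLSID_RE.search(rec["key"])
        rec.update(clsid=clsid.group(1) if clsid else None, proc=m["proc"])
        records.append(rec)
    return records


def inproc_servers(records):
    """Per CLSID: the DLL paths written as the InProcServer32 default value and
    every process that created or wrote under that key. These are the values to
    compare against the same key on a host suspected of carrying this sample."""
    summary = {}
    for r in records:
        if r["clsid"] is None or not r["key"].endswith("\\InProcServer32"):
            continue
        s = summary.setdefault(r["clsid"], {"dlls": set(), "writers": set()})
        s["writers"].add(r["proc"])
        if r["op"] == "set" and r["name"] == "(Default)":
            s["dlls"].add(r["value"])
    return summary


def parse_wpm(text):
    """Collapse the WriteProcessMemory rows into one edge per (parent, child)
    pair with the number of times it was logged, plus a pid -> image-name map."""
    edges, names = Counter(), {}
    for line in text.strip().splitlines():
        m = WPM_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised record: {line!r}")
        src, dst = int(m["src"]), int(m["dst"])
        edges[(src, dst)] += 1
        names[src], names[dst] = m["srcname"], m["dstname"]
    return edges, names


def process_chain(edges, names):
    """Walk from the root (a pid that is never a target) down to the last child.
    Assumes the linear chain seen in this report, where each parent writes to
    exactly one child; a branching tree would need a children list per parent."""
    child_of = {src: dst for src, dst in edges}
    roots = set(child_of) - {dst for _, dst in edges}
    if len(roots) != 1:
        raise ValueError(f"expected one root, found {sorted(roots)}")
    pid = roots.pop()
    chain = [(pid, names[pid])]
    while pid in child_of:
        pid = child_of[pid]
        chain.append((pid, names[pid]))
    return chain


if __name__ == "__main__":
    for clsid, s in inproc_servers(parse_registry(REGISTRY_IOCS)).items():
        print(clsid, sorted(s["dlls"]), sorted(s["writers"]))
    for pid, name in process_chain(*parse_wpm(WPM_IOCS)):
        print(pid, name)
```

Two details matter for triage. The four identical WriteProcessMemory rows per hop are kept as a count on one edge rather than four edges, so the chain walk is not confused by repeats; and the per-CLSID summary separates the DLL paths actually registered as the in-process server from the processes that merely created the key or set ThreadingModel, because the DLL path is what a live-host check of that CLSID key has to be compared against.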
Processes
The number on each entry is its nesting depth: every process is a child of the one listed above it.
1. C:\Users\Admin\AppData\Local\Temp\ae56b67b9c1dda37130137c96a67e9f194bde3659d1543a7474cdcc003c11c10.exe (PID 2060), command line "C:\Users\Admin\AppData\Local\Temp\ae56b67b9c1dda37130137c96a67e9f194bde3659d1543a7474cdcc003c11c10.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Eodicd32.exe (PID 2004), command line C:\Windows\system32\Eodicd32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Epeekmjk.exe (PID 2140), command line C:\Windows\system32\Epeekmjk.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Edaalk32.exe (PID 2724), command line C:\Windows\system32\Edaalk32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Fdekgjno.exe (PID 1764), command line C:\Windows\system32\Fdekgjno.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Flapkmlj.exe (PID 2808), command line C:\Windows\system32\Flapkmlj.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Fiepea32.exe (PID 2572), command line C:\Windows\system32\Fiepea32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Fapeic32.exe (PID 376), command line C:\Windows\system32\Fapeic32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Fkhibino.exe (PID 300), command line C:\Windows\system32\Fkhibino.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Fhljkm32.exe (PID 532), command line C:\Windows\system32\Fhljkm32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Fkkfgi32.exe (PID 2856), command line C:\Windows\system32\Fkkfgi32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Gnkoid32.exe (PID 1632), command line C:\Windows\system32\Gnkoid32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Gkoobhhg.exe (PID 1432), command line C:\Windows\system32\Gkoobhhg.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Gdhdkn32.exe (PID 1924), command line C:\Windows\system32\Gdhdkn32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Gjdldd32.exe (PID 912), command line C:\Windows\system32\Gjdldd32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Gjgiidkl.exe (PID 1856), command line C:\Windows\system32\Gjgiidkl.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Godaakic.exe (PID 1876), command line C:\Windows\system32\Godaakic.exe
   - Executes dropped EXE
   - Loads dropped DLL
18. C:\Windows\SysWOW64\Hcajhi32.exe (PID 632), command line C:\Windows\system32\Hcajhi32.exe
   - Executes dropped EXE
   - Loads dropped DLL
19. C:\Windows\SysWOW64\Hjlbdc32.exe (PID 1748), command line C:\Windows\system32\Hjlbdc32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
20. C:\Windows\SysWOW64\Hohkmj32.exe (PID 2372), command line C:\Windows\system32\Hohkmj32.exe
   - Executes dropped EXE
   - Loads dropped DLL
21. C:\Windows\SysWOW64\Hbggif32.exe (PID 1928), command line C:\Windows\system32\Hbggif32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
22. C:\Windows\SysWOW64\Hiqoeplo.exe (PID 2988), command line C:\Windows\system32\Hiqoeplo.exe
   - Executes dropped EXE
   - Loads dropped DLL
23. C:\Windows\SysWOW64\Hokhbj32.exe (PID 2956), command line C:\Windows\system32\Hokhbj32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
24. C:\Windows\SysWOW64\Hfepod32.exe (PID 2216), command line C:\Windows\system32\Hfepod32.exe
   - Executes dropped EXE
   - Loads dropped DLL
25. C:\Windows\SysWOW64\Homdhjai.exe (PID 1644), command line C:\Windows\system32\Homdhjai.exe
   - Executes dropped EXE
   - Loads dropped DLL
26. C:\Windows\SysWOW64\Hejmpqop.exe (PID 760), command line C:\Windows\system32\Hejmpqop.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
27. C:\Windows\SysWOW64\Hjgehgnh.exe (PID 1584), command line C:\Windows\system32\Hjgehgnh.exe
   - Executes dropped EXE
   - Loads dropped DLL
28. C:\Windows\SysWOW64\Haqnea32.exe (PID 2696), command line C:\Windows\system32\Haqnea32.exe
   - Executes dropped EXE
   - Loads dropped DLL
29. C:\Windows\SysWOW64\Hcojam32.exe (PID 2668), command line C:\Windows\system32\Hcojam32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
30. C:\Windows\SysWOW64\Ijibng32.exe (PID 2652), command line C:\Windows\system32\Ijibng32.exe
   - Executes dropped EXE
   - Loads dropped DLL
31. C:\Windows\SysWOW64\Icafgmbe.exe (PID 2736), command line C:\Windows\system32\Icafgmbe.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
32. C:\Windows\SysWOW64\Iaegpaao.exe (PID 2516), command line C:\Windows\system32\Iaegpaao.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
33. C:\Windows\SysWOW64\Igoomk32.exe (PID 2592), command line C:\Windows\system32\Igoomk32.exe
   - Executes dropped EXE
34. C:\Windows\SysWOW64\Imlhebfc.exe (PID 480), command line C:\Windows\system32\Imlhebfc.exe
   - Executes dropped EXE
35. C:\Windows\SysWOW64\Ibipmiek.exe (PID 772), command line C:\Windows\system32\Ibipmiek.exe
   - Executes dropped EXE
36. C:\Windows\SysWOW64\Imodkadq.exe (PID 1232), command line C:\Windows\system32\Imodkadq.exe
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
37. C:\Windows\SysWOW64\Ichmgl32.exe (PID 1372), command line C:\Windows\system32\Ichmgl32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   - Modifies registry class
38. C:\Windows\SysWOW64\Iejiodbl.exe (PID 1956), command line C:\Windows\system32\Iejiodbl.exe
   - Executes dropped EXE
   - Modifies registry class
39. C:\Windows\SysWOW64\Ilcalnii.exe (PID 1140), command line C:\Windows\system32\Ilcalnii.exe
   - Executes dropped EXE
40. C:\Windows\SysWOW64\Jbnjhh32.exe (PID 2940), command line C:\Windows\system32\Jbnjhh32.exe
   - Executes dropped EXE
41. C:\Windows\SysWOW64\Jhjbqo32.exe (PID 1640), command line C:\Windows\system32\Jhjbqo32.exe
   - Executes dropped EXE
42. C:\Windows\SysWOW64\Jpajbl32.exe (PID 1316), command line C:\Windows\system32\Jpajbl32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
43. C:\Windows\SysWOW64\Jenbjc32.exe (PID 1820), command line C:\Windows\system32\Jenbjc32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
44. C:\Windows\SysWOW64\Joggci32.exe (PID 2200), command line C:\Windows\system32\Joggci32.exe
   - Executes dropped EXE
45. C:\Windows\SysWOW64\Jeqopcld.exe (PID 2316), command line C:\Windows\system32\Jeqopcld.exe
   - Executes dropped EXE
46. C:\Windows\SysWOW64\Jjnhhjjk.exe (PID 1332), command line C:\Windows\system32\Jjnhhjjk.exe
   - Executes dropped EXE
47. C:\Windows\SysWOW64\Joidhh32.exe (PID 984), command line C:\Windows\system32\Joidhh32.exe
   - Executes dropped EXE
48. C:\Windows\SysWOW64\Jeclebja.exe (PID 1824), command line C:\Windows\system32\Jeclebja.exe
   - Executes dropped EXE
49. C:\Windows\SysWOW64\Jdflqo32.exe (PID 288), command line C:\Windows\system32\Jdflqo32.exe
   - Executes dropped EXE
   - Modifies registry class
50. C:\Windows\SysWOW64\Jjpdmi32.exe (PID 1060), command line C:\Windows\system32\Jjpdmi32.exe
   - Executes dropped EXE
51. C:\Windows\SysWOW64\Jmnqje32.exe (PID 2212), command line C:\Windows\system32\Jmnqje32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
52. C:\Windows\SysWOW64\Jdhifooi.exe (PID 2676), command line C:\Windows\system32\Jdhifooi.exe
   - Executes dropped EXE
53. C:\Windows\SysWOW64\Jhdegn32.exe (PID 2552), command line C:\Windows\system32\Jhdegn32.exe
   - Executes dropped EXE
54. C:\Windows\SysWOW64\Jieaofmp.exe (PID 2632), command line C:\Windows\system32\Jieaofmp.exe
   - Executes dropped EXE
55. C:\Windows\SysWOW64\Kmqmod32.exe (PID 2536), command line C:\Windows\system32\Kmqmod32.exe
   - Executes dropped EXE
56. C:\Windows\SysWOW64\Kbmfgk32.exe (PID 1936), command line C:\Windows\system32\Kbmfgk32.exe
   - Executes dropped EXE
57. C:\Windows\SysWOW64\Kfibhjlj.exe (PID 2504), command line C:\Windows\system32\Kfibhjlj.exe
   - Executes dropped EXE
58. C:\Windows\SysWOW64\Kmcjedcg.exe (PID 1512), command line C:\Windows\system32\Kmcjedcg.exe
   - Executes dropped EXE
59. C:\Windows\SysWOW64\Kpafapbk.exe (PID 892), command line C:\Windows\system32\Kpafapbk.exe
   - Executes dropped EXE
60. C:\Windows\SysWOW64\Kgkonj32.exe (PID 2496), command line C:\Windows\system32\Kgkonj32.exe
   - Executes dropped EXE
   - Modifies registry class
61. C:\Windows\SysWOW64\Kenoifpb.exe (PID 2904), command line C:\Windows\system32\Kenoifpb.exe
   - Executes dropped EXE
62. C:\Windows\SysWOW64\Klhgfq32.exe (PID 1564), command line C:\Windows\system32\Klhgfq32.exe
   - Executes dropped EXE
63. C:\Windows\SysWOW64\Kofcbl32.exe (PID 1600), command line C:\Windows\system32\Kofcbl32.exe
   - Executes dropped EXE
64. C:\Windows\SysWOW64\Keqkofno.exe (PID 1528), command line C:\Windows\system32\Keqkofno.exe
   - Executes dropped EXE
   - Drops file in System32 directory
65. C:\Windows\SysWOW64\Kilgoe32.exe (PID 836), command line C:\Windows\system32\Kilgoe32.exe
   - Executes dropped EXE
66. C:\Windows\SysWOW64\Kpfplo32.exe (PID 1260), command line C:\Windows\system32\Kpfplo32.exe
67. C:\Windows\SysWOW64\Kcdlhj32.exe (PID 1972), command line C:\Windows\system32\Kcdlhj32.exe
68. C:\Windows\SysWOW64\Kindeddf.exe (PID 1988), command line C:\Windows\system32\Kindeddf.exe
69. C:\Windows\SysWOW64\Khadpa32.exe (PID 2488), command line C:\Windows\system32\Khadpa32.exe
   - System Location Discovery: System Language Discovery
70. C:\Windows\SysWOW64\Kokmmkcm.exe (PID 2720), command line C:\Windows\system32\Kokmmkcm.exe
71. C:\Windows\SysWOW64\Kcginj32.exe (PID 2708), command line C:\Windows\system32\Kcginj32.exe
72. C:\Windows\SysWOW64\Lhcafa32.exe (PID 2776), command line C:\Windows\system32\Lhcafa32.exe
   - Drops file in System32 directory
73. C:\Windows\SysWOW64\Llomfpag.exe (PID 2520), command line C:\Windows\system32\Llomfpag.exe
74. C:\Windows\SysWOW64\Lnqjnhge.exe (PID 1216), command line C:\Windows\system32\Lnqjnhge.exe
75. C:\Windows\SysWOW64\Legaoehg.exe (PID 1200), command line C:\Windows\system32\Legaoehg.exe
   - Modifies registry class
76. C:\Windows\SysWOW64\Lgingm32.exe (PID 3068), command line C:\Windows\system32\Lgingm32.exe
77. C:\Windows\SysWOW64\Lopfhk32.exe (PID 3048), command line C:\Windows\system32\Lopfhk32.exe
78. C:\Windows\SysWOW64\Lpabpcdf.exe (PID 2952), command line C:\Windows\system32\Lpabpcdf.exe
79. C:\Windows\SysWOW64\Lhhkapeh.exe (PID 1052), command line C:\Windows\system32\Lhhkapeh.exe
80. C:\Windows\SysWOW64\Ljigih32.exe (PID 340), command line C:\Windows\system32\Ljigih32.exe
81. C:\Windows\SysWOW64\Lnecigcp.exe (PID 1096), command line C:\Windows\system32\Lnecigcp.exe
82. C:\Windows\SysWOW64\Ldokfakl.exe (PID 1800), command line C:\Windows\system32\Ldokfakl.exe
83. C:\Windows\SysWOW64\Lgngbmjp.exe (PID 2364), command line C:\Windows\system32\Lgngbmjp.exe
84. C:\Windows\SysWOW64\Lkicbk32.exe (PID 1000), command line C:\Windows\system32\Lkicbk32.exe
   - Modifies registry class
85. C:\Windows\SysWOW64\Lljpjchg.exe (PID 2320), command line C:\Windows\system32\Lljpjchg.exe
86. C:\Windows\SysWOW64\Lcdhgn32.exe (PID 1940), command line C:\Windows\system32\Lcdhgn32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
87. C:\Windows\SysWOW64\Lfbdci32.exe (PID 2636), command line C:\Windows\system32\Lfbdci32.exe
88. C:\Windows\SysWOW64\Llmmpcfe.exe (PID 2692), command line C:\Windows\system32\Llmmpcfe.exe
89. C:\Windows\SysWOW64\Mphiqbon.exe (PID 1180), command line C:\Windows\system32\Mphiqbon.exe
90. C:\Windows\SysWOW64\Mgbaml32.exe (PID 2848), command line C:\Windows\system32\Mgbaml32.exe
   - Drops file in System32 directory
91. C:\Windows\SysWOW64\Mfeaiime.exe (PID 2612), command line C:\Windows\system32\Mfeaiime.exe
92. C:\Windows\SysWOW64\Mqjefamk.exe (PID 1168), command line C:\Windows\system32\Mqjefamk.exe
   - System Location Discovery: System Language Discovery
93. C:\Windows\SysWOW64\Momfan32.exe (PID 2884), command line C:\Windows\system32\Momfan32.exe
   - Drops file in System32 directory
94. C:\Windows\SysWOW64\Mfgnnhkc.exe (PID 1204), command line C:\Windows\system32\Mfgnnhkc.exe
95. C:\Windows\SysWOW64\Mhfjjdjf.exe (PID 840), command line C:\Windows\system32\Mhfjjdjf.exe
   - Modifies registry class
96. C:\Windows\SysWOW64\Mbnocipg.exe (PID 1608), command line C:\Windows\system32\Mbnocipg.exe
97. C:\Windows\SysWOW64\Mdmkoepk.exe (PID 2380), command line C:\Windows\system32\Mdmkoepk.exe
   - System Location Discovery: System Language Discovery
98. C:\Windows\SysWOW64\Mmccqbpm.exe (PID 1484), command line C:\Windows\system32\Mmccqbpm.exe
99. C:\Windows\SysWOW64\Mobomnoq.exe (PID 2816), command line C:\Windows\system32\Mobomnoq.exe
   - Drops file in System32 directory
100. C:\Windows\SysWOW64\Mflgih32.exe (PID 2680), command line C:\Windows\system32\Mflgih32.exe
101. C:\Windows\SysWOW64\Mhjcec32.exe (PID 2540), command line C:\Windows\system32\Mhjcec32.exe
102. C:\Windows\SysWOW64\Modlbmmn.exe (PID 2568), command line C:\Windows\system32\Modlbmmn.exe
   - Drops file in System32 directory
103. C:\Windows\SysWOW64\Mbchni32.exe (PID 2588), command line C:\Windows\system32\Mbchni32.exe
104. C:\Windows\SysWOW64\Mdadjd32.exe (PID 2296), command line C:\Windows\system32\Mdadjd32.exe
105. C:\Windows\SysWOW64\Ngpqfp32.exe (PID 1476), command line C:\Windows\system32\Ngpqfp32.exe
106. C:\Windows\SysWOW64\Nnjicjbf.exe (PID 2288), command line C:\Windows\system32\Nnjicjbf.exe
107. C:\Windows\SysWOW64\Ndcapd32.exe (PID 688), command line C:\Windows\system32\Ndcapd32.exe
   - System Location Discovery: System Language Discovery
108. C:\Windows\SysWOW64\Ncfalqpm.exe (PID 1744), command line C:\Windows\system32\Ncfalqpm.exe
109. C:\Windows\SysWOW64\Njpihk32.exe (PID 2368), command line C:\Windows\system32\Njpihk32.exe
110. C:\Windows\SysWOW64\Nqjaeeog.exe (PID 1592), command line C:\Windows\system32\Nqjaeeog.exe
111. C:\Windows\SysWOW64\Ncinap32.exe (PID 308), command line C:\Windows\system32\Ncinap32.exe
112. C:\Windows\SysWOW64\Nfgjml32.exe (PID 2544), command line C:\Windows\system32\Nfgjml32.exe
113. C:\Windows\SysWOW64\Nnnbni32.exe (PID 2924), command line C:\Windows\system32\Nnnbni32.exe
114. C:\Windows\SysWOW64\Nppofado.exe (PID 1044), command line C:\Windows\system32\Nppofado.exe
115. C:\Windows\SysWOW64\Nggggoda.exe (PID 1788), command line C:\Windows\system32\Nggggoda.exe
116. C:\Windows\SysWOW64\Njeccjcd.exe (PID 1612), command line C:\Windows\system32\Njeccjcd.exe
117. C:\Windows\SysWOW64\Nqokpd32.exe (PID 1264), command line C:\Windows\system32\Nqokpd32.exe
118. C:\Windows\SysWOW64\Ncmglp32.exe (PID 2280), command line C:\Windows\system32\Ncmglp32.exe
119. C:\Windows\SysWOW64\Nflchkii.exe (PID 1068), command line C:\Windows\system32\Nflchkii.exe
120. C:\Windows\SysWOW64\Nmflee32.exe (PID 2428), command line C:\Windows\system32\Nmflee32.exe
121. C:\Windows\SysWOW64\Nlilqbgp.exe (PID 2624), command line C:\Windows\system32\Nlilqbgp.exe
122. C:\Windows\SysWOW64\Ofnpnkgf.exe (PID 2172), command line C:\Windows\system32\Ofnpnkgf.exe