Analysis
max time kernel: 72s
max time network: 18s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 10-11-2024 00:58

Static task: static1
Behavioral task: behavioral1
  Sample: c8837c2e8adf3fbb0ae1045ef394311980267b5a0666d6f3bee7f7f38f675371N.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: c8837c2e8adf3fbb0ae1045ef394311980267b5a0666d6f3bee7f7f38f675371N.exe
  Resource: win10v2004-20241007-en
General
Target: c8837c2e8adf3fbb0ae1045ef394311980267b5a0666d6f3bee7f7f38f675371N.exe
Size: 45KB
MD5: 36a28c7ec4f7f669830fbafee0f29740
SHA1: 5541f858b285f997fa731a170ac192489dbde854
SHA256: c8837c2e8adf3fbb0ae1045ef394311980267b5a0666d6f3bee7f7f38f675371
SHA512: 58c02ac14caa9acff248482370fcd9e9765bea235b4b8849a41932feb4679f9e2324b32bd0e3931efdc3b6efc66ec84aa2c98b69e06d02aa5f8aaae3b8053bb0
SSDEEP: 768:DmvUKWKGBl3H6JBbm0W+Um5+OzjIlWoqz6JZcr+/1H5:kUvKw3aJBbm0FKGUlWNz6Jak

Malware Config
Extracted
Family: berbew
URLs:
  http://tat-neftbank.ru/kkq.php
  http://tat-neftbank.ru/wcmd.htm
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
ShellServiceObjectDelayLoad (SSODL) lists CLSIDs that explorer.exe instantiates when the shell starts, so whatever DLL is registered as the InProcServer32 of {79FEACFF-FFCE-815E-A900-316290B5B738} (see "Modifies registry class" below) is loaded into explorer.exe at every logon. All 64 entries touch the 32-bit (Wow6432Node) view of that key; the value name "Web Event Logger" is the one every dropped copy reuses.
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Processes (32, in report order): Nhebhipj.exe, Cdlmlidp.exe, Bepjjn32.exe, Cmdaeo32.exe, Nokqidll.exe, Okkkoj32.exe, Nafiej32.exe, Oeoeplfn.exe, Qaablcej.exe, Midnqh32.exe, Odanqb32.exe, Ifhgcgjq.exe, Bfbjdf32.exe, Nianjl32.exe, Bboahbio.exe, Kccian32.exe, Ofiopaap.exe, Ffboohnm.exe, Loocanbe.exe, Aeenapck.exe, Cmikpngk.exe, Jndhddaf.exe, Ljbipolj.exe, Ligfakaa.exe, Pkojoghl.exe, Ipqicdim.exe, Dbggpfci.exe, Nhnemdbf.exe, Befnbd32.exe, Dkgldm32.exe, Gecklbih.exe, Hnmcli32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
Processes (32, in report order): Ejohdbok.exe, Gcakbjpl.exe, Jcfgoadd.exe, Heakefnf.exe, Midnqh32.exe, Mhkhgd32.exe, Pdigkk32.exe, Hdpehd32.exe, Ojpaeq32.exe, Pmqffonj.exe, Cdamao32.exe, Egflml32.exe, Pmhgba32.exe, Gbffjmmp.exe, Jfojpn32.exe, Ankedf32.exe, Odfofhic.exe, Dkeoongd.exe, Emgdmc32.exe, Glijnmdj.exe, Ncjbba32.exe, Hekefkig.exe, Ofiopaap.exe, Lcffgnnc.exe, Efhcej32.exe, Eqcjaa32.exe, Qifpqi32.exe, Mpqjmh32.exe, Bfbjdf32.exe, Gecklbih.exe, Lhdcojaa.exe, Ajamfh32.exe

Berbew family
Executes dropped EXE (64 IoCs)
pid | process
2832 | Jajocl32.exe
2628 | Kamlhl32.exe
2916 | Klfmijae.exe
2640 | Kpdeoh32.exe
2888 | Kbenacdm.exe
1856 | Khagijcd.exe
3028 | Lhdcojaa.exe
2500 | Lmcilp32.exe
520 | Laaabo32.exe
2904 | Llkbcl32.exe
2008 | Mcggef32.exe
1048 | Mcidkf32.exe
264 | Mopdpg32.exe
2444 | Mldeik32.exe
2260 | Mhkfnlme.exe
2512 | Ndafcmci.exe
2504 | Nnjklb32.exe
552 | Npkdnnfk.exe
1468 | Nqmqcmdh.exe
2352 | Nldahn32.exe
2028 | Nobndj32.exe
3012 | Ocpfkh32.exe
556 | Okkkoj32.exe
1316 | Ofaolcmh.exe
304 | Ogbldk32.exe
1724 | Oqkpmaif.exe
2768 | Ojceef32.exe
2744 | Oggeokoq.exe
2196 | Pmfjmake.exe
2644 | Pfnoegaf.exe
2684 | Pmhgba32.exe
2600 | Pcdldknm.exe
1800 | Plbmom32.exe
3016 | Qhincn32.exe
2304 | Qaablcej.exe
1700 | Amhcad32.exe
1696 | Afqhjj32.exe
2920 | Addhcn32.exe
760 | Ajamfh32.exe
460 | Adiaommc.exe
2412 | Bogljj32.exe
2332 | Bimphc32.exe
2560 | Befnbd32.exe
1328 | Cnabffeo.exe
2168 | Cjhckg32.exe
1772 | Ccqhdmbc.exe
1312 | Cdpdnpif.exe
2532 | Cnhhge32.exe
1748 | Cojeomee.exe
884 | Cjoilfek.exe
2292 | Coladm32.exe
2752 | Dlpbna32.exe
2880 | Dbmkfh32.exe
2756 | Ddkgbc32.exe
688 | Dkeoongd.exe
2072 | Dhiphb32.exe
3032 | Dkgldm32.exe
2608 | Ddppmclb.exe
2104 | Dgnminke.exe
2100 | Dnhefh32.exe
1572 | Ddbmcb32.exe
2096 | Dqinhcoc.exe
1912 | Efffpjmk.exe
820 | Efhcej32.exe
Loads dropped DLL (64 IoCs)
pid | process
2448 | c8837c2e8adf3fbb0ae1045ef394311980267b5a0666d6f3bee7f7f38f675371N.exe
2448 | c8837c2e8adf3fbb0ae1045ef394311980267b5a0666d6f3bee7f7f38f675371N.exe
2832 | Jajocl32.exe
2832 | Jajocl32.exe
2628 | Kamlhl32.exe
2628 | Kamlhl32.exe
2916 | Klfmijae.exe
2916 | Klfmijae.exe
2640 | Kpdeoh32.exe
2640 | Kpdeoh32.exe
2888 | Kbenacdm.exe
2888 | Kbenacdm.exe
1856 | Khagijcd.exe
1856 | Khagijcd.exe
3028 | Lhdcojaa.exe
3028 | Lhdcojaa.exe
2500 | Lmcilp32.exe
2500 | Lmcilp32.exe
520 | Laaabo32.exe
520 | Laaabo32.exe
2904 | Llkbcl32.exe
2904 | Llkbcl32.exe
2008 | Mcggef32.exe
2008 | Mcggef32.exe
1048 | Mcidkf32.exe
1048 | Mcidkf32.exe
264 | Mopdpg32.exe
264 | Mopdpg32.exe
2444 | Mldeik32.exe
2444 | Mldeik32.exe
2260 | Mhkfnlme.exe
2260 | Mhkfnlme.exe
2512 | Ndafcmci.exe
2512 | Ndafcmci.exe
2504 | Nnjklb32.exe
2504 | Nnjklb32.exe
552 | Npkdnnfk.exe
552 | Npkdnnfk.exe
1468 | Nqmqcmdh.exe
1468 | Nqmqcmdh.exe
2352 | Nldahn32.exe
2352 | Nldahn32.exe
2028 | Nobndj32.exe
2028 | Nobndj32.exe
3012 | Ocpfkh32.exe
3012 | Ocpfkh32.exe
556 | Okkkoj32.exe
556 | Okkkoj32.exe
1316 | Ofaolcmh.exe
1316 | Ofaolcmh.exe
304 | Ogbldk32.exe
304 | Ogbldk32.exe
1724 | Oqkpmaif.exe
1724 | Oqkpmaif.exe
2768 | Ojceef32.exe
2768 | Ojceef32.exe
2744 | Oggeokoq.exe
2744 | Oggeokoq.exe
2196 | Pmfjmake.exe
2196 | Pmfjmake.exe
2644 | Pfnoegaf.exe
2644 | Pfnoegaf.exe
2684 | Pmhgba32.exe
2684 | Pmhgba32.exe
Drops file in System32 directory (64 IoCs)
description | ioc | process
File created | C:\Windows\SysWOW64\Bjoohdbd.exe | Bpengf32.exe
File opened for modification | C:\Windows\SysWOW64\Dglbmg32.exe | Dlbaljhn.exe
File opened for modification | C:\Windows\SysWOW64\Ihcfan32.exe | Iokahhac.exe
File opened for modification | C:\Windows\SysWOW64\Jcaqmkpn.exe | Jndhddaf.exe
File created | C:\Windows\SysWOW64\Fmmdpala.dll | Nobndj32.exe
File created | C:\Windows\SysWOW64\Fipbhd32.exe | Fnjnkkbk.exe
File created | C:\Windows\SysWOW64\Ojndpqpq.exe | Oqepgk32.exe
File created | C:\Windows\SysWOW64\Kcpabfbj.dll | Oklmhcdf.exe
File opened for modification | C:\Windows\SysWOW64\Fqhclqnc.exe | Ffboohnm.exe
File created | C:\Windows\SysWOW64\Aalbfa32.dll | Fkldgi32.exe
File created | C:\Windows\SysWOW64\Ofaolcmh.exe | Okkkoj32.exe
File opened for modification | C:\Windows\SysWOW64\Bfbjdf32.exe | Bkkioeig.exe
File opened for modification | C:\Windows\SysWOW64\Codeih32.exe | Celpqbon.exe
File created | C:\Windows\SysWOW64\Bbijkm32.dll | Enngdgim.exe
File opened for modification | C:\Windows\SysWOW64\Fnmmidhm.exe | Fgcdlj32.exe
File created | C:\Windows\SysWOW64\Jndhddaf.exe | Jcocgkbp.exe
File created | C:\Windows\SysWOW64\Jqlidcln.dll | Codeih32.exe
File created | C:\Windows\SysWOW64\Fcfohlmg.exe | Fqhclqnc.exe
File created | C:\Windows\SysWOW64\Ghddnnfi.exe | Gfdhck32.exe
File created | C:\Windows\SysWOW64\Honiikpa.exe | Holldk32.exe
File opened for modification | C:\Windows\SysWOW64\Odckfb32.exe | Omjbihpn.exe
File opened for modification | C:\Windows\SysWOW64\Ogbldk32.exe | Ofaolcmh.exe
File created | C:\Windows\SysWOW64\Kabgha32.dll | Ddppmclb.exe
File created | C:\Windows\SysWOW64\Nhjdcghg.dll | Ojndpqpq.exe
File opened for modification | C:\Windows\SysWOW64\Qgfkchmp.exe | Pmqffonj.exe
File created | C:\Windows\SysWOW64\Igjeji32.dll | Nndgeplo.exe
File created | C:\Windows\SysWOW64\Pggcij32.dll | Ebcmfj32.exe
File opened for modification | C:\Windows\SysWOW64\Fjfhkl32.exe | Famcbf32.exe
File created | C:\Windows\SysWOW64\Fgpcof32.dll | Jmgfgham.exe
File created | C:\Windows\SysWOW64\Gimpofjk.dll | Ncdpdcfh.exe
File created | C:\Windows\SysWOW64\Lloimaiq.dll | Kfdfdf32.exe
File created | C:\Windows\SysWOW64\Ninjjf32.exe | Noifmmec.exe
File opened for modification | C:\Windows\SysWOW64\Heakefnf.exe | Hpdbmooo.exe
File opened for modification | C:\Windows\SysWOW64\Pdigkk32.exe | Pjofjm32.exe
File opened for modification | C:\Windows\SysWOW64\Oqkpmaif.exe | Ogbldk32.exe
File created | C:\Windows\SysWOW64\Dnknlm32.dll | Cnabffeo.exe
File opened for modification | C:\Windows\SysWOW64\Gbffjmmp.exe | Gllnnc32.exe
File opened for modification | C:\Windows\SysWOW64\Cgbfcjag.exe | Cniajdkg.exe
File created | C:\Windows\SysWOW64\Ailqfooi.exe | Abbhje32.exe
File created | C:\Windows\SysWOW64\Dmknff32.dll | Aeenapck.exe
File created | C:\Windows\SysWOW64\Fbflbd32.dll | Bdodmlcm.exe
File opened for modification | C:\Windows\SysWOW64\Dpaqmnap.exe | Cgbfcjag.exe
File opened for modification | C:\Windows\SysWOW64\Llkbcl32.exe | Laaabo32.exe
File created | C:\Windows\SysWOW64\Mdepmh32.exe | Mbdcepcm.exe
File opened for modification | C:\Windows\SysWOW64\Mkaeob32.exe | Mhcicf32.exe
File created | C:\Windows\SysWOW64\Ekddck32.exe | Enpdjfgj.exe
File created | C:\Windows\SysWOW64\Bdldhfli.dll | Heakefnf.exe
File opened for modification | C:\Windows\SysWOW64\Lekcffem.exe | Ljeoimeg.exe
File opened for modification | C:\Windows\SysWOW64\Kbenacdm.exe | Kpdeoh32.exe
File created | C:\Windows\SysWOW64\Ddppmclb.exe | Dkgldm32.exe
File opened for modification | C:\Windows\SysWOW64\Dpdfemkm.exe | Dglbmg32.exe
File created | C:\Windows\SysWOW64\Gmadkcmq.dll | Nhnemdbf.exe
File opened for modification | C:\Windows\SysWOW64\Nqmqcmdh.exe | Npkdnnfk.exe
File created | C:\Windows\SysWOW64\Cojeomee.exe | Cnhhge32.exe
File created | C:\Windows\SysWOW64\Aljmbknm.exe | Ailqfooi.exe
File created | C:\Windows\SysWOW64\Omhbed32.dll | Cgbfcjag.exe
File created | C:\Windows\SysWOW64\Ihggkhle.dll | Nianjl32.exe
File created | C:\Windows\SysWOW64\Dglbmg32.exe | Dlbaljhn.exe
File created | C:\Windows\SysWOW64\Djfkkmab.dll | Jndhddaf.exe
File opened for modification | C:\Windows\SysWOW64\Oddbqhkf.exe | Oklmhcdf.exe
File opened for modification | C:\Windows\SysWOW64\Glcfgk32.exe | Gplebjbk.exe
File opened for modification | C:\Windows\SysWOW64\Kpdeoh32.exe | Klfmijae.exe
File created | C:\Windows\SysWOW64\Eacmfp32.dll | Ilmlfcel.exe
File created | C:\Windows\SysWOW64\Moqgiopk.exe | Midnqh32.exe
Program crash (1 IoCs)
pid | pid_target | process | target process
2008 | 2004 | WerFault.exe | Ockdmn32.exe
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
All 64 entries are the same action on the same key:
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Processes (64, in report order): Moqgiopk.exe, Aemafjeg.exe, Cojeomee.exe, Nloachkf.exe, Iopeoknn.exe, Gbffjmmp.exe, Gkedjo32.exe, Jcfgoadd.exe, Kimlqfeq.exe, Midnqh32.exe, Ojceef32.exe, Afqhjj32.exe, Gllnnc32.exe, Nkbcgnie.exe, Gecklbih.exe, Hdhnal32.exe, Lffohikd.exe, Cpejfjha.exe, Cpidai32.exe, Gplebjbk.exe, Jndhddaf.exe, Ccqhdmbc.exe, Pajeanhf.exe, Kpgdnp32.exe, Ccecheeb.exe, Dlbaljhn.exe, Bogljj32.exe, Dkeoongd.exe, Bgdfjfmi.exe, Glijnmdj.exe, Cmdaeo32.exe, Nhfdqb32.exe, Jqnhmgmk.exe, Poacighp.exe, Ekfaij32.exe, Fnjnkkbk.exe, Odcimipf.exe, Ffghjg32.exe, Lcffgnnc.exe, Mcggef32.exe, Dbmkfh32.exe, Eclcon32.exe, Loocanbe.exe, Fefcmehe.exe, Celpqbon.exe, Amkbpm32.exe, Bjfpdf32.exe, Ilmlfcel.exe, Moccnoni.exe, Ffpkob32.exe, Hagepa32.exe, Mcidkf32.exe, Hekefkig.exe, Knfopnkk.exe, Aakhkj32.exe, Gbmoceol.exe, Ikmibjkm.exe, Npkdnnfk.exe, Oomjng32.exe, Egflml32.exe, Kjhopjqi.exe, Iebmpcjc.exe, Jkobgm32.exe, Lmqgec32.exe
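The signature tables in this report share one flattened row shape ("action ioc process"), and the persistence story only becomes visible when three of them are joined: the SSODL value names a CLSID, the "Modifies registry class" rows register a DLL as that CLSID's InProcServer32, and the "Drops file in System32" rows show the same process writing that DLL. The script below is an added example by the editor, not sandbox output and not code from the Berbew sample: it parses rows in that shape, performs the join, and reconstructs which dropped copy wrote which file. SAMPLE_ROWS is a constructed subset copied verbatim from the tables on this page; the regexes, function names and the CLSID upper-casing are the editor's own choices.

```python
"""Correlate flattened sandbox signature rows into hunting artefacts.

Added example for this report (editor's code, not sandbox output). The
regexes and function names are assumptions of this example; SAMPLE_ROWS is
constructed test input copied from the report's own tables.
"""
import re
from collections import defaultdict

# Constructed sample: rows lifted verbatim from the signature tables on the page
# (autorun key, registry class, System32 drops, language discovery).
SAMPLE_ROWS = r"""
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhebhipj.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejohdbok.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnjklb32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebeffboh.dll" Mbdfni32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmmdpala.dll" Nobndj32.exe
File created C:\Windows\SysWOW64\Fmmdpala.dll Nobndj32.exe
File created C:\Windows\SysWOW64\Ofaolcmh.exe Okkkoj32.exe
File opened for modification C:\Windows\SysWOW64\Ogbldk32.exe Ofaolcmh.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Moqgiopk.exe
"""

# A row is "<action> <ioc> <process>"; the ioc may contain spaces, the process never does.
ROW_RE = re.compile(
    r'^(Key created|Key opened|Set value \(str\)|File created|File opened for modification) '
    r'(.+?) (\S+\.exe)$')
SSODL_RE = re.compile(r'ShellServiceObjectDelayLoad\\(.+?) = "(\{[0-9A-Fa-f-]+\})"$')
INPROC_RE = re.compile(r'CLSID\\(\{[0-9A-Fa-f-]+\})\\InProcServer32\\ = "(.+)"$')


def parse_rows(text):
    """Split rows into dicts; raise on anything that is not in the expected shape."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised row: {line!r}")
        action, ioc, process = m.groups()
        rows.append({"action": action, "ioc": ioc, "process": process})
    return rows


def ssodl_entries(rows):
    """SSODL value name -> (CLSID, process that wrote it); explorer.exe instantiates these."""
    out = {}
    for r in rows:
        m = SSODL_RE.search(r["ioc"])
        if r["action"] == "Set value (str)" and m:
            out[m.group(1)] = (m.group(2).upper(), r["process"])
    return out


def inproc_servers(rows):
    """CLSID -> {(dll_path, process)} from InProcServer32 default values.
    The report prints registry strings with doubled backslashes; undo that."""
    out = defaultdict(set)
    for r in rows:
        m = INPROC_RE.search(r["ioc"])
        if m:
            out[m.group(1).upper()].add((m.group(2).replace("\\\\", "\\"), r["process"]))
    return out


def drop_graph(rows):
    """Dropper process -> sorted files it created or modified; the edges form the
    chain of self-copies (Okkkoj32 writes Ofaolcmh, which writes Ogbldk32, ...)."""
    out = defaultdict(set)
    for r in rows:
        if r["action"] in ("File created", "File opened for modification"):
            out[r["process"]].add(r["ioc"])
    return {k: sorted(v) for k, v in out.items()}


def persistence_findings(rows):
    """Join each SSODL CLSID to every DLL registered as its in-process server."""
    servers = inproc_servers(rows)
    findings = []
    for name, (clsid, writer) in ssodl_entries(rows).items():
        for dll, registrar in sorted(servers.get(clsid, ())):
            findings.append({"ssodl_value": name, "clsid": clsid, "dll": dll,
                             "registered_by": registrar, "ssodl_set_by": writer})
    return findings


def dropped_persistence_dlls(rows):
    """Persistence DLLs the same run also wrote to disk. Compared case-insensitively:
    the registry rows say SysWow64, the file rows SysWOW64, and NTFS does not care."""
    dropped = {p.casefold() for files in drop_graph(rows).values() for p in files}
    return sorted({f["dll"] for f in persistence_findings(rows)
                   if f["dll"].casefold() in dropped})


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    for f in persistence_findings(rows):
        print(f"explorer.exe will load {f['dll']} via SSODL '{f['ssodl_value']}' "
              f"({f['clsid']}), registered by {f['registered_by']}")
    print("dropped and registered:", dropped_persistence_dlls(rows))
    print("language discovery by:",
          sorted({r['process'] for r in rows if r['ioc'].endswith(r'\NLS\Language')}))
```

Feeding the full tables from this page through parse_rows gives the complete set of DLLs that explorer.exe would load at logon and the process that registered each one. The on-host counterpart of persistence_findings is to enumerate the values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad and its Wow6432Node twin, resolve each CLSID's InProcServer32 (in both registry views), and treat any server DLL in SysWOW64 with a random eight-letter name, as seen here, as a collection target.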
Modifies registry class (64 IoCs)
Processes (report filter list; it also names processes whose rows fall past the point where the report is cut off): Nnjklb32.exe, Mbdfni32.exe, Nobndj32.exe, Jgnchplb.exe, Jgppmpjp.exe, Jfbinf32.exe, Jcfgoadd.exe, Omqjgl32.exe, Abbhje32.exe, Ndafcmci.exe, Pfnoegaf.exe, Pmhgba32.exe, Jmgfgham.exe, Ncdpdcfh.exe, Fqhclqnc.exe, Fjqhef32.exe, Hpdbmooo.exe, Mcidkf32.exe, Adiaommc.exe, Fpbqcb32.exe, Mdoccg32.exe, Dbmkfh32.exe, Ffpkob32.exe, Glijnmdj.exe, Aakhkj32.exe, Hhlcal32.exe, Ihlpqonl.exe, Mfkebkjk.exe, Pnimpcke.exe, Laaabo32.exe, Efhcej32.exe, Ljplkonl.exe, Hchoop32.exe, Mllhne32.exe, Fpmpnmck.exe, Addhcn32.exe, Anjojphb.exe, Pkojoghl.exe, Cggcofkf.exe, Cabaec32.exe, Dbggpfci.exe, Ojceef32.exe, Fipbhd32.exe, Pdigkk32.exe, Lmlnjcgg.exe, Gegaeabe.exe, Cdpdnpif.exe, Ldjmidcj.exe, Gcchgini.exe, Ojpaeq32.exe, Khagijcd.exe, Hdbbnd32.exe, Nakikpin.exe, Nafiej32.exe, Oahbjmjp.exe, Mganfp32.exe, Mldeik32.exe, Nldahn32.exe, Eclcon32.exe, Lbojjq32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
Processes (in report order): Ndafcmci.exe, Pfnoegaf.exe, Fqhclqnc.exe, Fjqhef32.exe, Hpdbmooo.exe, Dbmkfh32.exe, Aakhkj32.exe, Mfkebkjk.exe, Mllhne32.exe, Cabaec32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"
Processes (in report order): Nnjklb32.exe, Jgppmpjp.exe, Jfbinf32.exe, Jmgfgham.exe, Ncdpdcfh.exe, Mcidkf32.exe, Ihlpqonl.exe, Ljplkonl.exe, Fqhclqnc.exe, Addhcn32.exe, Pkojoghl.exe, Cggcofkf.exe, and one final entry whose process name is cut off where the report ends
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "<DLL path>" (the key's default value, i.e. the DLL explorer.exe loads for this CLSID)
DLL path | process (in report order)
"C:\\Windows\\SysWow64\\Ebeffboh.dll" | Mbdfni32.exe
"C:\\Windows\\SysWow64\\Fmmdpala.dll" | Nobndj32.exe
"C:\\Windows\\SysWow64\\Pifjfmcm.dll" | Jgnchplb.exe
"C:\\Windows\\SysWow64\\Hgmggp32.dll" | Jcfgoadd.exe
"C:\\Windows\\SysWow64\\Kfhjbc32.dll" | Omqjgl32.exe
"C:\\Windows\\SysWow64\\Gpfecckm.dll" | Abbhje32.exe
"C:\\Windows\\SysWow64\\Ojoligof.dll" | Pmhgba32.exe
"C:\\Windows\\SysWow64\\Mhnkcm32.dll" | Adiaommc.exe
"C:\\Windows\\SysWow64\\Hhopnc32.dll" | Fpbqcb32.exe
"C:\\Windows\\SysWow64\\Ccligqak.dll" | Mdoccg32.exe
"C:\\Windows\\SysWow64\\Elnoff32.dll" | Ffpkob32.exe
"C:\\Windows\\SysWow64\\Pdfdbg32.dll" | Glijnmdj.exe
"C:\\Windows\\SysWow64\\Gobecg32.dll" | Hhlcal32.exe
"C:\\Windows\\SysWow64\\Ikicmc32.dll" | Pnimpcke.exe
"C:\\Windows\\SysWow64\\Lclgbcdk.dll" | Fqhclqnc.exe
"C:\\Windows\\SysWow64\\Aopbmapo.dll" | Laaabo32.exe
"C:\\Windows\\SysWow64\\Mgnedp32.dll" | Efhcej32.exe
"C:\\Windows\\SysWow64\\Laoekk32.dll" | Hchoop32.exe
"C:\\Windows\\SysWow64\\Pmidlkkk.dll" | Fpmpnmck.exe
"C:\\Windows\\SysWow64\\Qghagobg.dll" | Anjojphb.exe
"C:\\Windows\\SysWow64\\Hilgcb32.dll" | Dbggpfci.exe
(The report is truncated at this point; 44 of the 64 IoCs are visible.)
Ojceef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nldeka32.dll" Fipbhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdigkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmggpigb.dll" Lmlnjcgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gegaeabe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdpdnpif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldjmidcj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dbggpfci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnfhdk32.dll" Gcchgini.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ojpaeq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncgfge32.dll" Khagijcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfnoegaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = 
"C:\\Windows\\SysWow64\\Mqmojc32.dll" Hdbbnd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nakikpin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nafiej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oahbjmjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmnnepij.dll" Mganfp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mldeik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnfnhaca.dll" Nldahn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eccjdobp.dll" Eclcon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhihab32.dll" Lbojjq32.exe -
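Every event above touches one CLSID's InProcServer32 key under Wow6432Node: a dropped process creates the key, points its (Default) value at a freshly dropped eight-character DLL in SysWow64 and sets ThreadingModel to Apartment, which together is the complete in-process COM registration that key needs for the CLSID to resolve to the new DLL. The Python below is an added example, not code from the sandbox report or from the sample: it parses events in the report's flattened format (several events per line, doubled backslashes in the data field), builds the CLSID-to-DLL map, lists the processes that completed all three steps, and picks out the paths a responder would go and check on the host. The sample text is a constructed subset copied from the events above, and the "eight characters in SysWow64" pattern is a heuristic taken from this run, not a general rule.

```python
import re
from collections import defaultdict

# Constructed subset of the report's "Modifies registry class" events, kept in the
# sandbox's own flattened format (several events share a line; backslashes inside the
# quoted data are doubled exactly as the report prints them).
SAMPLE_EVENTS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfhjbc32.dll" Omqjgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpfecckm.dll" Abbhje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndafcmci.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmgfgham.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fqhclqnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lclgbcdk.dll" Fqhclqnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fqhclqnc.exe
"""

# One event = action, key path, optional "\ValueName = "data"", then the writing process.
# An empty value name is the key's (Default) value; for InProcServer32 that is the DLL.
EVENT_RE = re.compile(
    r"(?P<action>Set value \(str\)|Key created)\s+"
    r"(?P<key>\\REGISTRY\\\S+?)"
    r'(?:\\(?P<value>[^\\\s=]*)\s*=\s*"(?P<data>[^"]*)")?'
    r"\s+(?P<proc>\S+\.exe)"
)
CLSID_RE = re.compile(r"\\CLSID\\(\{[0-9A-Fa-f-]+\})\\InProcServer32$")

# Hunting heuristic from this run: every server written here lives in SysWow64 under an
# 8-character generated name. It narrows a hunt; it does not replace checking the DLL's
# Authenticode signature on the host.
SUSPECT_DLL_RE = re.compile(r"^C:\\Windows\\SysWow64\\[A-Za-z0-9]{8}\.dll$", re.IGNORECASE)


def parse_events(text):
    """Return one dict per registry event found anywhere in the flattened text."""
    events = []
    for m in EVENT_RE.finditer(text):
        value, data = m["value"], m["data"]
        events.append({
            "action": m["action"],
            "key": m["key"],
            "value": None if value is None else (value or "(Default)"),
            "data": None if data is None else data.replace("\\\\", "\\"),
            "process": m["proc"],
        })
    return events


def inproc_targets(events):
    """CLSID -> set of DLL paths written to that CLSID's InProcServer32 (Default) value."""
    targets = defaultdict(set)
    for ev in events:
        m = CLSID_RE.search(ev["key"])
        if m and ev["value"] == "(Default)":
            targets[m.group(1)].add(ev["data"])
    return dict(targets)


def completed_hijack(events):
    """Processes that did all three steps on a CLSID: created InProcServer32, pointed its
    (Default) value at a DLL and set ThreadingModel."""
    steps = defaultdict(set)
    for ev in events:
        if not CLSID_RE.search(ev["key"]):
            continue
        if ev["action"] == "Key created":
            steps[ev["process"]].add("create")
        elif ev["value"] == "(Default)":
            steps[ev["process"]].add("dll")
        elif ev["value"] == "ThreadingModel":
            steps[ev["process"]].add("threading")
    return sorted(p for p, s in steps.items() if s == {"create", "dll", "threading"})


def suspect_dlls(targets):
    """Flat, sorted list of every InProcServer32 target matching the run's naming pattern."""
    return sorted(p for dlls in targets.values() for p in dlls if SUSPECT_DLL_RE.match(p))


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for clsid, dlls in inproc_targets(evs).items():
        print(clsid, "->", sorted(dlls))
    print("full registration by:", completed_hijack(evs))
    print("check on host:", suspect_dlls(inproc_targets(evs)))
```

Feeding the whole "Modifies registry class" section into parse_events instead of the subset gives the complete list of DLL names this run dropped; the CLSID stays constant throughout, so that GUID plus any InProcServer32 value outside a Microsoft-signed path is the durable thing to hunt for, while the DLL names change with every process in the chain.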
Suspicious use of WriteProcessMemory 64 IoCs
Processes: c8837c2e8adf3fbb0ae1045ef394311980267b5a0666d6f3bee7f7f38f675371N.exe, Jajocl32.exe, Kamlhl32.exe, Klfmijae.exe, Kpdeoh32.exe, Kbenacdm.exe, Khagijcd.exe, Lhdcojaa.exe, Lmcilp32.exe, Laaabo32.exe, Llkbcl32.exe, Mcggef32.exe, Mcidkf32.exe, Mopdpg32.exe, Mldeik32.exe, Mhkfnlme.exe
description | pid | process | target process
PID 2448 wrote to memory of 2832 | 2448 | c8837c2e8adf3fbb0ae1045ef394311980267b5a0666d6f3bee7f7f38f675371N.exe | Jajocl32.exe
PID 2448 wrote to memory of 2832 | 2448 | c8837c2e8adf3fbb0ae1045ef394311980267b5a0666d6f3bee7f7f38f675371N.exe | Jajocl32.exe
PID 2448 wrote to memory of 2832 | 2448 | c8837c2e8adf3fbb0ae1045ef394311980267b5a0666d6f3bee7f7f38f675371N.exe | Jajocl32.exe
PID 2448 wrote to memory of 2832 | 2448 | c8837c2e8adf3fbb0ae1045ef394311980267b5a0666d6f3bee7f7f38f675371N.exe | Jajocl32.exe
PID 2832 wrote to memory of 2628 | 2832 | Jajocl32.exe | Kamlhl32.exe
PID 2832 wrote to memory of 2628 | 2832 | Jajocl32.exe | Kamlhl32.exe
PID 2832 wrote to memory of 2628 | 2832 | Jajocl32.exe | Kamlhl32.exe
PID 2832 wrote to memory of 2628 | 2832 | Jajocl32.exe | Kamlhl32.exe
PID 2628 wrote to memory of 2916 | 2628 | Kamlhl32.exe | Klfmijae.exe
PID 2628 wrote to memory of 2916 | 2628 | Kamlhl32.exe | Klfmijae.exe
PID 2628 wrote to memory of 2916 | 2628 | Kamlhl32.exe | Klfmijae.exe
PID 2628 wrote to memory of 2916 | 2628 | Kamlhl32.exe | Klfmijae.exe
PID 2916 wrote to memory of 2640 | 2916 | Klfmijae.exe | Kpdeoh32.exe
PID 2916 wrote to memory of 2640 | 2916 | Klfmijae.exe | Kpdeoh32.exe
PID 2916 wrote to memory of 2640 | 2916 | Klfmijae.exe | Kpdeoh32.exe
PID 2916 wrote to memory of 2640 | 2916 | Klfmijae.exe | Kpdeoh32.exe
PID 2640 wrote to memory of 2888 | 2640 | Kpdeoh32.exe | Kbenacdm.exe
PID 2640 wrote to memory of 2888 | 2640 | Kpdeoh32.exe | Kbenacdm.exe
PID 2640 wrote to memory of 2888 | 2640 | Kpdeoh32.exe | Kbenacdm.exe
PID 2640 wrote to memory of 2888 | 2640 | Kpdeoh32.exe | Kbenacdm.exe
PID 2888 wrote to memory of 1856 | 2888 | Kbenacdm.exe | Khagijcd.exe
PID 2888 wrote to memory of 1856 | 2888 | Kbenacdm.exe | Khagijcd.exe
PID 2888 wrote to memory of 1856 | 2888 | Kbenacdm.exe | Khagijcd.exe
PID 2888 wrote to memory of 1856 | 2888 | Kbenacdm.exe | Khagijcd.exe
PID 1856 wrote to memory of 3028 | 1856 | Khagijcd.exe | Lhdcojaa.exe
PID 1856 wrote to memory of 3028 | 1856 | Khagijcd.exe | Lhdcojaa.exe
PID 1856 wrote to memory of 3028 | 1856 | Khagijcd.exe | Lhdcojaa.exe
PID 1856 wrote to memory of 3028 | 1856 | Khagijcd.exe | Lhdcojaa.exe
PID 3028 wrote to memory of 2500 | 3028 | Lhdcojaa.exe | Lmcilp32.exe
PID 3028 wrote to memory of 2500 | 3028 | Lhdcojaa.exe | Lmcilp32.exe
PID 3028 wrote to memory of 2500 | 3028 | Lhdcojaa.exe | Lmcilp32.exe
PID 3028 wrote to memory of 2500 | 3028 | Lhdcojaa.exe | Lmcilp32.exe
PID 2500 wrote to memory of 520 | 2500 | Lmcilp32.exe | Laaabo32.exe
PID 2500 wrote to memory of 520 | 2500 | Lmcilp32.exe | Laaabo32.exe
PID 2500 wrote to memory of 520 | 2500 | Lmcilp32.exe | Laaabo32.exe
PID 2500 wrote to memory of 520 | 2500 | Lmcilp32.exe | Laaabo32.exe
PID 520 wrote to memory of 2904 | 520 | Laaabo32.exe | Llkbcl32.exe
PID 520 wrote to memory of 2904 | 520 | Laaabo32.exe | Llkbcl32.exe
PID 520 wrote to memory of 2904 | 520 | Laaabo32.exe | Llkbcl32.exe
PID 520 wrote to memory of 2904 | 520 | Laaabo32.exe | Llkbcl32.exe
PID 2904 wrote to memory of 2008 | 2904 | Llkbcl32.exe | Mcggef32.exe
PID 2904 wrote to memory of 2008 | 2904 | Llkbcl32.exe | Mcggef32.exe
PID 2904 wrote to memory of 2008 | 2904 | Llkbcl32.exe | Mcggef32.exe
PID 2904 wrote to memory of 2008 | 2904 | Llkbcl32.exe | Mcggef32.exe
PID 2008 wrote to memory of 1048 | 2008 | Mcggef32.exe | Mcidkf32.exe
PID 2008 wrote to memory of 1048 | 2008 | Mcggef32.exe | Mcidkf32.exe
PID 2008 wrote to memory of 1048 | 2008 | Mcggef32.exe | Mcidkf32.exe
PID 2008 wrote to memory of 1048 | 2008 | Mcggef32.exe | Mcidkf32.exe
PID 1048 wrote to memory of 264 | 1048 | Mcidkf32.exe | Mopdpg32.exe
PID 1048 wrote to memory of 264 | 1048 | Mcidkf32.exe | Mopdpg32.exe
PID 1048 wrote to memory of 264 | 1048 | Mcidkf32.exe | Mopdpg32.exe
PID 1048 wrote to memory of 264 | 1048 | Mcidkf32.exe | Mopdpg32.exe
PID 264 wrote to memory of 2444 | 264 | Mopdpg32.exe | Mldeik32.exe
PID 264 wrote to memory of 2444 | 264 | Mopdpg32.exe | Mldeik32.exe
PID 264 wrote to memory of 2444 | 264 | Mopdpg32.exe | Mldeik32.exe
PID 264 wrote to memory of 2444 | 264 | Mopdpg32.exe | Mldeik32.exe
PID 2444 wrote to memory of 2260 | 2444 | Mldeik32.exe | Mhkfnlme.exe
PID 2444 wrote to memory of 2260 | 2444 | Mldeik32.exe | Mhkfnlme.exe
PID 2444 wrote to memory of 2260 | 2444 | Mldeik32.exe | Mhkfnlme.exe
PID 2444 wrote to memory of 2260 | 2444 | Mldeik32.exe | Mhkfnlme.exe
PID 2260 wrote to memory of 2512 | 2260 | Mhkfnlme.exe | Ndafcmci.exe
PID 2260 wrote to memory of 2512 | 2260 | Mhkfnlme.exe | Ndafcmci.exe
PID 2260 wrote to memory of 2512 | 2260 | Mhkfnlme.exe | Ndafcmci.exe
PID 2260 wrote to memory of 2512 | 2260 | Mhkfnlme.exe | Ndafcmci.exe
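The 64 events above describe a strictly linear chain: each process writes into exactly one child (four writes per spawn in this run), the child is the next freshly dropped eight-character binary, and the root sample never touches anything else. The Python below is an added example, not part of the sandbox report or the sample: it parses events in the report's flattened format, counts writes per parent-child pair, reconstructs the chain from the root PID and raises an alert when a root leads to a run of generated-looking children, which is the shape a detection rule over endpoint telemetry would key on. The sample text is a constructed subset of the first three hops copied from the table above, and the name pattern is a heuristic observed on this run only.

```python
import re
from collections import Counter, defaultdict

# Constructed subset of the report's WriteProcessMemory events: the first three hops,
# each logged four times, in the sandbox's own flattened one-line format.
SAMPLE_WPM = (
    "PID 2448 wrote to memory of 2832 2448 "
    "c8837c2e8adf3fbb0ae1045ef394311980267b5a0666d6f3bee7f7f38f675371N.exe Jajocl32.exe " * 4
    + "PID 2832 wrote to memory of 2628 2832 Jajocl32.exe Kamlhl32.exe " * 4
    + "PID 2628 wrote to memory of 2916 2628 Kamlhl32.exe Klfmijae.exe " * 4
)

# "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"; the back-reference
# insists the repeated source PID agrees with the one in the description.
WPM_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) "
    r"(?P<srcname>\S+\.exe) (?P<dstname>\S+\.exe)"
)

# Naming pattern of this run's dropped binaries: one capital, five lower-case letters,
# then "32" or two more letters (Jajocl32, Klfmijae, Ndafcmci). Heuristic only.
DROPPED_NAME_RE = re.compile(r"^[A-Z][a-z]{5}(?:32|[a-z]{2})\.exe$")


def parse_wpm(text):
    """(src_pid, src_name, dst_pid, dst_name) for every event in the flattened text."""
    return [(int(m["src"]), m["srcname"], int(m["dst"]), m["dstname"])
            for m in WPM_RE.finditer(text)]


def edge_counts(records):
    """Number of logged writes per (src_pid, dst_pid) pair."""
    return dict(Counter((src, dst) for src, _, dst, _ in records))


def build_chain(records, root):
    """Follow src->dst edges from root. Raises if a process has more than one distinct
    child or an edge loops back, because this run is a strictly linear chain."""
    children = defaultdict(list)
    names = {}
    for src, src_name, dst, dst_name in records:
        names[src], names[dst] = src_name, dst_name
        if dst not in children[src]:
            children[src].append(dst)
    chain, seen, cur = [root], {root}, root
    while children.get(cur):
        if len(children[cur]) != 1:
            raise ValueError(f"pid {cur} has several children: {children[cur]}")
        cur = children[cur][0]
        if cur in seen:
            raise ValueError(f"cycle at pid {cur}")
        chain.append(cur)
        seen.add(cur)
    return [(pid, names[pid]) for pid in chain]


def looks_dropped(name):
    return bool(DROPPED_NAME_RE.match(name))


def chain_alert(records, root, min_depth=3):
    """True when root leads, hop by hop, to at least min_depth children that all carry
    the run's generated names: a self-propagating drop-and-spawn chain."""
    descendants = build_chain(records, root)[1:]
    return len(descendants) >= min_depth and all(looks_dropped(n) for _, n in descendants)


if __name__ == "__main__":
    recs = parse_wpm(SAMPLE_WPM)
    for pid, name in build_chain(recs, 2448):
        print(pid, name)
    print("writes per hop:", edge_counts(recs))
    print("alert:", chain_alert(recs, 2448))
```

On the full table the chain runs from PID 2448 to 2512 across seventeen processes; the process tree below continues it to depth 122, well past what the WriteProcessMemory signature's 64-IoC cap records, so a rule should trigger on chain depth, not on the count of logged writes.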
Processes
-
Process tree. Each entry is the child of the entry above it; the bracketed number is its nesting level. Each header line gives the image path, the recorded command line and the PID, followed by the signatures that fired for that process.

[1] C:\Users\Admin\AppData\Local\Temp\c8837c2e8adf3fbb0ae1045ef394311980267b5a0666d6f3bee7f7f38f675371N.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\c8837c2e8adf3fbb0ae1045ef394311980267b5a0666d6f3bee7f7f38f675371N.exe")  PID 2448
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

[2] C:\Windows\SysWOW64\Jajocl32.exe  (cmdline: C:\Windows\system32\Jajocl32.exe)  PID 2832
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

[3] C:\Windows\SysWOW64\Kamlhl32.exe  (cmdline: C:\Windows\system32\Kamlhl32.exe)  PID 2628
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

[4] C:\Windows\SysWOW64\Klfmijae.exe  (cmdline: C:\Windows\system32\Klfmijae.exe)  PID 2916
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

[5] C:\Windows\SysWOW64\Kpdeoh32.exe  (cmdline: C:\Windows\system32\Kpdeoh32.exe)  PID 2640
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

[6] C:\Windows\SysWOW64\Kbenacdm.exe  (cmdline: C:\Windows\system32\Kbenacdm.exe)  PID 2888
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

[7] C:\Windows\SysWOW64\Khagijcd.exe  (cmdline: C:\Windows\system32\Khagijcd.exe)  PID 1856
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

[8] C:\Windows\SysWOW64\Lhdcojaa.exe  (cmdline: C:\Windows\system32\Lhdcojaa.exe)  PID 3028
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

[9] C:\Windows\SysWOW64\Lmcilp32.exe  (cmdline: C:\Windows\system32\Lmcilp32.exe)  PID 2500
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

[10] C:\Windows\SysWOW64\Laaabo32.exe  (cmdline: C:\Windows\system32\Laaabo32.exe)  PID 520
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

[11] C:\Windows\SysWOW64\Llkbcl32.exe  (cmdline: C:\Windows\system32\Llkbcl32.exe)  PID 2904
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

[12] C:\Windows\SysWOW64\Mcggef32.exe  (cmdline: C:\Windows\system32\Mcggef32.exe)  PID 2008
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

[13] C:\Windows\SysWOW64\Mcidkf32.exe  (cmdline: C:\Windows\system32\Mcidkf32.exe)  PID 1048
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

[14] C:\Windows\SysWOW64\Mopdpg32.exe  (cmdline: C:\Windows\system32\Mopdpg32.exe)  PID 264
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

[15] C:\Windows\SysWOW64\Mldeik32.exe  (cmdline: C:\Windows\system32\Mldeik32.exe)  PID 2444
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

[16] C:\Windows\SysWOW64\Mhkfnlme.exe  (cmdline: C:\Windows\system32\Mhkfnlme.exe)  PID 2260
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

[17] C:\Windows\SysWOW64\Ndafcmci.exe  (cmdline: C:\Windows\system32\Ndafcmci.exe)  PID 2512
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class

[18] C:\Windows\SysWOW64\Nnjklb32.exe  (cmdline: C:\Windows\system32\Nnjklb32.exe)  PID 2504
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class

[19] C:\Windows\SysWOW64\Npkdnnfk.exe  (cmdline: C:\Windows\system32\Npkdnnfk.exe)  PID 552
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery

[20] C:\Windows\SysWOW64\Nqmqcmdh.exe  (cmdline: C:\Windows\system32\Nqmqcmdh.exe)  PID 1468
  - Executes dropped EXE
  - Loads dropped DLL

[21] C:\Windows\SysWOW64\Nldahn32.exe  (cmdline: C:\Windows\system32\Nldahn32.exe)  PID 2352
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class

[22] C:\Windows\SysWOW64\Nobndj32.exe  (cmdline: C:\Windows\system32\Nobndj32.exe)  PID 2028
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class

[23] C:\Windows\SysWOW64\Ocpfkh32.exe  (cmdline: C:\Windows\system32\Ocpfkh32.exe)  PID 3012
  - Executes dropped EXE
  - Loads dropped DLL

[24] C:\Windows\SysWOW64\Okkkoj32.exe  (cmdline: C:\Windows\system32\Okkkoj32.exe)  PID 556
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory

[25] C:\Windows\SysWOW64\Ofaolcmh.exe  (cmdline: C:\Windows\system32\Ofaolcmh.exe)  PID 1316
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory

[26] C:\Windows\SysWOW64\Ogbldk32.exe  (cmdline: C:\Windows\system32\Ogbldk32.exe)  PID 304
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory

[27] C:\Windows\SysWOW64\Oqkpmaif.exe  (cmdline: C:\Windows\system32\Oqkpmaif.exe)  PID 1724
  - Executes dropped EXE
  - Loads dropped DLL

[28] C:\Windows\SysWOW64\Ojceef32.exe  (cmdline: C:\Windows\system32\Ojceef32.exe)  PID 2768
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class

[29] C:\Windows\SysWOW64\Oggeokoq.exe  (cmdline: C:\Windows\system32\Oggeokoq.exe)  PID 2744
  - Executes dropped EXE
  - Loads dropped DLL

[30] C:\Windows\SysWOW64\Pmfjmake.exe  (cmdline: C:\Windows\system32\Pmfjmake.exe)  PID 2196
  - Executes dropped EXE
  - Loads dropped DLL

[31] C:\Windows\SysWOW64\Pfnoegaf.exe  (cmdline: C:\Windows\system32\Pfnoegaf.exe)  PID 2644
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class

[32] C:\Windows\SysWOW64\Pmhgba32.exe  (cmdline: C:\Windows\system32\Pmhgba32.exe)  PID 2684
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class

[33] C:\Windows\SysWOW64\Pcdldknm.exe  (cmdline: C:\Windows\system32\Pcdldknm.exe)  PID 2600
  - Executes dropped EXE

[34] C:\Windows\SysWOW64\Plbmom32.exe  (cmdline: C:\Windows\system32\Plbmom32.exe)  PID 1800
  - Executes dropped EXE

[35] C:\Windows\SysWOW64\Qhincn32.exe  (cmdline: C:\Windows\system32\Qhincn32.exe)  PID 3016
  - Executes dropped EXE

[36] C:\Windows\SysWOW64\Qaablcej.exe  (cmdline: C:\Windows\system32\Qaablcej.exe)  PID 2304
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE

[37] C:\Windows\SysWOW64\Amhcad32.exe  (cmdline: C:\Windows\system32\Amhcad32.exe)  PID 1700
  - Executes dropped EXE

[38] C:\Windows\SysWOW64\Afqhjj32.exe  (cmdline: C:\Windows\system32\Afqhjj32.exe)  PID 1696
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery

[39] C:\Windows\SysWOW64\Addhcn32.exe  (cmdline: C:\Windows\system32\Addhcn32.exe)  PID 2920
  - Executes dropped EXE
  - Modifies registry class

[40] C:\Windows\SysWOW64\Ajamfh32.exe  (cmdline: C:\Windows\system32\Ajamfh32.exe)  PID 760
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE

[41] C:\Windows\SysWOW64\Adiaommc.exe  (cmdline: C:\Windows\system32\Adiaommc.exe)  PID 460
  - Executes dropped EXE
  - Modifies registry class

[42] C:\Windows\SysWOW64\Bogljj32.exe  (cmdline: C:\Windows\system32\Bogljj32.exe)  PID 2412
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery

[43] C:\Windows\SysWOW64\Bimphc32.exe  (cmdline: C:\Windows\system32\Bimphc32.exe)  PID 2332
  - Executes dropped EXE

[44] C:\Windows\SysWOW64\Befnbd32.exe  (cmdline: C:\Windows\system32\Befnbd32.exe)  PID 2560
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE

[45] C:\Windows\SysWOW64\Cnabffeo.exe  (cmdline: C:\Windows\system32\Cnabffeo.exe)  PID 1328
  - Executes dropped EXE
  - Drops file in System32 directory

[46] C:\Windows\SysWOW64\Cjhckg32.exe  (cmdline: C:\Windows\system32\Cjhckg32.exe)  PID 2168
  - Executes dropped EXE

[47] C:\Windows\SysWOW64\Ccqhdmbc.exe  (cmdline: C:\Windows\system32\Ccqhdmbc.exe)  PID 1772
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery

[48] C:\Windows\SysWOW64\Cdpdnpif.exe  (cmdline: C:\Windows\system32\Cdpdnpif.exe)  PID 1312
  - Executes dropped EXE
  - Modifies registry class

[49] C:\Windows\SysWOW64\Cnhhge32.exe  (cmdline: C:\Windows\system32\Cnhhge32.exe)  PID 2532
  - Executes dropped EXE
  - Drops file in System32 directory

[50] C:\Windows\SysWOW64\Cojeomee.exe  (cmdline: C:\Windows\system32\Cojeomee.exe)  PID 1748
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery

[51] C:\Windows\SysWOW64\Cjoilfek.exe  (cmdline: C:\Windows\system32\Cjoilfek.exe)  PID 884
  - Executes dropped EXE

[52] C:\Windows\SysWOW64\Coladm32.exe  (cmdline: C:\Windows\system32\Coladm32.exe)  PID 2292
  - Executes dropped EXE

[53] C:\Windows\SysWOW64\Dlpbna32.exe  (cmdline: C:\Windows\system32\Dlpbna32.exe)  PID 2752
  - Executes dropped EXE

[54] C:\Windows\SysWOW64\Dbmkfh32.exe  (cmdline: C:\Windows\system32\Dbmkfh32.exe)  PID 2880
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class

[55] C:\Windows\SysWOW64\Ddkgbc32.exe  (cmdline: C:\Windows\system32\Ddkgbc32.exe)  PID 2756
  - Executes dropped EXE

[56] C:\Windows\SysWOW64\Dkeoongd.exe  (cmdline: C:\Windows\system32\Dkeoongd.exe)  PID 688
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery

[57] C:\Windows\SysWOW64\Dhiphb32.exe  (cmdline: C:\Windows\system32\Dhiphb32.exe)  PID 2072
  - Executes dropped EXE

[58] C:\Windows\SysWOW64\Dkgldm32.exe  (cmdline: C:\Windows\system32\Dkgldm32.exe)  PID 3032
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory

[59] C:\Windows\SysWOW64\Ddppmclb.exe  (cmdline: C:\Windows\system32\Ddppmclb.exe)  PID 2608
  - Executes dropped EXE
  - Drops file in System32 directory

[60] C:\Windows\SysWOW64\Dgnminke.exe  (cmdline: C:\Windows\system32\Dgnminke.exe)  PID 2104
  - Executes dropped EXE

[61] C:\Windows\SysWOW64\Dnhefh32.exe  (cmdline: C:\Windows\system32\Dnhefh32.exe)  PID 2100
  - Executes dropped EXE

[62] C:\Windows\SysWOW64\Ddbmcb32.exe  (cmdline: C:\Windows\system32\Ddbmcb32.exe)  PID 1572
  - Executes dropped EXE

[63] C:\Windows\SysWOW64\Dqinhcoc.exe  (cmdline: C:\Windows\system32\Dqinhcoc.exe)  PID 2096
  - Executes dropped EXE

[64] C:\Windows\SysWOW64\Efffpjmk.exe  (cmdline: C:\Windows\system32\Efffpjmk.exe)  PID 1912
  - Executes dropped EXE

[65] C:\Windows\SysWOW64\Efhcej32.exe  (cmdline: C:\Windows\system32\Efhcej32.exe)  PID 820
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class

[66] C:\Windows\SysWOW64\Eclcon32.exe  (cmdline: C:\Windows\system32\Eclcon32.exe)  PID 668
  - System Location Discovery: System Language Discovery
  - Modifies registry class

[67] C:\Windows\SysWOW64\Eiilge32.exe  (cmdline: C:\Windows\system32\Eiilge32.exe)  PID 1728

[68] C:\Windows\SysWOW64\Emgdmc32.exe  (cmdline: C:\Windows\system32\Emgdmc32.exe)  PID 1688
  - Adds autorun key to be loaded by Explorer.exe on startup

[69] C:\Windows\SysWOW64\Ebcmfj32.exe  (cmdline: C:\Windows\system32\Ebcmfj32.exe)  PID 1788
  - Drops file in System32 directory

[70] C:\Windows\SysWOW64\Egpena32.exe  (cmdline: C:\Windows\system32\Egpena32.exe)  PID 2584

[71] C:\Windows\SysWOW64\Fnjnkkbk.exe  (cmdline: C:\Windows\system32\Fnjnkkbk.exe)  PID 2528
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery

[72] C:\Windows\SysWOW64\Fipbhd32.exe  (cmdline: C:\Windows\system32\Fipbhd32.exe)  PID 3020
  - Modifies registry class

[73] C:\Windows\SysWOW64\Fbhfajia.exe  (cmdline: C:\Windows\system32\Fbhfajia.exe)  PID 1540

[74] C:\Windows\SysWOW64\Fefcmehe.exe  (cmdline: C:\Windows\system32\Fefcmehe.exe)  PID 1552
  - System Location Discovery: System Language Discovery

[75] C:\Windows\SysWOW64\Famcbf32.exe  (cmdline: C:\Windows\system32\Famcbf32.exe)  PID 2800
  - Drops file in System32 directory

[76] C:\Windows\SysWOW64\Fjfhkl32.exe  (cmdline: C:\Windows\system32\Fjfhkl32.exe)  PID 2688

[77] C:\Windows\SysWOW64\Fpbqcb32.exe  (cmdline: C:\Windows\system32\Fpbqcb32.exe)  PID 796
  - Modifies registry class

[78] C:\Windows\SysWOW64\Fjhdpk32.exe  (cmdline: C:\Windows\system32\Fjhdpk32.exe)  PID 1708

[79] C:\Windows\SysWOW64\Fpemhb32.exe  (cmdline: C:\Windows\system32\Fpemhb32.exe)  PID 2956

[80] C:\Windows\SysWOW64\Gllnnc32.exe  (cmdline: C:\Windows\system32\Gllnnc32.exe)  PID 2588
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery

[81] C:\Windows\SysWOW64\Gbffjmmp.exe  (cmdline: C:\Windows\system32\Gbffjmmp.exe)  PID 2024
  - Adds autorun key to be loaded by Explorer.exe on startup
  - System Location Discovery: System Language Discovery

[82] C:\Windows\SysWOW64\Golgon32.exe  (cmdline: C:\Windows\system32\Golgon32.exe)  PID 2192

[83] C:\Windows\SysWOW64\Ghekhd32.exe  (cmdline: C:\Windows\system32\Ghekhd32.exe)  PID 2288

[84] C:\Windows\SysWOW64\Gkedjo32.exe  (cmdline: C:\Windows\system32\Gkedjo32.exe)  PID 2496
  - System Location Discovery: System Language Discovery

[85] C:\Windows\SysWOW64\Gdnibdmf.exe  (cmdline: C:\Windows\system32\Gdnibdmf.exe)  PID 892

[86] C:\Windows\SysWOW64\Hdpehd32.exe  (cmdline: C:\Windows\system32\Hdpehd32.exe)  PID 1056
  - Adds autorun key to be loaded by Explorer.exe on startup

[87] C:\Windows\SysWOW64\Hdbbnd32.exe  (cmdline: C:\Windows\system32\Hdbbnd32.exe)  PID 1560
  - Modifies registry class

[88] C:\Windows\SysWOW64\Hganjo32.exe  (cmdline: C:\Windows\system32\Hganjo32.exe)  PID 2268

[89] C:\Windows\SysWOW64\Hchoop32.exe  (cmdline: C:\Windows\system32\Hchoop32.exe)  PID 2820
  - Modifies registry class

[90] C:\Windows\SysWOW64\Hnmcli32.exe  (cmdline: C:\Windows\system32\Hnmcli32.exe)  PID 2440
  - Adds autorun key to be loaded by Explorer.exe on startup

[91] C:\Windows\SysWOW64\Hgfheodo.exe  (cmdline: C:\Windows\system32\Hgfheodo.exe)  PID 2656

[92] C:\Windows\SysWOW64\Hjddaj32.exe  (cmdline: C:\Windows\system32\Hjddaj32.exe)  PID 2344

[93] C:\Windows\SysWOW64\Hekefkig.exe  (cmdline: C:\Windows\system32\Hekefkig.exe)  PID 1916
  - Adds autorun key to be loaded by Explorer.exe on startup
  - System Location Discovery: System Language Discovery

[94] C:\Windows\SysWOW64\Ipqicdim.exe  (cmdline: C:\Windows\system32\Ipqicdim.exe)  PID 2328
  - Adds autorun key to be loaded by Explorer.exe on startup

[95] C:\Windows\SysWOW64\Ijimli32.exe  (cmdline: C:\Windows\system32\Ijimli32.exe)  PID 2912

[96] C:\Windows\SysWOW64\Ikjjda32.exe  (cmdline: C:\Windows\system32\Ikjjda32.exe)  PID 2576

[97] C:\Windows\SysWOW64\Ifbkgj32.exe  (cmdline: C:\Windows\system32\Ifbkgj32.exe)  PID 1608

[98] C:\Windows\SysWOW64\Ikocoa32.exe  (cmdline: C:\Windows\system32\Ikocoa32.exe)  PID 2128

[99] C:\Windows\SysWOW64\Ikapdqoc.exe  (cmdline: C:\Windows\system32\Ikapdqoc.exe)  PID 1012

[100] C:\Windows\SysWOW64\Jqnhmgmk.exe  (cmdline: C:\Windows\system32\Jqnhmgmk.exe)  PID 1652
  - System Location Discovery: System Language Discovery

[101] C:\Windows\SysWOW64\Jnbifl32.exe  (cmdline: C:\Windows\system32\Jnbifl32.exe)  PID 360

[102] C:\Windows\SysWOW64\Jdlacfca.exe  (cmdline: C:\Windows\system32\Jdlacfca.exe)  PID 2052

[103] C:\Windows\SysWOW64\Jmgfgham.exe  (cmdline: C:\Windows\system32\Jmgfgham.exe)  PID 2248
  - Drops file in System32 directory
  - Modifies registry class

[104] C:\Windows\SysWOW64\Joebccpp.exe  (cmdline: C:\Windows\system32\Joebccpp.exe)  PID 2724

[105] C:\Windows\SysWOW64\Jfojpn32.exe  (cmdline: C:\Windows\system32\Jfojpn32.exe)  PID 2860
  - Adds autorun key to be loaded by Explorer.exe on startup

[106] C:\Windows\SysWOW64\Jmibmhoj.exe  (cmdline: C:\Windows\system32\Jmibmhoj.exe)  PID 2664

[107] C:\Windows\SysWOW64\Jbfkeo32.exe  (cmdline: C:\Windows\system32\Jbfkeo32.exe)  PID 756

[108] C:\Windows\SysWOW64\Jipcbidn.exe  (cmdline: C:\Windows\system32\Jipcbidn.exe)  PID 2200

[109] C:\Windows\SysWOW64\Jcfgoadd.exe  (cmdline: C:\Windows\system32\Jcfgoadd.exe)  PID 1008
  - Adds autorun key to be loaded by Explorer.exe on startup
  - System Location Discovery: System Language Discovery
  - Modifies registry class

[110] C:\Windows\SysWOW64\Kghmhegc.exe  (cmdline: C:\Windows\system32\Kghmhegc.exe)  PID 1744

[111] C:\Windows\SysWOW64\Knfopnkk.exe  (cmdline: C:\Windows\system32\Knfopnkk.exe)  PID 2452
  - System Location Discovery: System Language Discovery

[112] C:\Windows\SysWOW64\Knikfnih.exe  (cmdline: C:\Windows\system32\Knikfnih.exe)  PID 1676

[113] C:\Windows\SysWOW64\Lcedne32.exe  (cmdline: C:\Windows\system32\Lcedne32.exe)  PID 1332

[114] C:\Windows\SysWOW64\Ljplkonl.exe  (cmdline: C:\Windows\system32\Ljplkonl.exe)  PID 2548
  - Modifies registry class

[115] C:\Windows\SysWOW64\Lbkaoalg.exe  (cmdline: C:\Windows\system32\Lbkaoalg.exe)  PID 1976

[116] C:\Windows\SysWOW64\Ljbipolj.exe  (cmdline: C:\Windows\system32\Ljbipolj.exe)  PID 1808
  - Adds autorun key to be loaded by Explorer.exe on startup

[117] C:\Windows\SysWOW64\Llcehg32.exe  (cmdline: C:\Windows\system32\Llcehg32.exe)  PID 2780

[118] C:\Windows\SysWOW64\Ldjmidcj.exe  (cmdline: C:\Windows\system32\Ldjmidcj.exe)  PID 2668
  - Modifies registry class

[119] C:\Windows\SysWOW64\Ligfakaa.exe  (cmdline: C:\Windows\system32\Ligfakaa.exe)  PID 1988
  - Adds autorun key to be loaded by Explorer.exe on startup

[120] C:\Windows\SysWOW64\Lodnjboi.exe  (cmdline: C:\Windows\system32\Lodnjboi.exe)  PID 2708

[121] C:\Windows\SysWOW64\Lbojjq32.exe  (cmdline: C:\Windows\system32\Lbojjq32.exe)  PID 568
  - Modifies registry class

[122] C:\Windows\SysWOW64\Liibgkoo.exe  (cmdline: C:\Windows\system32\Liibgkoo.exe)  PID 1956