Analysis
-
max time kernel
76s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
10-11-2024 00:58
Static task
static1
Behavioral task
behavioral1
Sample
6d529b829b335754d6e2409c5566ecd48a003d270fe2245b36897d49e151fd9fN.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
6d529b829b335754d6e2409c5566ecd48a003d270fe2245b36897d49e151fd9fN.exe
Resource
win10v2004-20241007-en
General
-
Target
6d529b829b335754d6e2409c5566ecd48a003d270fe2245b36897d49e151fd9fN.exe
-
Size
314KB
-
MD5
a5e09b1c12044d52d5dace122577b7c0
-
SHA1
dac44b399f0792738aafc6a08a8803ff7e058844
-
SHA256
6d529b829b335754d6e2409c5566ecd48a003d270fe2245b36897d49e151fd9f
-
SHA512
e9722a5fa725c8e80c87b5243c7a6d35bed7a914527605e21f2dd68aa6362be4d051e7e15d8a5af381719beee11192eeec2f758013a3592663c60e291f7b0e63
-
SSDEEP
6144:wdY7Aj6MB8MhjwszeXmr8SeNpgdyuH1lFDjC:wme6Najb87gP3C
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Qaqnkafa.exeBnochnpm.exeHiioin32.exeMlieoqgg.exeGepafc32.exeJmnqje32.exeIkgkei32.exeHlccdboi.exeFchkbg32.exeQndigd32.exeLdoimh32.exeDanmmd32.exeGfcnegnk.exeFhgifgnb.exeBehilopf.exeBgffhkoj.exePnmcfeia.exeEkfndmfb.exeFbbofjnh.exeAdfqgl32.exeLiqoflfh.exeBbgqjdce.exeNkehql32.exeNpbklabl.exeEodicd32.exeApmcefmf.exeHcgmfgfd.exeIpokcdjn.exeFkhgip32.exeClbnhmjo.exeJfdhmk32.exeKddomchg.exeBfdenafn.exeFhgppnan.exeJfmkbebl.exeJhoklnkg.exedescription ioc process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qaqnkafa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnochnpm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hiioin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlieoqgg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gepafc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmnqje32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikgkei32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlccdboi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fchkbg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qndigd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldoimh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Danmmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfcnegnk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhgifgnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Behilopf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgffhkoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnmcfeia.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekfndmfb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbbofjnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adfqgl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Liqoflfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbgqjdce.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkehql32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npbklabl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eodicd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apmcefmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcgmfgfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipokcdjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkhgip32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clbnhmjo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfdhmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kddomchg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfdenafn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhgppnan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfmkbebl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhoklnkg.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Nocpkf32.exeNdpicm32.exeNkjapglg.exeOkojkf32.exeOehklddp.exeOpnpimdf.exeOpplolac.exeOemegc32.exePdbahpec.exePohfehdi.exePnmcfeia.exePhbgcnig.exePkcpei32.exeQndigd32.exeQinjgbpg.exeAjmfad32.exeAbhkfg32.exeAmnocpdk.exeAffdle32.exeAidphq32.exeAgjmim32.exeAjhiei32.exeAgljom32.exeBnfblgca.exeBfagpiam.exeBnhoag32.exeBfccei32.exeBcgdom32.exeBjallg32.exeBbmapj32.exeBncaekhp.exeBfkifhib.exeCadjgf32.exeCikbhc32.exeCohkpj32.exeCkolek32.exeCedpbd32.exeChcloo32.exeCpnaca32.exeCheido32.exeCkcepj32.exeDanmmd32.exeDbojdmcd.exeDkfbfjdf.exeDmdnbecj.exeDdnfop32.exeDikogf32.exeDmgkgeah.exeDcccpl32.exeDgoopkgh.exeDhplhc32.exeDcfpel32.exeDedlag32.exeDlndnacm.exeDchmkkkj.exeEheecbia.exeElqaca32.exeEamilh32.exeEhgbhbgn.exeEkfndmfb.exeEapfagno.exeEdnbncmb.exeEkhkjm32.exeEjkkfjkj.exepid process 2160 Nocpkf32.exe 3004 Ndpicm32.exe 2988 Nkjapglg.exe 2768 Okojkf32.exe 2660 Oehklddp.exe 2272 Opnpimdf.exe 2640 Opplolac.exe 2520 Oemegc32.exe 1492 Pdbahpec.exe 1928 Pohfehdi.exe 840 Pnmcfeia.exe 2900 Phbgcnig.exe 1048 Pkcpei32.exe 3000 Qndigd32.exe 1308 Qinjgbpg.exe 1076 Ajmfad32.exe 1696 Abhkfg32.exe 1840 Amnocpdk.exe 892 Affdle32.exe 1532 Aidphq32.exe 1044 Agjmim32.exe 2500 Ajhiei32.exe 292 Agljom32.exe 2976 Bnfblgca.exe 1692 Bfagpiam.exe 2712 Bnhoag32.exe 2844 Bfccei32.exe 2740 Bcgdom32.exe 2604 Bjallg32.exe 2288 Bbmapj32.exe 2884 Bncaekhp.exe 1788 Bfkifhib.exe 320 Cadjgf32.exe 1908 Cikbhc32.exe 2344 Cohkpj32.exe 2908 Ckolek32.exe 2928 Cedpbd32.exe 1268 Chcloo32.exe 2244 Cpnaca32.exe 1080 Cheido32.exe 1680 Ckcepj32.exe 2008 Danmmd32.exe 1664 Dbojdmcd.exe 1968 Dkfbfjdf.exe 560 Dmdnbecj.exe 1676 Ddnfop32.exe 1740 Dikogf32.exe 3052 Dmgkgeah.exe 2836 Dcccpl32.exe 2916 Dgoopkgh.exe 2776 Dhplhc32.exe 2336 Dcfpel32.exe 2468 Dedlag32.exe 2932 Dlndnacm.exe 3068 Dchmkkkj.exe 2672 Eheecbia.exe 2920 Elqaca32.exe 2324 Eamilh32.exe 2252 Ehgbhbgn.exe 2260 Ekfndmfb.exe 1624 Eapfagno.exe 1356 Ednbncmb.exe 1688 Ekhkjm32.exe 3040 Ejkkfjkj.exe -
Loads dropped DLL 64 IoCs
Processes:
6d529b829b335754d6e2409c5566ecd48a003d270fe2245b36897d49e151fd9fN.exeNocpkf32.exeNdpicm32.exeNkjapglg.exeOkojkf32.exeOehklddp.exeOpnpimdf.exeOpplolac.exeOemegc32.exePdbahpec.exePohfehdi.exePnmcfeia.exePhbgcnig.exePkcpei32.exeQndigd32.exeQinjgbpg.exeAjmfad32.exeAbhkfg32.exeAmnocpdk.exeAffdle32.exeAidphq32.exeAgjmim32.exeAjhiei32.exeAgljom32.exeBnfblgca.exeBfagpiam.exeBnhoag32.exeBfccei32.exeBcgdom32.exeBjallg32.exeBbmapj32.exeBncaekhp.exepid process 2316 6d529b829b335754d6e2409c5566ecd48a003d270fe2245b36897d49e151fd9fN.exe 2316 6d529b829b335754d6e2409c5566ecd48a003d270fe2245b36897d49e151fd9fN.exe 2160 Nocpkf32.exe 2160 Nocpkf32.exe 3004 Ndpicm32.exe 3004 Ndpicm32.exe 2988 Nkjapglg.exe 2988 Nkjapglg.exe 2768 Okojkf32.exe 2768 Okojkf32.exe 2660 Oehklddp.exe 2660 Oehklddp.exe 2272 Opnpimdf.exe 2272 Opnpimdf.exe 2640 Opplolac.exe 2640 Opplolac.exe 2520 Oemegc32.exe 2520 Oemegc32.exe 1492 Pdbahpec.exe 1492 Pdbahpec.exe 1928 Pohfehdi.exe 1928 Pohfehdi.exe 840 Pnmcfeia.exe 840 Pnmcfeia.exe 2900 Phbgcnig.exe 2900 Phbgcnig.exe 1048 Pkcpei32.exe 1048 Pkcpei32.exe 3000 Qndigd32.exe 3000 Qndigd32.exe 1308 Qinjgbpg.exe 1308 Qinjgbpg.exe 1076 Ajmfad32.exe 1076 Ajmfad32.exe 1696 Abhkfg32.exe 1696 Abhkfg32.exe 1840 Amnocpdk.exe 1840 Amnocpdk.exe 892 Affdle32.exe 892 Affdle32.exe 1532 Aidphq32.exe 1532 Aidphq32.exe 1044 Agjmim32.exe 1044 Agjmim32.exe 2500 Ajhiei32.exe 2500 Ajhiei32.exe 292 Agljom32.exe 292 Agljom32.exe 2976 Bnfblgca.exe 2976 Bnfblgca.exe 1692 Bfagpiam.exe 1692 Bfagpiam.exe 2712 Bnhoag32.exe 2712 Bnhoag32.exe 2844 Bfccei32.exe 2844 Bfccei32.exe 2740 Bcgdom32.exe 2740 Bcgdom32.exe 2604 Bjallg32.exe 2604 Bjallg32.exe 2288 Bbmapj32.exe 2288 Bbmapj32.exe 2884 Bncaekhp.exe 2884 Bncaekhp.exe -
Drops file in System32 directory 64 IoCs
Processes:
Eelkeeah.exeLhlqjone.exeMgegfk32.exeDbojdmcd.exePcghof32.exeBoljgg32.exeBoemlbpk.exeGiiglhjb.exeEecafd32.exeKlbdgb32.exeLgqkbb32.exeMlelda32.exeLnpgeopa.exeClpabm32.exeHmalldcn.exeEheecbia.exeIaeegh32.exeBgffhkoj.exeOibohdmd.exePkdihhag.exeKgnkci32.exeLhfnkqgk.exeNfahomfd.exeKhabghdl.exeLiqoflfh.exeDgbeiiqe.exeBjmeiq32.exeEgajnfoe.exeGdcjpncm.exeGnkmqkbi.exeAdnpkjde.exeIgebkiof.exeMbpipp32.exeJbcjnnpl.exeDdfebnoo.exeGaojnq32.exedescription ioc process File created C:\Windows\SysWOW64\Ehkhaqpk.exe Eelkeeah.exe File created C:\Windows\SysWOW64\Lhlqjone.exe Lhlqjone.exe File created C:\Windows\SysWOW64\Mnpobefe.exe Mgegfk32.exe File created C:\Windows\SysWOW64\Bmcoed32.dll File created C:\Windows\SysWOW64\Dkfbfjdf.exe Dbojdmcd.exe File created C:\Windows\SysWOW64\Hkibpkho.dll Pcghof32.exe File opened for modification C:\Windows\SysWOW64\Ehkhaqpk.exe Eelkeeah.exe File created C:\Windows\SysWOW64\Bffbdadk.exe Boljgg32.exe File opened for modification C:\Windows\SysWOW64\Eblpke32.exe File created C:\Windows\SysWOW64\Keappgmg.exe File opened for modification C:\Windows\SysWOW64\Bcpimq32.exe Boemlbpk.exe File opened for modification C:\Windows\SysWOW64\Djafaf32.exe File created C:\Windows\SysWOW64\Jpopml32.dll File created C:\Windows\SysWOW64\Ailqfooi.exe File created C:\Windows\SysWOW64\Cpgidb32.dll File created C:\Windows\SysWOW64\Jkcfcend.dll Giiglhjb.exe File opened for modification C:\Windows\SysWOW64\Fhbnbpjc.exe Eecafd32.exe File opened for modification C:\Windows\SysWOW64\Kncaojfb.exe Klbdgb32.exe File created C:\Windows\SysWOW64\Lohccp32.exe Lgqkbb32.exe File created C:\Windows\SysWOW64\Galfie32.dll Mlelda32.exe File created C:\Windows\SysWOW64\Hepmik32.dll File opened for modification C:\Windows\SysWOW64\Ldjpbign.exe Lnpgeopa.exe File opened for modification C:\Windows\SysWOW64\Cnnnnh32.exe Clpabm32.exe File created C:\Windows\SysWOW64\Hpphhp32.exe Hmalldcn.exe File created C:\Windows\SysWOW64\Pmekeg32.dll File created C:\Windows\SysWOW64\Onejdijo.dll Eheecbia.exe File created C:\Windows\SysWOW64\Ibfaopoi.exe Iaeegh32.exe File created C:\Windows\SysWOW64\Bjebdfnn.exe Bgffhkoj.exe File created C:\Windows\SysWOW64\Mnadcd32.dll File created C:\Windows\SysWOW64\Lkmldbcj.exe File opened for modification C:\Windows\SysWOW64\Oplgeoea.exe Oibohdmd.exe File created C:\Windows\SysWOW64\Ogdgeded.dll Pkdihhag.exe File created C:\Windows\SysWOW64\Nhbcdh32.dll Kgnkci32.exe File created C:\Windows\SysWOW64\Lkdjglfo.exe Lhfnkqgk.exe File created C:\Windows\SysWOW64\Lmphha32.dll File created C:\Windows\SysWOW64\Abinjdad.exe File created C:\Windows\SysWOW64\Qlfgce32.dll Nfahomfd.exe File created C:\Windows\SysWOW64\Goigjpaa.dll File created C:\Windows\SysWOW64\Bknmok32.exe File opened for modification C:\Windows\SysWOW64\Cnflae32.exe File created C:\Windows\SysWOW64\Omnmal32.exe File opened for modification C:\Windows\SysWOW64\Ihnjmf32.exe File created C:\Windows\SysWOW64\Hmmobd32.dll File opened for modification C:\Windows\SysWOW64\Kokjdb32.exe Khabghdl.exe File created C:\Windows\SysWOW64\Lqhfhigj.exe Liqoflfh.exe File created C:\Windows\SysWOW64\Dmmmfc32.exe Dgbeiiqe.exe File opened for modification C:\Windows\SysWOW64\Bmlael32.exe Bjmeiq32.exe File created C:\Windows\SysWOW64\Eipgjaoi.exe Egajnfoe.exe File opened for modification C:\Windows\SysWOW64\Gkmbmh32.exe Gdcjpncm.exe File created C:\Windows\SysWOW64\Ggcaiqhj.exe Gnkmqkbi.exe File opened for modification C:\Windows\SysWOW64\Bgllgedi.exe Adnpkjde.exe File created C:\Windows\SysWOW64\Kbclpfop.dll Igebkiof.exe File created C:\Windows\SysWOW64\Oqbejojq.dll File opened for modification C:\Windows\SysWOW64\Qjgcecja.exe File opened for modification C:\Windows\SysWOW64\Aiqjao32.exe File opened for modification C:\Windows\SysWOW64\Meoell32.exe Mbpipp32.exe File created C:\Windows\SysWOW64\Jeafjiop.exe Jbcjnnpl.exe File created C:\Windows\SysWOW64\Qdofep32.exe File created C:\Windows\SysWOW64\Lmalgq32.exe File created C:\Windows\SysWOW64\Ohnaohff.dll File created C:\Windows\SysWOW64\Dkqnoh32.exe Ddfebnoo.exe File created C:\Windows\SysWOW64\Gkmbmh32.exe Gdcjpncm.exe File created C:\Windows\SysWOW64\Gekfnoog.exe Gaojnq32.exe File created C:\Windows\SysWOW64\Andjgidl.exe -
Program crash 1 IoCs
Processes:
pid pid_target process target process 1628 8716 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Gbdhjm32.exeKmkihbho.exeImnbbi32.exeCjgoje32.exeGqahqd32.exeJmdepg32.exeGgcaiqhj.exeGaojnq32.exeGkglnm32.exeMphiqbon.exeLhcafa32.exeJondnnbk.exeDoecog32.exeGgkibhjf.exeLoaokjjg.exeNmcmgm32.exeLcaiiejc.exeFpmbfbgo.exeIacjjacb.exeDnjoco32.exeOgknoe32.exeAjhiei32.exeCeeieced.exePhcilf32.exeJniefm32.exeQndkpmkm.exeCbgobp32.exeMicklk32.exeNameek32.exeDaplkmbg.exeJhoklnkg.exeOplgeoea.exeAffdle32.exeJkkija32.exeEopphehb.exeHcojam32.exePpcbgkka.exeAbegfa32.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbdhjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmkihbho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imnbbi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjgoje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqahqd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmdepg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggcaiqhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaojnq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkglnm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mphiqbon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhcafa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jondnnbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doecog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggkibhjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Loaokjjg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmcmgm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcaiiejc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpmbfbgo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iacjjacb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnjoco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogknoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajhiei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ceeieced.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phcilf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jniefm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qndkpmkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbgobp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Micklk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nameek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Daplkmbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhoklnkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oplgeoea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Affdle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkkija32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eopphehb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcojam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppcbgkka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abegfa32.exe -
Modifies registry class 64 IoCs
Processes:
Phcpgm32.exeDmojkc32.exeNqmnjd32.exeBfkifhib.exeGljpncgc.exeFabaocfl.exeAaejojjq.exeDpegcq32.exeInjndk32.exeCgnnab32.exeIfgpnmom.exeGckdgjeb.exeBgoime32.exeEicpcm32.exeEoiiijcc.exeHemqpf32.exePmmeon32.exeAhpbkd32.exeOajlkojn.exeMimgeigj.exeFpmbfbgo.exeFhgppnan.exeIpehmebh.exeLldmleam.exeBoemlbpk.exeOpplolac.exeBeackp32.exeJijokbfp.exeBkpeci32.exeNnoiio32.exeAknngo32.exeCopjdhib.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcfig32.dll" Phcpgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnkgen32.dll" Dmojkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nqmnjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajbaleid.dll" Bfkifhib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gljpncgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpmbdjfi.dll" Fabaocfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aaejojjq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fodkno32.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpegcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apgahbgk.dll" Injndk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgnnab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epokjceb.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbnpf32.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chobpcbd.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnpincmg.dll" Ifgpnmom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahojmggk.dll" Gckdgjeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Haenec32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkggemii.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahgdoqqo.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgoime32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eicpcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bblfonpc.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eoiiijcc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hemqpf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmmeon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahpbkd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikeaokpb.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oajlkojn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mimgeigj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpmbfbgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekjpaefk.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhgppnan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddhbllim.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipehmebh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lldmleam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Boemlbpk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ficfbkij.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Opplolac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Beackp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jijokbfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jclnhnji.dll" Bkpeci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnoiio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjjdbf32.dll" Aknngo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfeilp32.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Copjdhib.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
6d529b829b335754d6e2409c5566ecd48a003d270fe2245b36897d49e151fd9fN.exeNocpkf32.exeNdpicm32.exeNkjapglg.exeOkojkf32.exeOehklddp.exeOpnpimdf.exeOpplolac.exeOemegc32.exePdbahpec.exePohfehdi.exePnmcfeia.exePhbgcnig.exePkcpei32.exeQndigd32.exeQinjgbpg.exedescription pid process target process PID 2316 wrote to memory of 2160 2316 6d529b829b335754d6e2409c5566ecd48a003d270fe2245b36897d49e151fd9fN.exe Nocpkf32.exe PID 2316 wrote to memory of 2160 2316 6d529b829b335754d6e2409c5566ecd48a003d270fe2245b36897d49e151fd9fN.exe Nocpkf32.exe PID 2316 wrote to memory of 2160 2316 6d529b829b335754d6e2409c5566ecd48a003d270fe2245b36897d49e151fd9fN.exe Nocpkf32.exe PID 2316 wrote to memory of 2160 2316 6d529b829b335754d6e2409c5566ecd48a003d270fe2245b36897d49e151fd9fN.exe Nocpkf32.exe PID 2160 wrote to memory of 3004 2160 Nocpkf32.exe Ndpicm32.exe PID 2160 wrote to memory of 3004 2160 Nocpkf32.exe Ndpicm32.exe PID 2160 wrote to memory of 3004 2160 Nocpkf32.exe Ndpicm32.exe PID 2160 wrote to memory of 3004 2160 Nocpkf32.exe Ndpicm32.exe PID 3004 wrote to memory of 2988 3004 Ndpicm32.exe Nkjapglg.exe PID 3004 wrote to memory of 2988 3004 Ndpicm32.exe Nkjapglg.exe PID 3004 wrote to memory of 2988 3004 Ndpicm32.exe Nkjapglg.exe PID 3004 wrote to memory of 2988 3004 Ndpicm32.exe Nkjapglg.exe PID 2988 wrote to memory of 2768 2988 Nkjapglg.exe Okojkf32.exe PID 2988 wrote to memory of 2768 2988 Nkjapglg.exe Okojkf32.exe PID 2988 wrote to memory of 2768 2988 Nkjapglg.exe Okojkf32.exe PID 2988 wrote to memory of 2768 2988 Nkjapglg.exe Okojkf32.exe PID 2768 wrote to memory of 2660 2768 Okojkf32.exe Oehklddp.exe PID 2768 wrote to memory of 2660 2768 Okojkf32.exe Oehklddp.exe PID 2768 wrote to memory of 2660 2768 Okojkf32.exe Oehklddp.exe PID 2768 wrote to memory of 2660 2768 Okojkf32.exe Oehklddp.exe PID 2660 wrote to memory of 2272 2660 Oehklddp.exe Opnpimdf.exe PID 2660 wrote to memory of 2272 2660 Oehklddp.exe Opnpimdf.exe PID 2660 wrote to memory of 2272 2660 Oehklddp.exe Opnpimdf.exe PID 2660 wrote to memory of 2272 2660 Oehklddp.exe Opnpimdf.exe PID 2272 wrote to memory of 2640 2272 Opnpimdf.exe Opplolac.exe PID 2272 wrote to memory of 2640 2272 Opnpimdf.exe Opplolac.exe PID 2272 wrote to memory of 2640 2272 Opnpimdf.exe Opplolac.exe PID 2272 wrote to memory of 2640 2272 Opnpimdf.exe Opplolac.exe PID 2640 wrote to memory of 2520 2640 Opplolac.exe Oemegc32.exe PID 2640 wrote to memory of 2520 2640 Opplolac.exe Oemegc32.exe PID 2640 wrote to memory of 2520 2640 Opplolac.exe Oemegc32.exe PID 2640 wrote to memory of 2520 2640 Opplolac.exe Oemegc32.exe PID 2520 wrote to memory of 1492 2520 Oemegc32.exe Pdbahpec.exe PID 2520 wrote to memory of 1492 2520 Oemegc32.exe Pdbahpec.exe PID 2520 wrote to memory of 1492 2520 Oemegc32.exe Pdbahpec.exe PID 2520 wrote to memory of 1492 2520 Oemegc32.exe Pdbahpec.exe PID 1492 wrote to memory of 1928 1492 Pdbahpec.exe Pohfehdi.exe PID 1492 wrote to memory of 1928 1492 Pdbahpec.exe Pohfehdi.exe PID 1492 wrote to memory of 1928 1492 Pdbahpec.exe Pohfehdi.exe PID 1492 wrote to memory of 1928 1492 Pdbahpec.exe Pohfehdi.exe PID 1928 wrote to memory of 840 1928 Pohfehdi.exe Pnmcfeia.exe PID 1928 wrote to memory of 840 1928 Pohfehdi.exe Pnmcfeia.exe PID 1928 wrote to memory of 840 1928 Pohfehdi.exe Pnmcfeia.exe PID 1928 wrote to memory of 840 1928 Pohfehdi.exe Pnmcfeia.exe PID 840 wrote to memory of 2900 840 Pnmcfeia.exe Phbgcnig.exe PID 840 wrote to memory of 2900 840 Pnmcfeia.exe Phbgcnig.exe PID 840 wrote to memory of 2900 840 Pnmcfeia.exe Phbgcnig.exe PID 840 wrote to memory of 2900 840 Pnmcfeia.exe Phbgcnig.exe PID 2900 wrote to memory of 1048 2900 Phbgcnig.exe Pkcpei32.exe PID 2900 wrote to memory of 1048 2900 Phbgcnig.exe Pkcpei32.exe PID 2900 wrote to memory of 1048 2900 Phbgcnig.exe Pkcpei32.exe PID 2900 wrote to memory of 1048 2900 Phbgcnig.exe Pkcpei32.exe PID 1048 wrote to memory of 3000 1048 Pkcpei32.exe Qndigd32.exe PID 1048 wrote to memory of 3000 1048 Pkcpei32.exe Qndigd32.exe PID 1048 wrote to memory of 3000 1048 Pkcpei32.exe Qndigd32.exe PID 1048 wrote to memory of 3000 1048 Pkcpei32.exe Qndigd32.exe PID 3000 wrote to memory of 1308 3000 Qndigd32.exe Qinjgbpg.exe PID 3000 wrote to memory of 1308 3000 Qndigd32.exe Qinjgbpg.exe PID 3000 wrote to memory of 1308 3000 Qndigd32.exe Qinjgbpg.exe PID 3000 wrote to memory of 1308 3000 Qndigd32.exe Qinjgbpg.exe PID 1308 wrote to memory of 1076 1308 Qinjgbpg.exe Ajmfad32.exe PID 1308 wrote to memory of 1076 1308 Qinjgbpg.exe Ajmfad32.exe PID 1308 wrote to memory of 1076 1308 Qinjgbpg.exe Ajmfad32.exe PID 1308 wrote to memory of 1076 1308 Qinjgbpg.exe Ajmfad32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\6d529b829b335754d6e2409c5566ecd48a003d270fe2245b36897d49e151fd9fN.exe"C:\Users\Admin\AppData\Local\Temp\6d529b829b335754d6e2409c5566ecd48a003d270fe2245b36897d49e151fd9fN.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\SysWOW64\Nocpkf32.exeC:\Windows\system32\Nocpkf32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Windows\SysWOW64\Ndpicm32.exeC:\Windows\system32\Ndpicm32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\SysWOW64\Nkjapglg.exeC:\Windows\system32\Nkjapglg.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\Okojkf32.exeC:\Windows\system32\Okojkf32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\Oehklddp.exeC:\Windows\system32\Oehklddp.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Opnpimdf.exeC:\Windows\system32\Opnpimdf.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\Opplolac.exeC:\Windows\system32\Opplolac.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Oemegc32.exeC:\Windows\system32\Oemegc32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\Pdbahpec.exeC:\Windows\system32\Pdbahpec.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1492 -
C:\Windows\SysWOW64\Pohfehdi.exeC:\Windows\system32\Pohfehdi.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1928 -
C:\Windows\SysWOW64\Pnmcfeia.exeC:\Windows\system32\Pnmcfeia.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:840 -
C:\Windows\SysWOW64\Phbgcnig.exeC:\Windows\system32\Phbgcnig.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Pkcpei32.exeC:\Windows\system32\Pkcpei32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1048 -
C:\Windows\SysWOW64\Qndigd32.exeC:\Windows\system32\Qndigd32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Windows\SysWOW64\Qinjgbpg.exeC:\Windows\system32\Qinjgbpg.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1308 -
C:\Windows\SysWOW64\Ajmfad32.exeC:\Windows\system32\Ajmfad32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1076 -
C:\Windows\SysWOW64\Abhkfg32.exeC:\Windows\system32\Abhkfg32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1696 -
C:\Windows\SysWOW64\Amnocpdk.exeC:\Windows\system32\Amnocpdk.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1840 -
C:\Windows\SysWOW64\Affdle32.exeC:\Windows\system32\Affdle32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:892 -
C:\Windows\SysWOW64\Aidphq32.exeC:\Windows\system32\Aidphq32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1532 -
C:\Windows\SysWOW64\Agjmim32.exeC:\Windows\system32\Agjmim32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1044 -
C:\Windows\SysWOW64\Ajhiei32.exeC:\Windows\system32\Ajhiei32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2500 -
C:\Windows\SysWOW64\Agljom32.exeC:\Windows\system32\Agljom32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:292 -
C:\Windows\SysWOW64\Bnfblgca.exeC:\Windows\system32\Bnfblgca.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2976 -
C:\Windows\SysWOW64\Bfagpiam.exeC:\Windows\system32\Bfagpiam.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1692 -
C:\Windows\SysWOW64\Bnhoag32.exeC:\Windows\system32\Bnhoag32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2712 -
C:\Windows\SysWOW64\Bfccei32.exeC:\Windows\system32\Bfccei32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2844 -
C:\Windows\SysWOW64\Bcgdom32.exeC:\Windows\system32\Bcgdom32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2740 -
C:\Windows\SysWOW64\Bjallg32.exeC:\Windows\system32\Bjallg32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2604 -
C:\Windows\SysWOW64\Bbmapj32.exeC:\Windows\system32\Bbmapj32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2288 -
C:\Windows\SysWOW64\Bncaekhp.exeC:\Windows\system32\Bncaekhp.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2884 -
C:\Windows\SysWOW64\Bfkifhib.exeC:\Windows\system32\Bfkifhib.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:1788 -
C:\Windows\SysWOW64\Cadjgf32.exeC:\Windows\system32\Cadjgf32.exe34⤵
- Executes dropped EXE
PID:320 -
C:\Windows\SysWOW64\Cikbhc32.exeC:\Windows\system32\Cikbhc32.exe35⤵
- Executes dropped EXE
PID:1908 -
C:\Windows\SysWOW64\Cohkpj32.exeC:\Windows\system32\Cohkpj32.exe36⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Ckolek32.exeC:\Windows\system32\Ckolek32.exe37⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Cedpbd32.exeC:\Windows\system32\Cedpbd32.exe38⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Chcloo32.exeC:\Windows\system32\Chcloo32.exe39⤵
- Executes dropped EXE
PID:1268 -
C:\Windows\SysWOW64\Cpnaca32.exeC:\Windows\system32\Cpnaca32.exe40⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Cheido32.exeC:\Windows\system32\Cheido32.exe41⤵
- Executes dropped EXE
PID:1080 -
C:\Windows\SysWOW64\Ckcepj32.exeC:\Windows\system32\Ckcepj32.exe42⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Danmmd32.exeC:\Windows\system32\Danmmd32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Dbojdmcd.exeC:\Windows\system32\Dbojdmcd.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1664 -
C:\Windows\SysWOW64\Dkfbfjdf.exeC:\Windows\system32\Dkfbfjdf.exe45⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Dmdnbecj.exeC:\Windows\system32\Dmdnbecj.exe46⤵
- Executes dropped EXE
PID:560 -
C:\Windows\SysWOW64\Ddnfop32.exeC:\Windows\system32\Ddnfop32.exe47⤵
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Dikogf32.exeC:\Windows\system32\Dikogf32.exe48⤵
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Dmgkgeah.exeC:\Windows\system32\Dmgkgeah.exe49⤵
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\Dpegcq32.exeC:\Windows\system32\Dpegcq32.exe50⤵
- Modifies registry class
PID:1724 -
C:\Windows\SysWOW64\Dcccpl32.exeC:\Windows\system32\Dcccpl32.exe51⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Dgoopkgh.exeC:\Windows\system32\Dgoopkgh.exe52⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Dhplhc32.exeC:\Windows\system32\Dhplhc32.exe53⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Dcfpel32.exeC:\Windows\system32\Dcfpel32.exe54⤵
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Dedlag32.exeC:\Windows\system32\Dedlag32.exe55⤵
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Dlndnacm.exeC:\Windows\system32\Dlndnacm.exe56⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Dchmkkkj.exeC:\Windows\system32\Dchmkkkj.exe57⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Eheecbia.exeC:\Windows\system32\Eheecbia.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2672 -
C:\Windows\SysWOW64\Elqaca32.exeC:\Windows\system32\Elqaca32.exe59⤵
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Eamilh32.exeC:\Windows\system32\Eamilh32.exe60⤵
- Executes dropped EXE
PID:2324 -
C:\Windows\SysWOW64\Ehgbhbgn.exeC:\Windows\system32\Ehgbhbgn.exe61⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Ekfndmfb.exeC:\Windows\system32\Ekfndmfb.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Eapfagno.exeC:\Windows\system32\Eapfagno.exe63⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Ednbncmb.exeC:\Windows\system32\Ednbncmb.exe64⤵
- Executes dropped EXE
PID:1356 -
C:\Windows\SysWOW64\Ekhkjm32.exeC:\Windows\system32\Ekhkjm32.exe65⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Ejkkfjkj.exeC:\Windows\system32\Ejkkfjkj.exe66⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Epecbd32.exeC:\Windows\system32\Epecbd32.exe67⤵PID:2956
-
C:\Windows\SysWOW64\Egokonjc.exeC:\Windows\system32\Egokonjc.exe68⤵PID:876
-
C:\Windows\SysWOW64\Ekjgpm32.exeC:\Windows\system32\Ekjgpm32.exe69⤵PID:2696
-
C:\Windows\SysWOW64\Elldgehk.exeC:\Windows\system32\Elldgehk.exe70⤵PID:2876
-
C:\Windows\SysWOW64\Egahen32.exeC:\Windows\system32\Egahen32.exe71⤵PID:2796
-
C:\Windows\SysWOW64\Elnqmd32.exeC:\Windows\system32\Elnqmd32.exe72⤵PID:2824
-
C:\Windows\SysWOW64\Eolmip32.exeC:\Windows\system32\Eolmip32.exe73⤵PID:2652
-
C:\Windows\SysWOW64\Fgcejm32.exeC:\Windows\system32\Fgcejm32.exe74⤵PID:3064
-
C:\Windows\SysWOW64\Fffefjmi.exeC:\Windows\system32\Fffefjmi.exe75⤵PID:2256
-
C:\Windows\SysWOW64\Flqmbd32.exeC:\Windows\system32\Flqmbd32.exe76⤵PID:2912
-
C:\Windows\SysWOW64\Ffibkj32.exeC:\Windows\system32\Ffibkj32.exe77⤵PID:2784
-
C:\Windows\SysWOW64\Fhgnge32.exeC:\Windows\system32\Fhgnge32.exe78⤵PID:2952
-
C:\Windows\SysWOW64\Foafdoag.exeC:\Windows\system32\Foafdoag.exe79⤵PID:2456
-
C:\Windows\SysWOW64\Fcmben32.exeC:\Windows\system32\Fcmben32.exe80⤵PID:2492
-
C:\Windows\SysWOW64\Fhikme32.exeC:\Windows\system32\Fhikme32.exe81⤵PID:408
-
C:\Windows\SysWOW64\Fkhgip32.exeC:\Windows\system32\Fkhgip32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1264 -
C:\Windows\SysWOW64\Fbbofjnh.exeC:\Windows\system32\Fbbofjnh.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:692 -
C:\Windows\SysWOW64\Fgohna32.exeC:\Windows\system32\Fgohna32.exe84⤵PID:2392
-
C:\Windows\SysWOW64\Fbdlkj32.exeC:\Windows\system32\Fbdlkj32.exe85⤵PID:2524
-
C:\Windows\SysWOW64\Fdbhge32.exeC:\Windows\system32\Fdbhge32.exe86⤵PID:1592
-
C:\Windows\SysWOW64\Fkmqdpce.exeC:\Windows\system32\Fkmqdpce.exe87⤵PID:2732
-
C:\Windows\SysWOW64\Gnkmqkbi.exeC:\Windows\system32\Gnkmqkbi.exe88⤵
- Drops file in System32 directory
PID:2724 -
C:\Windows\SysWOW64\Ggcaiqhj.exeC:\Windows\system32\Ggcaiqhj.exe89⤵
- System Location Discovery: System Language Discovery
PID:1720 -
C:\Windows\SysWOW64\Gkomjo32.exeC:\Windows\system32\Gkomjo32.exe90⤵PID:1792
-
C:\Windows\SysWOW64\Gjbmelgm.exeC:\Windows\system32\Gjbmelgm.exe91⤵PID:2352
-
C:\Windows\SysWOW64\Gmpjagfa.exeC:\Windows\system32\Gmpjagfa.exe92⤵PID:1904
-
C:\Windows\SysWOW64\Gcjbna32.exeC:\Windows\system32\Gcjbna32.exe93⤵PID:1748
-
C:\Windows\SysWOW64\Gfhnjm32.exeC:\Windows\system32\Gfhnjm32.exe94⤵PID:1272
-
C:\Windows\SysWOW64\Gjdjklek.exeC:\Windows\system32\Gjdjklek.exe95⤵PID:1944
-
C:\Windows\SysWOW64\Gmbfggdo.exeC:\Windows\system32\Gmbfggdo.exe96⤵PID:956
-
C:\Windows\SysWOW64\Gpabcbdb.exeC:\Windows\system32\Gpabcbdb.exe97⤵PID:628
-
C:\Windows\SysWOW64\Gghkdp32.exeC:\Windows\system32\Gghkdp32.exe98⤵PID:2216
-
C:\Windows\SysWOW64\Gjfgqk32.exeC:\Windows\system32\Gjfgqk32.exe99⤵PID:768
-
C:\Windows\SysWOW64\Giiglhjb.exeC:\Windows\system32\Giiglhjb.exe100⤵
- Drops file in System32 directory
PID:2328 -
C:\Windows\SysWOW64\Gaqomeke.exeC:\Windows\system32\Gaqomeke.exe101⤵PID:2728
-
C:\Windows\SysWOW64\Gbaken32.exeC:\Windows\system32\Gbaken32.exe102⤵PID:2772
-
C:\Windows\SysWOW64\Gfmgelil.exeC:\Windows\system32\Gfmgelil.exe103⤵PID:1728
-
C:\Windows\SysWOW64\Gljpncgc.exeC:\Windows\system32\Gljpncgc.exe104⤵
- Modifies registry class
PID:1620 -
C:\Windows\SysWOW64\Gpelnb32.exeC:\Windows\system32\Gpelnb32.exe105⤵PID:2032
-
C:\Windows\SysWOW64\Gbdhjm32.exeC:\Windows\system32\Gbdhjm32.exe106⤵
- System Location Discovery: System Language Discovery
PID:2924 -
C:\Windows\SysWOW64\Hebdfind.exeC:\Windows\system32\Hebdfind.exe107⤵PID:1260
-
C:\Windows\SysWOW64\Hllmcc32.exeC:\Windows\system32\Hllmcc32.exe108⤵PID:496
-
C:\Windows\SysWOW64\Hnkion32.exeC:\Windows\system32\Hnkion32.exe109⤵PID:800
-
C:\Windows\SysWOW64\Hbfepmmn.exeC:\Windows\system32\Hbfepmmn.exe110⤵PID:772
-
C:\Windows\SysWOW64\Heealhla.exeC:\Windows\system32\Heealhla.exe111⤵PID:2868
-
C:\Windows\SysWOW64\Hloiib32.exeC:\Windows\system32\Hloiib32.exe112⤵PID:1984
-
C:\Windows\SysWOW64\Hnmeen32.exeC:\Windows\system32\Hnmeen32.exe113⤵PID:2548
-
C:\Windows\SysWOW64\Halbai32.exeC:\Windows\system32\Halbai32.exe114⤵PID:2648
-
C:\Windows\SysWOW64\Hlafnbal.exeC:\Windows\system32\Hlafnbal.exe115⤵PID:2596
-
C:\Windows\SysWOW64\Hbknkl32.exeC:\Windows\system32\Hbknkl32.exe116⤵PID:2888
-
C:\Windows\SysWOW64\Heikgh32.exeC:\Windows\system32\Heikgh32.exe117⤵PID:1924
-
C:\Windows\SysWOW64\Hdlkcdog.exeC:\Windows\system32\Hdlkcdog.exe118⤵PID:1252
-
C:\Windows\SysWOW64\Hlccdboi.exeC:\Windows\system32\Hlccdboi.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1604 -
C:\Windows\SysWOW64\Hapklimq.exeC:\Windows\system32\Hapklimq.exe120⤵PID:1668
-
C:\Windows\SysWOW64\Hhjcic32.exeC:\Windows\system32\Hhjcic32.exe121⤵PID:1536
-
C:\Windows\SysWOW64\Hfmddp32.exeC:\Windows\system32\Hfmddp32.exe122⤵PID:1632
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-