Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
10-11-2024 01:01
Static task
static1
Behavioral task
behavioral1
Sample
9d8b0d7ce66548c1375b8bca7eb790085b65c5d337098af206528586cfc28b53.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
9d8b0d7ce66548c1375b8bca7eb790085b65c5d337098af206528586cfc28b53.exe
Resource
win10v2004-20241007-en
General
-
Target
9d8b0d7ce66548c1375b8bca7eb790085b65c5d337098af206528586cfc28b53.exe
-
Size
323KB
-
MD5
8546e20d6c206c008a8d5a6083af835b
-
SHA1
02fe1bf5d8da5e3a196d09cae0e92a55ddf43592
-
SHA256
9d8b0d7ce66548c1375b8bca7eb790085b65c5d337098af206528586cfc28b53
-
SHA512
5b3d69289c30549b0a5f6f1691f9027752ee7a5b345df3138544169d2f31b22fd5746b3dae47efe59374c99f3019c4b34f55bbfe1436599c0cb02626eb0c499f
-
SSDEEP
6144:qmT0fnCj97yPSJclljd3rKzwN8Jlljd3njPX9ZAk3fs:qmT0fn8sPSkjpKXjtjP9Zt0
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Ibejdjln.exeJfliim32.exeOlebgfao.exeCjakccop.exeOaqbln32.exeAijbfo32.exeBcmfmlen.exeDhiomn32.exeGgicgopd.exeJeafjiop.exeKklkcn32.exeAndgop32.exeObgkpb32.exeBjkhdacm.exeFfodjh32.exePkaehb32.exeGcgnnlle.exeBfncpcoc.exeHqfaldbo.exeAmaelomh.exeFdkklp32.exeGblkoham.exeGneijien.exeJikeeh32.exeCnckjddd.exeDmmmfc32.exeJondnnbk.exeOhhmcinf.exeEdfbaabj.exeGjojef32.exeIeomef32.exeIimfld32.exePafdjmkq.exe9d8b0d7ce66548c1375b8bca7eb790085b65c5d337098af206528586cfc28b53.exeGdhkfd32.exeBiaign32.exeCgfkmgnj.exeMfokinhf.exeGbhbdi32.exeHjlioj32.exeIhbcmaje.exeAfffenbp.exeOeckfndj.exeLfhhjklc.exeOpihgfop.exePaiaplin.exeDphmloih.exeCfeepelg.exeGhajacmo.exeJdnmma32.exeAihfap32.exeIfgpnmom.exeBdcifi32.exeBehilopf.exeAkiobk32.exeBjebdfnn.exeEoepnk32.exeFajbke32.exeGepafc32.exeLnjcomcf.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibejdjln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfliim32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olebgfao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjakccop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oaqbln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aijbfo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcmfmlen.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhiomn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggicgopd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jeafjiop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kklkcn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Andgop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obgkpb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjkhdacm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffodjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkaehb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcgnnlle.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfncpcoc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hqfaldbo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amaelomh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdkklp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gblkoham.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gneijien.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jikeeh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnckjddd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmmmfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jondnnbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohhmcinf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edfbaabj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjojef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ieomef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iimfld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pafdjmkq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" 9d8b0d7ce66548c1375b8bca7eb790085b65c5d337098af206528586cfc28b53.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdhkfd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Biaign32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgfkmgnj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfokinhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbhbdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjlioj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihbcmaje.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkaehb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afffenbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oeckfndj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfhhjklc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opihgfop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Paiaplin.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dphmloih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfeepelg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghajacmo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iimfld32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdnmma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjkhdacm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aihfap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifgpnmom.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdcifi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohhmcinf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Behilopf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akiobk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjebdfnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eoepnk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fajbke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gepafc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnjcomcf.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Ooicid32.exeOeckfndj.exeObgkpb32.exeOeehln32.exeOhcdhi32.exeOmqlpp32.exeOehdan32.exeOhfqmi32.exeOhhmcinf.exeOkgjodmi.exeOmefkplm.exeOaqbln32.exePdonhj32.exePilfpqaa.exePecgea32.exePnjofo32.exePoklngnf.exePcghof32.exePeedka32.exePhcpgm32.exePlolgk32.exePomhcg32.exePciddedl.exePhfmllbd.exePckajebj.exePhhjblpa.exePldebkhj.exeQobbofgn.exeQnebjc32.exeQdojgmfe.exeQgmfchei.exeQngopb32.exeQackpado.exeQdaglmcb.exeAgpcihcf.exeAbegfa32.exeAdcdbl32.exeAcfdnihk.exeAknlofim.exeAnlhkbhq.exeAfgmodel.exeAnneqafn.exeAmaelomh.exeAopahjll.exeAggiigmn.exeAihfap32.exeAmcbankf.exeAqonbm32.exeAbpjjeim.exeAflfjc32.exeAijbfo32.exeAkiobk32.exeBcpgdhpp.exeBfncpcoc.exeBeackp32.exeBmhkmm32.exeBnihdemo.exeBfqpecma.exeBecpap32.exeBiolanld.exeBkmhnjlh.exeBoidnh32.exeBbgqjdce.exeBajqfq32.exepid process 1840 Ooicid32.exe 2356 Oeckfndj.exe 3060 Obgkpb32.exe 2704 Oeehln32.exe 2752 Ohcdhi32.exe 2904 Omqlpp32.exe 2712 Oehdan32.exe 2676 Ohfqmi32.exe 2460 Ohhmcinf.exe 2996 Okgjodmi.exe 2952 Omefkplm.exe 1448 Oaqbln32.exe 2504 Pdonhj32.exe 3056 Pilfpqaa.exe 2328 Pecgea32.exe 2316 Pnjofo32.exe 884 Poklngnf.exe 308 Pcghof32.exe 664 Peedka32.exe 2156 Phcpgm32.exe 2580 Plolgk32.exe 1696 Pomhcg32.exe 2092 Pciddedl.exe 2324 Phfmllbd.exe 1512 Pckajebj.exe 2532 Phhjblpa.exe 2124 Pldebkhj.exe 2684 Qobbofgn.exe 2800 Qnebjc32.exe 1552 Qdojgmfe.exe 2280 Qgmfchei.exe 2868 Qngopb32.exe 2628 Qackpado.exe 3008 Qdaglmcb.exe 2960 Agpcihcf.exe 1868 Abegfa32.exe 2980 Adcdbl32.exe 2332 Acfdnihk.exe 2312 Aknlofim.exe 1096 Anlhkbhq.exe 1980 Afgmodel.exe 1992 Anneqafn.exe 1444 Amaelomh.exe 2012 Aopahjll.exe 2104 Aggiigmn.exe 1456 Aihfap32.exe 2640 Amcbankf.exe 2780 Aqonbm32.exe 660 Abpjjeim.exe 2240 Aflfjc32.exe 2964 Aijbfo32.exe 2772 Akiobk32.exe 352 Bcpgdhpp.exe 872 Bfncpcoc.exe 2768 Beackp32.exe 532 Bmhkmm32.exe 1524 Bnihdemo.exe 2652 Bfqpecma.exe 1176 Becpap32.exe 1828 Biolanld.exe 2056 Bkmhnjlh.exe 1656 Boidnh32.exe 1516 Bbgqjdce.exe 340 Bajqfq32.exe -
Loads dropped DLL 64 IoCs
Processes:
9d8b0d7ce66548c1375b8bca7eb790085b65c5d337098af206528586cfc28b53.exeOoicid32.exeOeckfndj.exeObgkpb32.exeOeehln32.exeOhcdhi32.exeOmqlpp32.exeOehdan32.exeOhfqmi32.exeOhhmcinf.exeOkgjodmi.exeOmefkplm.exeOaqbln32.exePdonhj32.exePilfpqaa.exePecgea32.exePnjofo32.exePoklngnf.exePcghof32.exePeedka32.exePhcpgm32.exePlolgk32.exePomhcg32.exePciddedl.exePhfmllbd.exePckajebj.exePhhjblpa.exePldebkhj.exeQobbofgn.exeQnebjc32.exeQdojgmfe.exeQgmfchei.exepid process 2568 9d8b0d7ce66548c1375b8bca7eb790085b65c5d337098af206528586cfc28b53.exe 2568 9d8b0d7ce66548c1375b8bca7eb790085b65c5d337098af206528586cfc28b53.exe 1840 Ooicid32.exe 1840 Ooicid32.exe 2356 Oeckfndj.exe 2356 Oeckfndj.exe 3060 Obgkpb32.exe 3060 Obgkpb32.exe 2704 Oeehln32.exe 2704 Oeehln32.exe 2752 Ohcdhi32.exe 2752 Ohcdhi32.exe 2904 Omqlpp32.exe 2904 Omqlpp32.exe 2712 Oehdan32.exe 2712 Oehdan32.exe 2676 Ohfqmi32.exe 2676 Ohfqmi32.exe 2460 Ohhmcinf.exe 2460 Ohhmcinf.exe 2996 Okgjodmi.exe 2996 Okgjodmi.exe 2952 Omefkplm.exe 2952 Omefkplm.exe 1448 Oaqbln32.exe 1448 Oaqbln32.exe 2504 Pdonhj32.exe 2504 Pdonhj32.exe 3056 Pilfpqaa.exe 3056 Pilfpqaa.exe 2328 Pecgea32.exe 2328 Pecgea32.exe 2316 Pnjofo32.exe 2316 Pnjofo32.exe 884 Poklngnf.exe 884 Poklngnf.exe 308 Pcghof32.exe 308 Pcghof32.exe 664 Peedka32.exe 664 Peedka32.exe 2156 Phcpgm32.exe 2156 Phcpgm32.exe 2580 Plolgk32.exe 2580 Plolgk32.exe 1696 Pomhcg32.exe 1696 Pomhcg32.exe 2092 Pciddedl.exe 2092 Pciddedl.exe 2324 Phfmllbd.exe 2324 Phfmllbd.exe 1512 Pckajebj.exe 1512 Pckajebj.exe 2532 Phhjblpa.exe 2532 Phhjblpa.exe 2124 Pldebkhj.exe 2124 Pldebkhj.exe 2684 Qobbofgn.exe 2684 Qobbofgn.exe 2800 Qnebjc32.exe 2800 Qnebjc32.exe 1552 Qdojgmfe.exe 1552 Qdojgmfe.exe 2280 Qgmfchei.exe 2280 Qgmfchei.exe -
Drops file in System32 directory 64 IoCs
Processes:
Cnckjddd.exeMjfnomde.exeAaimopli.exeGepafc32.exeOeindm32.exeQlgkki32.exeGcgnnlle.exeGbadjg32.exeNameek32.exeOffmipej.exeAnlhkbhq.exeBjebdfnn.exeEaheeecg.exeClojhf32.exeQobbofgn.exeEgikjh32.exeFdkklp32.exeIedfqeka.exeNedhjj32.exeOpqoge32.exeOaqbln32.exeBnqned32.exeKcecbq32.exeMnomjl32.exePhlclgfc.exeCbblda32.exeBflbigdb.exeEcnoijbd.exeKekiphge.exeElfcbo32.exeHfjpdjjo.exeIllbhp32.exeKgnbnpkp.exeQgmfchei.exeAopahjll.exeDgeaoinb.exeCileqlmg.exeGfcnegnk.exeMkqqnq32.exeCaifjn32.exeBiolanld.exeEhkhaqpk.exeEhpalp32.exeChfbgn32.exeEddeladm.exeFgnadkic.exeIflmjihl.exeLfoojj32.exePhfmllbd.exeBcpgdhpp.exeCiaefa32.exeOpihgfop.exeCjakccop.exeFcbecl32.exeKpdjaecc.exeAfgmodel.exeAnneqafn.exeDaofpchf.exeJbqmhnbo.exedescription ioc process File opened for modification C:\Windows\SysWOW64\Cmfkfa32.exe Cnckjddd.exe File created C:\Windows\SysWOW64\Mobfgdcl.exe Mjfnomde.exe File opened for modification C:\Windows\SysWOW64\Afdiondb.exe Aaimopli.exe File opened for modification C:\Windows\SysWOW64\Aekeef32.dll Gepafc32.exe File created C:\Windows\SysWOW64\Ddaafojo.dll Oeindm32.exe File created C:\Windows\SysWOW64\Qcachc32.exe Qlgkki32.exe File created C:\Windows\SysWOW64\Gbjojh32.exe Gcgnnlle.exe File opened for modification C:\Windows\SysWOW64\Gepafc32.exe Gbadjg32.exe File opened for modification C:\Windows\SysWOW64\Nhgnaehm.exe Nameek32.exe File created C:\Windows\SysWOW64\Qjeeidhg.dll Offmipej.exe File opened for modification C:\Windows\SysWOW64\Afgmodel.exe Anlhkbhq.exe File opened for modification C:\Windows\SysWOW64\Bnqned32.exe Bjebdfnn.exe File opened for modification C:\Windows\SysWOW64\Eecafd32.exe Eaheeecg.exe File created C:\Windows\SysWOW64\Gepafc32.exe Gbadjg32.exe File opened for modification C:\Windows\SysWOW64\Cjakccop.exe Clojhf32.exe File created C:\Windows\SysWOW64\Ggpbcccn.dll Qobbofgn.exe File opened for modification C:\Windows\SysWOW64\Eelkeeah.exe Egikjh32.exe File created C:\Windows\SysWOW64\Fncpef32.exe Fdkklp32.exe File created C:\Windows\SysWOW64\Qfekkflj.dll Iedfqeka.exe File created C:\Windows\SysWOW64\Qeeheknp.dll Nedhjj32.exe File created C:\Windows\SysWOW64\Oococb32.exe Opqoge32.exe File created C:\Windows\SysWOW64\Pdonhj32.exe Oaqbln32.exe File created C:\Windows\SysWOW64\Epojbfko.dll Anlhkbhq.exe File opened for modification C:\Windows\SysWOW64\Bmcnqama.exe Bnqned32.exe File created C:\Windows\SysWOW64\Andpoahc.dll Kcecbq32.exe File created C:\Windows\SysWOW64\Nlemad32.dll Mnomjl32.exe File opened for modification C:\Windows\SysWOW64\Padhdm32.exe Phlclgfc.exe File created C:\Windows\SysWOW64\Cileqlmg.exe Cbblda32.exe File created C:\Windows\SysWOW64\Bmffciep.dll Bflbigdb.exe File opened for modification C:\Windows\SysWOW64\Egikjh32.exe Ecnoijbd.exe File created C:\Windows\SysWOW64\Fffjig32.dll Kekiphge.exe File created C:\Windows\SysWOW64\Kcjjof32.dll Elfcbo32.exe File created C:\Windows\SysWOW64\Ongkdd32.dll Hfjpdjjo.exe File created C:\Windows\SysWOW64\Gphfihaj.dll Illbhp32.exe File created C:\Windows\SysWOW64\Knhjjj32.exe Kgnbnpkp.exe File created C:\Windows\SysWOW64\Qngopb32.exe Qgmfchei.exe File opened for modification C:\Windows\SysWOW64\Aggiigmn.exe Aopahjll.exe File created C:\Windows\SysWOW64\Ehjkan32.dll Dgeaoinb.exe File created C:\Windows\SysWOW64\Afdiondb.exe Aaimopli.exe File created C:\Windows\SysWOW64\Fbnbckhg.dll Cileqlmg.exe File created C:\Windows\SysWOW64\Doohmk32.dll Gfcnegnk.exe File opened for modification C:\Windows\SysWOW64\Mnomjl32.exe Mkqqnq32.exe File created C:\Windows\SysWOW64\Kgloog32.dll Caifjn32.exe File created C:\Windows\SysWOW64\Bkmhnjlh.exe Biolanld.exe File created C:\Windows\SysWOW64\Fplheofl.dll Ehkhaqpk.exe File created C:\Windows\SysWOW64\Elkmmodo.exe Ehpalp32.exe File opened for modification C:\Windows\SysWOW64\Clbnhmjo.exe Chfbgn32.exe File created C:\Windows\SysWOW64\Ogjbid32.dll Eddeladm.exe File created C:\Windows\SysWOW64\Fdkehipd.dll Fgnadkic.exe File created C:\Windows\SysWOW64\Ieomef32.exe Iflmjihl.exe File opened for modification C:\Windows\SysWOW64\Lklgbadb.exe Lfoojj32.exe File opened for modification C:\Windows\SysWOW64\Pckajebj.exe Phfmllbd.exe File created C:\Windows\SysWOW64\Kainfp32.dll Bcpgdhpp.exe File created C:\Windows\SysWOW64\Clpabm32.exe Ciaefa32.exe File created C:\Windows\SysWOW64\Ofcqcp32.exe Opihgfop.exe File created C:\Windows\SysWOW64\Ofaejacl.dll Cjakccop.exe File opened for modification C:\Windows\SysWOW64\Cnckjddd.exe Bflbigdb.exe File opened for modification C:\Windows\SysWOW64\Fgnadkic.exe Fcbecl32.exe File created C:\Windows\SysWOW64\Kgnbnpkp.exe Kpdjaecc.exe File created C:\Windows\SysWOW64\Dlkmjn32.dll Afgmodel.exe File created C:\Windows\SysWOW64\Amaelomh.exe Anneqafn.exe File created C:\Windows\SysWOW64\Difnaqih.exe Daofpchf.exe File created C:\Windows\SysWOW64\Jfliim32.exe Jbqmhnbo.exe File created C:\Windows\SysWOW64\Egpfmb32.dll Kpdjaecc.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 5636 5604 WerFault.exe Dpapaj32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Obgkpb32.exeBbgqjdce.exeNameek32.exeNplimbka.exePldebkhj.exeGhajacmo.exeLonpma32.exeObokcqhk.exePhcilf32.exeQdojgmfe.exeEecafd32.exeKdnild32.exeNenkqi32.exeQkfocaki.exeEnlidg32.exeAaimopli.exeBkegah32.exeBflbigdb.exeCpkmcldj.exeFgdnnl32.exeKoaqcn32.exeBgaebe32.exeFcphnm32.exeNibqqh32.exeDpapaj32.exeBgdibkam.exeDemofaol.exeDphmloih.exeBgllgedi.exeDmbcen32.exeKklkcn32.exeNefdpjkl.exeNeknki32.exeCiihklpj.exeCopjdhib.exeFhdjgoha.exeOhiffh32.exeAnlhkbhq.exeCpfdhl32.exeCcdmnj32.exeDgbeiiqe.exeIimfld32.exePdonhj32.exeLcofio32.exePhlclgfc.exeOmqlpp32.exePnjofo32.exeCkjamgmk.exeMjfnomde.exeBfqpecma.exeCicalakk.exeEcploipa.exeEeohkeoe.exeEeaepd32.exeIdkpganf.exeMnomjl32.exeNncbdomg.exeKcecbq32.exeMcqombic.exeOhncbdbd.exeHidcef32.exeInlkik32.exeKgnbnpkp.exeMkndhabp.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obgkpb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbgqjdce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nameek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nplimbka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pldebkhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghajacmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lonpma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obokcqhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phcilf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdojgmfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eecafd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdnild32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nenkqi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkfocaki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enlidg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaimopli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkegah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bflbigdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpkmcldj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgdnnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koaqcn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgaebe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcphnm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nibqqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpapaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgdibkam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Demofaol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dphmloih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgllgedi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmbcen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kklkcn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nefdpjkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neknki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ciihklpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Copjdhib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhdjgoha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohiffh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anlhkbhq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpfdhl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccdmnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgbeiiqe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iimfld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdonhj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcofio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phlclgfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omqlpp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnjofo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckjamgmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjfnomde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfqpecma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cicalakk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecploipa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eeohkeoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eeaepd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idkpganf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnomjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nncbdomg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcecbq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcqombic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohncbdbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hidcef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inlkik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgnbnpkp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkndhabp.exe -
Modifies registry class 64 IoCs
Processes:
Poklngnf.exeAknlofim.exeDmojkc32.exeFgdnnl32.exeFamope32.exeHqfaldbo.exeMjhjdm32.exeNeknki32.exePhqmgg32.exeCacclpae.exeCcdmnj32.exeCiaefa32.exeMkqqnq32.exePhnpagdp.exeOehdan32.exeFmkilb32.exeNibqqh32.exeCileqlmg.exeBfqpecma.exeIjqoilii.exeEhpalp32.exeFncpef32.exeGgnmbn32.exeBoogmgkl.exeAcfdnihk.exeOffmipej.exePmmeon32.exeBdcifi32.exeOhfqmi32.exeQobbofgn.exeBbgqjdce.exeDoecog32.exeGblkoham.exeGneijien.exeLfoojj32.exeMklcadfn.exeOlebgfao.exePepcelel.exeAjmijmnn.exeBkegah32.exePecgea32.exeCnckjddd.exeKpgffe32.exeNncbdomg.exeOadkej32.exeApgagg32.exeDnpciaef.exePilfpqaa.exeAmcbankf.exeGjojef32.exeHkiicmdh.exeHblgnkdh.exeEogmcjef.exeGbjojh32.exeHfcjdkpg.exeOplelf32.exeCeebklai.exeHcigco32.exeLklgbadb.exeMkndhabp.exeBgllgedi.exeBoidnh32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idkhmgco.dll" Poklngnf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aknlofim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmojkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fgdnnl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Famope32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hqfaldbo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjhjdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Neknki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkfnnoge.dll" Phqmgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbkkmi32.dll" Cacclpae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpnidcen.dll" Ccdmnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ciaefa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkqqnq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phnpagdp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oehdan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmkilb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nibqqh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cileqlmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfqpecma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijqoilii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehpalp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fncpef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lngkoe32.dll" Ggnmbn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Boogmgkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlhhkjkc.dll" Acfdnihk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Offmipej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dahapj32.dll" Pmmeon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdcifi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohniib32.dll" Oehdan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjkclbf.dll" Ohfqmi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qobbofgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbgqjdce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Doecog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjhkej32.dll" Gblkoham.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iajfhi32.dll" Gneijien.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdph32.dll" Lfoojj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeeikk32.dll" Mklcadfn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olebgfao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pepcelel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajmijmnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkegah32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pecgea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnckjddd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpgffe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nncbdomg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oadkej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkppib32.dll" Apgagg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fikbiheg.dll" Dnpciaef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pilfpqaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amcbankf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gjojef32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkiicmdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhkdkaa.dll" Hblgnkdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eogmcjef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbjojh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfcjdkpg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oplelf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdcifi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ceebklai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hcigco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnajpcii.dll" Lklgbadb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mkndhabp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfcgie32.dll" Bgllgedi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bchqdi32.dll" Boidnh32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
9d8b0d7ce66548c1375b8bca7eb790085b65c5d337098af206528586cfc28b53.exeOoicid32.exeOeckfndj.exeObgkpb32.exeOeehln32.exeOhcdhi32.exeOmqlpp32.exeOehdan32.exeOhfqmi32.exeOhhmcinf.exeOkgjodmi.exeOmefkplm.exeOaqbln32.exePdonhj32.exePilfpqaa.exePecgea32.exedescription pid process target process PID 2568 wrote to memory of 1840 2568 9d8b0d7ce66548c1375b8bca7eb790085b65c5d337098af206528586cfc28b53.exe Ooicid32.exe PID 2568 wrote to memory of 1840 2568 9d8b0d7ce66548c1375b8bca7eb790085b65c5d337098af206528586cfc28b53.exe Ooicid32.exe PID 2568 wrote to memory of 1840 2568 9d8b0d7ce66548c1375b8bca7eb790085b65c5d337098af206528586cfc28b53.exe Ooicid32.exe PID 2568 wrote to memory of 1840 2568 9d8b0d7ce66548c1375b8bca7eb790085b65c5d337098af206528586cfc28b53.exe Ooicid32.exe PID 1840 wrote to memory of 2356 1840 Ooicid32.exe Oeckfndj.exe PID 1840 wrote to memory of 2356 1840 Ooicid32.exe Oeckfndj.exe PID 1840 wrote to memory of 2356 1840 Ooicid32.exe Oeckfndj.exe PID 1840 wrote to memory of 2356 1840 Ooicid32.exe Oeckfndj.exe PID 2356 wrote to memory of 3060 2356 Oeckfndj.exe Obgkpb32.exe PID 2356 wrote to memory of 3060 2356 Oeckfndj.exe Obgkpb32.exe PID 2356 wrote to memory of 3060 2356 Oeckfndj.exe Obgkpb32.exe PID 2356 wrote to memory of 3060 2356 Oeckfndj.exe Obgkpb32.exe PID 3060 wrote to memory of 2704 3060 Obgkpb32.exe Oeehln32.exe PID 3060 wrote to memory of 2704 3060 Obgkpb32.exe Oeehln32.exe PID 3060 wrote to memory of 2704 3060 Obgkpb32.exe Oeehln32.exe PID 3060 wrote to memory of 2704 3060 Obgkpb32.exe Oeehln32.exe PID 2704 wrote to memory of 2752 2704 Oeehln32.exe Ohcdhi32.exe PID 2704 wrote to memory of 2752 2704 Oeehln32.exe Ohcdhi32.exe PID 2704 wrote to memory of 2752 2704 Oeehln32.exe Ohcdhi32.exe PID 2704 wrote to memory of 2752 2704 Oeehln32.exe Ohcdhi32.exe PID 2752 wrote to memory of 2904 2752 Ohcdhi32.exe Omqlpp32.exe PID 2752 wrote to memory of 2904 2752 Ohcdhi32.exe Omqlpp32.exe PID 2752 wrote to memory of 2904 2752 Ohcdhi32.exe Omqlpp32.exe PID 2752 wrote to memory of 2904 2752 Ohcdhi32.exe Omqlpp32.exe PID 2904 wrote to memory of 2712 2904 Omqlpp32.exe Oehdan32.exe PID 2904 wrote to memory of 2712 2904 Omqlpp32.exe Oehdan32.exe PID 2904 wrote to memory of 2712 2904 Omqlpp32.exe Oehdan32.exe PID 2904 wrote to memory of 2712 2904 Omqlpp32.exe Oehdan32.exe PID 2712 wrote to memory of 2676 2712 Oehdan32.exe Ohfqmi32.exe PID 2712 wrote to memory of 2676 2712 Oehdan32.exe Ohfqmi32.exe PID 2712 wrote to memory of 2676 2712 Oehdan32.exe Ohfqmi32.exe PID 2712 wrote to memory of 2676 2712 Oehdan32.exe Ohfqmi32.exe PID 2676 wrote to memory of 2460 2676 Ohfqmi32.exe Ohhmcinf.exe PID 2676 wrote to memory of 2460 2676 Ohfqmi32.exe Ohhmcinf.exe PID 2676 wrote to memory of 2460 2676 Ohfqmi32.exe Ohhmcinf.exe PID 2676 wrote to memory of 2460 2676 Ohfqmi32.exe Ohhmcinf.exe PID 2460 wrote to memory of 2996 2460 Ohhmcinf.exe Okgjodmi.exe PID 2460 wrote to memory of 2996 2460 Ohhmcinf.exe Okgjodmi.exe PID 2460 wrote to memory of 2996 2460 Ohhmcinf.exe Okgjodmi.exe PID 2460 wrote to memory of 2996 2460 Ohhmcinf.exe Okgjodmi.exe PID 2996 wrote to memory of 2952 2996 Okgjodmi.exe Omefkplm.exe PID 2996 wrote to memory of 2952 2996 Okgjodmi.exe Omefkplm.exe PID 2996 wrote to memory of 2952 2996 Okgjodmi.exe Omefkplm.exe PID 2996 wrote to memory of 2952 2996 Okgjodmi.exe Omefkplm.exe PID 2952 wrote to memory of 1448 2952 Omefkplm.exe Oaqbln32.exe PID 2952 wrote to memory of 1448 2952 Omefkplm.exe Oaqbln32.exe PID 2952 wrote to memory of 1448 2952 Omefkplm.exe Oaqbln32.exe PID 2952 wrote to memory of 1448 2952 Omefkplm.exe Oaqbln32.exe PID 1448 wrote to memory of 2504 1448 Oaqbln32.exe Pdonhj32.exe PID 1448 wrote to memory of 2504 1448 Oaqbln32.exe Pdonhj32.exe PID 1448 wrote to memory of 2504 1448 Oaqbln32.exe Pdonhj32.exe PID 1448 wrote to memory of 2504 1448 Oaqbln32.exe Pdonhj32.exe PID 2504 wrote to memory of 3056 2504 Pdonhj32.exe Pilfpqaa.exe PID 2504 wrote to memory of 3056 2504 Pdonhj32.exe Pilfpqaa.exe PID 2504 wrote to memory of 3056 2504 Pdonhj32.exe Pilfpqaa.exe PID 2504 wrote to memory of 3056 2504 Pdonhj32.exe Pilfpqaa.exe PID 3056 wrote to memory of 2328 3056 Pilfpqaa.exe Pecgea32.exe PID 3056 wrote to memory of 2328 3056 Pilfpqaa.exe Pecgea32.exe PID 3056 wrote to memory of 2328 3056 Pilfpqaa.exe Pecgea32.exe PID 3056 wrote to memory of 2328 3056 Pilfpqaa.exe Pecgea32.exe PID 2328 wrote to memory of 2316 2328 Pecgea32.exe Pnjofo32.exe PID 2328 wrote to memory of 2316 2328 Pecgea32.exe Pnjofo32.exe PID 2328 wrote to memory of 2316 2328 Pecgea32.exe Pnjofo32.exe PID 2328 wrote to memory of 2316 2328 Pecgea32.exe Pnjofo32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\9d8b0d7ce66548c1375b8bca7eb790085b65c5d337098af206528586cfc28b53.exe"C:\Users\Admin\AppData\Local\Temp\9d8b0d7ce66548c1375b8bca7eb790085b65c5d337098af206528586cfc28b53.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\Ooicid32.exeC:\Windows\system32\Ooicid32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1840 -
C:\Windows\SysWOW64\Oeckfndj.exeC:\Windows\system32\Oeckfndj.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\SysWOW64\Obgkpb32.exeC:\Windows\system32\Obgkpb32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Windows\SysWOW64\Oeehln32.exeC:\Windows\system32\Oeehln32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Ohcdhi32.exeC:\Windows\system32\Ohcdhi32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Omqlpp32.exeC:\Windows\system32\Omqlpp32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\Oehdan32.exeC:\Windows\system32\Oehdan32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Ohfqmi32.exeC:\Windows\system32\Ohfqmi32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Ohhmcinf.exeC:\Windows\system32\Ohhmcinf.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Windows\SysWOW64\Okgjodmi.exeC:\Windows\system32\Okgjodmi.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\SysWOW64\Omefkplm.exeC:\Windows\system32\Omefkplm.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\SysWOW64\Oaqbln32.exeC:\Windows\system32\Oaqbln32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1448 -
C:\Windows\SysWOW64\Pdonhj32.exeC:\Windows\system32\Pdonhj32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\SysWOW64\Pilfpqaa.exeC:\Windows\system32\Pilfpqaa.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Windows\SysWOW64\Pecgea32.exeC:\Windows\system32\Pecgea32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Windows\SysWOW64\Pnjofo32.exeC:\Windows\system32\Pnjofo32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2316 -
C:\Windows\SysWOW64\Poklngnf.exeC:\Windows\system32\Poklngnf.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:884 -
C:\Windows\SysWOW64\Pcghof32.exeC:\Windows\system32\Pcghof32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:308 -
C:\Windows\SysWOW64\Peedka32.exeC:\Windows\system32\Peedka32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:664 -
C:\Windows\SysWOW64\Phcpgm32.exeC:\Windows\system32\Phcpgm32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2156 -
C:\Windows\SysWOW64\Plolgk32.exeC:\Windows\system32\Plolgk32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2580 -
C:\Windows\SysWOW64\Pomhcg32.exeC:\Windows\system32\Pomhcg32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1696 -
C:\Windows\SysWOW64\Pciddedl.exeC:\Windows\system32\Pciddedl.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2092 -
C:\Windows\SysWOW64\Phfmllbd.exeC:\Windows\system32\Phfmllbd.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2324 -
C:\Windows\SysWOW64\Pckajebj.exeC:\Windows\system32\Pckajebj.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1512 -
C:\Windows\SysWOW64\Phhjblpa.exeC:\Windows\system32\Phhjblpa.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2532 -
C:\Windows\SysWOW64\Pldebkhj.exeC:\Windows\system32\Pldebkhj.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2124 -
C:\Windows\SysWOW64\Qobbofgn.exeC:\Windows\system32\Qobbofgn.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2684 -
C:\Windows\SysWOW64\Qnebjc32.exeC:\Windows\system32\Qnebjc32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2800 -
C:\Windows\SysWOW64\Qdojgmfe.exeC:\Windows\system32\Qdojgmfe.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1552 -
C:\Windows\SysWOW64\Qgmfchei.exeC:\Windows\system32\Qgmfchei.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2280 -
C:\Windows\SysWOW64\Qngopb32.exeC:\Windows\system32\Qngopb32.exe33⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Qackpado.exeC:\Windows\system32\Qackpado.exe34⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Qdaglmcb.exeC:\Windows\system32\Qdaglmcb.exe35⤵
- Executes dropped EXE
PID:3008 -
C:\Windows\SysWOW64\Agpcihcf.exeC:\Windows\system32\Agpcihcf.exe36⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Abegfa32.exeC:\Windows\system32\Abegfa32.exe37⤵
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\Adcdbl32.exeC:\Windows\system32\Adcdbl32.exe38⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Acfdnihk.exeC:\Windows\system32\Acfdnihk.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:2332 -
C:\Windows\SysWOW64\Aknlofim.exeC:\Windows\system32\Aknlofim.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:2312 -
C:\Windows\SysWOW64\Anlhkbhq.exeC:\Windows\system32\Anlhkbhq.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1096 -
C:\Windows\SysWOW64\Afgmodel.exeC:\Windows\system32\Afgmodel.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1980 -
C:\Windows\SysWOW64\Anneqafn.exeC:\Windows\system32\Anneqafn.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1992 -
C:\Windows\SysWOW64\Amaelomh.exeC:\Windows\system32\Amaelomh.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1444 -
C:\Windows\SysWOW64\Aopahjll.exeC:\Windows\system32\Aopahjll.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2012 -
C:\Windows\SysWOW64\Aggiigmn.exeC:\Windows\system32\Aggiigmn.exe46⤵
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\Aihfap32.exeC:\Windows\system32\Aihfap32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1456 -
C:\Windows\SysWOW64\Amcbankf.exeC:\Windows\system32\Amcbankf.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:2640 -
C:\Windows\SysWOW64\Aqonbm32.exeC:\Windows\system32\Aqonbm32.exe49⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Abpjjeim.exeC:\Windows\system32\Abpjjeim.exe50⤵
- Executes dropped EXE
PID:660 -
C:\Windows\SysWOW64\Aflfjc32.exeC:\Windows\system32\Aflfjc32.exe51⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Aijbfo32.exeC:\Windows\system32\Aijbfo32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\Akiobk32.exeC:\Windows\system32\Akiobk32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Bcpgdhpp.exeC:\Windows\system32\Bcpgdhpp.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:352 -
C:\Windows\SysWOW64\Bfncpcoc.exeC:\Windows\system32\Bfncpcoc.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:872 -
C:\Windows\SysWOW64\Beackp32.exeC:\Windows\system32\Beackp32.exe56⤵
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Bmhkmm32.exeC:\Windows\system32\Bmhkmm32.exe57⤵
- Executes dropped EXE
PID:532 -
C:\Windows\SysWOW64\Bnihdemo.exeC:\Windows\system32\Bnihdemo.exe58⤵
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\Bfqpecma.exeC:\Windows\system32\Bfqpecma.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2652 -
C:\Windows\SysWOW64\Becpap32.exeC:\Windows\system32\Becpap32.exe60⤵
- Executes dropped EXE
PID:1176 -
C:\Windows\SysWOW64\Biolanld.exeC:\Windows\system32\Biolanld.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1828 -
C:\Windows\SysWOW64\Bkmhnjlh.exeC:\Windows\system32\Bkmhnjlh.exe62⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Boidnh32.exeC:\Windows\system32\Boidnh32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:1656 -
C:\Windows\SysWOW64\Bbgqjdce.exeC:\Windows\system32\Bbgqjdce.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1516 -
C:\Windows\SysWOW64\Bajqfq32.exeC:\Windows\system32\Bajqfq32.exe65⤵
- Executes dropped EXE
PID:340 -
C:\Windows\SysWOW64\Biaign32.exeC:\Windows\system32\Biaign32.exe66⤵PID:2744
-
C:\Windows\SysWOW64\Biaign32.exeC:\Windows\system32\Biaign32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1352 -
C:\Windows\SysWOW64\Bgdibkam.exeC:\Windows\system32\Bgdibkam.exe68⤵
- System Location Discovery: System Language Discovery
PID:2256 -
C:\Windows\SysWOW64\Bjbeofpp.exeC:\Windows\system32\Bjbeofpp.exe69⤵PID:2176
-
C:\Windows\SysWOW64\Bnnaoe32.exeC:\Windows\system32\Bnnaoe32.exe70⤵PID:2604
-
C:\Windows\SysWOW64\Bbjmpcab.exeC:\Windows\system32\Bbjmpcab.exe71⤵PID:2992
-
C:\Windows\SysWOW64\Behilopf.exeC:\Windows\system32\Behilopf.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1200 -
C:\Windows\SysWOW64\Bgffhkoj.exeC:\Windows\system32\Bgffhkoj.exe73⤵PID:2812
-
C:\Windows\SysWOW64\Bjebdfnn.exeC:\Windows\system32\Bjebdfnn.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2484 -
C:\Windows\SysWOW64\Bnqned32.exeC:\Windows\system32\Bnqned32.exe75⤵
- Drops file in System32 directory
PID:2876 -
C:\Windows\SysWOW64\Bmcnqama.exeC:\Windows\system32\Bmcnqama.exe76⤵PID:2908
-
C:\Windows\SysWOW64\Baojapfj.exeC:\Windows\system32\Baojapfj.exe77⤵PID:2972
-
C:\Windows\SysWOW64\Bcmfmlen.exeC:\Windows\system32\Bcmfmlen.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1440 -
C:\Windows\SysWOW64\Bflbigdb.exeC:\Windows\system32\Bflbigdb.exe79⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2520 -
C:\Windows\SysWOW64\Cnckjddd.exeC:\Windows\system32\Cnckjddd.exe80⤵PID:2380
-
C:\Windows\SysWOW64\Cnckjddd.exeC:\Windows\system32\Cnckjddd.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2500 -
C:\Windows\SysWOW64\Cmfkfa32.exeC:\Windows\system32\Cmfkfa32.exe82⤵PID:2516
-
C:\Windows\SysWOW64\Cpdgbm32.exeC:\Windows\system32\Cpdgbm32.exe83⤵PID:2736
-
C:\Windows\SysWOW64\Ccpcckck.exeC:\Windows\system32\Ccpcckck.exe84⤵PID:976
-
C:\Windows\SysWOW64\Cfnoogbo.exeC:\Windows\system32\Cfnoogbo.exe85⤵PID:1484
-
C:\Windows\SysWOW64\Cillkbac.exeC:\Windows\system32\Cillkbac.exe86⤵PID:2548
-
C:\Windows\SysWOW64\Cacclpae.exeC:\Windows\system32\Cacclpae.exe87⤵
- Modifies registry class
PID:2988 -
C:\Windows\SysWOW64\Cpfdhl32.exeC:\Windows\system32\Cpfdhl32.exe88⤵
- System Location Discovery: System Language Discovery
PID:2808 -
C:\Windows\SysWOW64\Cbepdhgc.exeC:\Windows\system32\Cbepdhgc.exe89⤵PID:2600
-
C:\Windows\SysWOW64\Cjlheehe.exeC:\Windows\system32\Cjlheehe.exe90⤵PID:908
-
C:\Windows\SysWOW64\Ciohqa32.exeC:\Windows\system32\Ciohqa32.exe91⤵PID:1212
-
C:\Windows\SysWOW64\Clmdmm32.exeC:\Windows\system32\Clmdmm32.exe92⤵PID:328
-
C:\Windows\SysWOW64\Cpiqmlfm.exeC:\Windows\system32\Cpiqmlfm.exe93⤵PID:1616
-
C:\Windows\SysWOW64\Ccdmnj32.exeC:\Windows\system32\Ccdmnj32.exe94⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2468 -
C:\Windows\SysWOW64\Ceeieced.exeC:\Windows\system32\Ceeieced.exe95⤵PID:2632
-
C:\Windows\SysWOW64\Ciaefa32.exeC:\Windows\system32\Ciaefa32.exe96⤵
- Drops file in System32 directory
- Modifies registry class
PID:2840 -
C:\Windows\SysWOW64\Clpabm32.exeC:\Windows\system32\Clpabm32.exe97⤵PID:2940
-
C:\Windows\SysWOW64\Cpkmcldj.exeC:\Windows\system32\Cpkmcldj.exe98⤵
- System Location Discovery: System Language Discovery
PID:2824 -
C:\Windows\SysWOW64\Cbiiog32.exeC:\Windows\system32\Cbiiog32.exe99⤵PID:1880
-
C:\Windows\SysWOW64\Cfeepelg.exeC:\Windows\system32\Cfeepelg.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2636 -
C:\Windows\SysWOW64\Cicalakk.exeC:\Windows\system32\Cicalakk.exe101⤵
- System Location Discovery: System Language Discovery
PID:3044 -
C:\Windows\SysWOW64\Chfbgn32.exeC:\Windows\system32\Chfbgn32.exe102⤵
- Drops file in System32 directory
PID:2720 -
C:\Windows\SysWOW64\Clbnhmjo.exeC:\Windows\system32\Clbnhmjo.exe103⤵PID:1944
-
C:\Windows\SysWOW64\Copjdhib.exeC:\Windows\system32\Copjdhib.exe104⤵
- System Location Discovery: System Language Discovery
PID:1704 -
C:\Windows\SysWOW64\Cblfdg32.exeC:\Windows\system32\Cblfdg32.exe105⤵PID:2292
-
C:\Windows\SysWOW64\Daofpchf.exeC:\Windows\system32\Daofpchf.exe106⤵
- Drops file in System32 directory
PID:2648 -
C:\Windows\SysWOW64\Difnaqih.exeC:\Windows\system32\Difnaqih.exe107⤵PID:1964
-
C:\Windows\SysWOW64\Dhiomn32.exeC:\Windows\system32\Dhiomn32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2560 -
C:\Windows\SysWOW64\Dldkmlhl.exeC:\Windows\system32\Dldkmlhl.exe109⤵PID:2776
-
C:\Windows\SysWOW64\Dobgihgp.exeC:\Windows\system32\Dobgihgp.exe110⤵PID:1232
-
C:\Windows\SysWOW64\Dbncjf32.exeC:\Windows\system32\Dbncjf32.exe111⤵PID:1684
-
C:\Windows\SysWOW64\Demofaol.exeC:\Windows\system32\Demofaol.exe112⤵
- System Location Discovery: System Language Discovery
PID:2664 -
C:\Windows\SysWOW64\Dhkkbmnp.exeC:\Windows\system32\Dhkkbmnp.exe113⤵PID:2884
-
C:\Windows\SysWOW64\Dlfgcl32.exeC:\Windows\system32\Dlfgcl32.exe114⤵PID:1012
-
C:\Windows\SysWOW64\Doecog32.exeC:\Windows\system32\Doecog32.exe115⤵
- Modifies registry class
PID:2472 -
C:\Windows\SysWOW64\Dmhdkdlg.exeC:\Windows\system32\Dmhdkdlg.exe116⤵PID:1940
-
C:\Windows\SysWOW64\Dacpkc32.exeC:\Windows\system32\Dacpkc32.exe117⤵PID:1628
-
C:\Windows\SysWOW64\Ddblgn32.exeC:\Windows\system32\Ddblgn32.exe118⤵PID:2944
-
C:\Windows\SysWOW64\Dhmhhmlm.exeC:\Windows\system32\Dhmhhmlm.exe119⤵PID:640
-
C:\Windows\SysWOW64\Dklddhka.exeC:\Windows\system32\Dklddhka.exe120⤵PID:2172
-
C:\Windows\SysWOW64\Dogpdg32.exeC:\Windows\system32\Dogpdg32.exe121⤵PID:1136
-
C:\Windows\SysWOW64\Dafmqb32.exeC:\Windows\system32\Dafmqb32.exe122⤵PID:440
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-