Analysis

max time kernel: 81s
max time network: 19s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 10-11-2024 01:06
Static task: static1

Behavioral task: behavioral1
Sample: 5b84717f9bc74ded241f99c7b8c4c1fe698a0af96a81a4e4d81df894854b296bN.exe
Resource: win7-20241010-en

Behavioral task: behavioral2
Sample: 5b84717f9bc74ded241f99c7b8c4c1fe698a0af96a81a4e4d81df894854b296bN.exe
Resource: win10v2004-20241007-en
General

Target: 5b84717f9bc74ded241f99c7b8c4c1fe698a0af96a81a4e4d81df894854b296bN.exe
Size: 224KB
MD5: dc91da47fedd576e987dbb22dfa044d0
SHA1: 92801b28ee39141cf35bf076f05485bebdcf73c8
SHA256: 5b84717f9bc74ded241f99c7b8c4c1fe698a0af96a81a4e4d81df894854b296b
SHA512: d3671fb8893837a2cfa2c3ca163865cd92a32a46c51814a38a34109d1f313e237c910ac8e864efafac55d02e811b484377865fa9994de88f231ba786bc6afc37
SSDEEP: 3072:o34aULx5Zji/I2B1xdLm102VZjuajDMyap9jCyFsWteYCWS3M:6471vjiQ2B1xBm102VQlterc
Malware Config

Extracted family: berbew
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Berbew family

Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)

WerFault.exe (pid 3552) handled a crash of target process Joagkd32.exe (pid 3672)
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)

Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lighjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aahqpjlb.dll" Mpmdff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmglh32.dll" Cjdonndl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iaqnbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmolagqb.dll" Jocalffk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Modano32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgkqeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cqneaodd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joidfo32.dll" Klamohhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbclfj32.dll" Adohpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ilcfjkgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdfeke32.dll" Gdgadeee.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Foblaefj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afjdbifq.dll" Mhaobd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hiichkog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mpoppadq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oclndk32.dll" Qlqdmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqepfb32.dll" Beccgi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nilndfgl.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 5b84717f9bc74ded241f99c7b8c4c1fe698a0af96a81a4e4d81df894854b296bN.exe, Ndbile32.exe, Nafiej32.exe, Nknnnoph.exe, Nldcagaq.exe, Oogiha32.exe, Ohbjgg32.exe, Pqplqile.exe, Pjhpin32.exe, Pjofjm32.exe, Pcgkcccn.exe, Aiimfi32.exe, Agqfme32.exe, Afecna32.exe, Biiiempl.exe, Bebfpm32.exe
Each parent/child pair below was recorded four times (four identical WriteProcessMemory calls), 16 pairs for the 64 IoCs; the "calls" column carries that count.
description | pid | process | target process | calls
PID 1736 wrote to memory of 2164 | 1736 | 5b84717f9bc74ded241f99c7b8c4c1fe698a0af96a81a4e4d81df894854b296bN.exe | Ndbile32.exe | 4
PID 2164 wrote to memory of 2936 | 2164 | Ndbile32.exe | Nafiej32.exe | 4
PID 2936 wrote to memory of 2144 | 2936 | Nafiej32.exe | Nknnnoph.exe | 4
PID 2144 wrote to memory of 3040 | 2144 | Nknnnoph.exe | Nldcagaq.exe | 4
PID 3040 wrote to memory of 2920 | 3040 | Nldcagaq.exe | Oogiha32.exe | 4
PID 2920 wrote to memory of 2564 | 2920 | Oogiha32.exe | Ohbjgg32.exe | 4
PID 2564 wrote to memory of 3004 | 2564 | Ohbjgg32.exe | Pqplqile.exe | 4
PID 3004 wrote to memory of 2332 | 3004 | Pqplqile.exe | Pjhpin32.exe | 4
PID 2332 wrote to memory of 2316 | 2332 | Pjhpin32.exe | Pjofjm32.exe | 4
PID 2316 wrote to memory of 1836 | 2316 | Pjofjm32.exe | Pcgkcccn.exe | 4
PID 1836 wrote to memory of 2032 | 1836 | Pcgkcccn.exe | Aiimfi32.exe | 4
PID 2032 wrote to memory of 564 | 2032 | Aiimfi32.exe | Agqfme32.exe | 4
PID 564 wrote to memory of 2336 | 564 | Agqfme32.exe | Afecna32.exe | 4
PID 2336 wrote to memory of 2464 | 2336 | Afecna32.exe | Biiiempl.exe | 4
PID 2464 wrote to memory of 2064 | 2464 | Biiiempl.exe | Bebfpm32.exe | 4
PID 2064 wrote to memory of 2732 | 2064 | Bebfpm32.exe | Bmohjooe.exe | 4
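The registry and WriteProcessMemory sections above are raw event dumps; what a detection engineer wants from them is (a) which CLSID is being re-pointed at which DLLs and by how many different processes, and (b) the parent/child chain the memory writes describe. The Python below is an added example, not part of this sandbox report or of the sandbox's own tooling. It parses lines in exactly the textual form used above, groups the InProcServer32 writes by CLSID and rebuilds the process chain. The sample lines are copied from this report, except the {11111111-2222-3333-4444-555555555555} / setup.exe entry, which is a constructed benign control (one CLSID, one writer, one DLL) so the check has something to not flag.

```python
import re

# Lines copied from this report, one event per line. The last registry line is a
# constructed benign control (hypothetical CLSID and setup.exe), not from the report.
REGISTRY_LINES = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkpdhc32.dll" Onggom32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gooqml32.dll" Gidgdcli.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qipmdhcj.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jghcbjll.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjddeg32.dll" Fffabman.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-2222-3333-4444-555555555555}\InProcServer32\ = "C:\\Program Files\\Vendor\\vendor.dll" setup.exe',
]

WPM_LINES = [
    'PID 1736 wrote to memory of 2164 1736 5b84717f9bc74ded241f99c7b8c4c1fe698a0af96a81a4e4d81df894854b296bN.exe Ndbile32.exe',
    'PID 1736 wrote to memory of 2164 1736 5b84717f9bc74ded241f99c7b8c4c1fe698a0af96a81a4e4d81df894854b296bN.exe Ndbile32.exe',
    'PID 2164 wrote to memory of 2936 2164 Ndbile32.exe Nafiej32.exe',
    'PID 2936 wrote to memory of 2144 2936 Nafiej32.exe Nknnnoph.exe',
    'PID 2144 wrote to memory of 3040 2144 Nknnnoph.exe Nldcagaq.exe',
]

SET_RE = re.compile(r'^Set value \((?P<kind>\w+)\) (?P<path>\S+) = "(?P<value>[^"]*)" (?P<proc>\S+)$')
KEY_RE = re.compile(r'^Key created (?P<path>\S+) (?P<proc>\S+)$')
WPM_RE = re.compile(r'^PID (?P<src_pid>\d+) wrote to memory of (?P<dst_pid>\d+) (?P=src_pid) (?P<src>\S+) (?P<dst>\S+)$')
CLSID_RE = re.compile(r'\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InProcServer32')


def parse_registry_line(line):
    """Return a dict for a 'Set value' or 'Key created' line, or None for anything else."""
    m = SET_RE.match(line)
    if m:
        # A trailing backslash means the unnamed (Default) value was written.
        key, _, name = m.group('path').rpartition('\\')
        return {'op': 'set', 'key': key, 'name': name or '(Default)',
                'value': m.group('value'), 'proc': m.group('proc')}
    m = KEY_RE.match(line)
    if m:
        return {'op': 'create', 'key': m.group('path'), 'name': None,
                'value': None, 'proc': m.group('proc')}
    return None


def com_server_registrations(lines):
    """Group InProcServer32 events by CLSID: the DLLs it was pointed at and the processes that wrote it."""
    regs = {}
    for line in lines:
        ev = parse_registry_line(line)
        if ev is None:
            continue
        m = CLSID_RE.search(ev['key'])
        if m is None:
            continue
        entry = regs.setdefault(m.group(1).upper(), {'dlls': [], 'writers': set(), 'apartment': False})
        entry['writers'].add(ev['proc'])
        if ev['op'] == 'set' and ev['name'] == '(Default)' and ev['value'] not in entry['dlls']:
            entry['dlls'].append(ev['value'])
        if ev['op'] == 'set' and ev['name'] == 'ThreadingModel' and ev['value'] == 'Apartment':
            entry['apartment'] = True
    return regs


def suspicious_clsids(regs):
    """One CLSID whose server DLL is re-pointed by several distinct processes: the pattern in this report."""
    return sorted(c for c, e in regs.items() if len(e['dlls']) > 1 and len(e['writers']) > 1)


def build_process_chain(lines):
    """Rebuild the parent -> child chain from WriteProcessMemory events; repeated identical lines collapse."""
    parent_of = {}  # child pid -> (parent pid, parent name, child name), first sighting wins
    for line in lines:
        m = WPM_RE.match(line)
        if m is None:
            continue
        parent_of.setdefault(m.group('dst_pid'), (m.group('src_pid'), m.group('src'), m.group('dst')))
    child_pids = set(parent_of)
    roots = [v[0] for v in parent_of.values() if v[0] not in child_pids]
    if not roots:
        return []
    chain = [next(v[1] for v in parent_of.values() if v[0] == roots[0])]
    children = {v[0]: (k, v[2]) for k, v in parent_of.items()}  # parent pid -> (child pid, child name)
    pid = roots[0]
    while pid in children:
        pid, name = children[pid]
        chain.append(name)
    return chain


if __name__ == '__main__':
    regs = com_server_registrations(REGISTRY_LINES)
    for clsid in suspicious_clsids(regs):
        e = regs[clsid]
        print(clsid, 'pointed at', len(e['dlls']), 'DLLs by', len(e['writers']), 'processes; Apartment =', e['apartment'])
    print(' -> '.join(build_process_chain(WPM_LINES)))
```

Run on the full report, the same code groups every (Default) write under the single CLSID {79FEACFF-FFCE-815E-A900-316290B5B738} and walks a chain the length of the process tree; the control CLSID, written once by one process, stays unflagged.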
Processes
-
Each row is the child of the row above it, so the tree is a single chain 122 processes deep. Every process after the first is started with the command line C:\Windows\system32\<name>.exe; because the sample is 32-bit (arch:x86, Wow6432Node), WoW64 file-system redirection resolves that to the image path C:\Windows\SysWOW64\<name>.exe listed here.
depth | PID | image | signatures
1 | 1736 | C:\Users\Admin\AppData\Local\Temp\5b84717f9bc74ded241f99c7b8c4c1fe698a0af96a81a4e4d81df894854b296bN.exe (command line "C:\Users\Admin\AppData\Local\Temp\5b84717f9bc74ded241f99c7b8c4c1fe698a0af96a81a4e4d81df894854b296bN.exe") | Loads dropped DLL; Suspicious use of WriteProcessMemory
2 | 2164 | C:\Windows\SysWOW64\Ndbile32.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
3 | 2936 | C:\Windows\SysWOW64\Nafiej32.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
4 | 2144 | C:\Windows\SysWOW64\Nknnnoph.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
5 | 3040 | C:\Windows\SysWOW64\Nldcagaq.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
6 | 2920 | C:\Windows\SysWOW64\Oogiha32.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
7 | 2564 | C:\Windows\SysWOW64\Ohbjgg32.exe | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
8 | 3004 | C:\Windows\SysWOW64\Pqplqile.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
9 | 2332 | C:\Windows\SysWOW64\Pjhpin32.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
10 | 2316 | C:\Windows\SysWOW64\Pjofjm32.exe | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
11 | 1836 | C:\Windows\SysWOW64\Pcgkcccn.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
12 | 2032 | C:\Windows\SysWOW64\Aiimfi32.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
13 | 564 | C:\Windows\SysWOW64\Agqfme32.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
14 | 2336 | C:\Windows\SysWOW64\Afecna32.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
15 | 2464 | C:\Windows\SysWOW64\Biiiempl.exe | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
16 | 2064 | C:\Windows\SysWOW64\Bebfpm32.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
17 | 2732 | C:\Windows\SysWOW64\Bmohjooe.exe | Executes dropped EXE; Loads dropped DLL; Modifies registry class
18 | 1356 | C:\Windows\SysWOW64\Cbajme32.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
19 | 2300 | C:\Windows\SysWOW64\Cpgglifo.exe | Executes dropped EXE; Loads dropped DLL
20 | 1744 | C:\Windows\SysWOW64\Dibhjokm.exe | Executes dropped EXE; Loads dropped DLL
21 | 2096 | C:\Windows\SysWOW64\Ddliklgk.exe | Executes dropped EXE; Loads dropped DLL
22 | 276 | C:\Windows\SysWOW64\Dgoobg32.exe | Executes dropped EXE; Loads dropped DLL
23 | 1524 | C:\Windows\SysWOW64\Ejohdbok.exe | Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
24 | 2432 | C:\Windows\SysWOW64\Efmoib32.exe | Executes dropped EXE
25 | 2156 | C:\Windows\SysWOW64\Fdehpn32.exe | Loads dropped DLL
26 | 2224 | C:\Windows\SysWOW64\Fgeabi32.exe | Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
27 | 2916 | C:\Windows\SysWOW64\Fclbgj32.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
28 | 2964 | C:\Windows\SysWOW64\Gpeoakhc.exe | Executes dropped EXE; Loads dropped DLL
29 | 3044 | C:\Windows\SysWOW64\Gphlgk32.exe | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
30 | 2016 | C:\Windows\SysWOW64\Gfdaid32.exe | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
31 | 2572 | C:\Windows\SysWOW64\Gjffbhnj.exe | Executes dropped EXE; Loads dropped DLL
32 | 2784 | C:\Windows\SysWOW64\Habkeacd.exe | Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
33 | 2360 | C:\Windows\SysWOW64\Hdqhambg.exe | Executes dropped EXE; Loads dropped DLL
34 | 1784 | C:\Windows\SysWOW64\Hhopgkin.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
35 | 1056 | C:\Windows\SysWOW64\Hpjeknfi.exe | Executes dropped EXE
36 | 2344 | C:\Windows\SysWOW64\Hlqfqo32.exe | Executes dropped EXE
37 | 840 | C:\Windows\SysWOW64\Hidfjckg.exe | Executes dropped EXE
38 | 2600 | C:\Windows\SysWOW64\Iigcobid.exe | Executes dropped EXE; Drops file in System32 directory
39 | 2244 | C:\Windows\SysWOW64\Iabhdefo.exe | Executes dropped EXE
40 | 520 | C:\Windows\SysWOW64\Ibadnhmb.exe | Executes dropped EXE
41 | 2452 | C:\Windows\SysWOW64\Ikmibjkm.exe | Executes dropped EXE
42 | 624 | C:\Windows\SysWOW64\Iokahhac.exe | Executes dropped EXE
43 | 756 | C:\Windows\SysWOW64\Jidbifmb.exe | Executes dropped EXE
44 | 1320 | C:\Windows\SysWOW64\Jghcbjll.exe | Executes dropped EXE; Modifies registry class
45 | 2576 | C:\Windows\SysWOW64\Jlekja32.exe | Executes dropped EXE
46 | 1712 | C:\Windows\SysWOW64\Jlghpa32.exe | Executes dropped EXE
47 | 1204 | C:\Windows\SysWOW64\Jfpmifoa.exe | Executes dropped EXE
48 | 1544 | C:\Windows\SysWOW64\Jfbinf32.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
49 | 1824 | C:\Windows\SysWOW64\Kdgfpbaf.exe | Executes dropped EXE
50 | 1256 | C:\Windows\SysWOW64\Knbgnhfd.exe | Executes dropped EXE
51 | 2212 | C:\Windows\SysWOW64\Knddcg32.exe | Executes dropped EXE
52 | 2912 | C:\Windows\SysWOW64\Kjkehhjf.exe | Executes dropped EXE
53 | 2312 | C:\Windows\SysWOW64\Kfbemi32.exe | Executes dropped EXE
54 | 2836 | C:\Windows\SysWOW64\Lgabgl32.exe | Executes dropped EXE; Drops file in System32 directory
55 | 2820 | C:\Windows\SysWOW64\Lomglo32.exe | Executes dropped EXE
56 | 2536 | C:\Windows\SysWOW64\Loocanbe.exe | Executes dropped EXE
57 | 1084 | C:\Windows\SysWOW64\Lighjd32.exe | Executes dropped EXE; Modifies registry class
58 | 1872 | C:\Windows\SysWOW64\Lgmekpmn.exe | Executes dropped EXE; Modifies registry class
59 | 2132 | C:\Windows\SysWOW64\Mgoaap32.exe | Executes dropped EXE
60 | 2664 | C:\Windows\SysWOW64\Mcfbfaao.exe | Executes dropped EXE; System Location Discovery: System Language Discovery
61 | 2348 | C:\Windows\SysWOW64\Mmngof32.exe | Executes dropped EXE
62 | 580 | C:\Windows\SysWOW64\Mffkgl32.exe | Executes dropped EXE
63 | 2268 | C:\Windows\SysWOW64\Mpoppadq.exe | Executes dropped EXE; Modifies registry class
64 | 2456 | C:\Windows\SysWOW64\Mdmhfpkg.exe | Executes dropped EXE
65 | 2200 | C:\Windows\SysWOW64\Mlhmkbhb.exe | Executes dropped EXE
66 | 1164 | C:\Windows\SysWOW64\Nilndfgl.exe | Executes dropped EXE; Modifies registry class
67 | 1700 | C:\Windows\SysWOW64\Noifmmec.exe |
68 | 2544 | C:\Windows\SysWOW64\Nhakecld.exe | System Location Discovery: System Language Discovery
69 | 2056 | C:\Windows\SysWOW64\Neekogkm.exe |
70 | 1768 | C:\Windows\SysWOW64\Ocdnloph.exe | Adds autorun key to be loaded by Explorer.exe on startup; System Location Discovery: System Language Discovery; Modifies registry class
71 | 2372 | C:\Windows\SysWOW64\Ophoecoa.exe | Adds autorun key to be loaded by Explorer.exe on startup
72 | 872 | C:\Windows\SysWOW64\Onlooh32.exe |
73 | 2184 | C:\Windows\SysWOW64\Oegdcj32.exe |
74 | 2844 | C:\Windows\SysWOW64\Opmhqc32.exe |
75 | 2848 | C:\Windows\SysWOW64\Plcied32.exe |
76 | 2884 | C:\Windows\SysWOW64\Pkifgpeh.exe |
77 | 940 | C:\Windows\SysWOW64\Pgogla32.exe |
78 | 2996 | C:\Windows\SysWOW64\Phocfd32.exe | Adds autorun key to be loaded by Explorer.exe on startup
79 | 1436 | C:\Windows\SysWOW64\Pdfdkehc.exe | Drops file in System32 directory
80 | 1152 | C:\Windows\SysWOW64\Pjblcl32.exe | Modifies registry class
81 | 3008 | C:\Windows\SysWOW64\Qckalamk.exe |
82 | 2216 | C:\Windows\SysWOW64\Qcmnaaji.exe | Adds autorun key to be loaded by Explorer.exe on startup
83 | 1260 | C:\Windows\SysWOW64\Amebjgai.exe | Modifies registry class
84 | 1080 | C:\Windows\SysWOW64\Abbjbnoq.exe |
85 | 2568 | C:\Windows\SysWOW64\Akkokc32.exe |
86 | 1764 | C:\Windows\SysWOW64\Akmlacdn.exe |
87 | 932 | C:\Windows\SysWOW64\Aialjgbh.exe |
88 | 1528 | C:\Windows\SysWOW64\Aicipgqe.exe |
89 | 2368 | C:\Windows\SysWOW64\Anpahn32.exe |
90 | 2168 | C:\Windows\SysWOW64\Baajji32.exe | System Location Discovery: System Language Discovery
91 | 3048 | C:\Windows\SysWOW64\Bnekcm32.exe |
92 | 1628 | C:\Windows\SysWOW64\Biolckgf.exe |
93 | 264 | C:\Windows\SysWOW64\Bcdpacgl.exe | Drops file in System32 directory
94 | 2904 | C:\Windows\SysWOW64\Bfeibo32.exe |
95 | 2792 | C:\Windows\SysWOW64\Cbljgpja.exe |
96 | 1780 | C:\Windows\SysWOW64\Cbnfmo32.exe |
97 | 1548 | C:\Windows\SysWOW64\Clfkfeno.exe |
98 | 2476 | C:\Windows\SysWOW64\Cmjdcm32.exe |
99 | 680 | C:\Windows\SysWOW64\Chohqebq.exe |
100 | 1868 | C:\Windows\SysWOW64\Dfdeab32.exe |
101 | 1996 | C:\Windows\SysWOW64\Dpmjjhmi.exe |
102 | 2604 | C:\Windows\SysWOW64\Diencmcj.exe | Drops file in System32 directory
103 | 1808 | C:\Windows\SysWOW64\Dbnblb32.exe |
104 | 2608 | C:\Windows\SysWOW64\Dlfgehqk.exe | Drops file in System32 directory
105 | 2364 | C:\Windows\SysWOW64\Dijgnm32.exe | Drops file in System32 directory
106 | 2020 | C:\Windows\SysWOW64\Dogpfc32.exe | Modifies registry class
107 | 2540 | C:\Windows\SysWOW64\Dpflqfeo.exe |
108 | 1248 | C:\Windows\SysWOW64\Egikle32.exe |
109 | 2136 | C:\Windows\SysWOW64\Edmkei32.exe |
110 | 1500 | C:\Windows\SysWOW64\Enepnoji.exe |
111 | 556 | C:\Windows\SysWOW64\Ecbhfeip.exe |
112 | 2472 | C:\Windows\SysWOW64\Fgpalcog.exe |
113 | 768 | C:\Windows\SysWOW64\Fokfqflb.exe |
114 | 1656 | C:\Windows\SysWOW64\Fqkbkicd.exe | System Location Discovery: System Language Discovery
115 | 576 | C:\Windows\SysWOW64\Fclkldqe.exe |
116 | 888 | C:\Windows\SysWOW64\Foblaefj.exe | Modifies registry class
117 | 2392 | C:\Windows\SysWOW64\Ggnqfgce.exe |
118 | 2832 | C:\Windows\SysWOW64\Ggpmkgab.exe |
119 | 1968 | C:\Windows\SysWOW64\Gknfaehi.exe |
120 | 1880 | C:\Windows\SysWOW64\Gqknjlfp.exe | Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
121 | 2676 | C:\Windows\SysWOW64\Gnoocq32.exe |
122 | 1016 | C:\Windows\SysWOW64\Hmdldmja.exe |