Analysis

max time kernel: 92s
max time network: 134s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 01:05

Behavioral task behavioral1
Sample: 9f17ff427bd52c45482fb986797e9af045c460d28176dbdc56688c56b00faf80.exe
Resource: win7-20240903-en

Behavioral task behavioral2
Sample: 9f17ff427bd52c45482fb986797e9af045c460d28176dbdc56688c56b00faf80.exe
Resource: win10v2004-20241007-en

General

Target: 9f17ff427bd52c45482fb986797e9af045c460d28176dbdc56688c56b00faf80.exe
Size: 124KB
MD5: ec8f1f3024260f06b259aced561e3df6
SHA1: b220c42c57405c5cc0a9eb5a366580ab52f7da16
SHA256: 9f17ff427bd52c45482fb986797e9af045c460d28176dbdc56688c56b00faf80
SHA512: e5bc5043288d3f081927e4d3f7c8e065ff1a2485e950fbc0c14beda26de1eb3e6a0c0f0f356263a20f8f2304d34c73dceb23dde485d29e4b97f6810e2bb97f2b
SSDEEP: 3072:8rl0H4YylHF8tK8fiVDKQgBj6+JB8M6m9jqLsFmsr:c0YbkNBj6MB8Mhjwszr
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" (30 processes):
Ajfnnf32.exe, Ldkdmj32.exe, Hkihegdi.exe, Mopefk32.exe, Nafgdh32.exe, Igebegeg.exe, Poeaoe32.exe, Iqmpcg32.exe, Ahgadcll.exe, Hlldmb32.exe, Fakkpnld.exe, Jqfcje32.exe, Kqhalm32.exe, Ehejfkad.exe, Bmpifphe.exe, Ainnoi32.exe, Mnkeaebf.exe, Ceglmh32.exe, Ehjjkp32.exe, Phfhmeko.exe, Acjillnd.exe, Kgigbhlh.exe, Oihopa32.exe, Plpobk32.exe, Cjjjej32.exe, Dflkei32.exe, Eppojm32.exe, Mlliejcb.exe, Mhcjjk32.exe, Cbiajemo.exe

Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (34 processes):
Jbmloneh.exe, Gmiaen32.exe, Jbjiohco.exe, Gdadgohl.exe, Goghdhhb.exe, Gdammiep.exe, Cmmpldbc.exe, Nbigna32.exe, Akcajo32.exe, Ngleec32.exe, Hgkidbjf.exe, Jidalb32.exe, Kindbq32.exe, Ceglmh32.exe, Inaggaka.exe, Kphcianj.exe, Bjbddkmm.exe, Kjhjijog.exe, Embihh32.exe, Oilbajjl.exe, Bbflmhmd.exe, Cchndhdb.exe, Jqlbpnfn.exe, Mnlklnmg.exe, Khfdcc32.exe, Pgfbpdhl.exe, Kipqgp32.exe, Nicokkbf.exe, Hmdjgf32.exe, Jdkaqcpp.exe, Nhclfbgh.exe, Loioflhd.exe, Cjcmkh32.exe, Depncf32.exe
Berbew family
Executes dropped EXE (64 IoCs)

pid | process
2308 | Ceglmh32.exe
4676 | Cfhhepjm.exe
3264 | Cmbpaj32.exe
3548 | Ceihbgbl.exe
1496 | Cfjejp32.exe
3168 | Doamlm32.exe
1228 | Delehgpi.exe
5012 | Dfmapp32.exe
4068 | Dodiam32.exe
984 | Denang32.exe
316 | Dfoneode.exe
4020 | Dmifbi32.exe
3580 | Depncf32.exe
4340 | Dfakkobb.exe
1440 | Dagohgah.exe
3028 | Dhageaie.exe
116 | Dkocamhi.exe
4336 | Dailng32.exe
1820 | Dhcdkagb.exe
4484 | Ekapgmff.exe
2940 | Emplchej.exe
1160 | Edjepb32.exe
1072 | Eghalnlj.exe
2368 | Embihh32.exe
1156 | Ehhmfq32.exe
1868 | Ekfjbl32.exe
596 | Eapbofjm.exe
2680 | Ehjjkp32.exe
2768 | Eodbhj32.exe
1988 | Eabodf32.exe
432 | Edakpa32.exe
1620 | Egpglm32.exe
2012 | Eeqgjdna.exe
1792 | Fhocfpme.exe
3628 | Fkmpbk32.exe
3860 | Fnllof32.exe
2160 | Fecdpd32.exe
848 | Fhaplo32.exe
2180 | Fkpmhk32.exe
3792 | Fnnidf32.exe
3996 | Feeqec32.exe
3716 | Fgfmmlpj.exe
3780 | Foneni32.exe
1576 | Fehmkchi.exe
4964 | Fgijbk32.exe
3128 | Fopbdi32.exe
4656 | Fdmjlp32.exe
4904 | Fgkfhk32.exe
4992 | Foboih32.exe
1748 | Faqkedkk.exe
1148 | Ggncnkjb.exe
1400 | Goekohjd.exe
4716 | Gdadgohl.exe
4316 | Ghmphn32.exe
4560 | Goghdhhb.exe
4984 | Gaedqc32.exe
4212 | Gddqmo32.exe
1124 | Ggbmij32.exe
2900 | Gahafc32.exe
952 | Ghbicmmp.exe
1016 | Gnoakdkg.exe
3804 | Gggfdiag.exe
1816 | Gnanqc32.exe
4500 | Hdkgmnpa.exe
Drops file in System32 directory (64 IoCs)

description | ioc | process
File created | C:\Windows\SysWOW64\Phiebe32.exe | Paomfkao.exe
File opened for modification | C:\Windows\SysWOW64\Peobaiec.exe | Pcqfenfo.exe
File created | C:\Windows\SysWOW64\Nelpcl32.dll | Cjjjej32.exe
File created | C:\Windows\SysWOW64\Fidmfo32.dll | Ainnoi32.exe
File created | C:\Windows\SysWOW64\Haefmk32.exe | Hjnnlm32.exe
File created | C:\Windows\SysWOW64\Kbclefkd.exe | Kepklb32.exe
File opened for modification | C:\Windows\SysWOW64\Doooii32.exe | Dmqbmn32.exe
File created | C:\Windows\SysWOW64\Fbggbabl.exe | Fpijfeci.exe
File opened for modification | C:\Windows\SysWOW64\Fmohei32.exe | Fjakin32.exe
File created | C:\Windows\SysWOW64\Mopefk32.exe | Mehanell.exe
File created | C:\Windows\SysWOW64\Glkkfeop.exe | Gkjnom32.exe
File created | C:\Windows\SysWOW64\Gdepmbmo.exe | Glngldmm.exe
File opened for modification | C:\Windows\SysWOW64\Hccodmjl.exe | Hlighc32.exe
File opened for modification | C:\Windows\SysWOW64\Cmhfae32.exe | Cjjjej32.exe
File created | C:\Windows\SysWOW64\Edgapl32.exe | Eaieca32.exe
File created | C:\Windows\SysWOW64\Fhcfgi32.exe | Fplnfk32.exe
File created | C:\Windows\SysWOW64\Jphieo32.exe | Jnilic32.exe
File created | C:\Windows\SysWOW64\Gneafcnc.dll | Kgigbhlh.exe
File opened for modification | C:\Windows\SysWOW64\Gddqmo32.exe | Gaedqc32.exe
File created | C:\Windows\SysWOW64\Bnfmia32.dll | Gibopo32.exe
File created | C:\Windows\SysWOW64\Jkfkpo32.dll | Fmohei32.exe
File created | C:\Windows\SysWOW64\Goghdhhb.exe | Ghmphn32.exe
File opened for modification | C:\Windows\SysWOW64\Fjakin32.exe | Ffephohc.exe
File created | C:\Windows\SysWOW64\Hjghknkm.exe | Hgilocli.exe
File created | C:\Windows\SysWOW64\Fipica32.exe | Fkmihehm.exe
File created | C:\Windows\SysWOW64\Blmcholc.dll | Acglfm32.exe
File created | C:\Windows\SysWOW64\Igjped32.dll | Gmmdfgdp.exe
File created | C:\Windows\SysWOW64\Aeaqdeiq.dll | Lechbf32.exe
File opened for modification | C:\Windows\SysWOW64\Poeaoe32.exe | Phlibkje.exe
File created | C:\Windows\SysWOW64\Bgdhhoni.exe | Bcilgq32.exe
File created | C:\Windows\SysWOW64\Nnabjdgb.dll | Cjcmkh32.exe
File created | C:\Windows\SysWOW64\Dhndel32.exe | Dcbhdmoc.exe
File created | C:\Windows\SysWOW64\Haqmbk32.exe | Hneaam32.exe
File opened for modification | C:\Windows\SysWOW64\Ligfho32.exe | Lbmnke32.exe
File opened for modification | C:\Windows\SysWOW64\Bjfgedel.exe | Bcmohj32.exe
File opened for modification | C:\Windows\SysWOW64\Knifon32.exe | Kljjcb32.exe
File created | C:\Windows\SysWOW64\Njoglmfg.dll | Fpijfeci.exe
File created | C:\Windows\SysWOW64\Jcknlj32.exe | Jqlbpnfn.exe
File created | C:\Windows\SysWOW64\Imoncqmj.dll | Kkkice32.exe
File created | C:\Windows\SysWOW64\Epdakf32.exe | Eijinlpa.exe
File opened for modification | C:\Windows\SysWOW64\Oihopa32.exe | Ogjcde32.exe
File opened for modification | C:\Windows\SysWOW64\Ejcfbfqg.exe | Ehejfkad.exe
File created | C:\Windows\SysWOW64\Feeqec32.exe | Fnnidf32.exe
File created | C:\Windows\SysWOW64\Eikkjqoh.dll | Hkihegdi.exe
File opened for modification | C:\Windows\SysWOW64\Lpmldp32.exe | Khfdcc32.exe
File created | C:\Windows\SysWOW64\Kkbpcn32.dll | Bgiaco32.exe
File opened for modification | C:\Windows\SysWOW64\Dcbhdmoc.exe | Dadkhapo.exe
File created | C:\Windows\SysWOW64\Hjnnlm32.exe | Hkknpqnj.exe
File opened for modification | C:\Windows\SysWOW64\Iqmpcg32.exe | Inndgk32.exe
File opened for modification | C:\Windows\SysWOW64\Dbbdpddd.exe | Dpdhdheq.exe
File opened for modification | C:\Windows\SysWOW64\Fgijbk32.exe | Fehmkchi.exe
File created | C:\Windows\SysWOW64\Mnadgn32.exe | Mkchkb32.exe
File created | C:\Windows\SysWOW64\Kknfie32.exe | Kcfnhh32.exe
File created | C:\Windows\SysWOW64\Olihblon.exe | Oiklfqpj.exe
File opened for modification | C:\Windows\SysWOW64\Pcnipn32.exe | Pkgaoq32.exe
File opened for modification | C:\Windows\SysWOW64\Fimeclno.exe | Ffnigpok.exe
File opened for modification | C:\Windows\SysWOW64\Dfmapp32.exe | Delehgpi.exe
File created | C:\Windows\SysWOW64\Ecoopakp.dll | Bfbohmii.exe
File created | C:\Windows\SysWOW64\Njfdikjb.dll | Ggoiiddd.exe
File created | C:\Windows\SysWOW64\Gkbkjbfe.exe | Gdhcmh32.exe
File created | C:\Windows\SysWOW64\Abcjbp32.dll | Ohmegg32.exe
File created | C:\Windows\SysWOW64\Emjnjegi.dll | Aoqiqm32.exe
File created | C:\Windows\SysWOW64\Hpabdhgp.dll | Cjpikbma.exe
File created | C:\Windows\SysWOW64\Kkkice32.exe | Kcdabhmg.exe
Program crash (1 IoC)

pid | pid_target | process | target process
14904 | 14528 | WerFault.exe | Njahbm32.exe
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (64 processes):
Nimpdb32.exe, Oockch32.exe, Nlmblg32.exe, 9f17ff427bd52c45482fb986797e9af045c460d28176dbdc56688c56b00faf80.exe, Cfhhepjm.exe, Igebegeg.exe, Phiebe32.exe, Mnadgn32.exe, Mefcihdd.exe, Nedpjfhd.exe, Aghhla32.exe, Eamnophd.exe, Fhcfgi32.exe, Cchndhdb.exe, Dbgnkc32.exe, Lkgiod32.exe, Edjepb32.exe, Ncjnhg32.exe, Obefjo32.exe, Dfakkobb.exe, Oknnhb32.exe, Dmcobm32.exe, Fjakin32.exe, Hikklg32.exe, Ikamfi32.exe, Dodiam32.exe, Egpglm32.exe, Hdkgmnpa.exe, Cgpgdndl.exe, Kindbq32.exe, Aaabbh32.exe, Nminnj32.exe, Knifon32.exe, Kpkpoq32.exe, Jkpqbnlb.exe, Oaqqdm32.exe, Jkkpmh32.exe, Mapqci32.exe, Efjgggfl.exe, Mlliejcb.exe, Lemqbjlo.exe, Keekahla.exe, Empehban.exe, Hjdleo32.exe, Hhhhif32.exe, Kepklb32.exe, Najjdncg.exe, Hglpoi32.exe, Efbjlbih.exe, Eldloh32.exe, Peeokjnm.exe, Phdlgfma.exe, Lpafopeo.exe, Lpdbeo32.exe, Opgahjed.exe, Bgpomp32.exe, Djhffhke.exe, Njkile32.exe, Ajhjcfal.exe, Bjbmjdia.exe, Gahafc32.exe, Hnehlceo.exe, Ejcfbfqg.exe, Maiamqaj.exe
Modifies registry class (64 IoCs)

Processes: Olglllqq.exe, Gbnmbpld.exe, Mgpfjd32.exe, Ogaied32.exe, Lnlbeq32.exe, Boofbkhi.exe, Ochjjebe.exe, Eaieca32.exe, Kilngg32.exe, Loioflhd.exe, Ehejfkad.exe, Nabmiifc.exe, Fgkfhk32.exe, Hclidnpd.exe, Ihknec32.exe, Qeaogicp.exe, Fjakin32.exe, Foneni32.exe, Lhmjcbcj.exe, Fpnkkk32.exe, Gibopo32.exe, Cfnndkol.exe, Miecim32.exe, Bjfgedel.exe, Lemqbjlo.exe, Mapqci32.exe, Nedpjfhd.exe, Oihopa32.exe, Cgpgdndl.exe, Gikiopej.exe, Lcbmcf32.exe, Lkpboe32.exe, Edakpa32.exe, Miapid32.exe, Ncjnhg32.exe, Oogncajf.exe, Hikklg32.exe, Fnnidf32.exe, Ioljfe32.exe, Haefmk32.exe, Cbbkif32.exe, Iepiokni.exe, Qhpkcdbd.exe, Glkkfeop.exe, Fpkgke32.exe, Dlkiii32.exe, Hkadplbi.exe, Igcdpknp.exe, Kjlmic32.exe, Goghdhhb.exe, Ioadadbd.exe, Gdcjbhcm.exe, Mlliejcb.exe, Gkmbob32.exe, Ijedll32.exe, Hhhhif32.exe, Iqomiffj.exe, Nhclfbgh.exe, Eogonj32.exe, Phnehkhb.exe, Aooced32.exe, Cpfcmq32.exe

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" (19 processes):
Olglllqq.exe, Lnlbeq32.exe, Boofbkhi.exe, Kilngg32.exe, Loioflhd.exe, Ihknec32.exe, Fjakin32.exe, Cfnndkol.exe, Mapqci32.exe, Cgpgdndl.exe, Ncjnhg32.exe, Hikklg32.exe, Ioljfe32.exe, Qhpkcdbd.exe, Dlkiii32.exe, Igcdpknp.exe, Goghdhhb.exe, Ioadadbd.exe, Gkmbob32.exe

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 (14 processes):
Gbnmbpld.exe, Ochjjebe.exe, Fgkfhk32.exe, Foneni32.exe, Fpnkkk32.exe, Gibopo32.exe, Lemqbjlo.exe, Lkpboe32.exe, Oogncajf.exe, Haefmk32.exe, Iepiokni.exe, Fpkgke32.exe, Hkadplbi.exe, Ijedll32.exe

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ (default) = DLL path (22 processes):
"C:\\Windows\\SysWow64\\Gmnbllhc.dll" | Mgpfjd32.exe
"C:\\Windows\\SysWow64\\Fhkdoo32.dll" | Ogaied32.exe
"C:\\Windows\\SysWow64\\Ghjcpobj.dll" | Eaieca32.exe
"C:\\Windows\\SysWow64\\Dcpkhn32.dll" | Ehejfkad.exe
"C:\\Windows\\SysWow64\\Ppdbpl32.dll" | Nabmiifc.exe
"C:\\Windows\\SysWow64\\Boijii32.dll" | Hclidnpd.exe
"C:\\Windows\\SysWow64\\Ngmkmp32.dll" | Qeaogicp.exe
"C:\\Windows\\SysWow64\\Mambio32.dll" | Lhmjcbcj.exe
"C:\\Windows\\SysWow64\\Mqiklm32.dll" | Miecim32.exe
"C:\\Windows\\SysWow64\\Amlajoem.dll" | Bjfgedel.exe
"C:\\Windows\\SysWow64\\Lhkqdo32.dll" | Nedpjfhd.exe
"C:\\Windows\\SysWow64\\Fiipke32.dll" | Oihopa32.exe
"C:\\Windows\\SysWow64\\Dnnmfkof.dll" | Gikiopej.exe
"C:\\Windows\\SysWow64\\Opoada32.dll" | Lcbmcf32.exe
"C:\\Windows\\SysWow64\\Heibmekp.dll" | Edakpa32.exe
"C:\\Windows\\SysWow64\\Hcemppib.dll" | Miapid32.exe
"C:\\Windows\\SysWow64\\Pedcjbme.dll" | Fnnidf32.exe
"C:\\Windows\\SysWow64\\Lgpdcp32.dll" | Cbbkif32.exe
"C:\\Windows\\SysWow64\\Qokeqobp.dll" | Glkkfeop.exe
"C:\\Windows\\SysWow64\\Dophhc32.dll" | Kjlmic32.exe
"C:\\Windows\\SysWow64\\Cllqhfeh.dll" | Gdcjbhcm.exe
"C:\\Windows\\SysWow64\\Pehbko32.dll" | Mlliejcb.exe

Key created (remaining entries truncated in source)
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgpfjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hclidnpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oabego32.dll" Hhhhif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iqomiffj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhclfbgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eogonj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phnehkhb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aooced32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbekgmkm.dll" Cpfcmq32.exe -
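Every entry above writes the same CLSID, {79FEACFF-FFCE-815E-A900-316290B5B738}, and each dropped stage re-points that CLSID's InProcServer32 default value at a differently named DLL under SysWow64. The persistence is the join between two keys: a ShellServiceObjectDelayLoad value that names the CLSID (so Explorer loads it at logon) and the CLSID's InProcServer32 path that says which DLL that is. The Python below is an added example, not code from the sandbox report, the sandbox vendor or the sample; it parses report lines of this shape and performs that join, then flags any CLSID whose in-process server has been rotated through more than one DLL. The InProcServer32 sample lines are copied from this section; the single ShellServiceObjectDelayLoad line is constructed for the example (its value name, ExampleValue, is an assumption), and all function names are mine.

```python
import re
from collections import defaultdict

# One sandbox registry event: "<op> <path>[ = "<data>"] <writing process>".
# Value names may contain spaces, so the path is matched lazily and the event
# is terminated by the trailing "<image>.exe" token.
EVENT_RE = re.compile(
    r'(?P<op>Set value \(str\)|Key created) '
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?: = "(?P<data>[^"]*)")?'
    r' (?P<proc>\S+?\.exe)(?=\s|$)'
)
CLSID_RE = re.compile(r'\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}', re.I)
SSODL = '\\ShellServiceObjectDelayLoad\\'

# Constructed sample: the first line is an assumed ShellServiceObjectDelayLoad
# registration (value name is made up); the rest are copied from the report.
SAMPLE_REPORT = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ExampleValue = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ceglmh32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fgkfhk32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghjcpobj.dll" Eaieca32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kilngg32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcpkhn32.dll" Ehejfkad.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppdbpl32.dll" Nabmiifc.exe
'''


def parse_registry_events(text):
    """Return one dict per recognised registry event in the report text."""
    events = []
    for m in EVENT_RE.finditer(text):
        data = m.group('data')
        events.append({
            'op': m.group('op'),
            'path': m.group('path'),
            # the report escapes backslashes inside string data; undo that
            'data': None if data is None else data.replace('\\\\', '\\'),
            'proc': m.group('proc'),
        })
    return events


def ssodl_persistence(events):
    """Join ShellServiceObjectDelayLoad CLSIDs to the DLLs their InProcServer32 names.

    Returns {CLSID: {'values': set, 'registered_by': set, 'dlls': set, 'written_by': set}}.
    """
    out = defaultdict(lambda: {'values': set(), 'registered_by': set(),
                               'dlls': set(), 'written_by': set()})
    # Pass 1: which CLSIDs is Explorer told to load at startup?
    for ev in events:
        if SSODL in ev['path'] and ev['data'] and CLSID_RE.fullmatch(ev['data']):
            clsid = ev['data'].upper()
            out[clsid]['values'].add(ev['path'].rsplit('\\', 1)[1])
            out[clsid]['registered_by'].add(ev['proc'])
    # Pass 2: every InProcServer32 default value written for those CLSIDs.
    for ev in events:
        m = CLSID_RE.search(ev['path'])
        if not m or m.group(0).upper() not in out:
            continue
        if ev['path'].endswith('\\InProcServer32\\') and ev['data']:
            entry = out[m.group(0).upper()]
            entry['dlls'].add(ev['data'])
            entry['written_by'].add(ev['proc'])
    return dict(out)


def rotated_servers(summary, threshold=1):
    """CLSIDs whose in-process server was pointed at more than `threshold` distinct DLLs."""
    return sorted(c for c, e in summary.items() if len(e['dlls']) > threshold)


if __name__ == '__main__':
    summary = ssodl_persistence(parse_registry_events(SAMPLE_REPORT))
    for clsid, entry in summary.items():
        print(clsid, 'registered as', sorted(entry['values']))
        for dll in sorted(entry['dlls']):
            print('   ->', dll)
    print('rotated:', rotated_servers(summary))
```

The same join applies on a live host: enumerate the values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (and its WOW6432Node twin), then resolve each CLSID's InProcServer32 under HKCR\CLSID. A legitimate shell service object keeps one stable DLL; one CLSID cycling through freshly named files in the system directory, as here, is the signal to alert on.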
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
9f17ff427bd52c45482fb986797e9af045c460d28176dbdc56688c56b00faf80.exe, Ceglmh32.exe, Cfhhepjm.exe, Cmbpaj32.exe, Ceihbgbl.exe, Cfjejp32.exe, Doamlm32.exe, Delehgpi.exe, Dfmapp32.exe, Dodiam32.exe, Denang32.exe, Dfoneode.exe, Dmifbi32.exe, Depncf32.exe, Dfakkobb.exe, Dagohgah.exe, Dhageaie.exe, Dkocamhi.exe, Dailng32.exe, Dhcdkagb.exe, Ekapgmff.exe, Emplchej.exe
description | pid | process | target process
PID 3272 wrote to memory of 2308 | 3272 | 9f17ff427bd52c45482fb986797e9af045c460d28176dbdc56688c56b00faf80.exe | Ceglmh32.exe
PID 3272 wrote to memory of 2308 | 3272 | 9f17ff427bd52c45482fb986797e9af045c460d28176dbdc56688c56b00faf80.exe | Ceglmh32.exe
PID 3272 wrote to memory of 2308 | 3272 | 9f17ff427bd52c45482fb986797e9af045c460d28176dbdc56688c56b00faf80.exe | Ceglmh32.exe
PID 2308 wrote to memory of 4676 | 2308 | Ceglmh32.exe | Cfhhepjm.exe
PID 2308 wrote to memory of 4676 | 2308 | Ceglmh32.exe | Cfhhepjm.exe
PID 2308 wrote to memory of 4676 | 2308 | Ceglmh32.exe | Cfhhepjm.exe
PID 4676 wrote to memory of 3264 | 4676 | Cfhhepjm.exe | Cmbpaj32.exe
PID 4676 wrote to memory of 3264 | 4676 | Cfhhepjm.exe | Cmbpaj32.exe
PID 4676 wrote to memory of 3264 | 4676 | Cfhhepjm.exe | Cmbpaj32.exe
PID 3264 wrote to memory of 3548 | 3264 | Cmbpaj32.exe | Ceihbgbl.exe
PID 3264 wrote to memory of 3548 | 3264 | Cmbpaj32.exe | Ceihbgbl.exe
PID 3264 wrote to memory of 3548 | 3264 | Cmbpaj32.exe | Ceihbgbl.exe
PID 3548 wrote to memory of 1496 | 3548 | Ceihbgbl.exe | Cfjejp32.exe
PID 3548 wrote to memory of 1496 | 3548 | Ceihbgbl.exe | Cfjejp32.exe
PID 3548 wrote to memory of 1496 | 3548 | Ceihbgbl.exe | Cfjejp32.exe
PID 1496 wrote to memory of 3168 | 1496 | Cfjejp32.exe | Doamlm32.exe
PID 1496 wrote to memory of 3168 | 1496 | Cfjejp32.exe | Doamlm32.exe
PID 1496 wrote to memory of 3168 | 1496 | Cfjejp32.exe | Doamlm32.exe
PID 3168 wrote to memory of 1228 | 3168 | Doamlm32.exe | Delehgpi.exe
PID 3168 wrote to memory of 1228 | 3168 | Doamlm32.exe | Delehgpi.exe
PID 3168 wrote to memory of 1228 | 3168 | Doamlm32.exe | Delehgpi.exe
PID 1228 wrote to memory of 5012 | 1228 | Delehgpi.exe | Dfmapp32.exe
PID 1228 wrote to memory of 5012 | 1228 | Delehgpi.exe | Dfmapp32.exe
PID 1228 wrote to memory of 5012 | 1228 | Delehgpi.exe | Dfmapp32.exe
PID 5012 wrote to memory of 4068 | 5012 | Dfmapp32.exe | Dodiam32.exe
PID 5012 wrote to memory of 4068 | 5012 | Dfmapp32.exe | Dodiam32.exe
PID 5012 wrote to memory of 4068 | 5012 | Dfmapp32.exe | Dodiam32.exe
PID 4068 wrote to memory of 984 | 4068 | Dodiam32.exe | Denang32.exe
PID 4068 wrote to memory of 984 | 4068 | Dodiam32.exe | Denang32.exe
PID 4068 wrote to memory of 984 | 4068 | Dodiam32.exe | Denang32.exe
PID 984 wrote to memory of 316 | 984 | Denang32.exe | Dfoneode.exe
PID 984 wrote to memory of 316 | 984 | Denang32.exe | Dfoneode.exe
PID 984 wrote to memory of 316 | 984 | Denang32.exe | Dfoneode.exe
PID 316 wrote to memory of 4020 | 316 | Dfoneode.exe | Dmifbi32.exe
PID 316 wrote to memory of 4020 | 316 | Dfoneode.exe | Dmifbi32.exe
PID 316 wrote to memory of 4020 | 316 | Dfoneode.exe | Dmifbi32.exe
PID 4020 wrote to memory of 3580 | 4020 | Dmifbi32.exe | Depncf32.exe
PID 4020 wrote to memory of 3580 | 4020 | Dmifbi32.exe | Depncf32.exe
PID 4020 wrote to memory of 3580 | 4020 | Dmifbi32.exe | Depncf32.exe
PID 3580 wrote to memory of 4340 | 3580 | Depncf32.exe | Dfakkobb.exe
PID 3580 wrote to memory of 4340 | 3580 | Depncf32.exe | Dfakkobb.exe
PID 3580 wrote to memory of 4340 | 3580 | Depncf32.exe | Dfakkobb.exe
PID 4340 wrote to memory of 1440 | 4340 | Dfakkobb.exe | Dagohgah.exe
PID 4340 wrote to memory of 1440 | 4340 | Dfakkobb.exe | Dagohgah.exe
PID 4340 wrote to memory of 1440 | 4340 | Dfakkobb.exe | Dagohgah.exe
PID 1440 wrote to memory of 3028 | 1440 | Dagohgah.exe | Dhageaie.exe
PID 1440 wrote to memory of 3028 | 1440 | Dagohgah.exe | Dhageaie.exe
PID 1440 wrote to memory of 3028 | 1440 | Dagohgah.exe | Dhageaie.exe
PID 3028 wrote to memory of 116 | 3028 | Dhageaie.exe | Dkocamhi.exe
PID 3028 wrote to memory of 116 | 3028 | Dhageaie.exe | Dkocamhi.exe
PID 3028 wrote to memory of 116 | 3028 | Dhageaie.exe | Dkocamhi.exe
PID 116 wrote to memory of 4336 | 116 | Dkocamhi.exe | Dailng32.exe
PID 116 wrote to memory of 4336 | 116 | Dkocamhi.exe | Dailng32.exe
PID 116 wrote to memory of 4336 | 116 | Dkocamhi.exe | Dailng32.exe
PID 4336 wrote to memory of 1820 | 4336 | Dailng32.exe | Dhcdkagb.exe
PID 4336 wrote to memory of 1820 | 4336 | Dailng32.exe | Dhcdkagb.exe
PID 4336 wrote to memory of 1820 | 4336 | Dailng32.exe | Dhcdkagb.exe
PID 1820 wrote to memory of 4484 | 1820 | Dhcdkagb.exe | Ekapgmff.exe
PID 1820 wrote to memory of 4484 | 1820 | Dhcdkagb.exe | Ekapgmff.exe
PID 1820 wrote to memory of 4484 | 1820 | Dhcdkagb.exe | Ekapgmff.exe
PID 4484 wrote to memory of 2940 | 4484 | Ekapgmff.exe | Emplchej.exe
PID 4484 wrote to memory of 2940 | 4484 | Ekapgmff.exe | Emplchej.exe
PID 4484 wrote to memory of 2940 | 4484 | Ekapgmff.exe | Emplchej.exe
PID 2940 wrote to memory of 1160 | 2940 | Emplchej.exe | Edjepb32.exe
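Read as edges, the WriteProcessMemory rows above reproduce the spawn chain shown in the process tree: each stage writes into the next stage's memory exactly three times, and only the final pair (Emplchej.exe into Edjepb32.exe) shows a single write because the listing stops at 64 entries. The Python below is an added example, not code from the report, the sandbox or the sample; it parses rows of this shape into (writer, target) edges, walks the lineage from the submitted binary, and reports edges whose write count departs from the three-per-spawn pattern. The sample rows are copied from the table above (three spawns plus the truncated tail); the function names are mine.

```python
import re
from collections import Counter

# One row of the report's WriteProcessMemory table:
#   "PID <src> wrote to memory of <dst> <src> <source image> <target image>"
WRITE_RE = re.compile(
    r'PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) '
    r'(?P<src_name>\S+\.exe) (?P<dst_name>\S+\.exe)'
)

# Sample rows copied from the report (first three spawns and the last, truncated, pair).
SAMPLE_TABLE = """
PID 3272 wrote to memory of 2308 3272 9f17ff427bd52c45482fb986797e9af045c460d28176dbdc56688c56b00faf80.exe Ceglmh32.exe
PID 3272 wrote to memory of 2308 3272 9f17ff427bd52c45482fb986797e9af045c460d28176dbdc56688c56b00faf80.exe Ceglmh32.exe
PID 3272 wrote to memory of 2308 3272 9f17ff427bd52c45482fb986797e9af045c460d28176dbdc56688c56b00faf80.exe Ceglmh32.exe
PID 2308 wrote to memory of 4676 2308 Ceglmh32.exe Cfhhepjm.exe
PID 2308 wrote to memory of 4676 2308 Ceglmh32.exe Cfhhepjm.exe
PID 2308 wrote to memory of 4676 2308 Ceglmh32.exe Cfhhepjm.exe
PID 4676 wrote to memory of 3264 4676 Cfhhepjm.exe Cmbpaj32.exe
PID 4676 wrote to memory of 3264 4676 Cfhhepjm.exe Cmbpaj32.exe
PID 4676 wrote to memory of 3264 4676 Cfhhepjm.exe Cmbpaj32.exe
PID 2940 wrote to memory of 1160 2940 Emplchej.exe Edjepb32.exe
"""


def parse_write_events(text):
    """Return [(writer_pid, target_pid, writer_image, target_image), ...] for every row."""
    return [(int(m['src']), int(m['dst']), m['src_name'], m['dst_name'])
            for m in WRITE_RE.finditer(text)]


def write_counts(events):
    """Number of cross-process writes recorded per (writer, target) pair."""
    return Counter((s, d) for s, d, _, _ in events)


def lineage(events, root_pid):
    """Follow writer -> target edges from root_pid; returns [(pid, image), ...].

    Stops at a fork (more than one target) or a repeated PID, so a malformed
    or PID-reusing log cannot send the walk into a loop.
    """
    children, names = {}, {}
    for s, d, sn, dn in events:
        names.setdefault(s, sn)
        names.setdefault(d, dn)
        children.setdefault(s, set()).add(d)
    chain = [(root_pid, names.get(root_pid))]
    seen = {root_pid}
    cur = root_pid
    while cur in children:
        targets = children[cur]
        if len(targets) != 1:
            break                      # fork: leave the branches to the caller
        (cur,) = targets
        if cur in seen:
            break                      # cycle guard
        seen.add(cur)
        chain.append((cur, names[cur]))
    return chain


def unexpected_write_counts(events, expected=3):
    """Edges whose write count differs from `expected` (three per spawn in this report)."""
    return {edge: n for edge, n in write_counts(events).items() if n != expected}


if __name__ == '__main__':
    evs = parse_write_events(SAMPLE_TABLE)
    for depth, (pid, image) in enumerate(lineage(evs, 3272), start=1):
        print(f'{depth:3d}  {pid:5d}  {image}')
    print('off-pattern edges:', unexpected_write_counts(evs))
```

Against the full 64-row table, lineage() from PID 3272 returns the same 22-process prefix of the chain that the process tree below lists by hand, and the only off-pattern edge is the truncated last pair.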
Processes
-
Each process below is spawned by the one listed above it; the leading number is its depth in the tree. Format: depth. image path (command line) PID, followed by the signatures it triggered.
1. C:\Users\Admin\AppData\Local\Temp\9f17ff427bd52c45482fb986797e9af045c460d28176dbdc56688c56b00faf80.exe (command line: "C:\Users\Admin\AppData\Local\Temp\9f17ff427bd52c45482fb986797e9af045c460d28176dbdc56688c56b00faf80.exe") PID:3272
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Ceglmh32.exe (command line: C:\Windows\system32\Ceglmh32.exe) PID:2308
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Cfhhepjm.exe (command line: C:\Windows\system32\Cfhhepjm.exe) PID:4676
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Cmbpaj32.exe (command line: C:\Windows\system32\Cmbpaj32.exe) PID:3264
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Ceihbgbl.exe (command line: C:\Windows\system32\Ceihbgbl.exe) PID:3548
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Cfjejp32.exe (command line: C:\Windows\system32\Cfjejp32.exe) PID:1496
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Doamlm32.exe (command line: C:\Windows\system32\Doamlm32.exe) PID:3168
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Delehgpi.exe (command line: C:\Windows\system32\Delehgpi.exe) PID:1228
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Dfmapp32.exe (command line: C:\Windows\system32\Dfmapp32.exe) PID:5012
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Dodiam32.exe (command line: C:\Windows\system32\Dodiam32.exe) PID:4068
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Denang32.exe (command line: C:\Windows\system32\Denang32.exe) PID:984
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Dfoneode.exe (command line: C:\Windows\system32\Dfoneode.exe) PID:316
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Dmifbi32.exe (command line: C:\Windows\system32\Dmifbi32.exe) PID:4020
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Depncf32.exe (command line: C:\Windows\system32\Depncf32.exe) PID:3580
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Dfakkobb.exe (command line: C:\Windows\system32\Dfakkobb.exe) PID:4340
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Dagohgah.exe (command line: C:\Windows\system32\Dagohgah.exe) PID:1440
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Dhageaie.exe (command line: C:\Windows\system32\Dhageaie.exe) PID:3028
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
18. C:\Windows\SysWOW64\Dkocamhi.exe (command line: C:\Windows\system32\Dkocamhi.exe) PID:116
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
19. C:\Windows\SysWOW64\Dailng32.exe (command line: C:\Windows\system32\Dailng32.exe) PID:4336
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
20. C:\Windows\SysWOW64\Dhcdkagb.exe (command line: C:\Windows\system32\Dhcdkagb.exe) PID:1820
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
21. C:\Windows\SysWOW64\Ekapgmff.exe (command line: C:\Windows\system32\Ekapgmff.exe) PID:4484
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
22. C:\Windows\SysWOW64\Emplchej.exe (command line: C:\Windows\system32\Emplchej.exe) PID:2940
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
23. C:\Windows\SysWOW64\Edjepb32.exe (command line: C:\Windows\system32\Edjepb32.exe) PID:1160
- Executes dropped EXE
- System Location Discovery: System Language Discovery
24. C:\Windows\SysWOW64\Eghalnlj.exe (command line: C:\Windows\system32\Eghalnlj.exe) PID:1072
- Executes dropped EXE
25. C:\Windows\SysWOW64\Embihh32.exe (command line: C:\Windows\system32\Embihh32.exe) PID:2368
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
26. C:\Windows\SysWOW64\Ehhmfq32.exe (command line: C:\Windows\system32\Ehhmfq32.exe) PID:1156
- Executes dropped EXE
27. C:\Windows\SysWOW64\Ekfjbl32.exe (command line: C:\Windows\system32\Ekfjbl32.exe) PID:1868
- Executes dropped EXE
28. C:\Windows\SysWOW64\Eapbofjm.exe (command line: C:\Windows\system32\Eapbofjm.exe) PID:596
- Executes dropped EXE
29. C:\Windows\SysWOW64\Ehjjkp32.exe (command line: C:\Windows\system32\Ehjjkp32.exe) PID:2680
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
30. C:\Windows\SysWOW64\Eodbhj32.exe (command line: C:\Windows\system32\Eodbhj32.exe) PID:2768
- Executes dropped EXE
31. C:\Windows\SysWOW64\Eabodf32.exe (command line: C:\Windows\system32\Eabodf32.exe) PID:1988
- Executes dropped EXE
32. C:\Windows\SysWOW64\Edakpa32.exe (command line: C:\Windows\system32\Edakpa32.exe) PID:432
- Executes dropped EXE
- Modifies registry class
33. C:\Windows\SysWOW64\Egpglm32.exe (command line: C:\Windows\system32\Egpglm32.exe) PID:1620
- Executes dropped EXE
- System Location Discovery: System Language Discovery
34. C:\Windows\SysWOW64\Eogonj32.exe (command line: C:\Windows\system32\Eogonj32.exe) PID:1580
- Modifies registry class
35. C:\Windows\SysWOW64\Eeqgjdna.exe (command line: C:\Windows\system32\Eeqgjdna.exe) PID:2012
- Executes dropped EXE
36. C:\Windows\SysWOW64\Fhocfpme.exe (command line: C:\Windows\system32\Fhocfpme.exe) PID:1792
- Executes dropped EXE
37. C:\Windows\SysWOW64\Fkmpbk32.exe (command line: C:\Windows\system32\Fkmpbk32.exe) PID:3628
- Executes dropped EXE
38. C:\Windows\SysWOW64\Fnllof32.exe (command line: C:\Windows\system32\Fnllof32.exe) PID:3860
- Executes dropped EXE
39. C:\Windows\SysWOW64\Fecdpd32.exe (command line: C:\Windows\system32\Fecdpd32.exe) PID:2160
- Executes dropped EXE
40. C:\Windows\SysWOW64\Fhaplo32.exe (command line: C:\Windows\system32\Fhaplo32.exe) PID:848
- Executes dropped EXE
41. C:\Windows\SysWOW64\Fkpmhk32.exe (command line: C:\Windows\system32\Fkpmhk32.exe) PID:2180
- Executes dropped EXE
42. C:\Windows\SysWOW64\Fnnidf32.exe (command line: C:\Windows\system32\Fnnidf32.exe) PID:3792
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
43. C:\Windows\SysWOW64\Feeqec32.exe (command line: C:\Windows\system32\Feeqec32.exe) PID:3996
- Executes dropped EXE
44. C:\Windows\SysWOW64\Fgfmmlpj.exe (command line: C:\Windows\system32\Fgfmmlpj.exe) PID:3716
- Executes dropped EXE
45. C:\Windows\SysWOW64\Foneni32.exe (command line: C:\Windows\system32\Foneni32.exe) PID:3780
- Executes dropped EXE
- Modifies registry class
46. C:\Windows\SysWOW64\Fehmkchi.exe (command line: C:\Windows\system32\Fehmkchi.exe) PID:1576
- Executes dropped EXE
- Drops file in System32 directory
47. C:\Windows\SysWOW64\Fgijbk32.exe (command line: C:\Windows\system32\Fgijbk32.exe) PID:4964
- Executes dropped EXE
48. C:\Windows\SysWOW64\Fopbdi32.exe (command line: C:\Windows\system32\Fopbdi32.exe) PID:3128
- Executes dropped EXE
49. C:\Windows\SysWOW64\Fdmjlp32.exe (command line: C:\Windows\system32\Fdmjlp32.exe) PID:4656
- Executes dropped EXE
50. C:\Windows\SysWOW64\Fgkfhk32.exe (command line: C:\Windows\system32\Fgkfhk32.exe) PID:4904
- Executes dropped EXE
- Modifies registry class
51. C:\Windows\SysWOW64\Foboih32.exe (command line: C:\Windows\system32\Foboih32.exe) PID:4992
- Executes dropped EXE
52. C:\Windows\SysWOW64\Faqkedkk.exe (command line: C:\Windows\system32\Faqkedkk.exe) PID:1748
- Executes dropped EXE
53. C:\Windows\SysWOW64\Ggncnkjb.exe (command line: C:\Windows\system32\Ggncnkjb.exe) PID:1148
- Executes dropped EXE
54. C:\Windows\SysWOW64\Goekohjd.exe (command line: C:\Windows\system32\Goekohjd.exe) PID:1400
- Executes dropped EXE
55. C:\Windows\SysWOW64\Gdadgohl.exe (command line: C:\Windows\system32\Gdadgohl.exe) PID:4716
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
56. C:\Windows\SysWOW64\Ghmphn32.exe (command line: C:\Windows\system32\Ghmphn32.exe) PID:4316
- Executes dropped EXE
- Drops file in System32 directory
57. C:\Windows\SysWOW64\Goghdhhb.exe (command line: C:\Windows\system32\Goghdhhb.exe) PID:4560
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
58. C:\Windows\SysWOW64\Gaedqc32.exe (command line: C:\Windows\system32\Gaedqc32.exe) PID:4984
- Executes dropped EXE
- Drops file in System32 directory
59. C:\Windows\SysWOW64\Gddqmo32.exe (command line: C:\Windows\system32\Gddqmo32.exe) PID:4212
- Executes dropped EXE
60. C:\Windows\SysWOW64\Ggbmij32.exe (command line: C:\Windows\system32\Ggbmij32.exe) PID:1124
- Executes dropped EXE
61. C:\Windows\SysWOW64\Gahafc32.exe (command line: C:\Windows\system32\Gahafc32.exe) PID:2900
- Executes dropped EXE
- System Location Discovery: System Language Discovery
62. C:\Windows\SysWOW64\Ghbicmmp.exe (command line: C:\Windows\system32\Ghbicmmp.exe) PID:952
- Executes dropped EXE
63. C:\Windows\SysWOW64\Gnoakdkg.exe (command line: C:\Windows\system32\Gnoakdkg.exe) PID:1016
- Executes dropped EXE
64. C:\Windows\SysWOW64\Gggfdiag.exe (command line: C:\Windows\system32\Gggfdiag.exe) PID:3804
- Executes dropped EXE
65. C:\Windows\SysWOW64\Gnanqc32.exe (command line: C:\Windows\system32\Gnanqc32.exe) PID:1816
- Executes dropped EXE
66. C:\Windows\SysWOW64\Hdkgmnpa.exe (command line: C:\Windows\system32\Hdkgmnpa.exe) PID:4500
- Executes dropped EXE
- System Location Discovery: System Language Discovery
67. C:\Windows\SysWOW64\Hoqkkfpg.exe (command line: C:\Windows\system32\Hoqkkfpg.exe) PID:4920
68. C:\Windows\SysWOW64\Hdmccmno.exe (command line: C:\Windows\system32\Hdmccmno.exe) PID:1668
69. C:\Windows\SysWOW64\Hglpoi32.exe (command line: C:\Windows\system32\Hglpoi32.exe) PID:2300
- System Location Discovery: System Language Discovery
70. C:\Windows\SysWOW64\Hnehlceo.exe (command line: C:\Windows\system32\Hnehlceo.exe) PID:3924
- System Location Discovery: System Language Discovery
71. C:\Windows\SysWOW64\Hhklilde.exe (command line: C:\Windows\system32\Hhklilde.exe) PID:1404
72. C:\Windows\SysWOW64\Hkihegdi.exe (command line: C:\Windows\system32\Hkihegdi.exe) PID:4136
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
73. C:\Windows\SysWOW64\Hdbmnm32.exe (command line: C:\Windows\system32\Hdbmnm32.exe) PID:4004
74. C:\Windows\SysWOW64\Hklekg32.exe (command line: C:\Windows\system32\Hklekg32.exe) PID:4056
75. C:\Windows\SysWOW64\Hbfmgaic.exe (command line: C:\Windows\system32\Hbfmgaic.exe) PID:3504
76. C:\Windows\SysWOW64\Hknapf32.exe (command line: C:\Windows\system32\Hknapf32.exe) PID:3112
77. C:\Windows\SysWOW64\Hnmnlb32.exe (command line: C:\Windows\system32\Hnmnlb32.exe) PID:4508
78. C:\Windows\SysWOW64\Igebegeg.exe (command line: C:\Windows\system32\Igebegeg.exe) PID:4452
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
79. C:\Windows\SysWOW64\Ioljfe32.exe (command line: C:\Windows\system32\Ioljfe32.exe) PID:2828
- Modifies registry class
80. C:\Windows\SysWOW64\Ibjgbp32.exe (command line: C:\Windows\system32\Ibjgbp32.exe) PID:4868
81. C:\Windows\SysWOW64\Iidoojlj.exe (command line: C:\Windows\system32\Iidoojlj.exe) PID:3308
82. C:\Windows\SysWOW64\Inaggaka.exe (command line: C:\Windows\system32\Inaggaka.exe) PID:3052
- Adds autorun key to be loaded by Explorer.exe on startup
83. C:\Windows\SysWOW64\Iiglejjg.exe (command line: C:\Windows\system32\Iiglejjg.exe) PID:1288
84. C:\Windows\SysWOW64\Ioadadbd.exe (command line: C:\Windows\system32\Ioadadbd.exe) PID:2064
- Modifies registry class
85. C:\Windows\SysWOW64\Ibamcooe.exe (command line: C:\Windows\system32\Ibamcooe.exe) PID:1472
86. C:\Windows\SysWOW64\Iepiokni.exe (command line: C:\Windows\system32\Iepiokni.exe) PID:1716
- Modifies registry class
87. C:\Windows\SysWOW64\Jebfej32.exe (command line: C:\Windows\system32\Jebfej32.exe) PID:2068
88. C:\Windows\SysWOW64\Jfbbomci.exe (command line: C:\Windows\system32\Jfbbomci.exe) PID:2480
89. C:\Windows\SysWOW64\Jgcofe32.exe (command line: C:\Windows\system32\Jgcofe32.exe) PID:3856
90. C:\Windows\SysWOW64\Jojghc32.exe (command line: C:\Windows\system32\Jojghc32.exe) PID:3884
91. C:\Windows\SysWOW64\Jegopjha.exe (command line: C:\Windows\system32\Jegopjha.exe) PID:3552
92. C:\Windows\SysWOW64\Jgeklege.exe (command line: C:\Windows\system32\Jgeklege.exe) PID:2036
93. C:\Windows\SysWOW64\Jpmcmbhg.exe (command line: C:\Windows\system32\Jpmcmbhg.exe) PID:2244
94. C:\Windows\SysWOW64\Jffljm32.exe (command line: C:\Windows\system32\Jffljm32.exe) PID:888
95. C:\Windows\SysWOW64\Jiehfh32.exe (command line: C:\Windows\system32\Jiehfh32.exe) PID:4580
96. C:\Windows\SysWOW64\Jpopcbfd.exe (command line: C:\Windows\system32\Jpopcbfd.exe) PID:5016
97. C:\Windows\SysWOW64\Jbmloneh.exe (command line: C:\Windows\system32\Jbmloneh.exe) PID:1452
- Adds autorun key to be loaded by Explorer.exe on startup
98. C:\Windows\SysWOW64\Jelhki32.exe (command line: C:\Windows\system32\Jelhki32.exe) PID:2716
99. C:\Windows\SysWOW64\Jgjegd32.exe (command line: C:\Windows\system32\Jgjegd32.exe) PID:472
100. C:\Windows\SysWOW64\Jpamhb32.exe (command line: C:\Windows\system32\Jpamhb32.exe) PID:5124
101. C:\Windows\SysWOW64\Kndmdojl.exe (command line: C:\Windows\system32\Kndmdojl.exe) PID:5160
102. C:\Windows\SysWOW64\Keneqi32.exe (command line: C:\Windows\system32\Keneqi32.exe) PID:5228
103. C:\Windows\SysWOW64\Kijaagjb.exe (command line: C:\Windows\system32\Kijaagjb.exe) PID:5296
104. C:\Windows\SysWOW64\Klhnmcif.exe (command line: C:\Windows\system32\Klhnmcif.exe) PID:5388
105. C:\Windows\SysWOW64\Knfjinhj.exe (command line: C:\Windows\system32\Knfjinhj.exe) PID:5436
106. C:\Windows\SysWOW64\Kbbfjm32.exe (command line: C:\Windows\system32\Kbbfjm32.exe) PID:5488
107. C:\Windows\SysWOW64\Kilngg32.exe (command line: C:\Windows\system32\Kilngg32.exe) PID:5536
- Modifies registry class
108. C:\Windows\SysWOW64\Kljjcb32.exe (command line: C:\Windows\system32\Kljjcb32.exe) PID:5588
- Drops file in System32 directory
109. C:\Windows\SysWOW64\Knifon32.exe (command line: C:\Windows\system32\Knifon32.exe) PID:5640
- System Location Discovery: System Language Discovery
110. C:\Windows\SysWOW64\Kfpnpk32.exe (command line: C:\Windows\system32\Kfpnpk32.exe) PID:5688
111. C:\Windows\SysWOW64\Kebolhnd.exe (command line: C:\Windows\system32\Kebolhnd.exe) PID:5744
112. C:\Windows\SysWOW64\Kphcianj.exe (command line: C:\Windows\system32\Kphcianj.exe) PID:5792
- Adds autorun key to be loaded by Explorer.exe on startup
113. C:\Windows\SysWOW64\Keekahla.exe (command line: C:\Windows\system32\Keekahla.exe) PID:5836
- System Location Discovery: System Language Discovery
114. C:\Windows\SysWOW64\Khchmc32.exe (command line: C:\Windows\system32\Khchmc32.exe) PID:5884
115. C:\Windows\SysWOW64\Kpkpoq32.exe (command line: C:\Windows\system32\Kpkpoq32.exe) PID:5928
- System Location Discovery: System Language Discovery
116. C:\Windows\SysWOW64\Knmpjmba.exe (command line: C:\Windows\system32\Knmpjmba.exe) PID:5968
117. C:\Windows\SysWOW64\Keghgg32.exe (command line: C:\Windows\system32\Keghgg32.exe) PID:6044
118. C:\Windows\SysWOW64\Khfdcc32.exe (command line: C:\Windows\system32\Khfdcc32.exe) PID:6088
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
119. C:\Windows\SysWOW64\Lpmldp32.exe (command line: C:\Windows\system32\Lpmldp32.exe) PID:6136
120. C:\Windows\SysWOW64\Lnpmpmpo.exe (command line: C:\Windows\system32\Lnpmpmpo.exe) PID:5156
121. C:\Windows\SysWOW64\Lfgdajaa.exe (command line: C:\Windows\system32\Lfgdajaa.exe) PID:5268
122. C:\Windows\SysWOW64\Llcmia32.exe (command line: C:\Windows\system32\Llcmia32.exe) PID:5404