Analysis
-
max time kernel
140s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
10-11-2024 01:07
Static task
static1
Behavioral task
behavioral1
Sample
a076e624c1496af67fd1b09375b3d1f2304045aaf2ed7b4a20e145eee6d553a4.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
a076e624c1496af67fd1b09375b3d1f2304045aaf2ed7b4a20e145eee6d553a4.exe
Resource
win10v2004-20241007-en
General
-
Target
a076e624c1496af67fd1b09375b3d1f2304045aaf2ed7b4a20e145eee6d553a4.exe
-
Size
55KB
-
MD5
c7c7836857023a98ed4ed49da9e677e8
-
SHA1
f0ec55a1ccceb012c4ca3c6fb0384e762f901d0b
-
SHA256
a076e624c1496af67fd1b09375b3d1f2304045aaf2ed7b4a20e145eee6d553a4
-
SHA512
27b1960990863506b71361eee295a248591f14989592e46b5ff4a6f9c5b3fba328162376358f9c9307bb894407453c4a6d6dd3c74cd02d5bbc8e699eb91e0f5d
-
SSDEEP
1536:kaUYPRoJ5zUOiWeJn0SdgnbuZ0oXD2LXn:zUeOiWK0vnbuKow3
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Ifgicg32.exeLnqjnhge.exePbemboof.exeCoicfd32.exeFhdmph32.exeOccjjnap.exeBjembh32.exeEodicd32.exeNmflee32.exeIebldo32.exeLdhgnk32.exePlndcmmj.exeClkicbfa.exeNjnmbk32.exePpddpd32.exeJibnop32.exeGmlablaa.exeKcmdjgbh.exeOhmoco32.exeFlapkmlj.exeIaegpaao.exeNqhepeai.exeNknimnap.exeDifqji32.exeIfgklp32.exeOekehomj.exeDgnminke.exeIdbnmgll.exeEmifeqid.exeBnapnm32.exeFkefbcmf.exeIinhdmma.exeBimphc32.exeDlljaj32.exeEfljhq32.exeAfpogk32.exeCmqihg32.exeMneaacno.exeAifjgdkj.exeCjmmffgn.exeFlabdecn.exeQaofgc32.exeAmjpgdik.exeEkghcq32.exeJeclebja.exeKdeaelok.exeMpphdpcf.exeBfgdmjlp.exeKlmqapci.exeJdcpkp32.exeCjogcm32.exeBlqmid32.exeGmidlmcd.exeNflfad32.exeHkmjjn32.exedescription ioc process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifgicg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnqjnhge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbemboof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Coicfd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhdmph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Occjjnap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjembh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eodicd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmflee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iebldo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldhgnk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plndcmmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clkicbfa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njnmbk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppddpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jibnop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmlablaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcmdjgbh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohmoco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flapkmlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iaegpaao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqhepeai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nknimnap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Difqji32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifgklp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oekehomj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgnminke.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idbnmgll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emifeqid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnapnm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkefbcmf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iinhdmma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bimphc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlljaj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efljhq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afpogk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmqihg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mneaacno.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aifjgdkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjmmffgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iaegpaao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flabdecn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qaofgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amjpgdik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekghcq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jeclebja.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdeaelok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpphdpcf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfgdmjlp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klmqapci.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Occjjnap.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdcpkp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjogcm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blqmid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmidlmcd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nflfad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekghcq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkmjjn32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Dpeiligo.exeDebadpeg.exeDlljaj32.exeDfbnoc32.exeDlofgj32.exeEegkpo32.exeEkdchf32.exeEeiheo32.exeElcpbigl.exeEaphjp32.exeEgmabg32.exeEodicd32.exeEhlmljkm.exeEmifeqid.exeEphbal32.exeEipgjaoi.exeFdekgjno.exeFchkbg32.exeFibcoalf.exeFlapkmlj.exeFoolgh32.exeFiepea32.exeFhgppnan.exeFhjmfnok.exeFkhibino.exeFabaocfl.exeFlhflleb.exeFepjea32.exeGgagmjbq.exeGdegfn32.exeGkoobhhg.exeGaihob32.exeGkalhgfd.exeGjdldd32.exeGlchpp32.exeGodaakic.exeGconbj32.exeGfnjne32.exeGmhbkohm.exeHofngkga.exeHjlbdc32.exeHmjoqo32.exeHbggif32.exeHmlkfo32.exeHnnhngjf.exeHfepod32.exeHiclkp32.exeHkahgk32.exeHomdhjai.exeHnpdcf32.exeHbkqdepm.exeHqnapb32.exeHieiqo32.exeHjgehgnh.exeHnbaif32.exeHaqnea32.exeHcojam32.exeHgkfal32.exeIjibng32.exeIacjjacb.exeIcafgmbe.exeIgmbgk32.exeIjkocg32.exeIngkdeak.exepid process 2184 Dpeiligo.exe 2772 Debadpeg.exe 2736 Dlljaj32.exe 2448 Dfbnoc32.exe 2640 Dlofgj32.exe 2104 Eegkpo32.exe 2432 Ekdchf32.exe 2056 Eeiheo32.exe 2292 Elcpbigl.exe 3008 Eaphjp32.exe 2680 Egmabg32.exe 2840 Eodicd32.exe 1632 Ehlmljkm.exe 1868 Emifeqid.exe 2212 Ephbal32.exe 1148 Eipgjaoi.exe 1324 Fdekgjno.exe 1344 Fchkbg32.exe 840 Fibcoalf.exe 1544 Flapkmlj.exe 1716 Foolgh32.exe 2216 Fiepea32.exe 2140 Fhgppnan.exe 2156 Fhjmfnok.exe 1764 Fkhibino.exe 2900 Fabaocfl.exe 2724 Flhflleb.exe 2788 Fepjea32.exe 2612 Ggagmjbq.exe 1068 Gdegfn32.exe 2452 Gkoobhhg.exe 860 Gaihob32.exe 2960 Gkalhgfd.exe 2860 Gjdldd32.exe 3036 Glchpp32.exe 2424 Godaakic.exe 1252 Gconbj32.exe 2312 Gfnjne32.exe 2188 Gmhbkohm.exe 1792 Hofngkga.exe 2068 Hjlbdc32.exe 1108 Hmjoqo32.exe 820 Hbggif32.exe 2404 Hmlkfo32.exe 1956 Hnnhngjf.exe 2236 Hfepod32.exe 2324 Hiclkp32.exe 700 Hkahgk32.exe 1564 Homdhjai.exe 1196 Hnpdcf32.exe 2732 Hbkqdepm.exe 2684 Hqnapb32.exe 2444 Hieiqo32.exe 2136 Hjgehgnh.exe 2284 Hnbaif32.exe 1160 Haqnea32.exe 2000 Hcojam32.exe 1636 Hgkfal32.exe 2552 Ijibng32.exe 776 Iacjjacb.exe 816 Icafgmbe.exe 348 Igmbgk32.exe 1376 Ijkocg32.exe 1408 Ingkdeak.exe -
Loads dropped DLL 64 IoCs
Processes:
a076e624c1496af67fd1b09375b3d1f2304045aaf2ed7b4a20e145eee6d553a4.exeDpeiligo.exeDebadpeg.exeDlljaj32.exeDfbnoc32.exeDlofgj32.exeEegkpo32.exeEkdchf32.exeEeiheo32.exeElcpbigl.exeEaphjp32.exeEgmabg32.exeEodicd32.exeEhlmljkm.exeEmifeqid.exeEphbal32.exeEipgjaoi.exeFdekgjno.exeFchkbg32.exeFibcoalf.exeFlapkmlj.exeFoolgh32.exeFiepea32.exeFhgppnan.exeFhjmfnok.exeFkhibino.exeFabaocfl.exeFlhflleb.exeFepjea32.exeGgagmjbq.exeGdegfn32.exeGkoobhhg.exepid process 2464 a076e624c1496af67fd1b09375b3d1f2304045aaf2ed7b4a20e145eee6d553a4.exe 2464 a076e624c1496af67fd1b09375b3d1f2304045aaf2ed7b4a20e145eee6d553a4.exe 2184 Dpeiligo.exe 2184 Dpeiligo.exe 2772 Debadpeg.exe 2772 Debadpeg.exe 2736 Dlljaj32.exe 2736 Dlljaj32.exe 2448 Dfbnoc32.exe 2448 Dfbnoc32.exe 2640 Dlofgj32.exe 2640 Dlofgj32.exe 2104 Eegkpo32.exe 2104 Eegkpo32.exe 2432 Ekdchf32.exe 2432 Ekdchf32.exe 2056 Eeiheo32.exe 2056 Eeiheo32.exe 2292 Elcpbigl.exe 2292 Elcpbigl.exe 3008 Eaphjp32.exe 3008 Eaphjp32.exe 2680 Egmabg32.exe 2680 Egmabg32.exe 2840 Eodicd32.exe 2840 Eodicd32.exe 1632 Ehlmljkm.exe 1632 Ehlmljkm.exe 1868 Emifeqid.exe 1868 Emifeqid.exe 2212 Ephbal32.exe 2212 Ephbal32.exe 1148 Eipgjaoi.exe 1148 Eipgjaoi.exe 1324 Fdekgjno.exe 1324 Fdekgjno.exe 1344 Fchkbg32.exe 1344 Fchkbg32.exe 840 Fibcoalf.exe 840 Fibcoalf.exe 1544 Flapkmlj.exe 1544 Flapkmlj.exe 1716 Foolgh32.exe 1716 Foolgh32.exe 2216 Fiepea32.exe 2216 Fiepea32.exe 2140 Fhgppnan.exe 2140 Fhgppnan.exe 2156 Fhjmfnok.exe 2156 Fhjmfnok.exe 1764 Fkhibino.exe 1764 Fkhibino.exe 2900 Fabaocfl.exe 2900 Fabaocfl.exe 2724 Flhflleb.exe 2724 Flhflleb.exe 2788 Fepjea32.exe 2788 Fepjea32.exe 2612 Ggagmjbq.exe 2612 Ggagmjbq.exe 1068 Gdegfn32.exe 1068 Gdegfn32.exe 2452 Gkoobhhg.exe 2452 Gkoobhhg.exe -
Drops file in System32 directory 64 IoCs
Processes:
Mloiec32.exeDqobnf32.exeLgnjke32.exeBkcfjk32.exeFhjmfnok.exeHnnhngjf.exeKbmome32.exeBhonjg32.exeChggdoee.exeEgcfdn32.exeOioipf32.exeKjhcag32.exeFbkjap32.exeGecpnp32.exeKipmhc32.exePpcmfn32.exeFkhibino.exeHnbaif32.exeAgpeaa32.exeJcciqi32.exeFhgppnan.exeHgkfal32.exeLifcib32.exeObhpad32.exeDfhgggim.exeEmpomd32.exeMlafkb32.exeMkipao32.exeCfoaho32.exeJmocbnop.exeLkbmbl32.exeCkpckece.exeIfgicg32.exeJfekec32.exeMacjgadf.exeMpphdpcf.exeEloipb32.exeFmnahilc.exeQhkipdeb.exeJelhmlgm.exeIcoepohq.exeHmbndmkb.exeEpeajo32.exeHkmjjn32.exeJfmnkn32.exeGfnjne32.exeChjjde32.exeHafbghhj.exeKckhdg32.exeHekefkig.exeJkdcdf32.exeIcafgmbe.exeIjkocg32.exeBnapnm32.exedescription ioc process File created C:\Windows\SysWOW64\Ioljnm32.dll Mloiec32.exe File opened for modification C:\Windows\SysWOW64\Dcmnja32.exe Dqobnf32.exe File opened for modification C:\Windows\SysWOW64\Lilfgq32.exe Lgnjke32.exe File created C:\Windows\SysWOW64\Alakfjbc.dll Bkcfjk32.exe File created C:\Windows\SysWOW64\Npjkgala.dll File created C:\Windows\SysWOW64\Fkhibino.exe Fhjmfnok.exe File created C:\Windows\SysWOW64\Fejcohho.dll Hnnhngjf.exe File created C:\Windows\SysWOW64\Jmegnj32.dll Kbmome32.exe File created C:\Windows\SysWOW64\Nlqmdnof.dll Bhonjg32.exe File opened for modification C:\Windows\SysWOW64\Cgjgol32.exe Chggdoee.exe File created C:\Windows\SysWOW64\Ejabqi32.exe Egcfdn32.exe File opened for modification C:\Windows\SysWOW64\Olmela32.exe Oioipf32.exe File created C:\Windows\SysWOW64\Kjpndcho.dll Kjhcag32.exe File created C:\Windows\SysWOW64\Ifcmmf32.dll Fbkjap32.exe File opened for modification C:\Windows\SysWOW64\Giolnomh.exe Gecpnp32.exe File created C:\Windows\SysWOW64\Kageia32.exe Kipmhc32.exe File created C:\Windows\SysWOW64\Pbajbi32.exe Ppcmfn32.exe File opened for modification C:\Windows\SysWOW64\Fabaocfl.exe Fkhibino.exe File created C:\Windows\SysWOW64\Haqnea32.exe Hnbaif32.exe File created C:\Windows\SysWOW64\Aklabp32.exe Agpeaa32.exe File created C:\Windows\SysWOW64\Jipaip32.exe Jcciqi32.exe File opened for modification C:\Windows\SysWOW64\Nloachkf.exe File created C:\Windows\SysWOW64\Jplagm32.dll Fhgppnan.exe File created C:\Windows\SysWOW64\Pjkkpmda.dll Hgkfal32.exe File created C:\Windows\SysWOW64\Mcbniafn.dll Lifcib32.exe File created C:\Windows\SysWOW64\Cdokfc32.dll Obhpad32.exe File created C:\Windows\SysWOW64\Bjcmdmiq.dll Dfhgggim.exe File created C:\Windows\SysWOW64\Epnkip32.exe Empomd32.exe File created C:\Windows\SysWOW64\Mopbgn32.exe Mlafkb32.exe File created C:\Windows\SysWOW64\Pqdhpbib.dll Mkipao32.exe File opened for modification C:\Windows\SysWOW64\Cjjnhnbl.exe Cfoaho32.exe File created C:\Windows\SysWOW64\Jpmooind.exe Jmocbnop.exe File opened for modification C:\Windows\SysWOW64\Keiqlihp.exe File created C:\Windows\SysWOW64\Mcoomf32.dll File created C:\Windows\SysWOW64\Biqfpb32.exe File opened for modification C:\Windows\SysWOW64\Lnqjnhge.exe Lkbmbl32.exe File created C:\Windows\SysWOW64\Ccgklc32.exe Ckpckece.exe File created C:\Windows\SysWOW64\Dcmnja32.exe Dqobnf32.exe File created C:\Windows\SysWOW64\Knoegqbp.dll File created C:\Windows\SysWOW64\Mmjplobo.dll Ifgicg32.exe File created C:\Windows\SysWOW64\Inncclpb.dll Jfekec32.exe File created C:\Windows\SysWOW64\Bbmcpemo.dll Macjgadf.exe File created C:\Windows\SysWOW64\Qjgcecja.exe File created C:\Windows\SysWOW64\Djepnq32.dll Mpphdpcf.exe File created C:\Windows\SysWOW64\Kdjphodi.dll Eloipb32.exe File opened for modification C:\Windows\SysWOW64\Flabdecn.exe Fmnahilc.exe File created C:\Windows\SysWOW64\Dhkqcl32.dll File opened for modification C:\Windows\SysWOW64\Aeoijidl.exe Qhkipdeb.exe File created C:\Windows\SysWOW64\Jgkdigfa.exe Jelhmlgm.exe File opened for modification C:\Windows\SysWOW64\Iaaekl32.exe Icoepohq.exe File created C:\Windows\SysWOW64\Hoqjqhjf.exe Hmbndmkb.exe File created C:\Windows\SysWOW64\Efoifiep.exe Epeajo32.exe File opened for modification C:\Windows\SysWOW64\Hafbghhj.exe Hkmjjn32.exe File created C:\Windows\SysWOW64\Poajppaa.dll Jfmnkn32.exe File created C:\Windows\SysWOW64\Pdnkanfg.exe File opened for modification C:\Windows\SysWOW64\Gmhbkohm.exe Gfnjne32.exe File created C:\Windows\SysWOW64\Ckhfpp32.exe Chjjde32.exe File created C:\Windows\SysWOW64\Jemffb32.dll Hafbghhj.exe File created C:\Windows\SysWOW64\Kfidqb32.exe Kckhdg32.exe File created C:\Windows\SysWOW64\Kfnhec32.dll Hekefkig.exe File created C:\Windows\SysWOW64\Befaceaa.dll Jkdcdf32.exe File created C:\Windows\SysWOW64\Ekcqmj32.dll Icafgmbe.exe File opened for modification C:\Windows\SysWOW64\Ingkdeak.exe Ijkocg32.exe File opened for modification C:\Windows\SysWOW64\Bdkhjgeh.exe Bnapnm32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Ipomlm32.exeOfnpnkgf.exeHjaeba32.exePhehko32.exeJfekec32.exeJgmjdaqb.exeGjdldd32.exeImaapa32.exePebbcdkn.exeLmalgq32.exeCgqmpkfg.exeIdghhf32.exeIinhdmma.exeNnjklb32.exeAgbbgqhh.exeAdfbpega.exeDbabho32.exeGbffjmmp.exeJnagmc32.exeFmbgageq.exeHhlaiccm.exeNgpqfp32.exeNnleiipc.exeFmaeho32.exeIeponofk.exeHnnjfo32.exeHganjo32.exeKpojkp32.exeBdaojbjf.exePiohgbng.exeQhkkim32.exeEjcofica.exeFmfalg32.exeHememgdi.exeMfjkdh32.exeKmimcbja.exeDcageqgm.exeIkfdkc32.exeDnhefh32.exePdbmfb32.exePmmneg32.exeNghpjn32.exeElcpbigl.exeMkfclo32.exeCkbpqe32.exeFcqjfeja.exePjoklkie.exeAedlhg32.exeGmqkml32.exeIkocoa32.exeKbpbmkan.exeMcodqkbi.exeBdobdc32.exeLaodmoep.exeBhonjg32.exeMebnic32.exeBlqmid32.exeEbfqfpop.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipomlm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofnpnkgf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjaeba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phehko32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfekec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgmjdaqb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjdldd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imaapa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pebbcdkn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmalgq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgqmpkfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idghhf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iinhdmma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnjklb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agbbgqhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adfbpega.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbabho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbffjmmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnagmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmbgageq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhlaiccm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngpqfp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnleiipc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmaeho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieponofk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnnjfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hganjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpojkp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdaojbjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piohgbng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhkkim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejcofica.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmfalg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hememgdi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfjkdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmimcbja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcageqgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikfdkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnhefh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdbmfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmmneg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nghpjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elcpbigl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkfclo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckbpqe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcqjfeja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjoklkie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aedlhg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmqkml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikocoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbpbmkan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcodqkbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdobdc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Laodmoep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhonjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mebnic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blqmid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebfqfpop.exe -
Modifies registry class 64 IoCs
Processes:
Phfoee32.exeQlgndbil.exeNknimnap.exeKablnadm.exePbajbi32.exeImjkpb32.exeEepmlf32.exePndalkgf.exeFjckelfm.exeLhfpdi32.exeFipbhd32.exeIdghhf32.exeDcbnpgkh.exeAbjeejep.exeAoaill32.exeBdkhjgeh.exeGiaidnkf.exeJnagmc32.exeOighcd32.exeGodaakic.exeFjnignob.exeGbffjmmp.exeJfieigio.exeQdofep32.exeFdapcg32.exeCppobaeb.exeDfhgggim.exeFkhibino.exeMpnkopeh.exeAaejojjq.exeHgeelf32.exeMkcplien.exeFopnpaba.exeJecnnk32.exeChggdoee.exeOnqkclni.exeIngmmn32.exePfebnmcj.exeKecjmodq.exeOnamle32.exeCmfmojcb.exeHhaanh32.exeNbqjqehd.exeOfqmcj32.exeOhdfqbio.exeKfodfh32.exeNbpghl32.exeAmjpgdik.exeNhkbmo32.exeFeddombd.exeGpjmnh32.exeDppigchi.exeCkkcep32.exeAfcdpi32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgikembl.dll" Phfoee32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qlgndbil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkgcpnbh.dll" Nknimnap.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kablnadm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbajbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pknaqdia.dll" Imjkpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akomon32.dll" Eepmlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pndalkgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnqnoqah.dll" Fjckelfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhfpdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fipbhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idlmjnop.dll" Idghhf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcbnpgkh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abjeejep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aoaill32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jefndikl.dll" Bdkhjgeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Giaidnkf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnagmc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oighcd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Godaakic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fjnignob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbffjmmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqpfnk32.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfieigio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmiplp32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qdofep32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdapcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipoidefp.dll" Cppobaeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjcmdmiq.dll" Dfhgggim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkhibino.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhimephj.dll" Mpnkopeh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aaejojjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hgeelf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dabahf32.dll" Mkcplien.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fopnpaba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jecnnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjkoop32.dll" Chggdoee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onqkclni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfhbig32.dll" Ingmmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfebnmcj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kecjmodq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onamle32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cmfmojcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhaanh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nbqjqehd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fieacp32.dll" Ofqmcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejilio32.dll" Ohdfqbio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bodilc32.dll" Kfodfh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdkhjgeh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nbpghl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amjpgdik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gofbagcb.dll" Nhkbmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idhdck32.dll" Feddombd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gpjmnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dppigchi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckkcep32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afcdpi32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
a076e624c1496af67fd1b09375b3d1f2304045aaf2ed7b4a20e145eee6d553a4.exeDpeiligo.exeDebadpeg.exeDlljaj32.exeDfbnoc32.exeDlofgj32.exeEegkpo32.exeEkdchf32.exeEeiheo32.exeElcpbigl.exeEaphjp32.exeEgmabg32.exeEodicd32.exeEhlmljkm.exeEmifeqid.exeEphbal32.exedescription pid process target process PID 2464 wrote to memory of 2184 2464 a076e624c1496af67fd1b09375b3d1f2304045aaf2ed7b4a20e145eee6d553a4.exe Dpeiligo.exe PID 2464 wrote to memory of 2184 2464 a076e624c1496af67fd1b09375b3d1f2304045aaf2ed7b4a20e145eee6d553a4.exe Dpeiligo.exe PID 2464 wrote to memory of 2184 2464 a076e624c1496af67fd1b09375b3d1f2304045aaf2ed7b4a20e145eee6d553a4.exe Dpeiligo.exe PID 2464 wrote to memory of 2184 2464 a076e624c1496af67fd1b09375b3d1f2304045aaf2ed7b4a20e145eee6d553a4.exe Dpeiligo.exe PID 2184 wrote to memory of 2772 2184 Dpeiligo.exe Debadpeg.exe PID 2184 wrote to memory of 2772 2184 Dpeiligo.exe Debadpeg.exe PID 2184 wrote to memory of 2772 2184 Dpeiligo.exe Debadpeg.exe PID 2184 wrote to memory of 2772 2184 Dpeiligo.exe Debadpeg.exe PID 2772 wrote to memory of 2736 2772 Debadpeg.exe Dlljaj32.exe PID 2772 wrote to memory of 2736 2772 Debadpeg.exe Dlljaj32.exe PID 2772 wrote to memory of 2736 2772 Debadpeg.exe Dlljaj32.exe PID 2772 wrote to memory of 2736 2772 Debadpeg.exe Dlljaj32.exe PID 2736 wrote to memory of 2448 2736 Dlljaj32.exe Dfbnoc32.exe PID 2736 wrote to memory of 2448 2736 Dlljaj32.exe Dfbnoc32.exe PID 2736 wrote to memory of 2448 2736 Dlljaj32.exe Dfbnoc32.exe PID 2736 wrote to memory of 2448 2736 Dlljaj32.exe Dfbnoc32.exe PID 2448 wrote to memory of 2640 2448 Dfbnoc32.exe Dlofgj32.exe PID 2448 wrote to memory of 2640 2448 Dfbnoc32.exe Dlofgj32.exe PID 2448 wrote to memory of 2640 2448 Dfbnoc32.exe Dlofgj32.exe PID 2448 wrote to memory of 2640 2448 Dfbnoc32.exe Dlofgj32.exe PID 2640 wrote to memory of 2104 2640 Dlofgj32.exe Eegkpo32.exe PID 2640 wrote to memory of 2104 2640 Dlofgj32.exe Eegkpo32.exe PID 2640 wrote to memory of 2104 2640 Dlofgj32.exe Eegkpo32.exe PID 2640 wrote to memory of 2104 2640 Dlofgj32.exe Eegkpo32.exe PID 2104 wrote to memory of 2432 2104 Eegkpo32.exe Ekdchf32.exe PID 2104 wrote to memory of 2432 2104 Eegkpo32.exe Ekdchf32.exe PID 2104 wrote to memory of 2432 2104 Eegkpo32.exe Ekdchf32.exe PID 2104 wrote to memory of 2432 2104 Eegkpo32.exe Ekdchf32.exe PID 2432 wrote to memory of 2056 2432 Ekdchf32.exe Eeiheo32.exe PID 2432 wrote to memory of 2056 2432 Ekdchf32.exe Eeiheo32.exe PID 2432 wrote to memory of 2056 2432 Ekdchf32.exe Eeiheo32.exe PID 2432 wrote to memory of 2056 2432 Ekdchf32.exe Eeiheo32.exe PID 2056 wrote to memory of 2292 2056 Eeiheo32.exe Elcpbigl.exe PID 2056 wrote to memory of 2292 2056 Eeiheo32.exe Elcpbigl.exe PID 2056 wrote to memory of 2292 2056 Eeiheo32.exe Elcpbigl.exe PID 2056 wrote to memory of 2292 2056 Eeiheo32.exe Elcpbigl.exe PID 2292 wrote to memory of 3008 2292 Elcpbigl.exe Eaphjp32.exe PID 2292 wrote to memory of 3008 2292 Elcpbigl.exe Eaphjp32.exe PID 2292 wrote to memory of 3008 2292 Elcpbigl.exe Eaphjp32.exe PID 2292 wrote to memory of 3008 2292 Elcpbigl.exe Eaphjp32.exe PID 3008 wrote to memory of 2680 3008 Eaphjp32.exe Egmabg32.exe PID 3008 wrote to memory of 2680 3008 Eaphjp32.exe Egmabg32.exe PID 3008 wrote to memory of 2680 3008 Eaphjp32.exe Egmabg32.exe PID 3008 wrote to memory of 2680 3008 Eaphjp32.exe Egmabg32.exe PID 2680 wrote to memory of 2840 2680 Egmabg32.exe Eodicd32.exe PID 2680 wrote to memory of 2840 2680 Egmabg32.exe Eodicd32.exe PID 2680 wrote to memory of 2840 2680 Egmabg32.exe Eodicd32.exe PID 2680 wrote to memory of 2840 2680 Egmabg32.exe Eodicd32.exe PID 2840 wrote to memory of 1632 2840 Eodicd32.exe Ehlmljkm.exe PID 2840 wrote to memory of 1632 2840 Eodicd32.exe Ehlmljkm.exe PID 2840 wrote to memory of 1632 2840 Eodicd32.exe Ehlmljkm.exe PID 2840 wrote to memory of 1632 2840 Eodicd32.exe Ehlmljkm.exe PID 1632 wrote to memory of 1868 1632 Ehlmljkm.exe Emifeqid.exe PID 1632 wrote to memory of 1868 1632 Ehlmljkm.exe Emifeqid.exe PID 1632 wrote to memory of 1868 1632 Ehlmljkm.exe Emifeqid.exe PID 1632 wrote to memory of 1868 1632 Ehlmljkm.exe Emifeqid.exe PID 1868 wrote to memory of 2212 1868 Emifeqid.exe Ephbal32.exe PID 1868 wrote to memory of 2212 1868 Emifeqid.exe Ephbal32.exe PID 1868 wrote to memory of 2212 1868 Emifeqid.exe Ephbal32.exe PID 1868 wrote to memory of 2212 1868 Emifeqid.exe Ephbal32.exe PID 2212 wrote to memory of 1148 2212 Ephbal32.exe Eipgjaoi.exe PID 2212 wrote to memory of 1148 2212 Ephbal32.exe Eipgjaoi.exe PID 2212 wrote to memory of 1148 2212 Ephbal32.exe Eipgjaoi.exe PID 2212 wrote to memory of 1148 2212 Ephbal32.exe Eipgjaoi.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a076e624c1496af67fd1b09375b3d1f2304045aaf2ed7b4a20e145eee6d553a4.exe"C:\Users\Admin\AppData\Local\Temp\a076e624c1496af67fd1b09375b3d1f2304045aaf2ed7b4a20e145eee6d553a4.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2464 -
C:\Windows\SysWOW64\Dpeiligo.exeC:\Windows\system32\Dpeiligo.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\Debadpeg.exeC:\Windows\system32\Debadpeg.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Dlljaj32.exeC:\Windows\system32\Dlljaj32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Dfbnoc32.exeC:\Windows\system32\Dfbnoc32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Windows\SysWOW64\Dlofgj32.exeC:\Windows\system32\Dlofgj32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Eegkpo32.exeC:\Windows\system32\Eegkpo32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Windows\SysWOW64\Ekdchf32.exeC:\Windows\system32\Ekdchf32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\SysWOW64\Eeiheo32.exeC:\Windows\system32\Eeiheo32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Windows\SysWOW64\Elcpbigl.exeC:\Windows\system32\Elcpbigl.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\SysWOW64\Eaphjp32.exeC:\Windows\system32\Eaphjp32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Windows\SysWOW64\Egmabg32.exeC:\Windows\system32\Egmabg32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Eodicd32.exeC:\Windows\system32\Eodicd32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Ehlmljkm.exeC:\Windows\system32\Ehlmljkm.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Windows\SysWOW64\Emifeqid.exeC:\Windows\system32\Emifeqid.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1868 -
C:\Windows\SysWOW64\Ephbal32.exeC:\Windows\system32\Ephbal32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\SysWOW64\Eipgjaoi.exeC:\Windows\system32\Eipgjaoi.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1148 -
C:\Windows\SysWOW64\Fdekgjno.exeC:\Windows\system32\Fdekgjno.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1324 -
C:\Windows\SysWOW64\Fchkbg32.exeC:\Windows\system32\Fchkbg32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1344 -
C:\Windows\SysWOW64\Fibcoalf.exeC:\Windows\system32\Fibcoalf.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:840 -
C:\Windows\SysWOW64\Flapkmlj.exeC:\Windows\system32\Flapkmlj.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1544 -
C:\Windows\SysWOW64\Foolgh32.exeC:\Windows\system32\Foolgh32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1716 -
C:\Windows\SysWOW64\Fiepea32.exeC:\Windows\system32\Fiepea32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2216 -
C:\Windows\SysWOW64\Fhgppnan.exeC:\Windows\system32\Fhgppnan.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2140 -
C:\Windows\SysWOW64\Fhjmfnok.exeC:\Windows\system32\Fhjmfnok.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2156 -
C:\Windows\SysWOW64\Fkhibino.exeC:\Windows\system32\Fkhibino.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1764 -
C:\Windows\SysWOW64\Fabaocfl.exeC:\Windows\system32\Fabaocfl.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2900 -
C:\Windows\SysWOW64\Flhflleb.exeC:\Windows\system32\Flhflleb.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2724 -
C:\Windows\SysWOW64\Fepjea32.exeC:\Windows\system32\Fepjea32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2788 -
C:\Windows\SysWOW64\Ggagmjbq.exeC:\Windows\system32\Ggagmjbq.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2612 -
C:\Windows\SysWOW64\Gdegfn32.exeC:\Windows\system32\Gdegfn32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1068 -
C:\Windows\SysWOW64\Gkoobhhg.exeC:\Windows\system32\Gkoobhhg.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2452 -
C:\Windows\SysWOW64\Gaihob32.exeC:\Windows\system32\Gaihob32.exe33⤵
- Executes dropped EXE
PID:860 -
C:\Windows\SysWOW64\Gkalhgfd.exeC:\Windows\system32\Gkalhgfd.exe34⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Gjdldd32.exeC:\Windows\system32\Gjdldd32.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2860 -
C:\Windows\SysWOW64\Glchpp32.exeC:\Windows\system32\Glchpp32.exe36⤵
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Godaakic.exeC:\Windows\system32\Godaakic.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:2424 -
C:\Windows\SysWOW64\Gconbj32.exeC:\Windows\system32\Gconbj32.exe38⤵
- Executes dropped EXE
PID:1252 -
C:\Windows\SysWOW64\Gfnjne32.exeC:\Windows\system32\Gfnjne32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2312 -
C:\Windows\SysWOW64\Gmhbkohm.exeC:\Windows\system32\Gmhbkohm.exe40⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Hofngkga.exeC:\Windows\system32\Hofngkga.exe41⤵
- Executes dropped EXE
PID:1792 -
C:\Windows\SysWOW64\Hjlbdc32.exeC:\Windows\system32\Hjlbdc32.exe42⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Hmjoqo32.exeC:\Windows\system32\Hmjoqo32.exe43⤵
- Executes dropped EXE
PID:1108 -
C:\Windows\SysWOW64\Hbggif32.exeC:\Windows\system32\Hbggif32.exe44⤵
- Executes dropped EXE
PID:820 -
C:\Windows\SysWOW64\Hmlkfo32.exeC:\Windows\system32\Hmlkfo32.exe45⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Hnnhngjf.exeC:\Windows\system32\Hnnhngjf.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1956 -
C:\Windows\SysWOW64\Hfepod32.exeC:\Windows\system32\Hfepod32.exe47⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Hiclkp32.exeC:\Windows\system32\Hiclkp32.exe48⤵
- Executes dropped EXE
PID:2324 -
C:\Windows\SysWOW64\Hkahgk32.exeC:\Windows\system32\Hkahgk32.exe49⤵
- Executes dropped EXE
PID:700 -
C:\Windows\SysWOW64\Homdhjai.exeC:\Windows\system32\Homdhjai.exe50⤵
- Executes dropped EXE
PID:1564 -
C:\Windows\SysWOW64\Hnpdcf32.exeC:\Windows\system32\Hnpdcf32.exe51⤵
- Executes dropped EXE
PID:1196 -
C:\Windows\SysWOW64\Hbkqdepm.exeC:\Windows\system32\Hbkqdepm.exe52⤵
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Hqnapb32.exeC:\Windows\system32\Hqnapb32.exe53⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Hieiqo32.exeC:\Windows\system32\Hieiqo32.exe54⤵
- Executes dropped EXE
PID:2444 -
C:\Windows\SysWOW64\Hjgehgnh.exeC:\Windows\system32\Hjgehgnh.exe55⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Hnbaif32.exeC:\Windows\system32\Hnbaif32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2284 -
C:\Windows\SysWOW64\Haqnea32.exeC:\Windows\system32\Haqnea32.exe57⤵
- Executes dropped EXE
PID:1160 -
C:\Windows\SysWOW64\Hcojam32.exeC:\Windows\system32\Hcojam32.exe58⤵
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Hgkfal32.exeC:\Windows\system32\Hgkfal32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1636 -
C:\Windows\SysWOW64\Ijibng32.exeC:\Windows\system32\Ijibng32.exe60⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Iacjjacb.exeC:\Windows\system32\Iacjjacb.exe61⤵
- Executes dropped EXE
PID:776 -
C:\Windows\SysWOW64\Icafgmbe.exeC:\Windows\system32\Icafgmbe.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:816 -
C:\Windows\SysWOW64\Igmbgk32.exeC:\Windows\system32\Igmbgk32.exe63⤵
- Executes dropped EXE
PID:348 -
C:\Windows\SysWOW64\Ijkocg32.exeC:\Windows\system32\Ijkocg32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1376 -
C:\Windows\SysWOW64\Ingkdeak.exeC:\Windows\system32\Ingkdeak.exe65⤵
- Executes dropped EXE
PID:1408 -
C:\Windows\SysWOW64\Imjkpb32.exeC:\Windows\system32\Imjkpb32.exe66⤵
- Modifies registry class
PID:2192 -
C:\Windows\SysWOW64\Iaegpaao.exeC:\Windows\system32\Iaegpaao.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2240 -
C:\Windows\SysWOW64\Icdcllpc.exeC:\Windows\system32\Icdcllpc.exe68⤵PID:2920
-
C:\Windows\SysWOW64\Ifbphh32.exeC:\Windows\system32\Ifbphh32.exe69⤵PID:2908
-
C:\Windows\SysWOW64\Iiqldc32.exeC:\Windows\system32\Iiqldc32.exe70⤵PID:2692
-
C:\Windows\SysWOW64\Ipjdameg.exeC:\Windows\system32\Ipjdameg.exe71⤵PID:2288
-
C:\Windows\SysWOW64\Icfpbl32.exeC:\Windows\system32\Icfpbl32.exe72⤵PID:2848
-
C:\Windows\SysWOW64\Ifdlng32.exeC:\Windows\system32\Ifdlng32.exe73⤵PID:2172
-
C:\Windows\SysWOW64\Ijphofem.exeC:\Windows\system32\Ijphofem.exe74⤵PID:2688
-
C:\Windows\SysWOW64\Iichjc32.exeC:\Windows\system32\Iichjc32.exe75⤵PID:2596
-
C:\Windows\SysWOW64\Ipmqgmcd.exeC:\Windows\system32\Ipmqgmcd.exe76⤵PID:1364
-
C:\Windows\SysWOW64\Ichmgl32.exeC:\Windows\system32\Ichmgl32.exe77⤵PID:772
-
C:\Windows\SysWOW64\Ifgicg32.exeC:\Windows\system32\Ifgicg32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1600 -
C:\Windows\SysWOW64\Iejiodbl.exeC:\Windows\system32\Iejiodbl.exe79⤵PID:2208
-
C:\Windows\SysWOW64\Imaapa32.exeC:\Windows\system32\Imaapa32.exe80⤵
- System Location Discovery: System Language Discovery
PID:1776 -
C:\Windows\SysWOW64\Ipomlm32.exeC:\Windows\system32\Ipomlm32.exe81⤵
- System Location Discovery: System Language Discovery
PID:2356 -
C:\Windows\SysWOW64\Inbnhihl.exeC:\Windows\system32\Inbnhihl.exe82⤵PID:1924
-
C:\Windows\SysWOW64\Jfieigio.exeC:\Windows\system32\Jfieigio.exe83⤵
- Modifies registry class
PID:2768 -
C:\Windows\SysWOW64\Jelfdc32.exeC:\Windows\system32\Jelfdc32.exe84⤵PID:2916
-
C:\Windows\SysWOW64\Jhjbqo32.exeC:\Windows\system32\Jhjbqo32.exe85⤵PID:2636
-
C:\Windows\SysWOW64\Jlfnangf.exeC:\Windows\system32\Jlfnangf.exe86⤵PID:2964
-
C:\Windows\SysWOW64\Jndjmifj.exeC:\Windows\system32\Jndjmifj.exe87⤵PID:2832
-
C:\Windows\SysWOW64\Jacfidem.exeC:\Windows\system32\Jacfidem.exe88⤵PID:2972
-
C:\Windows\SysWOW64\Jjkkbjln.exeC:\Windows\system32\Jjkkbjln.exe89⤵PID:2248
-
C:\Windows\SysWOW64\Joggci32.exeC:\Windows\system32\Joggci32.exe90⤵PID:2496
-
C:\Windows\SysWOW64\Jbbccgmp.exeC:\Windows\system32\Jbbccgmp.exe91⤵PID:2084
-
C:\Windows\SysWOW64\Jeqopcld.exeC:\Windows\system32\Jeqopcld.exe92⤵PID:1256
-
C:\Windows\SysWOW64\Jdcpkp32.exeC:\Windows\system32\Jdcpkp32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1028 -
C:\Windows\SysWOW64\Jlkglm32.exeC:\Windows\system32\Jlkglm32.exe94⤵PID:1524
-
C:\Windows\SysWOW64\Joidhh32.exeC:\Windows\system32\Joidhh32.exe95⤵PID:1980
-
C:\Windows\SysWOW64\Jagpdd32.exeC:\Windows\system32\Jagpdd32.exe96⤵PID:2924
-
C:\Windows\SysWOW64\Jeclebja.exeC:\Windows\system32\Jeclebja.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2456 -
C:\Windows\SysWOW64\Jhahanie.exeC:\Windows\system32\Jhahanie.exe98⤵PID:2176
-
C:\Windows\SysWOW64\Jokqnhpa.exeC:\Windows\system32\Jokqnhpa.exe99⤵PID:564
-
C:\Windows\SysWOW64\Jajmjcoe.exeC:\Windows\system32\Jajmjcoe.exe100⤵PID:3044
-
C:\Windows\SysWOW64\Jdhifooi.exeC:\Windows\system32\Jdhifooi.exe101⤵PID:3000
-
C:\Windows\SysWOW64\Jhdegn32.exeC:\Windows\system32\Jhdegn32.exe102⤵PID:916
-
C:\Windows\SysWOW64\Kmqmod32.exeC:\Windows\system32\Kmqmod32.exe103⤵PID:2560
-
C:\Windows\SysWOW64\Kpojkp32.exeC:\Windows\system32\Kpojkp32.exe104⤵
- System Location Discovery: System Language Discovery
PID:1928 -
C:\Windows\SysWOW64\Kfibhjlj.exeC:\Windows\system32\Kfibhjlj.exe105⤵PID:980
-
C:\Windows\SysWOW64\Kkdnhi32.exeC:\Windows\system32\Kkdnhi32.exe106⤵PID:2864
-
C:\Windows\SysWOW64\Kmcjedcg.exeC:\Windows\system32\Kmcjedcg.exe107⤵PID:1696
-
C:\Windows\SysWOW64\Kpafapbk.exeC:\Windows\system32\Kpafapbk.exe108⤵PID:3040
-
C:\Windows\SysWOW64\Kbpbmkan.exeC:\Windows\system32\Kbpbmkan.exe109⤵
- System Location Discovery: System Language Discovery
PID:2948 -
C:\Windows\SysWOW64\Kgkonj32.exeC:\Windows\system32\Kgkonj32.exe110⤵PID:2632
-
C:\Windows\SysWOW64\Kmegjdad.exeC:\Windows\system32\Kmegjdad.exe111⤵PID:2852
-
C:\Windows\SysWOW64\Kpdcfoph.exeC:\Windows\system32\Kpdcfoph.exe112⤵PID:2808
-
C:\Windows\SysWOW64\Kbbobkol.exeC:\Windows\system32\Kbbobkol.exe113⤵PID:2196
-
C:\Windows\SysWOW64\Kgnkci32.exeC:\Windows\system32\Kgnkci32.exe114⤵PID:2396
-
C:\Windows\SysWOW64\Kilgoe32.exeC:\Windows\system32\Kilgoe32.exe115⤵PID:1872
-
C:\Windows\SysWOW64\Khohkamc.exeC:\Windows\system32\Khohkamc.exe116⤵PID:1736
-
C:\Windows\SysWOW64\Koipglep.exeC:\Windows\system32\Koipglep.exe117⤵PID:1732
-
C:\Windows\SysWOW64\Kcdlhj32.exeC:\Windows\system32\Kcdlhj32.exe118⤵PID:992
-
C:\Windows\SysWOW64\Kechdf32.exeC:\Windows\system32\Kechdf32.exe119⤵PID:2944
-
C:\Windows\SysWOW64\Khadpa32.exeC:\Windows\system32\Khadpa32.exe120⤵PID:2604
-
C:\Windows\SysWOW64\Klmqapci.exeC:\Windows\system32\Klmqapci.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:684 -
C:\Windows\SysWOW64\Kkpqlm32.exeC:\Windows\system32\Kkpqlm32.exe122⤵PID:2200
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-