Analysis

max time kernel: 58s
max time network: 19s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 10-11-2024 01:11

Static task: static1

Behavioral task: behavioral1
Sample: 690aebd9216fdef0f25d7c8e9ea8a47ee62ff84ae647ea1bedfc07f57ce1d949N.exe
Resource: win7-20241010-en

Behavioral task: behavioral2
Sample: 690aebd9216fdef0f25d7c8e9ea8a47ee62ff84ae647ea1bedfc07f57ce1d949N.exe
Resource: win10v2004-20241007-en

General

Target: 690aebd9216fdef0f25d7c8e9ea8a47ee62ff84ae647ea1bedfc07f57ce1d949N.exe
Size: 531KB
MD5: c101d5021e67a52af9eaf04aa1370190
SHA1: 792ea45fdc060dbd7cb54433e76bb54b43cb5645
SHA256: 690aebd9216fdef0f25d7c8e9ea8a47ee62ff84ae647ea1bedfc07f57ce1d949
SHA512: bfb76896c1507d711c24f986f46c218cf43da96df78b49e3079da87ec87652833d5f2cb17a393d57d89ef34a0e527b4317850120428dbd42c12c0b4fcd74b30f
SSDEEP: 12288:6FQIwAxWnsuLIpIwAxWube9IwAxWnsuLIpIwAxWDFQIwAU:jxxn9mxx3xxn9mxxax/
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Processes: Mpcjfa32.exe, Kdincdcl.exe, Lknbjlnn.exe, Pfgeoo32.exe, Hdilalko.exe, Cfpinnfj.exe, Dclikp32.exe, Eaoaafli.exe, Fpihnbmk.exe, Eaegaaah.exe, Pnminkof.exe, Mpjgag32.exe, Dfecim32.exe, Cclmlm32.exe, Jalmcl32.exe, Pfjiod32.exe, Cilfka32.exe, Dfpcdh32.exe, Acnqen32.exe, Bpbadcbj.exe, Pclolakk.exe, Lblflgqk.exe, Qcgkeonp.exe, Qgeckn32.exe, Leaallcb.exe, Mhpeem32.exe, Nijcgp32.exe, Nlabjj32.exe, Oeeeeehe.exe, Egaoldnf.exe, Figoefkf.exe, Abbknb32.exe, Bnfodojp.exe, Geehcoaf.exe, Eplood32.exe, Opcaiggo.exe, Qlnghj32.exe, Bohoogbk.exe, Abcngkmp.exe, Enomam32.exe, Flcjjdpe.exe, Hmdohj32.exe, Kopldl32.exe, Imkbeqem.exe, Jmplqp32.exe, Lpekln32.exe, Cjiiim32.exe, Nimaic32.exe, Hbfalpab.exe, Eiocbd32.exe, Hdapggln.exe, Pjhaec32.exe, Nnidchqp.exe, Cbfhjfdk.exe, Jkgfgl32.exe, Hkgjge32.exe, Efolib32.exe, Indiodbh.exe, Hpnbjfjj.exe, Gjolpkhj.exe, Jbjejojn.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mpcjfa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kdincdcl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lknbjlnn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pfgeoo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hdilalko.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cfpinnfj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dclikp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eaoaafli.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fpihnbmk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eaegaaah.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pnminkof.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mpjgag32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dfecim32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cclmlm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jalmcl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pfjiod32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cilfka32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dfpcdh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Acnqen32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bpbadcbj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pclolakk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lblflgqk.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qcgkeonp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qgeckn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Leaallcb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mhpeem32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nijcgp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nlabjj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Oeeeeehe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Egaoldnf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Figoefkf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Abbknb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bnfodojp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Geehcoaf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eplood32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Opcaiggo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qlnghj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bohoogbk.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Abcngkmp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bpbadcbj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Enomam32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Flcjjdpe.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hmdohj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kopldl32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Imkbeqem.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jmplqp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lpekln32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cjiiim32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nimaic32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hbfalpab.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eiocbd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hdapggln.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pjhaec32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nnidchqp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mhpeem32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cbfhjfdk.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jkgfgl32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oeeeeehe.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hkgjge32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Efolib32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Indiodbh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hpnbjfjj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gjolpkhj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jbjejojn.exe
Berbew family
Executes dropped EXE (64 IoCs)
Processes: Cabldeik.exe, Cinahhff.exe, Ddqeodjj.exe, Eplood32.exe, Fadagl32.exe, Febjmj32.exe, Fgjmfa32.exe, Gfbfln32.exe, Gkchpcoc.exe, Hkhbkc32.exe, Icjmpd32.exe, Ienfml32.exe, Jalmcl32.exe, Jbpfpd32.exe, Kkdnke32.exe, Kapbmo32.exe, Llcfck32.exe, Lodoefed.exe, Mgaqohql.exe, Mgdmeh32.exe, Mcmkoi32.exe, Nijcgp32.exe, Nfppfcmj.exe, Npieoi32.exe, Nlabjj32.exe, Oldooi32.exe, Omhhma32.exe, Ojlife32.exe, Ojnelefl.exe, Pejcab32.exe, Pdamhocm.exe, Pogaeg32.exe, Qajfmbna.exe, Qiekadkl.exe, Ajghgd32.exe, Ajlabc32.exe, Bnqcaffa.exe, Bkddjkej.exe, Bdoeipjh.exe, Bqffna32.exe, Bjnjfffm.exe, Ckbccnji.exe, Copljmpo.exe, Cihqbb32.exe, Ciknhb32.exe, Cjngej32.exe, Dpmlcpdm.exe, Dihmae32.exe, Ehpgha32.exe, Eiocbd32.exe, Emailhfb.exe, Eaoaafli.exe, Fdpjcaij.exe, Fpihnbmk.exe, Fefpfi32.exe, Fehmlh32.exe, Fclmem32.exe, Gaajfi32.exe, Gkiooocb.exe, Gjolpkhj.exe, Glpdbfek.exe, Gnoaliln.exe, Hfjfpkji.exe, Hcnfjpib.exe
pid | process
2488 | Cabldeik.exe
2964 | Cinahhff.exe
2924 | Ddqeodjj.exe
2920 | Eplood32.exe
2756 | Fadagl32.exe
2788 | Febjmj32.exe
1660 | Fgjmfa32.exe
884 | Gfbfln32.exe
1160 | Gkchpcoc.exe
2468 | Hkhbkc32.exe
3044 | Icjmpd32.exe
2344 | Ienfml32.exe
2044 | Jalmcl32.exe
2064 | Jbpfpd32.exe
2200 | Kkdnke32.exe
824 | Kapbmo32.exe
1792 | Llcfck32.exe
896 | Lodoefed.exe
1360 | Mgaqohql.exe
820 | Mgdmeh32.exe
1772 | Mcmkoi32.exe
2484 | Nijcgp32.exe
1728 | Nfppfcmj.exe
328 | Npieoi32.exe
1516 | Nlabjj32.exe
2056 | Oldooi32.exe
2952 | Omhhma32.exe
2876 | Ojlife32.exe
2748 | Ojnelefl.exe
2904 | Pejcab32.exe
2848 | Pdamhocm.exe
2800 | Pogaeg32.exe
2248 | Qajfmbna.exe
2824 | Qiekadkl.exe
3052 | Ajghgd32.exe
2816 | Ajlabc32.exe
2416 | Bnqcaffa.exe
2392 | Bkddjkej.exe
2368 | Bdoeipjh.exe
2352 | Bqffna32.exe
2076 | Bjnjfffm.exe
112 | Ckbccnji.exe
1868 | Copljmpo.exe
2296 | Cihqbb32.exe
1912 | Ciknhb32.exe
1092 | Cjngej32.exe
1480 | Dpmlcpdm.exe
1628 | Dihmae32.exe
3020 | Ehpgha32.exe
792 | Eiocbd32.exe
2888 | Emailhfb.exe
2760 | Eaoaafli.exe
2720 | Fdpjcaij.exe
2776 | Fpihnbmk.exe
2764 | Fefpfi32.exe
2536 | Fehmlh32.exe
2172 | Fclmem32.exe
2400 | Gaajfi32.exe
2372 | Gkiooocb.exe
2644 | Gjolpkhj.exe
1680 | Glpdbfek.exe
2112 | Gnoaliln.exe
2516 | Hfjfpkji.exe
1804 | Hcnfjpib.exe
Loads dropped DLL (64 IoCs)
Processes: 690aebd9216fdef0f25d7c8e9ea8a47ee62ff84ae647ea1bedfc07f57ce1d949N.exe, Cabldeik.exe, Cinahhff.exe, Ddqeodjj.exe, Eplood32.exe, Fadagl32.exe, Febjmj32.exe, Fgjmfa32.exe, Gfbfln32.exe, Gkchpcoc.exe, Hkhbkc32.exe, Icjmpd32.exe, Ienfml32.exe, Jalmcl32.exe, Jbpfpd32.exe, Kkdnke32.exe, Kapbmo32.exe, Llcfck32.exe, Lodoefed.exe, Mgaqohql.exe, Mgdmeh32.exe, Mcmkoi32.exe, Nijcgp32.exe, Nfppfcmj.exe, Npieoi32.exe, Nlabjj32.exe, Oldooi32.exe, Omhhma32.exe, Ojlife32.exe, Ojnelefl.exe, Pejcab32.exe, Pdamhocm.exe
pid | process (each process is listed once per DLL load it performed, as on the original report)
2328 | 690aebd9216fdef0f25d7c8e9ea8a47ee62ff84ae647ea1bedfc07f57ce1d949N.exe
2328 | 690aebd9216fdef0f25d7c8e9ea8a47ee62ff84ae647ea1bedfc07f57ce1d949N.exe
2488 | Cabldeik.exe
2488 | Cabldeik.exe
2964 | Cinahhff.exe
2964 | Cinahhff.exe
2924 | Ddqeodjj.exe
2924 | Ddqeodjj.exe
2920 | Eplood32.exe
2920 | Eplood32.exe
2756 | Fadagl32.exe
2756 | Fadagl32.exe
2788 | Febjmj32.exe
2788 | Febjmj32.exe
1660 | Fgjmfa32.exe
1660 | Fgjmfa32.exe
884 | Gfbfln32.exe
884 | Gfbfln32.exe
1160 | Gkchpcoc.exe
1160 | Gkchpcoc.exe
2468 | Hkhbkc32.exe
2468 | Hkhbkc32.exe
3044 | Icjmpd32.exe
3044 | Icjmpd32.exe
2344 | Ienfml32.exe
2344 | Ienfml32.exe
2044 | Jalmcl32.exe
2044 | Jalmcl32.exe
2064 | Jbpfpd32.exe
2064 | Jbpfpd32.exe
2200 | Kkdnke32.exe
2200 | Kkdnke32.exe
824 | Kapbmo32.exe
824 | Kapbmo32.exe
1792 | Llcfck32.exe
1792 | Llcfck32.exe
896 | Lodoefed.exe
896 | Lodoefed.exe
1360 | Mgaqohql.exe
1360 | Mgaqohql.exe
820 | Mgdmeh32.exe
820 | Mgdmeh32.exe
1772 | Mcmkoi32.exe
1772 | Mcmkoi32.exe
2484 | Nijcgp32.exe
2484 | Nijcgp32.exe
1728 | Nfppfcmj.exe
1728 | Nfppfcmj.exe
328 | Npieoi32.exe
328 | Npieoi32.exe
1516 | Nlabjj32.exe
1516 | Nlabjj32.exe
2056 | Oldooi32.exe
2056 | Oldooi32.exe
2952 | Omhhma32.exe
2952 | Omhhma32.exe
2876 | Ojlife32.exe
2876 | Ojlife32.exe
2748 | Ojnelefl.exe
2748 | Ojnelefl.exe
2904 | Pejcab32.exe
2904 | Pejcab32.exe
2848 | Pdamhocm.exe
2848 | Pdamhocm.exe
Drops file in System32 directory (64 IoCs)
Processes: Emailhfb.exe, Hfalaj32.exe, Pegpamoo.exe, Mdkmld32.exe, Nhalag32.exe, Eibbqmhd.exe, Cdhgegfd.exe, Llcfck32.exe, Gaajfi32.exe, Hdilalko.exe, Ehpgha32.exe, Ofibcj32.exe, Ncejcg32.exe, Akhndf32.exe, Kkiiom32.exe, Bqffna32.exe, Jkpfcnoe.exe, Ebhjdc32.exe, Hkgjge32.exe, Eibikc32.exe, Hdailaib.exe, Eickdlcd.exe, Jflfbdqe.exe, Ojlmgg32.exe, Ddqeodjj.exe, Jalmcl32.exe, Klocba32.exe, Lpekln32.exe, Napfihmn.exe, Hilghaqq.exe, Mkldli32.exe, Pobhfl32.exe, Gnhlgoia.exe, Jbgbjh32.exe, Qjcmoqlf.exe, Dkihli32.exe, Aofhcmig.exe, Pcdnpp32.exe, Hbokkagk.exe, Cjiiim32.exe, Eplood32.exe, Omhhma32.exe, Bfkakbpp.exe, Cgjjdijo.exe, Bjlpjp32.exe, Jmplqp32.exe, Nijdcdgn.exe, Cclmlm32.exe, Gdgadeee.exe, Opcaiggo.exe, Ahgdbk32.exe, Olhmnb32.exe, 690aebd9216fdef0f25d7c8e9ea8a47ee62ff84ae647ea1bedfc07f57ce1d949N.exe, Fdpjcaij.exe, Dicmlpje.exe, Egbffj32.exe, Nelkme32.exe, Pqdend32.exe, Iebmaoed.exe, Jbjejojn.exe, Pmbdfolj.exe, Pnminkof.exe, Glhjpjok.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\Eaoaafli.exe | Emailhfb.exe
File created | C:\Windows\SysWOW64\Hbhmfk32.exe | Hfalaj32.exe
File opened for modification | C:\Windows\SysWOW64\Pmbdfolj.exe | Pegpamoo.exe
File created | C:\Windows\SysWOW64\Fhofjehd.dll | Mdkmld32.exe
File created | C:\Windows\SysWOW64\Elioal32.dll | Nhalag32.exe
File opened for modification | C:\Windows\SysWOW64\Eeicenni.exe | Eibbqmhd.exe
File created | C:\Windows\SysWOW64\Cjdonndl.exe | Cdhgegfd.exe
File opened for modification | C:\Windows\SysWOW64\Lodoefed.exe | Llcfck32.exe
File opened for modification | C:\Windows\SysWOW64\Gkiooocb.exe | Gaajfi32.exe
File opened for modification | C:\Windows\SysWOW64\Hpbilmop.exe | Hdilalko.exe
File opened for modification | C:\Windows\SysWOW64\Eiocbd32.exe | Ehpgha32.exe
File created | C:\Windows\SysWOW64\Aochck32.dll | Ofibcj32.exe
File created | C:\Windows\SysWOW64\Qegdad32.dll | Ncejcg32.exe
File created | C:\Windows\SysWOW64\Pphqlc32.dll | Akhndf32.exe
File created | C:\Windows\SysWOW64\Lmjbphod.exe | Kkiiom32.exe
File created | C:\Windows\SysWOW64\Anaeppkc.dll | Bqffna32.exe
File created | C:\Windows\SysWOW64\Jfigdl32.exe | Jkpfcnoe.exe
File opened for modification | C:\Windows\SysWOW64\Eibbqmhd.exe | Ebhjdc32.exe
File opened for modification | C:\Windows\SysWOW64\Hilghaqq.exe | Hkgjge32.exe
File opened for modification | C:\Windows\SysWOW64\Flhkhnel.exe | Eibikc32.exe
File opened for modification | C:\Windows\SysWOW64\Hjnaehgj.exe | Hdailaib.exe
File created | C:\Windows\SysWOW64\Emadjj32.exe | Eickdlcd.exe
File opened for modification | C:\Windows\SysWOW64\Jjjohbgl.exe | Jflfbdqe.exe
File created | C:\Windows\SysWOW64\Polbemck.exe | Ojlmgg32.exe
File opened for modification | C:\Windows\SysWOW64\Eplood32.exe | Ddqeodjj.exe
File created | C:\Windows\SysWOW64\Jbpfpd32.exe | Jalmcl32.exe
File created | C:\Windows\SysWOW64\Dkgnkbkk.dll | Klocba32.exe
File created | C:\Windows\SysWOW64\Idmkjp32.dll | Lpekln32.exe
File created | C:\Windows\SysWOW64\Nabcog32.exe | Napfihmn.exe
File opened for modification | C:\Windows\SysWOW64\Hcdkagga.exe | Hilghaqq.exe
File created | C:\Windows\SysWOW64\Mhpeem32.exe | Mkldli32.exe
File created | C:\Windows\SysWOW64\Pqdend32.exe | Pobhfl32.exe
File opened for modification | C:\Windows\SysWOW64\Gjomlp32.exe | Gnhlgoia.exe
File created | C:\Windows\SysWOW64\Jkpfcnoe.exe | Jbgbjh32.exe
File created | C:\Windows\SysWOW64\Amcfpl32.exe | Qjcmoqlf.exe
File created | C:\Windows\SysWOW64\Efolib32.exe | Dkihli32.exe
File opened for modification | C:\Windows\SysWOW64\Aipickfe.exe | Aofhcmig.exe
File created | C:\Windows\SysWOW64\Daedpf32.dll | Pcdnpp32.exe
File created | C:\Windows\SysWOW64\Jhabfbal.dll | Hbokkagk.exe
File opened for modification | C:\Windows\SysWOW64\Cfpinnfj.exe | Cjiiim32.exe
File created | C:\Windows\SysWOW64\Fadagl32.exe | Eplood32.exe
File created | C:\Windows\SysWOW64\Dlpaod32.dll | Omhhma32.exe
File created | C:\Windows\SysWOW64\Bohoogbk.exe | Bfkakbpp.exe
File created | C:\Windows\SysWOW64\Cilfka32.exe | Cgjjdijo.exe
File created | C:\Windows\SysWOW64\Flhkhnel.exe | Eibikc32.exe
File opened for modification | C:\Windows\SysWOW64\Bnjipn32.exe | Bjlpjp32.exe
File opened for modification | C:\Windows\SysWOW64\Jgjman32.exe | Jmplqp32.exe
File created | C:\Windows\SysWOW64\Kikmdack.dll | Nijdcdgn.exe
File created | C:\Windows\SysWOW64\Cocnanmd.exe | Cclmlm32.exe
File created | C:\Windows\SysWOW64\Didpkp32.dll | Gdgadeee.exe
File created | C:\Windows\SysWOW64\Oljanhmc.exe | Opcaiggo.exe
File created | C:\Windows\SysWOW64\Akhndf32.exe | Ahgdbk32.exe
File created | C:\Windows\SysWOW64\Ojlmgg32.exe | Olhmnb32.exe
File created | C:\Windows\SysWOW64\Difcao32.dll | 690aebd9216fdef0f25d7c8e9ea8a47ee62ff84ae647ea1bedfc07f57ce1d949N.exe
File opened for modification | C:\Windows\SysWOW64\Fpihnbmk.exe | Fdpjcaij.exe
File created | C:\Windows\SysWOW64\Gadllf32.dll | Dicmlpje.exe
File created | C:\Windows\SysWOW64\Iahckl32.dll | Egbffj32.exe
File opened for modification | C:\Windows\SysWOW64\Nijdcdgn.exe | Nelkme32.exe
File opened for modification | C:\Windows\SysWOW64\Pcdnpp32.exe | Pqdend32.exe
File created | C:\Windows\SysWOW64\Pmghilqf.dll | Iebmaoed.exe
File created | C:\Windows\SysWOW64\Jnafop32.exe | Jbjejojn.exe
File created | C:\Windows\SysWOW64\Pfjiod32.exe | Pmbdfolj.exe
File created | C:\Windows\SysWOW64\Pclolakk.exe | Pnminkof.exe
File created | C:\Windows\SysWOW64\Gmhfjm32.exe | Glhjpjok.exe
Program crash (1 IoCs)
Processes: WerFault.exe
pid | pid_target | process | target process
4068 | 2260 | WerFault.exe | Joagkd32.exe
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: Jggiah32.exe, Gnhlgoia.exe, Fbjchfaq.exe, Mdqclpgd.exe, Jnlhbb32.exe, Jflfbdqe.exe, Mhpeem32.exe, Befcne32.exe, Igioiacg.exe, Hjnaehgj.exe, Gaamobdf.exe, Cjbpoeoj.exe, Eibbqmhd.exe, Kemjieol.exe, Febjmj32.exe, Jhlgnd32.exe, Adekhkng.exe, Nabcog32.exe, Cjdonndl.exe, Cjiiim32.exe, Dclikp32.exe, Ombhgljn.exe, Galfpgpg.exe, Dqiakm32.exe, Majdkifd.exe, Mdkmld32.exe, Nqamaeii.exe, Jgjman32.exe, Blhifemo.exe, Ngcbie32.exe, Hgmhcm32.exe, Kkiiom32.exe, Kbljmd32.exe, Behpcefk.exe, Gigjch32.exe, Mhmfgdch.exe, Fbeimf32.exe, Hdilalko.exe, Clehoiam.exe, Efbbba32.exe, Hfjfpkji.exe, Kemgqm32.exe, Igdndl32.exe, Acnqen32.exe, Gbmbgngb.exe, Bnfodojp.exe, Olhmnb32.exe, Geehcoaf.exe, Hkgjge32.exe, Gabohk32.exe, Lhhmle32.exe, Ejhhcdjm.exe, Ffiebc32.exe, Pfgeoo32.exe, Abbknb32.exe, Lanmde32.exe, Qpmbgaid.exe, Bljeke32.exe, Hdapggln.exe, Opcaiggo.exe, Glajmppm.exe, Ogigpllh.exe, Dlgjie32.exe, Bimbbhgh.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | each of the 64 processes listed above, one row per process, in the order listed
Modifies registry class (64 IoCs)
Processes: Oldooi32.exe, Glpdbfek.exe, Jobnej32.exe, Qajfmbna.exe, Ofqonp32.exe, Qjcmoqlf.exe, Bljeke32.exe, Lanmde32.exe, Qcgkeonp.exe, Jjhgdqef.exe, Lkahbkgk.exe, Polbemck.exe, Deedfacn.exe, Bnfodojp.exe, Cnekcblk.exe, Mpcjfa32.exe, Hfalaj32.exe, Heedbbdb.exe, Dnkggjpj.exe, Ffcdlncp.exe, Ojnelefl.exe, Cgjjdijo.exe, Dicmlpje.exe, Mefiog32.exe, Lobgah32.exe, Poplqm32.exe, Eddlcgjb.exe, Hjaiaolb.exe, Efbbba32.exe, Febjmj32.exe, Hfdbji32.exe, Iecaad32.exe, Mnqdpj32.exe, Oahpahel.exe, Pfgeoo32.exe, Qfedhb32.exe, Qbhpddbf.exe, Jbgbjh32.exe, Chdlidjm.exe, Jflfbdqe.exe, Pejcab32.exe, Mkplnp32.exe, Cblniaii.exe, Nabcog32.exe, Cdhgegfd.exe, Dblcnngi.exe, Ingogcke.exe, 690aebd9216fdef0f25d7c8e9ea8a47ee62ff84ae647ea1bedfc07f57ce1d949N.exe, Llcfck32.exe, Hcnfjpib.exe, Djibogkn.exe, Fhcehngk.exe, Hkgjge32.exe, Enomam32.exe, Emadjj32.exe, Akhndf32.exe, Figoefkf.exe, Hdilalko.exe, Feeldk32.exe, Jookedhp.exe, Hdapggln.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Oldooi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Glpdbfek.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jobnej32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Qajfmbna.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ofqonp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Qjcmoqlf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngnenojn.dll" | Bljeke32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lanmde32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fomflmlg.dll" | Qcgkeonp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eelgce32.dll" | Jjhgdqef.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmnede32.dll" | Lkahbkgk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pliibcdi.dll" | Polbemck.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Deedfacn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bnfodojp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdhadgoa.dll" | Cnekcblk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbcppkf.dll" | Mpcjfa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhmplgki.dll" | Hfalaj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Heedbbdb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfphhb32.dll" | Jobnej32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkcfojmh.dll" | Dnkggjpj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ffcdlncp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afhklj32.dll" | Ojnelefl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cgjjdijo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gadllf32.dll" | Dicmlpje.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mefiog32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lobgah32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjiefgfh.dll" | Poplqm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iikfmama.dll" | Eddlcgjb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hjaiaolb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Efbbba32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Febjmj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omincc32.dll" | Hfdbji32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Iecaad32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcmlppdo.dll" | Mnqdpj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Oahpahel.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pfgeoo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Qfedhb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Qcgkeonp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqdaeh32.dll" | Qbhpddbf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jbgbjh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mpcjfa32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Chdlidjm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jflfbdqe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcbkjeif.dll" | Pejcab32.exe
Set value (str)
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plongokk.dll" Mkplnp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cblniaii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpeamj32.dll" Nabcog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdhgegfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dblcnngi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bepajh32.dll" Ingogcke.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID 690aebd9216fdef0f25d7c8e9ea8a47ee62ff84ae647ea1bedfc07f57ce1d949N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Llcfck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfmmge32.dll" Hcnfjpib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djibogkn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhcehngk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkgjge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Enomam32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imnaimag.dll" Emadjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pphqlc32.dll" Akhndf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Figoefkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epblob32.dll" Hdilalko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijahed32.dll" Feeldk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jookedhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkicala.dll" Hdapggln.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes
1. C:\Users\Admin\AppData\Local\Temp\690aebd9216fdef0f25d7c8e9ea8a47ee62ff84ae647ea1bedfc07f57ce1d949N.exe (PID 2328; command line: "C:\Users\Admin\AppData\Local\Temp\690aebd9216fdef0f25d7c8e9ea8a47ee62ff84ae647ea1bedfc07f57ce1d949N.exe")
   - Loads dropped DLL
   - Drops file in System32 directory
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Cabldeik.exe (PID 2488; command line: C:\Windows\system32\Cabldeik.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Cinahhff.exe (PID 2964; command line: C:\Windows\system32\Cinahhff.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Ddqeodjj.exe (PID 2924; command line: C:\Windows\system32\Ddqeodjj.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Eplood32.exe (PID 2920; command line: C:\Windows\system32\Eplood32.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Fadagl32.exe (PID 2756; command line: C:\Windows\system32\Fadagl32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Febjmj32.exe (PID 2788; command line: C:\Windows\system32\Febjmj32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Fgjmfa32.exe (PID 1660; command line: C:\Windows\system32\Fgjmfa32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Gfbfln32.exe (PID 884; command line: C:\Windows\system32\Gfbfln32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Gkchpcoc.exe (PID 1160; command line: C:\Windows\system32\Gkchpcoc.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Hkhbkc32.exe (PID 2468; command line: C:\Windows\system32\Hkhbkc32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Icjmpd32.exe (PID 3044; command line: C:\Windows\system32\Icjmpd32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Ienfml32.exe (PID 2344; command line: C:\Windows\system32\Ienfml32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Jalmcl32.exe (PID 2044; command line: C:\Windows\system32\Jalmcl32.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Jbpfpd32.exe (PID 2064; command line: C:\Windows\system32\Jbpfpd32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Kkdnke32.exe (PID 2200; command line: C:\Windows\system32\Kkdnke32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Kapbmo32.exe (PID 824; command line: C:\Windows\system32\Kapbmo32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
18. C:\Windows\SysWOW64\Llcfck32.exe (PID 1792; command line: C:\Windows\system32\Llcfck32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Modifies registry class
19. C:\Windows\SysWOW64\Lodoefed.exe (PID 896; command line: C:\Windows\system32\Lodoefed.exe)
   - Executes dropped EXE
   - Loads dropped DLL
20. C:\Windows\SysWOW64\Mgaqohql.exe (PID 1360; command line: C:\Windows\system32\Mgaqohql.exe)
   - Executes dropped EXE
   - Loads dropped DLL
21. C:\Windows\SysWOW64\Mgdmeh32.exe (PID 820; command line: C:\Windows\system32\Mgdmeh32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
22. C:\Windows\SysWOW64\Mcmkoi32.exe (PID 1772; command line: C:\Windows\system32\Mcmkoi32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
23. C:\Windows\SysWOW64\Nijcgp32.exe (PID 2484; command line: C:\Windows\system32\Nijcgp32.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
24. C:\Windows\SysWOW64\Nfppfcmj.exe (PID 1728; command line: C:\Windows\system32\Nfppfcmj.exe)
   - Executes dropped EXE
   - Loads dropped DLL
25. C:\Windows\SysWOW64\Npieoi32.exe (PID 328; command line: C:\Windows\system32\Npieoi32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
26. C:\Windows\SysWOW64\Nlabjj32.exe (PID 1516; command line: C:\Windows\system32\Nlabjj32.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
27. C:\Windows\SysWOW64\Oldooi32.exe (PID 2056; command line: C:\Windows\system32\Oldooi32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
28. C:\Windows\SysWOW64\Omhhma32.exe (PID 2952; command line: C:\Windows\system32\Omhhma32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
29. C:\Windows\SysWOW64\Ojlife32.exe (PID 2876; command line: C:\Windows\system32\Ojlife32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
30. C:\Windows\SysWOW64\Ojnelefl.exe (PID 2748; command line: C:\Windows\system32\Ojnelefl.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
31. C:\Windows\SysWOW64\Pejcab32.exe (PID 2904; command line: C:\Windows\system32\Pejcab32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
32. C:\Windows\SysWOW64\Pdamhocm.exe (PID 2848; command line: C:\Windows\system32\Pdamhocm.exe)
   - Executes dropped EXE
   - Loads dropped DLL
33. C:\Windows\SysWOW64\Pogaeg32.exe (PID 2800; command line: C:\Windows\system32\Pogaeg32.exe)
   - Executes dropped EXE
34. C:\Windows\SysWOW64\Qajfmbna.exe (PID 2248; command line: C:\Windows\system32\Qajfmbna.exe)
   - Executes dropped EXE
   - Modifies registry class
35. C:\Windows\SysWOW64\Qiekadkl.exe (PID 2824; command line: C:\Windows\system32\Qiekadkl.exe)
   - Executes dropped EXE
36. C:\Windows\SysWOW64\Ajghgd32.exe (PID 3052; command line: C:\Windows\system32\Ajghgd32.exe)
   - Executes dropped EXE
37. C:\Windows\SysWOW64\Ajlabc32.exe (PID 2816; command line: C:\Windows\system32\Ajlabc32.exe)
   - Executes dropped EXE
38. C:\Windows\SysWOW64\Bnqcaffa.exe (PID 2416; command line: C:\Windows\system32\Bnqcaffa.exe)
   - Executes dropped EXE
39. C:\Windows\SysWOW64\Bkddjkej.exe (PID 2392; command line: C:\Windows\system32\Bkddjkej.exe)
   - Executes dropped EXE
40. C:\Windows\SysWOW64\Bdoeipjh.exe (PID 2368; command line: C:\Windows\system32\Bdoeipjh.exe)
   - Executes dropped EXE
41. C:\Windows\SysWOW64\Bqffna32.exe (PID 2352; command line: C:\Windows\system32\Bqffna32.exe)
   - Executes dropped EXE
   - Drops file in System32 directory
42. C:\Windows\SysWOW64\Bjnjfffm.exe (PID 2076; command line: C:\Windows\system32\Bjnjfffm.exe)
   - Executes dropped EXE
43. C:\Windows\SysWOW64\Ckbccnji.exe (PID 112; command line: C:\Windows\system32\Ckbccnji.exe)
   - Executes dropped EXE
44. C:\Windows\SysWOW64\Copljmpo.exe (PID 1868; command line: C:\Windows\system32\Copljmpo.exe)
   - Executes dropped EXE
45. C:\Windows\SysWOW64\Cihqbb32.exe (PID 2296; command line: C:\Windows\system32\Cihqbb32.exe)
   - Executes dropped EXE
46. C:\Windows\SysWOW64\Ciknhb32.exe (PID 1912; command line: C:\Windows\system32\Ciknhb32.exe)
   - Executes dropped EXE
47. C:\Windows\SysWOW64\Cjngej32.exe (PID 1092; command line: C:\Windows\system32\Cjngej32.exe)
   - Executes dropped EXE
48. C:\Windows\SysWOW64\Dpmlcpdm.exe (PID 1480; command line: C:\Windows\system32\Dpmlcpdm.exe)
   - Executes dropped EXE
49. C:\Windows\SysWOW64\Dihmae32.exe (PID 1628; command line: C:\Windows\system32\Dihmae32.exe)
   - Executes dropped EXE
50. C:\Windows\SysWOW64\Ehpgha32.exe (PID 3020; command line: C:\Windows\system32\Ehpgha32.exe)
   - Executes dropped EXE
   - Drops file in System32 directory
51. C:\Windows\SysWOW64\Eiocbd32.exe (PID 792; command line: C:\Windows\system32\Eiocbd32.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
52. C:\Windows\SysWOW64\Emailhfb.exe (PID 2888; command line: C:\Windows\system32\Emailhfb.exe)
   - Executes dropped EXE
   - Drops file in System32 directory
53. C:\Windows\SysWOW64\Eaoaafli.exe (PID 2760; command line: C:\Windows\system32\Eaoaafli.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
54. C:\Windows\SysWOW64\Fdpjcaij.exe (PID 2720; command line: C:\Windows\system32\Fdpjcaij.exe)
   - Executes dropped EXE
   - Drops file in System32 directory
55. C:\Windows\SysWOW64\Fpihnbmk.exe (PID 2776; command line: C:\Windows\system32\Fpihnbmk.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
56. C:\Windows\SysWOW64\Fefpfi32.exe (PID 2764; command line: C:\Windows\system32\Fefpfi32.exe)
   - Executes dropped EXE
57. C:\Windows\SysWOW64\Fehmlh32.exe (PID 2536; command line: C:\Windows\system32\Fehmlh32.exe)
   - Executes dropped EXE
58. C:\Windows\SysWOW64\Fclmem32.exe (PID 2172; command line: C:\Windows\system32\Fclmem32.exe)
   - Executes dropped EXE
59. C:\Windows\SysWOW64\Gaajfi32.exe (PID 2400; command line: C:\Windows\system32\Gaajfi32.exe)
   - Executes dropped EXE
   - Drops file in System32 directory
60. C:\Windows\SysWOW64\Gkiooocb.exe (PID 2372; command line: C:\Windows\system32\Gkiooocb.exe)
   - Executes dropped EXE
61. C:\Windows\SysWOW64\Gjolpkhj.exe (PID 2644; command line: C:\Windows\system32\Gjolpkhj.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
62. C:\Windows\SysWOW64\Glpdbfek.exe (PID 1680; command line: C:\Windows\system32\Glpdbfek.exe)
   - Executes dropped EXE
   - Modifies registry class
63. C:\Windows\SysWOW64\Gnoaliln.exe (PID 2112; command line: C:\Windows\system32\Gnoaliln.exe)
   - Executes dropped EXE
64. C:\Windows\SysWOW64\Hfjfpkji.exe (PID 2516; command line: C:\Windows\system32\Hfjfpkji.exe)
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
65. C:\Windows\SysWOW64\Hcnfjpib.exe (PID 1804; command line: C:\Windows\system32\Hcnfjpib.exe)
   - Executes dropped EXE
   - Modifies registry class
66. C:\Windows\SysWOW64\Hmfkbeoc.exe (PID 2008; command line: C:\Windows\system32\Hmfkbeoc.exe)
67. C:\Windows\SysWOW64\Hdapggln.exe (PID 1780; command line: C:\Windows\system32\Hdapggln.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - System Location Discovery: System Language Discovery
   - Modifies registry class
68. C:\Windows\SysWOW64\Hfalaj32.exe (PID 740; command line: C:\Windows\system32\Hfalaj32.exe)
   - Drops file in System32 directory
   - Modifies registry class
69. C:\Windows\SysWOW64\Hbhmfk32.exe (PID 1180; command line: C:\Windows\system32\Hbhmfk32.exe)
70. C:\Windows\SysWOW64\Hjcajn32.exe (PID 2268; command line: C:\Windows\system32\Hjcajn32.exe)
71. C:\Windows\SysWOW64\Ijenpn32.exe (PID 1860; command line: C:\Windows\system32\Ijenpn32.exe)
72. C:\Windows\SysWOW64\Igioiacg.exe (PID 1084; command line: C:\Windows\system32\Igioiacg.exe)
   - System Location Discovery: System Language Discovery
73. C:\Windows\SysWOW64\Iglkoaad.exe (PID 2740; command line: C:\Windows\system32\Iglkoaad.exe)
74. C:\Windows\SysWOW64\Ifahpnfl.exe (PID 2704; command line: C:\Windows\system32\Ifahpnfl.exe)
75. C:\Windows\SysWOW64\Jiaaaicm.exe (PID 1496; command line: C:\Windows\system32\Jiaaaicm.exe)
76. C:\Windows\SysWOW64\Jbjejojn.exe (PID 2348; command line: C:\Windows\system32\Jbjejojn.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Drops file in System32 directory
77. C:\Windows\SysWOW64\Jnafop32.exe (PID 1340; command line: C:\Windows\system32\Jnafop32.exe)
78. C:\Windows\SysWOW64\Jjhgdqef.exe (PID 2300; command line: C:\Windows\system32\Jjhgdqef.exe)
   - Modifies registry class
79. C:\Windows\SysWOW64\Jhlgnd32.exe (PID 1224; command line: C:\Windows\system32\Jhlgnd32.exe)
   - System Location Discovery: System Language Discovery
80. C:\Windows\SysWOW64\Jafilj32.exe (PID 2088; command line: C:\Windows\system32\Jafilj32.exe)
81. C:\Windows\SysWOW64\Kkomepon.exe (PID 1564; command line: C:\Windows\system32\Kkomepon.exe)
82. C:\Windows\SysWOW64\Kdincdcl.exe (PID 1284; command line: C:\Windows\system32\Kdincdcl.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
83. C:\Windows\SysWOW64\Kmbclj32.exe (PID 2256; command line: C:\Windows\system32\Kmbclj32.exe)
84. C:\Windows\SysWOW64\Kemgqm32.exe (PID 1732; command line: C:\Windows\system32\Kemgqm32.exe)
   - System Location Discovery: System Language Discovery
85. C:\Windows\SysWOW64\Khnqbhdi.exe (PID 1044; command line: C:\Windows\system32\Khnqbhdi.exe)
86. C:\Windows\SysWOW64\Leaallcb.exe (PID 944; command line: C:\Windows\system32\Leaallcb.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
87. C:\Windows\SysWOW64\Ldgnmhhj.exe (PID 1600; command line: C:\Windows\system32\Ldgnmhhj.exe)
88. C:\Windows\SysWOW64\Lpnobi32.exe (PID 1604; command line: C:\Windows\system32\Lpnobi32.exe)
89. C:\Windows\SysWOW64\Lamkllea.exe (PID 2752; command line: C:\Windows\system32\Lamkllea.exe)
90. C:\Windows\SysWOW64\Ljhppo32.exe (PID 1388; command line: C:\Windows\system32\Ljhppo32.exe)
91. C:\Windows\SysWOW64\Mnfhfmhc.exe (PID 1668; command line: C:\Windows\system32\Mnfhfmhc.exe)
92. C:\Windows\SysWOW64\Mmpobi32.exe (PID 1240; command line: C:\Windows\system32\Mmpobi32.exe)
93. C:\Windows\SysWOW64\Mfhcknpf.exe (PID 3060; command line: C:\Windows\system32\Mfhcknpf.exe)
94. C:\Windows\SysWOW64\Nnfeep32.exe (PID 1824; command line: C:\Windows\system32\Nnfeep32.exe)
95. C:\Windows\SysWOW64\Nkjeod32.exe (PID 2080; command line: C:\Windows\system32\Nkjeod32.exe)
96. C:\Windows\SysWOW64\Ncejcg32.exe (PID 2684; command line: C:\Windows\system32\Ncejcg32.exe)
   - Drops file in System32 directory
97. C:\Windows\SysWOW64\Ngcbie32.exe (PID 1304; command line: C:\Windows\system32\Ngcbie32.exe)
   - System Location Discovery: System Language Discovery
98. C:\Windows\SysWOW64\Ncjcnfcn.exe (PID 1508; command line: C:\Windows\system32\Ncjcnfcn.exe)
99. C:\Windows\SysWOW64\Ombhgljn.exe (PID 1248; command line: C:\Windows\system32\Ombhgljn.exe)
   - System Location Discovery: System Language Discovery
100. C:\Windows\SysWOW64\Ofklpa32.exe (PID 1992; command line: C:\Windows\system32\Ofklpa32.exe)
101. C:\Windows\SysWOW64\Opcaiggo.exe (PID 2436; command line: C:\Windows\system32\Opcaiggo.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
102. C:\Windows\SysWOW64\Oljanhmc.exe (PID 2512; command line: C:\Windows\system32\Oljanhmc.exe)
103. C:\Windows\SysWOW64\Obdjjb32.exe (PID 2936; command line: C:\Windows\system32\Obdjjb32.exe)
104. C:\Windows\SysWOW64\Obffpa32.exe (PID 2784; command line: C:\Windows\system32\Obffpa32.exe)
105. C:\Windows\SysWOW64\Onmgeb32.exe (PID 540; command line: C:\Windows\system32\Onmgeb32.exe)
106. C:\Windows\SysWOW64\Pegpamoo.exe (PID 1264; command line: C:\Windows\system32\Pegpamoo.exe)
   - Drops file in System32 directory
107. C:\Windows\SysWOW64\Pmbdfolj.exe (PID 304; command line: C:\Windows\system32\Pmbdfolj.exe)
   - Drops file in System32 directory
108. C:\Windows\SysWOW64\Pfjiod32.exe (PID 3036; command line: C:\Windows\system32\Pfjiod32.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
109. C:\Windows\SysWOW64\Pjhaec32.exe (PID 1588; command line: C:\Windows\system32\Pjhaec32.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
110. C:\Windows\SysWOW64\Pdqfnhpa.exe (PID 1796; command line: C:\Windows\system32\Pdqfnhpa.exe)
111. C:\Windows\SysWOW64\Pojgnf32.exe (PID 2680; command line: C:\Windows\system32\Pojgnf32.exe)
112. C:\Windows\SysWOW64\Qlnghj32.exe (PID 2628; command line: C:\Windows\system32\Qlnghj32.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
113. C:\Windows\SysWOW64\Qbhpddbf.exe (PID 1004; command line: C:\Windows\system32\Qbhpddbf.exe)
   - Modifies registry class
114. C:\Windows\SysWOW64\Qlqdmj32.exe (PID 1488; command line: C:\Windows\system32\Qlqdmj32.exe)
115. C:\Windows\SysWOW64\Ahgdbk32.exe (PID 2072; command line: C:\Windows\system32\Ahgdbk32.exe)
   - Drops file in System32 directory
116. C:\Windows\SysWOW64\Akhndf32.exe (PID 2728; command line: C:\Windows\system32\Akhndf32.exe)
   - Drops file in System32 directory
   - Modifies registry class
117. C:\Windows\SysWOW64\Aimkeb32.exe (PID 288; command line: C:\Windows\system32\Aimkeb32.exe)
118. C:\Windows\SysWOW64\Adekhkng.exe (PID 2828; command line: C:\Windows\system32\Adekhkng.exe)
   - System Location Discovery: System Language Discovery
119. C:\Windows\SysWOW64\Ajbdpblo.exe (PID 2320; command line: C:\Windows\system32\Ajbdpblo.exe)
120. C:\Windows\SysWOW64\Bfkakbpp.exe (PID 2676; command line: C:\Windows\system32\Bfkakbpp.exe)
   - Drops file in System32 directory
121. C:\Windows\SysWOW64\Bohoogbk.exe (PID 1528; command line: C:\Windows\system32\Bohoogbk.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
122. C:\Windows\SysWOW64\Bhqdgm32.exe (PID 1008; command line: C:\Windows\system32\Bhqdgm32.exe)