Analysis
Max time kernel: 119s
Max time network: 121s
Platform: windows7_x64
Resource: win7-20241023-en
Resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
Submitted: 10-11-2024 01:10
Static task: static1
Behavioral task: behavioral1
Sample: a1aed8b3aae5cf1a1eb10f9adc667b1abceb2db40178e0a1f418f3984d6d34d6.exe
Resource: win7-20241023-en
Behavioral task: behavioral2
Sample: a1aed8b3aae5cf1a1eb10f9adc667b1abceb2db40178e0a1f418f3984d6d34d6.exe
Resource: win10v2004-20241007-en
General
Target: a1aed8b3aae5cf1a1eb10f9adc667b1abceb2db40178e0a1f418f3984d6d34d6.exe
Size: 768KB
MD5: fd440a37c4ee029aa6542c8290da961e
SHA1: 2367ed4037ac6b5c05522e0b1e5e711c7c99eddd
SHA256: a1aed8b3aae5cf1a1eb10f9adc667b1abceb2db40178e0a1f418f3984d6d34d6
SHA512: 8d514d47578b1318dbdcc753ed2a22b41991088b2bcc9300b5914695c9aac6a39043d84740297c36ee56c21c8e25e3e2891c176e135d63f5c0c5118e23a1601d
SSDEEP: 12288:ejAadXHaINIVyeNIVy2oIvPKiK13fS2hEYM9RIPqcNaAarJWw6j0dFZg0ZktGb:ejHdXHfNIVyeNIVy2jU13fS2hEYM9RIs
Malware Config
Extracted family: berbew
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Berbew family

Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid: 6124, target pid: 3616
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoobfoke.dll" Aficjnpm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnobnc32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Clpabm32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes: a1aed8b3aae5cf1a1eb10f9adc667b1abceb2db40178e0a1f418f3984d6d34d6.exe, Depbfhpe.exe, Dedlag32.exe, Ehgbhbgn.exe, Egokonjc.exe, Enkpahon.exe, Ffkoai32.exe, Fnipkkdl.exe, Fkmqdpce.exe, Gpcoib32.exe, Hphidanj.exe, Heealhla.exe, Hndlem32.exe, Ihmpobck.exe, Ioakoq32.exe, Jaeafklf.exe
description | pid | process | target process | times logged
PID 2416 wrote to memory of 2144 | 2416 | a1aed8b3aae5cf1a1eb10f9adc667b1abceb2db40178e0a1f418f3984d6d34d6.exe | Depbfhpe.exe | 4
PID 2144 wrote to memory of 1972 | 2144 | Depbfhpe.exe | Dedlag32.exe | 4
PID 1972 wrote to memory of 2120 | 1972 | Dedlag32.exe | Ehgbhbgn.exe | 4
PID 2120 wrote to memory of 2816 | 2120 | Ehgbhbgn.exe | Egokonjc.exe | 4
PID 2816 wrote to memory of 2896 | 2816 | Egokonjc.exe | Enkpahon.exe | 4
PID 2896 wrote to memory of 2908 | 2896 | Enkpahon.exe | Ffkoai32.exe | 4
PID 2908 wrote to memory of 324 | 2908 | Ffkoai32.exe | Fnipkkdl.exe | 4
PID 324 wrote to memory of 700 | 324 | Fnipkkdl.exe | Fkmqdpce.exe | 4
PID 700 wrote to memory of 476 | 700 | Fkmqdpce.exe | Gpcoib32.exe | 4
PID 476 wrote to memory of 2608 | 476 | Gpcoib32.exe | Hphidanj.exe | 4
PID 2608 wrote to memory of 1032 | 2608 | Hphidanj.exe | Heealhla.exe | 4
PID 1032 wrote to memory of 636 | 1032 | Heealhla.exe | Hndlem32.exe | 4
PID 636 wrote to memory of 2452 | 636 | Hndlem32.exe | Ihmpobck.exe | 4
PID 2452 wrote to memory of 2060 | 2452 | Ihmpobck.exe | Ioakoq32.exe | 4
PID 2060 wrote to memory of 2168 | 2060 | Ioakoq32.exe | Jaeafklf.exe | 4
PID 2168 wrote to memory of 2260 | 2168 | Jaeafklf.exe | Jaijak32.exe | 4
The 64 IoCs are these 16 parent-to-child writes, each logged four times. Every writer is the immediate parent of its target and every target is the next process in the chain, which is consistent with each stage writing into the child it has just created rather than injecting into an unrelated process.
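The registry events and the WriteProcessMemory table above are exported as one run-on line each, which is how most analysts receive them. The following Python is an added triage helper, not code from the sandbox report or its vendor: it parses both formats, reduces the registry events to the CLSID, the in-process server DLLs and the writing processes, collapses the repeated write events into the parent-to-child spawn chain, and emits the reg.exe queries that would check a host for the same registration. The sample inputs are constructed from a few of the report's own entries, and all function names are mine.

```python
"""Triage helpers for the flattened event log of this sandbox report.

Added example, not code from the sandbox report or its vendor. It parses
the two event formats the exported page runs together on one line
(registry key/value events and "PID X wrote to memory of Y" events) and
reduces them to indicators an analyst can act on. The sample inputs at
the bottom are constructed from a handful of the report's own entries.
"""
import re
from collections import Counter, OrderedDict

# Split wherever an action keyword starts a new registry event.
ACTION_START = re.compile(r'(?=(?:Key created|Set value \(str\))\s+\\REGISTRY\\)')
REG_EVENT = re.compile(
    r'^(?P<action>Key created|Set value \(str\))\s+(?P<path>\\REGISTRY\\[^\s=]+)'
    r'(?:\s*=\s*"(?P<data>[^"]*)")?'      # data is present only for "Set value"
    r'(?:\s+(?P<proc>\S+\.exe))?\s*$'     # the writing process is not always recorded
)
GUID = re.compile(r'\{[0-9A-Fa-f-]{36}\}')
WPM_EVENT = re.compile(r'PID (?P<ppid>\d+) wrote to memory of (?P<cpid>\d+) '
                       r'(?P=ppid) (?P<parent>\S+) (?P<child>\S+)')


def parse_registry_events(text):
    """Return (events, unparsed); unparsed counts chunks that match no event."""
    events, unparsed = [], 0
    for chunk in ACTION_START.split(text):
        if not chunk.strip():
            continue
        m = REG_EVENT.match(chunk)
        if m is None:            # e.g. a fragment whose action was cut off by a page break
            unparsed += 1
            continue
        if m['action'] == 'Key created':
            key, value = m['path'], None
        else:
            key, _, value = m['path'].rpartition('\\')
            value = value or '(Default)'   # "InProcServer32\ = ..." sets the default value
        data = None if m['data'] is None else m['data'].replace('\\\\', '\\')
        events.append({'action': m['action'], 'key': key, 'value': value,
                       'data': data, 'proc': m['proc']})
    return events, unparsed


def summarize_registry(text):
    """Reduce the registry events to the few facts worth checking on a host."""
    events, unparsed = parse_registry_events(text)
    s = {'events': len(events), 'unparsed': unparsed, 'clsids': set(), 'keys': set(),
         'inproc_dlls': set(), 'threading_models': set(), 'writers': Counter()}
    for ev in events:
        s['keys'].add(ev['key'])
        s['clsids'].update(GUID.findall(ev['key']))
        if ev['proc']:
            s['writers'][ev['proc']] += 1
        if ev['value'] == '(Default)' and ev['key'].endswith('\\InProcServer32'):
            s['inproc_dlls'].add(ev['data'])          # the COM server a client would load
        elif ev['value'] == 'ThreadingModel':
            s['threading_models'].add(ev['data'])
    return s


def host_check_commands(summary):
    """reg.exe queries for the default value of every InProcServer32 key seen."""
    return ['reg query "%s" /ve' % key.replace('\\REGISTRY\\MACHINE\\', 'HKLM\\', 1)
            for key in sorted(summary['keys'])]


def wpm_chain(text):
    """Collapse repeated write events into parent -> child pairs with a count each."""
    chain = OrderedDict()
    for m in WPM_EVENT.finditer(text):
        key = (int(m['ppid']), m['parent'], int(m['cpid']), m['child'])
        chain[key] = chain.get(key, 0) + 1
    return [k + (n,) for k, n in chain.items()]


def is_linear_chain(chain):
    """True when each target is the writer of the next event: one long spawn chain."""
    return all(a[2] == b[0] and a[3] == b[1] for a, b in zip(chain, chain[1:]))


def spawn_order(chain):
    """Process names in the order they were spawned."""
    return ([chain[0][1]] if chain else []) + [ev[3] for ev in chain]


# Constructed inputs: a few of the report's entries, run together as exported.
CLSID_KEY = (r'\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID'
             r'\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32')
REGISTRY_SAMPLE = (
    CLSID_KEY + ' Lblcfnhj.exe '                       # leading fragment, action cut off
    + 'Key created ' + CLSID_KEY + ' Mclgklel.exe '
    + 'Set value (str) ' + CLSID_KEY + r'\ThreadingModel = "Apartment" Ijdppm32.exe '
    + 'Set value (str) ' + CLSID_KEY + r'\ = "C:\\Windows\\SysWow64\\Ndmdqcnk.dll" Okkddd32.exe '
    + 'Set value (str) ' + CLSID_KEY + r'\ThreadingModel = "Apartment" '
    + 'Set value (str) ' + CLSID_KEY + r'\ = "C:\\Windows\\SysWow64\\Qddkfopf.dll" Felekcop.exe '
    + 'Key created ' + CLSID_KEY
)
ROOT = 'a1aed8b3aae5cf1a1eb10f9adc667b1abceb2db40178e0a1f418f3984d6d34d6.exe'
WPM_SAMPLE = (
    'description pid process target process '
    + ('PID 2416 wrote to memory of 2144 2416 %s Depbfhpe.exe ' % ROOT) * 4
    + 'PID 2144 wrote to memory of 1972 2144 Depbfhpe.exe Dedlag32.exe ' * 4
    + 'PID 1972 wrote to memory of 2120 1972 Dedlag32.exe Ehgbhbgn.exe ' * 4
)

if __name__ == '__main__':
    s = summarize_registry(REGISTRY_SAMPLE)
    print(s['clsids'], sorted(s['inproc_dlls']), dict(s['writers']), 'unparsed:', s['unparsed'])
    print('\n'.join(host_check_commands(s)))
    chain = wpm_chain(WPM_SAMPLE)
    print(' -> '.join(spawn_order(chain)), 'linear:', is_linear_chain(chain))
```

The fragment whose action is cut off at the section boundary is counted as unparsed rather than guessed at. On a live host the generated `reg query ... /ve` shows which DLL is registered as the in-process server right now, which is the DLL from the last write; the other DLL names from the report remain file indicators to sweep SysWOW64 for.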
Processes
-
Each process below is the direct child of the one above it (level = nesting depth in the tree). For levels 2 to 122 the image is C:\Windows\SysWOW64\<name> and the recorded command line is C:\Windows\system32\<name>: the dropped executables are 32-bit, so their reference to system32 is redirected by WOW64 file-system redirection to SysWOW64 on this x64 guest, which is where the files actually live.
level | image | PID | signatures
1 | C:\Users\Admin\AppData\Local\Temp\a1aed8b3aae5cf1a1eb10f9adc667b1abceb2db40178e0a1f418f3984d6d34d6.exe (command line "C:\Users\Admin\AppData\Local\Temp\a1aed8b3aae5cf1a1eb10f9adc667b1abceb2db40178e0a1f418f3984d6d34d6.exe") | 2416 | Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
2 | Depbfhpe.exe | 2144 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
3 | Dedlag32.exe | 1972 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
4 | Ehgbhbgn.exe | 2120 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
5 | Egokonjc.exe | 2816 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
6 | Enkpahon.exe | 2896 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
7 | Ffkoai32.exe | 2908 | Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
8 | Fnipkkdl.exe | 324 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
9 | Fkmqdpce.exe | 700 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
10 | Gpcoib32.exe | 476 | Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
11 | Hphidanj.exe | 2608 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
12 | Heealhla.exe | 1032 | Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
13 | Hndlem32.exe | 636 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
14 | Ihmpobck.exe | 2452 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
15 | Ioakoq32.exe | 2060 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
16 | Jaeafklf.exe | 2168 | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
17 | Jaijak32.exe | 2260 | Executes dropped EXE; Loads dropped DLL
18 | Jdhgnf32.exe | 1080 | Executes dropped EXE; Loads dropped DLL; Modifies registry class
19 | Jkbojpna.exe | 620 | Executes dropped EXE; Loads dropped DLL
20 | Jnpkflne.exe | 1692 | Executes dropped EXE; Loads dropped DLL
21 | Kcmcoblm.exe | 904 | Executes dropped EXE; Loads dropped DLL
22 | Klehgh32.exe | 2228 | Executes dropped EXE; Loads dropped DLL
23 | Kcopdb32.exe | 548 | Executes dropped EXE; Loads dropped DLL
24 | Kfnmpn32.exe | 2524 | Executes dropped EXE; Loads dropped DLL
25 | Khlili32.exe | 2676 | Executes dropped EXE; Loads dropped DLL
26 | Kofaicon.exe | 1280 | Executes dropped EXE
27 | Kbdmeoob.exe | 1628 | Loads dropped DLL; Modifies registry class
28 | Kljabgnh.exe | 1760 | Executes dropped EXE; Loads dropped DLL
29 | Kbgjkn32.exe | 624 | Executes dropped EXE; Loads dropped DLL
30 | Kdefgj32.exe | 2500 | Executes dropped EXE; Loads dropped DLL
31 | Kkoncdcp.exe | 2716 | Executes dropped EXE; Loads dropped DLL
32 | Knnkpobc.exe | 2732 | Executes dropped EXE; Loads dropped DLL
33 | Kgfoie32.exe | 2972 | Executes dropped EXE; Loads dropped DLL
34 | Lblcfnhj.exe | 2340 | Executes dropped EXE; Modifies registry class
35 | Lghlndfa.exe | 2984 | Executes dropped EXE
36 | Ldllgiek.exe | 796 | Executes dropped EXE; Drops file in System32 directory
37 | Lneaqn32.exe | 568 | Executes dropped EXE
38 | Lcaiiejc.exe | 1944 | Executes dropped EXE
39 | Lfpeeqig.exe | 2028 | Executes dropped EXE
40 | Lmjnak32.exe | 2460 | Executes dropped EXE
41 | Lcdfnehp.exe | 2276 | Executes dropped EXE
42 | Lmljgj32.exe | 2180 | Executes dropped EXE
43 | Lbicoamh.exe | 836 | Executes dropped EXE
44 | Mmogmjmn.exe | 1636 | Executes dropped EXE
45 | Mbkpeake.exe | 2456 | Executes dropped EXE; System Location Discovery: System Language Discovery
46 | Miehak32.exe | 1708 | Executes dropped EXE
47 | Mpopnejo.exe | 2192 | Executes dropped EXE; Drops file in System32 directory
48 | Mfihkoal.exe | 1332 | Executes dropped EXE
49 | Mihdgkpp.exe | 1512 | Executes dropped EXE
50 | Mlfacfpc.exe | 2800 | Executes dropped EXE
51 | Mbpipp32.exe | 2964 | Executes dropped EXE
52 | Mijamjnm.exe | 2920 | Executes dropped EXE
53 | Mjkndb32.exe | 2752 | Executes dropped EXE; Drops file in System32 directory
54 | Mbbfep32.exe | 1492 | Executes dropped EXE
55 | Mhonngce.exe | 2888 | Executes dropped EXE
56 | Nmlgfnal.exe | 3052 | Executes dropped EXE
57 | Nhakcfab.exe | 2040 | Executes dropped EXE
58 | Nmnclmoj.exe | 1780 | Executes dropped EXE
59 | Ndhlhg32.exe | 1448 | Executes dropped EXE
60 | Nfghdcfj.exe | 2116 | Executes dropped EXE
61 | Nmqpam32.exe | 768 | Executes dropped EXE
62 | Ndkhngdd.exe | 1576 | Executes dropped EXE
63 | Nfidjbdg.exe | 2532 | Executes dropped EXE
64 | Nmcmgm32.exe | 1776 | Executes dropped EXE
65 | Npaich32.exe | 1888 | Executes dropped EXE
66 | Nfkapb32.exe | 2892 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
67 | Nijnln32.exe | 3060 |
68 | Npdfhhhe.exe | 2924 |
69 | Nfnneb32.exe | 1868 |
70 | Ohojmjep.exe | 592 |
71 | Opfbngfb.exe | 776 |
72 | Obdojcef.exe | 964 |
73 | Oioggmmc.exe | 2656 |
74 | Olmcchlg.exe | 316 |
75 | Ookpodkj.exe | 1568 |
76 | Oeehln32.exe | 2448 |
77 | Ohcdhi32.exe | 1984 |
78 | Oonldcih.exe | 2176 |
79 | Oalhqohl.exe | 1040 |
80 | Odjdmjgo.exe | 2736 |
81 | Ogiaif32.exe | 2840 |
82 | Omcifpnp.exe | 2036 |
83 | Opaebkmc.exe | 2440 | Modifies registry class
84 | Ogknoe32.exe | 2596 |
85 | Okgjodmi.exe | 1836 | Adds autorun key to be loaded by Explorer.exe on startup
86 | Oaqbln32.exe | 320 |
87 | Pcbncfjd.exe | 356 |
88 | Pkifdd32.exe | 916 |
89 | Pdakniag.exe | 3036 |
90 | Pincfpoo.exe | 908 |
91 | Poklngnf.exe | 2420 |
92 | Phcpgm32.exe | 2196 |
93 | Pciddedl.exe | 2136 |
94 | Phfmllbd.exe | 2712 |
95 | Pckajebj.exe | 1596 |
96 | Phhjblpa.exe | 2572 |
97 | Qnebjc32.exe | 1604 |
98 | Qgmfchei.exe | 1524 |
99 | Qqfkln32.exe | 2744 |
100 | Akkoig32.exe | 348 |
101 | Aqhhanig.exe | 2980 |
102 | Aknlofim.exe | 1732 |
103 | Aqjdgmgd.exe | 2236 |
104 | Afgmodel.exe | 2008 | System Location Discovery: System Language Discovery
105 | Aqmamm32.exe | 2932 |
106 | Aggiigmn.exe | 2288 |
107 | Ajeeeblb.exe | 2336 |
108 | Aobnniji.exe | 2328 |
109 | Aflfjc32.exe | 1796 |
110 | Amfognic.exe | 2684 |
111 | Aodkci32.exe | 1328 |
112 | Bfncpcoc.exe | 2720 | Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
113 | Bimoloog.exe | 2536 |
114 | Bofgii32.exe | 2376 |
115 | Bfqpecma.exe | 1088 |
116 | Biolanld.exe | 1376 |
117 | Bkmhnjlh.exe | 2280 |
118 | Bnldjekl.exe | 1668 |
119 | Bajqfq32.exe | 1832 |
120 | Biaign32.exe | 344 |
121 | Bjbeofpp.exe | 2996 | Adds autorun key to be loaded by Explorer.exe on startup
122 | Bbjmpcab.exe | 1128 |