Analysis
max time kernel: 63s
max time network: 16s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 10-11-2024 01:52
Static task: static1
Behavioral task: behavioral1
  Sample: 19015693b1bf8ec48ac83181a12614d047cf80f2a565f8cbd488c2671f207f84N.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: 19015693b1bf8ec48ac83181a12614d047cf80f2a565f8cbd488c2671f207f84N.exe
  Resource: win10v2004-20241007-en
General
Target: 19015693b1bf8ec48ac83181a12614d047cf80f2a565f8cbd488c2671f207f84N.exe
Size: 320KB
MD5: e0902c86f393b4c6cfd478b5a94b1650
SHA1: 4535966ef19d6360fcf29e814cf8641c03bcba46
SHA256: 19015693b1bf8ec48ac83181a12614d047cf80f2a565f8cbd488c2671f207f84
SHA512: 8baaf78d7d055fbd5e7b580c37cc44ec6a8573de56b3bb5c9df9849e09f11891fdb0004b9c68e733bbd3138f563418c5312c2908d9389df7a75b66df3235852e
SSDEEP: 6144:R5xcC90cvlNY/m05XUEtMEX6vluZV4U/vlf0DrBqvl8ZV4U/vlfl+9Q:Rxicvmm05XEvG6IveDVqvQ6IvP
Malware Config
Extracted config family: berbew
C2 URLs:
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fnafdc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ninjjf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gngfjicn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ljjhdm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pmiikipg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gpjilj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hengep32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hibidc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mnkfcjqe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kmhhae32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lamjph32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cgobcd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ocfkaone.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Icdhnn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nmhqokcq.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pjofjm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jpeafo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Igkjcm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Laogfg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nickoldp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Okqgcb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ehinpnpm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hpfoboml.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mioeeifi.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kbkgig32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nlapaapg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kcngcp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lgiobadq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ipkema32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Miaaki32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bomhnb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kdqifajl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Enpdjfgj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aadakl32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Heijidbn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iciaim32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Poibmdmh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ecjibgdh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kmjaddii.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ljcbcngi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jbedkhie.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Biiiempl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gipqpplq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kmjaddii.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Edofbpja.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bbcjca32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lpapgnpb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jqfhqe32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kmoekf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kfgjdlme.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Laogfg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Npppaejj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Oklmhcdf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pmfmej32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fgcdlj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hiockd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iplnpq32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mdplfflp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qkelme32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cgobcd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dpdfemkm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Igbqdlea.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lcppgbjd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mpkjgckc.exe
Berbew family
Executes dropped EXE (64 IoCs)
pid | process
2892 | Bacefpbg.exe
2960 | Bdaabk32.exe
2840 | Biqfpb32.exe
2896 | Beggec32.exe
2756 | Cbkgog32.exe
2780 | Chhpgn32.exe
1556 | Ckiiiine.exe
2460 | Chmibmlo.exe
2244 | Ceqjla32.exe
2164 | Chofhm32.exe
2128 | Ckpoih32.exe
2520 | Dgfpni32.exe
1016 | Dcmpcjcf.exe
2196 | Dpaqmnap.exe
2088 | Dlhaaogd.exe
2544 | Dcbjni32.exe
1612 | Dfbbpd32.exe
1788 | Elmkmo32.exe
2228 | Ebicee32.exe
2040 | Edhpaa32.exe
984 | Enpdjfgj.exe
1684 | Ehfhgogp.exe
1504 | Ebnmpemq.exe
548 | Ecoihm32.exe
3024 | Emhnqbjo.exe
1680 | Edofbpja.exe
1156 | Engjkeab.exe
2224 | Fqffgapf.exe
2072 | Fmlglb32.exe
2760 | Fcfohlmg.exe
2748 | Fichqckn.exe
3052 | Fladmn32.exe
1180 | Fiedfb32.exe
1952 | Fldabn32.exe
2368 | Flfnhnfm.exe
2904 | Fpbihl32.exe
1760 | Gngfjicn.exe
1652 | Gbbbjg32.exe
1880 | Glkgcmbg.exe
2532 | Gjngoj32.exe
2108 | Gecklbih.exe
1616 | Gdflgo32.exe
1500 | Gfdhck32.exe
1704 | Gnlpeh32.exe
1472 | Gdihmo32.exe
1972 | Gfgdij32.exe
2440 | Gieaef32.exe
2180 | Gamifcmi.exe
2800 | Gfiaojkq.exe
2848 | Gmcikd32.exe
2740 | Gdmbhnjj.exe
2716 | Hflndjin.exe
2236 | Hmefad32.exe
1380 | Hlhfmqge.exe
1696 | Hbboiknb.exe
2804 | Heakefnf.exe
1924 | Hilgfe32.exe
532 | Hpfoboml.exe
2396 | Hiockd32.exe
2416 | Hlmphp32.exe
2776 | Holldk32.exe
1768 | Hajhpgag.exe
1876 | Hdhdlbpk.exe
1064 | Hkbmil32.exe
Loads dropped DLL (64 IoCs)
pid | process
1464 | 19015693b1bf8ec48ac83181a12614d047cf80f2a565f8cbd488c2671f207f84N.exe
1464 | 19015693b1bf8ec48ac83181a12614d047cf80f2a565f8cbd488c2671f207f84N.exe
2892 | Bacefpbg.exe
2892 | Bacefpbg.exe
2960 | Bdaabk32.exe
2960 | Bdaabk32.exe
2840 | Biqfpb32.exe
2840 | Biqfpb32.exe
2896 | Beggec32.exe
2896 | Beggec32.exe
2756 | Cbkgog32.exe
2756 | Cbkgog32.exe
2780 | Chhpgn32.exe
2780 | Chhpgn32.exe
1556 | Ckiiiine.exe
1556 | Ckiiiine.exe
2460 | Chmibmlo.exe
2460 | Chmibmlo.exe
2244 | Ceqjla32.exe
2244 | Ceqjla32.exe
2164 | Chofhm32.exe
2164 | Chofhm32.exe
2128 | Ckpoih32.exe
2128 | Ckpoih32.exe
2520 | Dgfpni32.exe
2520 | Dgfpni32.exe
1016 | Dcmpcjcf.exe
1016 | Dcmpcjcf.exe
2196 | Dpaqmnap.exe
2196 | Dpaqmnap.exe
2088 | Dlhaaogd.exe
2088 | Dlhaaogd.exe
2544 | Dcbjni32.exe
2544 | Dcbjni32.exe
1612 | Dfbbpd32.exe
1612 | Dfbbpd32.exe
1788 | Elmkmo32.exe
1788 | Elmkmo32.exe
2228 | Ebicee32.exe
2228 | Ebicee32.exe
2040 | Edhpaa32.exe
2040 | Edhpaa32.exe
984 | Enpdjfgj.exe
984 | Enpdjfgj.exe
1684 | Ehfhgogp.exe
1684 | Ehfhgogp.exe
1504 | Ebnmpemq.exe
1504 | Ebnmpemq.exe
548 | Ecoihm32.exe
548 | Ecoihm32.exe
3024 | Emhnqbjo.exe
3024 | Emhnqbjo.exe
1680 | Edofbpja.exe
1680 | Edofbpja.exe
1156 | Engjkeab.exe
1156 | Engjkeab.exe
2224 | Fqffgapf.exe
2224 | Fqffgapf.exe
2072 | Fmlglb32.exe
2072 | Fmlglb32.exe
2760 | Fcfohlmg.exe
2760 | Fcfohlmg.exe
2748 | Fichqckn.exe
2748 | Fichqckn.exe
Drops file in System32 directory (64 IoCs)
description | ioc | process
File created | C:\Windows\SysWOW64\Mmepgeck.dll | Bepjjn32.exe
File created | C:\Windows\SysWOW64\Dpimnjhm.dll | Dpdfemkm.exe
File opened for modification | C:\Windows\SysWOW64\Ogddhmdl.exe | Opjlkc32.exe
File opened for modification | C:\Windows\SysWOW64\Kjcedj32.exe | Kfgjdlme.exe
File created | C:\Windows\SysWOW64\Oipenooj.dll | Npiiafpa.exe
File created | C:\Windows\SysWOW64\Heknhioh.dll | Ngencpel.exe
File opened for modification | C:\Windows\SysWOW64\Ojfcdo32.exe | Oggghc32.exe
File opened for modification | C:\Windows\SysWOW64\Kkhdml32.exe | Kcamln32.exe
File opened for modification | C:\Windows\SysWOW64\Mlmjgnaa.exe | Mecbjd32.exe
File created | C:\Windows\SysWOW64\Mchokq32.exe | Meeopdhb.exe
File created | C:\Windows\SysWOW64\Gfanqcch.dll | Ebicee32.exe
File opened for modification | C:\Windows\SysWOW64\Idokma32.exe | Inebpgbf.exe
File opened for modification | C:\Windows\SysWOW64\Qekdpkgj.exe | Qbmhdp32.exe
File created | C:\Windows\SysWOW64\Kiodkmcc.dll | Qnciiq32.exe
File created | C:\Windows\SysWOW64\Jakjjcnd.exe | Jkabmi32.exe
File created | C:\Windows\SysWOW64\Acniaj32.dll | Jkabmi32.exe
File created | C:\Windows\SysWOW64\Iciaim32.exe | Ipkema32.exe
File created | C:\Windows\SysWOW64\Pakpllpl.dll | Ndgbgefh.exe
File opened for modification | C:\Windows\SysWOW64\Oemhjlha.exe | Ncnlnaim.exe
File opened for modification | C:\Windows\SysWOW64\Cdnjaibm.exe | Cmdaeo32.exe
File created | C:\Windows\SysWOW64\Hfdmhh32.exe | Hagepa32.exe
File created | C:\Windows\SysWOW64\Mffjmq32.dll | Jpqgkpcl.exe
File created | C:\Windows\SysWOW64\Lqgjkbop.exe | Kninog32.exe
File created | C:\Windows\SysWOW64\Mlmaad32.exe | Mioeeifi.exe
File opened for modification | C:\Windows\SysWOW64\Pdndggcl.exe | Pmfmej32.exe
File created | C:\Windows\SysWOW64\Jdpcdjii.dll | Akgibd32.exe
File created | C:\Windows\SysWOW64\Hingbldn.dll | Ehlkfn32.exe
File created | C:\Windows\SysWOW64\Ladpagin.exe | Ljjhdm32.exe
File created | C:\Windows\SysWOW64\Bfnihd32.dll | Maapjjml.exe
File created | C:\Windows\SysWOW64\Dhlogjko.exe | Dpdfemkm.exe
File created | C:\Windows\SysWOW64\Khcbpa32.exe | Jbijcgbc.exe
File opened for modification | C:\Windows\SysWOW64\Ckiiiine.exe | Chhpgn32.exe
File created | C:\Windows\SysWOW64\Edhpaa32.exe | Ebicee32.exe
File created | C:\Windows\SysWOW64\Pdglfeli.dll | Idbgbahq.exe
File created | C:\Windows\SysWOW64\Jddqgdii.exe | Jbedkhie.exe
File created | C:\Windows\SysWOW64\Icdhnn32.exe | Idbgbahq.exe
File created | C:\Windows\SysWOW64\Oqmokioh.exe | Okqgcb32.exe
File created | C:\Windows\SysWOW64\Knmmkb32.dll | Habkeacd.exe
File created | C:\Windows\SysWOW64\Khglkqfj.exe | Knbgnhfd.exe
File created | C:\Windows\SysWOW64\Pipjpj32.exe | Pfando32.exe
File opened for modification | C:\Windows\SysWOW64\Afecna32.exe | Acggbffj.exe
File created | C:\Windows\SysWOW64\Gkokcp32.dll | Jgnchplb.exe
File opened for modification | C:\Windows\SysWOW64\Hhjgll32.exe | Gapoob32.exe
File created | C:\Windows\SysWOW64\Hbfdeplh.dll | Oeegnj32.exe
File created | C:\Windows\SysWOW64\Pfando32.exe | Pogegeoj.exe
File created | C:\Windows\SysWOW64\Cikbjpqd.exe | Cbajme32.exe
File opened for modification | C:\Windows\SysWOW64\Cmfnjnin.exe | Cikbjpqd.exe
File created | C:\Windows\SysWOW64\Iebmpcjc.exe | Imkeneja.exe
File created | C:\Windows\SysWOW64\Ebicee32.exe | Elmkmo32.exe
File opened for modification | C:\Windows\SysWOW64\Flfnhnfm.exe | Fldabn32.exe
File created | C:\Windows\SysWOW64\Hadbbkpk.dll | Gapoob32.exe
File created | C:\Windows\SysWOW64\Knjdimdh.exe | Kmhhae32.exe
File created | C:\Windows\SysWOW64\Oddbqhkf.exe | Oafedmlb.exe
File created | C:\Windows\SysWOW64\Amkbpm32.exe | Akjfhdka.exe
File opened for modification | C:\Windows\SysWOW64\Hidfjckg.exe | Heijidbn.exe
File opened for modification | C:\Windows\SysWOW64\Dcmpcjcf.exe | Dgfpni32.exe
File created | C:\Windows\SysWOW64\Jllakpdk.exe | Jhqeka32.exe
File created | C:\Windows\SysWOW64\Opmhqc32.exe | Oegdcj32.exe
File opened for modification | C:\Windows\SysWOW64\Hdhnal32.exe | Hlqfqo32.exe
File created | C:\Windows\SysWOW64\Ehfhgogp.exe | Enpdjfgj.exe
File created | C:\Windows\SysWOW64\Jjqiok32.exe | Jknicnpf.exe
File opened for modification | C:\Windows\SysWOW64\Npiiafpa.exe | Nmjmekan.exe
File opened for modification | C:\Windows\SysWOW64\Nmmjjk32.exe | Nhpabdqd.exe
File opened for modification | C:\Windows\SysWOW64\Lfdbcing.exe | Lcffgnnc.exe
Program crash (1 IoC)
pid | pid_target | process | target process
5204 | 5164 | WerFault.exe | Ockdmn32.exe
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | each of the 64 processes listed below
Processes (in report order):
Dammoahg.exe, Hipmoc32.exe, Ihjcko32.exe, Jlghpa32.exe, Lpapgnpb.exe, Ogmngn32.exe, Elmkmo32.exe, Cdnjaibm.exe, Hagepa32.exe, Lkcgapjl.exe, Fqpbpo32.exe, Llbnnq32.exe, Bhnffi32.exe, Jgppmpjp.exe,
Gllpflng.exe, Fqffgapf.exe, Hpfoboml.exe, Lffohikd.exe, Lmfgkh32.exe, Pqplqile.exe, Eocfmh32.exe, Hhjgll32.exe, Hidfjckg.exe, Jkabmi32.exe, Lcppgbjd.exe, Chblqlcj.exe, Dhibakmb.exe, Iigcobid.exe, Magfjebk.exe, Bacefpbg.exe, Hdhdlbpk.exe, Bnhncclq.exe, Gipqpplq.exe, Mmcpjfcj.exe, Fpbihl32.exe, Oggghc32.exe, Jghcbjll.exe,
Kqcqpc32.exe, Pjofjm32.exe, Ghenamai.exe, Qonlhd32.exe, Ecjibgdh.exe, Hpoofm32.exe, Jbijcgbc.exe, Ocdnloph.exe, Ogddhmdl.exe, Olkjaflh.exe, Qidckjae.exe, Gnlpeh32.exe, Kikokf32.exe, 19015693b1bf8ec48ac83181a12614d047cf80f2a565f8cbd488c2671f207f84N.exe, Gfdhck32.exe, Bimbql32.exe, Fbiijb32.exe, Jfpmifoa.exe, Hflndjin.exe, Iciaim32.exe, Mfkebkjk.exe, Gdflgo32.exe, Fbfldc32.exe,
Nejdjf32.exe, Gfiaojkq.exe, Jjqiok32.exe, Hmefad32.exe
Modifies registry class (64 IoCs)
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fqffgapf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fcfohlmg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqdhbiml.dll" | Aakhkj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dnhgoa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhopbilb.dll" | Gnmihgkh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akljeqga.dll" | Mhfhaoec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kljppd32.dll" | Miaaki32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceicae32.dll" | Hhopgkin.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mlmjgnaa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gngfjicn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Olgpff32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njbnon32.dll" | Knbgnhfd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mldgbcoe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ghenamai.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjidml32.dll" | Lelljepm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aegobiom.dll" | Neghdg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Omjbihpn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fpbihl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghagcnje.dll" | Olkjaflh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Heijidbn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fohecb32.dll" | Khcbpa32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kninog32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nilndfgl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Geddoa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bljbfq32.dll" | Hlqfqo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blfkol32.dll" | Lmfgkh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gemldo32.dll" | Hbboiknb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhcedjfb.dll" | Ncnlnaim.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fgjkmijh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cebedebg.dll" | Gindjqnc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hndoifdp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmggpigb.dll" | Lqgjkbop.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nhcgkbja.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | 19015693b1bf8ec48ac83181a12614d047cf80f2a565f8cbd488c2671f207f84N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gmcikd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Icdhnn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbbbol32.dll" | Kdfmlc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kfgjdlme.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pgjdmc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dchpnd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fcoolj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbdejenb.dll" | Lpcmlnnp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdhiehfo.dll" | Ecoihm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gdihmo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Idbgbahq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phplbpbl.dll" | Kfgjdlme.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ljgkom32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khffjg32.dll" | Qbodjofc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlcbff32.dll" | Nmjmekan.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiddbefo.dll" | Bdgcaj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nbilhkig.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Opjlkc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omhbed32.dll" | Dcmpcjcf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gnlpeh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pphklnhn.dll" | Ipabfcdm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnekmihd.dll" | Ipkema32.exe
Set value (str)
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhnlnf32.dll" Lgdfgbhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fqpbpo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Heijidbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eljgid32.dll" Ijampgde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkfmmd32.dll" Aiflpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opqcibco.dll" Cikbjpqd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ilkpac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pagmlp32.dll" Moqgiopk.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Processes
-
C:\Users\Admin\AppData\Local\Temp\19015693b1bf8ec48ac83181a12614d047cf80f2a565f8cbd488c2671f207f84N.exe  (command line: "C:\Users\Admin\AppData\Local\Temp\19015693b1bf8ec48ac83181a12614d047cf80f2a565f8cbd488c2671f207f84N.exe"; tree depth 1; PID 1464)
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Bacefpbg.exe  (command line: C:\Windows\system32\Bacefpbg.exe; tree depth 2; PID 2892)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Bdaabk32.exe  (command line: C:\Windows\system32\Bdaabk32.exe; tree depth 3; PID 2960)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Biqfpb32.exe  (command line: C:\Windows\system32\Biqfpb32.exe; tree depth 4; PID 2840)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Beggec32.exe  (command line: C:\Windows\system32\Beggec32.exe; tree depth 5; PID 2896)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Cbkgog32.exe  (command line: C:\Windows\system32\Cbkgog32.exe; tree depth 6; PID 2756)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Chhpgn32.exe  (command line: C:\Windows\system32\Chhpgn32.exe; tree depth 7; PID 2780)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Ckiiiine.exe  (command line: C:\Windows\system32\Ckiiiine.exe; tree depth 8; PID 1556)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Chmibmlo.exe  (command line: C:\Windows\system32\Chmibmlo.exe; tree depth 9; PID 2460)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Ceqjla32.exe  (command line: C:\Windows\system32\Ceqjla32.exe; tree depth 10; PID 2244)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Chofhm32.exe  (command line: C:\Windows\system32\Chofhm32.exe; tree depth 11; PID 2164)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Ckpoih32.exe  (command line: C:\Windows\system32\Ckpoih32.exe; tree depth 12; PID 2128)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Dgfpni32.exe  (command line: C:\Windows\system32\Dgfpni32.exe; tree depth 13; PID 2520)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Dcmpcjcf.exe  (command line: C:\Windows\system32\Dcmpcjcf.exe; tree depth 14; PID 1016)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Dpaqmnap.exe  (command line: C:\Windows\system32\Dpaqmnap.exe; tree depth 15; PID 2196)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Dlhaaogd.exe  (command line: C:\Windows\system32\Dlhaaogd.exe; tree depth 16; PID 2088)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Dcbjni32.exe  (command line: C:\Windows\system32\Dcbjni32.exe; tree depth 17; PID 2544)
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Dfbbpd32.exe  (command line: C:\Windows\system32\Dfbbpd32.exe; tree depth 18; PID 1612)
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Elmkmo32.exe  (command line: C:\Windows\system32\Elmkmo32.exe; tree depth 19; PID 1788)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Ebicee32.exe  (command line: C:\Windows\system32\Ebicee32.exe; tree depth 20; PID 2228)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
C:\Windows\SysWOW64\Edhpaa32.exe  (command line: C:\Windows\system32\Edhpaa32.exe; tree depth 21; PID 2040)
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Enpdjfgj.exe  (command line: C:\Windows\system32\Enpdjfgj.exe; tree depth 22; PID 984)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
C:\Windows\SysWOW64\Ehfhgogp.exe  (command line: C:\Windows\system32\Ehfhgogp.exe; tree depth 23; PID 1684)
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Ebnmpemq.exe  (command line: C:\Windows\system32\Ebnmpemq.exe; tree depth 24; PID 1504)
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Ecoihm32.exe  (command line: C:\Windows\system32\Ecoihm32.exe; tree depth 25; PID 548)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
C:\Windows\SysWOW64\Emhnqbjo.exe  (command line: C:\Windows\system32\Emhnqbjo.exe; tree depth 26; PID 3024)
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Edofbpja.exe  (command line: C:\Windows\system32\Edofbpja.exe; tree depth 27; PID 1680)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Engjkeab.exe  (command line: C:\Windows\system32\Engjkeab.exe; tree depth 28; PID 1156)
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Fqffgapf.exe  (command line: C:\Windows\system32\Fqffgapf.exe; tree depth 29; PID 2224)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
C:\Windows\SysWOW64\Fmlglb32.exe  (command line: C:\Windows\system32\Fmlglb32.exe; tree depth 30; PID 2072)
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Fcfohlmg.exe  (command line: C:\Windows\system32\Fcfohlmg.exe; tree depth 31; PID 2760)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
C:\Windows\SysWOW64\Fichqckn.exe  (command line: C:\Windows\system32\Fichqckn.exe; tree depth 32; PID 2748)
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Fladmn32.exe  (command line: C:\Windows\system32\Fladmn32.exe; tree depth 33; PID 3052)
- Executes dropped EXE
C:\Windows\SysWOW64\Fiedfb32.exe  (command line: C:\Windows\system32\Fiedfb32.exe; tree depth 34; PID 1180)
- Executes dropped EXE
C:\Windows\SysWOW64\Fldabn32.exe  (command line: C:\Windows\system32\Fldabn32.exe; tree depth 35; PID 1952)
- Executes dropped EXE
- Drops file in System32 directory
C:\Windows\SysWOW64\Flfnhnfm.exe  (command line: C:\Windows\system32\Flfnhnfm.exe; tree depth 36; PID 2368)
- Executes dropped EXE
C:\Windows\SysWOW64\Fpbihl32.exe  (command line: C:\Windows\system32\Fpbihl32.exe; tree depth 37; PID 2904)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
C:\Windows\SysWOW64\Gngfjicn.exe  (command line: C:\Windows\system32\Gngfjicn.exe; tree depth 38; PID 1760)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Gbbbjg32.exe  (command line: C:\Windows\system32\Gbbbjg32.exe; tree depth 39; PID 1652)
- Executes dropped EXE
C:\Windows\SysWOW64\Glkgcmbg.exe  (command line: C:\Windows\system32\Glkgcmbg.exe; tree depth 40; PID 1880)
- Executes dropped EXE
C:\Windows\SysWOW64\Gjngoj32.exe  (command line: C:\Windows\system32\Gjngoj32.exe; tree depth 41; PID 2532)
- Executes dropped EXE
C:\Windows\SysWOW64\Gecklbih.exe  (command line: C:\Windows\system32\Gecklbih.exe; tree depth 42; PID 2108)
- Executes dropped EXE
C:\Windows\SysWOW64\Gdflgo32.exe  (command line: C:\Windows\system32\Gdflgo32.exe; tree depth 43; PID 1616)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Gfdhck32.exe  (command line: C:\Windows\system32\Gfdhck32.exe; tree depth 44; PID 1500)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Gnlpeh32.exe  (command line: C:\Windows\system32\Gnlpeh32.exe; tree depth 45; PID 1704)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
C:\Windows\SysWOW64\Gdihmo32.exe  (command line: C:\Windows\system32\Gdihmo32.exe; tree depth 46; PID 1472)
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Gfgdij32.exe  (command line: C:\Windows\system32\Gfgdij32.exe; tree depth 47; PID 1972)
- Executes dropped EXE
C:\Windows\SysWOW64\Gieaef32.exe  (command line: C:\Windows\system32\Gieaef32.exe; tree depth 48; PID 2440)
- Executes dropped EXE
C:\Windows\SysWOW64\Gamifcmi.exe  (command line: C:\Windows\system32\Gamifcmi.exe; tree depth 49; PID 2180)
- Executes dropped EXE
C:\Windows\SysWOW64\Gfiaojkq.exe  (command line: C:\Windows\system32\Gfiaojkq.exe; tree depth 50; PID 2800)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Gmcikd32.exe  (command line: C:\Windows\system32\Gmcikd32.exe; tree depth 51; PID 2848)
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Gdmbhnjj.exe  (command line: C:\Windows\system32\Gdmbhnjj.exe; tree depth 52; PID 2740)
- Executes dropped EXE
C:\Windows\SysWOW64\Hflndjin.exe  (command line: C:\Windows\system32\Hflndjin.exe; tree depth 53; PID 2716)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Hmefad32.exe  (command line: C:\Windows\system32\Hmefad32.exe; tree depth 54; PID 2236)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Hlhfmqge.exe  (command line: C:\Windows\system32\Hlhfmqge.exe; tree depth 55; PID 1380)
- Executes dropped EXE
C:\Windows\SysWOW64\Hbboiknb.exe  (command line: C:\Windows\system32\Hbboiknb.exe; tree depth 56; PID 1696)
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Heakefnf.exe  (command line: C:\Windows\system32\Heakefnf.exe; tree depth 57; PID 2804)
- Executes dropped EXE
C:\Windows\SysWOW64\Hilgfe32.exe  (command line: C:\Windows\system32\Hilgfe32.exe; tree depth 58; PID 1924)
- Executes dropped EXE
C:\Windows\SysWOW64\Hpfoboml.exe  (command line: C:\Windows\system32\Hpfoboml.exe; tree depth 59; PID 532)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Hiockd32.exe  (command line: C:\Windows\system32\Hiockd32.exe; tree depth 60; PID 2396)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
C:\Windows\SysWOW64\Hlmphp32.exe  (command line: C:\Windows\system32\Hlmphp32.exe; tree depth 61; PID 2416)
- Executes dropped EXE
C:\Windows\SysWOW64\Holldk32.exe  (command line: C:\Windows\system32\Holldk32.exe; tree depth 62; PID 2776)
- Executes dropped EXE
C:\Windows\SysWOW64\Hajhpgag.exe  (command line: C:\Windows\system32\Hajhpgag.exe; tree depth 63; PID 1768)
- Executes dropped EXE
C:\Windows\SysWOW64\Hdhdlbpk.exe  (command line: C:\Windows\system32\Hdhdlbpk.exe; tree depth 64; PID 1876)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Hkbmil32.exe  (command line: C:\Windows\system32\Hkbmil32.exe; tree depth 65; PID 1064)
- Executes dropped EXE
C:\Windows\SysWOW64\Hmqieh32.exe  (command line: C:\Windows\system32\Hmqieh32.exe; tree depth 66; PID 1724)
C:\Windows\SysWOW64\Hdkaabnh.exe  (command line: C:\Windows\system32\Hdkaabnh.exe; tree depth 67; PID 676)
C:\Windows\SysWOW64\Hkejnl32.exe  (command line: C:\Windows\system32\Hkejnl32.exe; tree depth 68; PID 2856)
C:\Windows\SysWOW64\Iopeoknn.exe  (command line: C:\Windows\system32\Iopeoknn.exe; tree depth 69; PID 2832)
C:\Windows\SysWOW64\Ipabfcdm.exe  (command line: C:\Windows\system32\Ipabfcdm.exe; tree depth 70; PID 3032)
- Modifies registry class
C:\Windows\SysWOW64\Idmnga32.exe  (command line: C:\Windows\system32\Idmnga32.exe; tree depth 71; PID 2872)
C:\Windows\SysWOW64\Igkjcm32.exe  (command line: C:\Windows\system32\Igkjcm32.exe; tree depth 72; PID 656)
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Inebpgbf.exe  (command line: C:\Windows\system32\Inebpgbf.exe; tree depth 73; PID 2744)
- Drops file in System32 directory
C:\Windows\SysWOW64\Idokma32.exe  (command line: C:\Windows\system32\Idokma32.exe; tree depth 74; PID 2068)
C:\Windows\SysWOW64\Igngim32.exe  (command line: C:\Windows\system32\Igngim32.exe; tree depth 75; PID 3040)
C:\Windows\SysWOW64\Ikicikap.exe  (command line: C:\Windows\system32\Ikicikap.exe; tree depth 76; PID 1288)
C:\Windows\SysWOW64\Ilkpac32.exe  (command line: C:\Windows\system32\Ilkpac32.exe; tree depth 77; PID 2392)
- Modifies registry class
C:\Windows\SysWOW64\Idbgbahq.exe  (command line: C:\Windows\system32\Idbgbahq.exe; tree depth 78; PID 2988)
- Drops file in System32 directory
- Modifies registry class
C:\Windows\SysWOW64\Icdhnn32.exe  (command line: C:\Windows\system32\Icdhnn32.exe; tree depth 79; PID 2200)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
C:\Windows\SysWOW64\Injlkf32.exe  (command line: C:\Windows\system32\Injlkf32.exe; tree depth 80; PID 556)
C:\Windows\SysWOW64\Iokhcodo.exe  (command line: C:\Windows\system32\Iokhcodo.exe; tree depth 81; PID 1868)
C:\Windows\SysWOW64\Igbqdlea.exe  (command line: C:\Windows\system32\Igbqdlea.exe; tree depth 82; PID 2052)
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Ijampgde.exe  (command line: C:\Windows\system32\Ijampgde.exe; tree depth 83; PID 336)
- Modifies registry class
C:\Windows\SysWOW64\Ipkema32.exe  (command line: C:\Windows\system32\Ipkema32.exe; tree depth 84; PID 2972)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
C:\Windows\SysWOW64\Iciaim32.exe  (command line: C:\Windows\system32\Iciaim32.exe; tree depth 85; PID 2360)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Jfhmehji.exe  (command line: C:\Windows\system32\Jfhmehji.exe; tree depth 86; PID 2720)
C:\Windows\SysWOW64\Jhfjadim.exe  (command line: C:\Windows\system32\Jhfjadim.exe; tree depth 87; PID 2724)
C:\Windows\SysWOW64\Jlaeab32.exe  (command line: C:\Windows\system32\Jlaeab32.exe; tree depth 88; PID 2276)
C:\Windows\SysWOW64\Jclnnmic.exe  (command line: C:\Windows\system32\Jclnnmic.exe; tree depth 89; PID 2912)
C:\Windows\SysWOW64\Jdmjfe32.exe  (command line: C:\Windows\system32\Jdmjfe32.exe; tree depth 90; PID 2916)
C:\Windows\SysWOW64\Jldbgb32.exe  (command line: C:\Windows\system32\Jldbgb32.exe; tree depth 91; PID 2016)
C:\Windows\SysWOW64\Jneoojeb.exe  (command line: C:\Windows\system32\Jneoojeb.exe; tree depth 92; PID 2348)
C:\Windows\SysWOW64\Jflgph32.exe  (command line: C:\Windows\system32\Jflgph32.exe; tree depth 93; PID 2008)
C:\Windows\SysWOW64\Jgnchplb.exe  (command line: C:\Windows\system32\Jgnchplb.exe; tree depth 94; PID 1920)
- Drops file in System32 directory
C:\Windows\SysWOW64\Jqfhqe32.exe  (command line: C:\Windows\system32\Jqfhqe32.exe; tree depth 95; PID 1864)
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Jgppmpjp.exe  (command line: C:\Windows\system32\Jgppmpjp.exe; tree depth 96; PID 1968)
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Jjnlikic.exe  (command line: C:\Windows\system32\Jjnlikic.exe; tree depth 97; PID 2248)
C:\Windows\SysWOW64\Jbedkhie.exe  (command line: C:\Windows\system32\Jbedkhie.exe; tree depth 98; PID 2332)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
C:\Windows\SysWOW64\Jddqgdii.exe  (command line: C:\Windows\system32\Jddqgdii.exe; tree depth 99; PID 3008)
C:\Windows\SysWOW64\Jknicnpf.exe  (command line: C:\Windows\system32\Jknicnpf.exe; tree depth 100; PID 2700)
- Drops file in System32 directory
C:\Windows\SysWOW64\Jjqiok32.exe  (command line: C:\Windows\system32\Jjqiok32.exe; tree depth 101; PID 2752)
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Kmoekf32.exe  (command line: C:\Windows\system32\Kmoekf32.exe; tree depth 102; PID 2552)
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Kdfmlc32.exe  (command line: C:\Windows\system32\Kdfmlc32.exe; tree depth 103; PID 1496)
- Modifies registry class
C:\Windows\SysWOW64\Kfgjdlme.exe  (command line: C:\Windows\system32\Kfgjdlme.exe; tree depth 104; PID 3044)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
C:\Windows\SysWOW64\Kjcedj32.exe  (command line: C:\Windows\system32\Kjcedj32.exe; tree depth 105; PID 2372)
C:\Windows\SysWOW64\Kmabqf32.exe  (command line: C:\Windows\system32\Kmabqf32.exe; tree depth 106; PID 2324)
C:\Windows\SysWOW64\Kckjmpko.exe  (command line: C:\Windows\system32\Kckjmpko.exe; tree depth 107; PID 696)
C:\Windows\SysWOW64\Kmdofebo.exe  (command line: C:\Windows\system32\Kmdofebo.exe; tree depth 108; PID 2376)
C:\Windows\SysWOW64\Kqokgd32.exe  (command line: C:\Windows\system32\Kqokgd32.exe; tree depth 109; PID 980)
C:\Windows\SysWOW64\Kcngcp32.exe  (command line: C:\Windows\system32\Kcngcp32.exe; tree depth 110; PID 1964)
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Kikokf32.exe  (command line: C:\Windows\system32\Kikokf32.exe; tree depth 111; PID 2864)
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Kmfklepl.exe  (command line: C:\Windows\system32\Kmfklepl.exe; tree depth 112; PID 1976)
C:\Windows\SysWOW64\Kcpcho32.exe  (command line: C:\Windows\system32\Kcpcho32.exe; tree depth 113; PID 2764)
C:\Windows\SysWOW64\Kfopdk32.exe  (command line: C:\Windows\system32\Kfopdk32.exe; tree depth 114; PID 2064)
C:\Windows\SysWOW64\Kmhhae32.exe  (command line: C:\Windows\system32\Kmhhae32.exe; tree depth 115; PID 2888)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
C:\Windows\SysWOW64\Knjdimdh.exe  (command line: C:\Windows\system32\Knjdimdh.exe; tree depth 116; PID 2300)
C:\Windows\SysWOW64\Kfaljjdj.exe  (command line: C:\Windows\system32\Kfaljjdj.exe; tree depth 117; PID 2448)
C:\Windows\SysWOW64\Lgbibb32.exe  (command line: C:\Windows\system32\Lgbibb32.exe; tree depth 118; PID 1676)
C:\Windows\SysWOW64\Lpiacp32.exe  (command line: C:\Windows\system32\Lpiacp32.exe; tree depth 119; PID 1896)
C:\Windows\SysWOW64\Liaeleak.exe  (command line: C:\Windows\system32\Liaeleak.exe; tree depth 120; PID 1448)
C:\Windows\SysWOW64\Lgdfgbhf.exe  (command line: C:\Windows\system32\Lgdfgbhf.exe; tree depth 121; PID 2796)
- Modifies registry class
C:\Windows\SysWOW64\Ljcbcngi.exe  (command line: C:\Windows\system32\Ljcbcngi.exe; tree depth 122; PID 2844)
- Adds autorun key to be loaded by Explorer.exe on startup