Analysis
-
max time kernel
93s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 01:54
Static task
static1
Behavioral task
behavioral1
Sample
8b53e3a39ac84335f5f6d9f6a62b624c39c5b0e9aba17bef56a906aa42e3c3edN.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
8b53e3a39ac84335f5f6d9f6a62b624c39c5b0e9aba17bef56a906aa42e3c3edN.exe
Resource
win10v2004-20241007-en
General
-
Target
8b53e3a39ac84335f5f6d9f6a62b624c39c5b0e9aba17bef56a906aa42e3c3edN.exe
-
Size
67KB
-
MD5
a4584981cacc52fba113b319ff9f0c70
-
SHA1
c1c783f7d974d85ddd662cf6e6e5300b12be6311
-
SHA256
8b53e3a39ac84335f5f6d9f6a62b624c39c5b0e9aba17bef56a906aa42e3c3ed
-
SHA512
db5ae773a47d64796f99d6351742fcfaa1a9dec8138c17e8cd1fd2b1f1fc880e4dcfca90576b4abd0e126bf996478b3d09cb4c313e69e940993d1885afe5b728
-
SSDEEP
1536:CmwAfM0V7xpuQP7bJ0Sh3VRuLZykNSSEbYy1cgCe8uC:dwAf/V/DbB3VRuLZRGYyugCe8uC
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Oodcdb32.exeCfnjpfcl.exeJghpbk32.exeNjhgbp32.exeNgndaccj.exePnfiplog.exeJjafok32.exeNelfeo32.exeHiacacpg.exeDfiildio.exeKcidmkpq.exeLmdnbn32.exeOnkidm32.exeHpkknmgd.exeNnicid32.exeCfbcke32.exeCleegp32.exeDnpdegjp.exeEbdcld32.exeEiahnnph.exeBhpofl32.exeGbiockdj.exeNlfnaicd.exeBllbaa32.exePjcikejg.exeIlfennic.exeJhkbdmbg.exeAhdged32.exeDheibpje.exeFijkdmhn.exeGlkmmefl.exeLncjlq32.exeEklajcmc.exeMmnhcb32.exeMkohaj32.exeLedepn32.exeDmennnni.exeGppcmeem.exeJocefm32.exeEkcgkb32.exeGmiclo32.exeMepfiq32.exeLomqcjie.exeNmdgikhi.exeLancko32.exeNfqnbjfi.exeLnadagbm.exeCdbfab32.exeDkekjdck.exePbcncibp.exeHkicaahi.exeKoodbl32.exeMgaokl32.exeQdbdcg32.exeOmbcji32.exePfiddm32.exeBpdnjple.exeKkpbin32.exeMccfdmmo.exeIijfhbhl.exeKeifdpif.exeEgohdegl.exeJojdlfeo.exedescription ioc process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oodcdb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfnjpfcl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jghpbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njhgbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngndaccj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnfiplog.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjafok32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nelfeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hiacacpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfiildio.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcidmkpq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmdnbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onkidm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpkknmgd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnicid32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfbcke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cleegp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnpdegjp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebdcld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eiahnnph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhpofl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbiockdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlfnaicd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bllbaa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjcikejg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilfennic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhkbdmbg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahdged32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dheibpje.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fijkdmhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glkmmefl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lncjlq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eklajcmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmnhcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkohaj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ledepn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmennnni.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gppcmeem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jocefm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekcgkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmiclo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mepfiq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lomqcjie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmdgikhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lancko32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfqnbjfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnadagbm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdbfab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkekjdck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbcncibp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkicaahi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Koodbl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgaokl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qdbdcg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glkmmefl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ombcji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfiddm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpdnjple.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkpbin32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mccfdmmo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iijfhbhl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Keifdpif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egohdegl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jojdlfeo.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Gpecbk32.exeGbdoof32.exeGkkgpc32.exeGmiclo32.exeGphphj32.exeGbfldf32.exeGkmdecbg.exeHloqml32.exeHpjmnjqn.exeHgdejd32.exeHibafp32.exeHlambk32.exeHckeoeno.exeHienlpel.exeHpofii32.exeHginecde.exeHigjaoci.exeHlegnjbm.exeHdmoohbo.exeHkfglb32.exeHiiggoaf.exeHlhccj32.exeHpcodihc.exeHcblpdgg.exeHkicaahi.exeIcdheded.exeIinqbn32.exeIdcepgmg.exeIcfekc32.exeIjqmhnko.exeIloidijb.exeIciaqc32.exeIkpjbq32.exeInnfnl32.exeIpmbjgpi.exeIcknfcol.exeIkbfgppo.exeInqbclob.exeIpoopgnf.exeIcnklbmj.exeIkdcmpnl.exeJncoikmp.exeJpaleglc.exeJcphab32.exeJkgpbp32.exeJnelok32.exeJpdhkf32.exeJcbdgb32.exeJkimho32.exeJnhidk32.exeJpfepf32.exeJdaaaeqg.exeJgpmmp32.exeJjoiil32.exeJqhafffk.exeJcgnbaeo.exeJgbjbp32.exeJjafok32.exeJqknkedi.exeJdfjld32.exeKkpbin32.exeKmaopfjm.exeKdigadjo.exeKjepjkhf.exepid process 2052 Gpecbk32.exe 2512 Gbdoof32.exe 1416 Gkkgpc32.exe 1796 Gmiclo32.exe 2616 Gphphj32.exe 872 Gbfldf32.exe 2572 Gkmdecbg.exe 2992 Hloqml32.exe 216 Hpjmnjqn.exe 2568 Hgdejd32.exe 1280 Hibafp32.exe 1768 Hlambk32.exe 748 Hckeoeno.exe 3340 Hienlpel.exe 1964 Hpofii32.exe 4376 Hginecde.exe 2976 Higjaoci.exe 228 Hlegnjbm.exe 392 Hdmoohbo.exe 1008 Hkfglb32.exe 1132 Hiiggoaf.exe 3948 Hlhccj32.exe 3620 Hpcodihc.exe 3344 Hcblpdgg.exe 4880 Hkicaahi.exe 3144 Icdheded.exe 4348 Iinqbn32.exe 116 Idcepgmg.exe 3212 Icfekc32.exe 384 Ijqmhnko.exe 4360 Iloidijb.exe 3416 Iciaqc32.exe 3632 Ikpjbq32.exe 2092 Innfnl32.exe 4624 Ipmbjgpi.exe 3688 Icknfcol.exe 2136 Ikbfgppo.exe 3840 Inqbclob.exe 3752 Ipoopgnf.exe 5000 Icnklbmj.exe 3464 Ikdcmpnl.exe 4536 Jncoikmp.exe 4840 Jpaleglc.exe 816 Jcphab32.exe 4936 Jkgpbp32.exe 4236 Jnelok32.exe 4268 Jpdhkf32.exe 208 Jcbdgb32.exe 4556 Jkimho32.exe 2008 Jnhidk32.exe 2716 Jpfepf32.exe 2940 Jdaaaeqg.exe 3576 Jgpmmp32.exe 2920 Jjoiil32.exe 1872 Jqhafffk.exe 4320 Jcgnbaeo.exe 5104 Jgbjbp32.exe 2944 Jjafok32.exe 5004 Jqknkedi.exe 3488 Jdfjld32.exe 4312 Kkpbin32.exe 4696 Kmaopfjm.exe 4492 Kdigadjo.exe 3556 Kjepjkhf.exe -
Drops file in System32 directory 64 IoCs
Processes:
Mepfiq32.exeNhmofj32.exeMcfbkpab.exeHefnkkkj.exeHmpcbhji.exeMaiccajf.exeAkglloai.exeBhnikc32.exeCfkmkf32.exeNmaciefp.exeKjjiej32.exeCfbcke32.exePhajna32.exeKheekkjl.exeCkmonl32.exeNmcpoedn.exeIcfekc32.exeNmgjia32.exeCoqncejg.exeObgohklm.exeIdcepgmg.exeMmkkmc32.exeNghekkmn.exeOpeiadfg.exeJljbeali.exeCponen32.exeHaodle32.exeHiiggoaf.exeJgpfbjlo.exeMhjhmhhd.exeEbnfbcbc.exeKcmmhj32.exeKncaec32.exeNqfbpb32.exeHlblcn32.exeNqcejcha.exeEfgemb32.exeJocefm32.exeKnnhjcog.exeBmeandma.exePplhhm32.exeOmgcpokp.exeOjfcdnjc.exeFoclgq32.exeKemooo32.exeEnkmfolf.exeHginecde.exeGpelhd32.exeLqkqhm32.exeNmdgikhi.exePdmdnadc.exeMablfnne.exeFflohaij.exeBoenhgdd.exePbcncibp.exeBmjkic32.exeMbdiknlb.exeNlfnaicd.exeCkeimm32.exeEiahnnph.exeMmpmnl32.exeNnhmnn32.exeKomhll32.exeHibafp32.exedescription ioc process File created C:\Windows\SysWOW64\Odgpqgeo.dll Mepfiq32.exe File created C:\Windows\SysWOW64\Gehcdm32.dll Nhmofj32.exe File created C:\Windows\SysWOW64\Mdcajc32.dll Mcfbkpab.exe File created C:\Windows\SysWOW64\Hibjli32.exe Hefnkkkj.exe File created C:\Windows\SysWOW64\Hblkjo32.exe Hmpcbhji.exe File opened for modification C:\Windows\SysWOW64\Meepdp32.exe Maiccajf.exe File created C:\Windows\SysWOW64\Bochmn32.exe Akglloai.exe File opened for modification C:\Windows\SysWOW64\Bklfgo32.exe Bhnikc32.exe File opened for modification C:\Windows\SysWOW64\Cleegp32.exe Cfkmkf32.exe File opened for modification C:\Windows\SysWOW64\Noppeaed.exe Nmaciefp.exe File created C:\Windows\SysWOW64\Aljejh32.dll Kjjiej32.exe File created C:\Windows\SysWOW64\Chqogq32.exe Cfbcke32.exe File opened for modification C:\Windows\SysWOW64\Pfdjinjo.exe Phajna32.exe File created C:\Windows\SysWOW64\Hlqeenhm.dll Kheekkjl.exe File created C:\Windows\SysWOW64\Clgbhl32.dll Ckmonl32.exe File opened for modification C:\Windows\SysWOW64\Nqoloc32.exe Nmcpoedn.exe File opened for modification C:\Windows\SysWOW64\Ijqmhnko.exe Icfekc32.exe File created C:\Windows\SysWOW64\Onlche32.dll Nmgjia32.exe File created C:\Windows\SysWOW64\Qfoaecol.dll Coqncejg.exe File opened for modification C:\Windows\SysWOW64\Ofckhj32.exe Obgohklm.exe File created C:\Windows\SysWOW64\Icfekc32.exe Idcepgmg.exe File created C:\Windows\SysWOW64\Mohjdmko.dll Mmkkmc32.exe File created C:\Windows\SysWOW64\Pqnpfi32.dll Nghekkmn.exe File created C:\Windows\SysWOW64\Ohlqcagj.exe Opeiadfg.exe File created C:\Windows\SysWOW64\Jpenfp32.exe Jljbeali.exe File opened for modification C:\Windows\SysWOW64\Chfegk32.exe Cponen32.exe File created C:\Windows\SysWOW64\Hifmmb32.exe Haodle32.exe File created C:\Windows\SysWOW64\Oajpfn32.dll Hiiggoaf.exe File opened for modification C:\Windows\SysWOW64\Jinboekc.exe Jgpfbjlo.exe File created C:\Windows\SysWOW64\Fdflknog.dll Mhjhmhhd.exe File created C:\Windows\SysWOW64\Hojncj32.dll Ebnfbcbc.exe File created C:\Windows\SysWOW64\Bnnkgo32.dll Kcmmhj32.exe File opened for modification C:\Windows\SysWOW64\Klfaapbl.exe Kncaec32.exe File created C:\Windows\SysWOW64\Pqolaipg.dll Nqfbpb32.exe File opened for modification C:\Windows\SysWOW64\Hnphoj32.exe Hlblcn32.exe File created C:\Windows\SysWOW64\Kebkgjkg.dll Nqcejcha.exe File opened for modification C:\Windows\SysWOW64\Eejeiocj.exe Efgemb32.exe File created C:\Windows\SysWOW64\Jgkmgk32.exe Jocefm32.exe File created C:\Windows\SysWOW64\Mfcjqc32.dll Knnhjcog.exe File created C:\Windows\SysWOW64\Ccoecbmi.dll Bmeandma.exe File created C:\Windows\SysWOW64\Pidlqb32.exe Pplhhm32.exe File opened for modification C:\Windows\SysWOW64\Okkdic32.exe Omgcpokp.exe File opened for modification C:\Windows\SysWOW64\Onapdl32.exe Ojfcdnjc.exe File opened for modification C:\Windows\SysWOW64\Fbbicl32.exe Foclgq32.exe File created C:\Windows\SysWOW64\Bjdjokcd.dll Kemooo32.exe File created C:\Windows\SysWOW64\Eqiibjlj.exe Enkmfolf.exe File created C:\Windows\SysWOW64\Jjdejk32.dll Hginecde.exe File opened for modification C:\Windows\SysWOW64\Gbchdp32.exe Gpelhd32.exe File created C:\Windows\SysWOW64\Oonnoglh.dll Lqkqhm32.exe File opened for modification C:\Windows\SysWOW64\Ncnofeof.exe Nmdgikhi.exe File created C:\Windows\SysWOW64\Qfkqjmdg.exe Pdmdnadc.exe File opened for modification C:\Windows\SysWOW64\Mjidgkog.exe Mablfnne.exe File created C:\Windows\SysWOW64\Fijkdmhn.exe Fflohaij.exe File created C:\Windows\SysWOW64\Lqppgj32.dll Boenhgdd.exe File created C:\Windows\SysWOW64\Pjjfdfbb.exe Pbcncibp.exe File created C:\Windows\SysWOW64\Bphgeo32.exe Bmjkic32.exe File opened for modification C:\Windows\SysWOW64\Mjlalkmd.exe Mbdiknlb.exe File opened for modification C:\Windows\SysWOW64\Nmgjia32.exe Nlfnaicd.exe File opened for modification C:\Windows\SysWOW64\Coadnlnb.exe Ckeimm32.exe File opened for modification C:\Windows\SysWOW64\Emmdom32.exe Eiahnnph.exe File created C:\Windows\SysWOW64\Mcifkf32.exe Mmpmnl32.exe File opened for modification C:\Windows\SysWOW64\Nagiji32.exe Nnhmnn32.exe File opened for modification C:\Windows\SysWOW64\Kcidmkpq.exe Komhll32.exe File created C:\Windows\SysWOW64\Hllbndih.dll Hibafp32.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 17280 17072 WerFault.exe Pififb32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Jcanll32.exeLpfgmnfp.exeApmhiq32.exeCoqncejg.exeJahqiaeb.exeKcbnnpka.exeGidnkkpc.exeIgajal32.exePbhgoh32.exeJdfjld32.exeChqogq32.exeJllhpkfk.exePehngkcg.exeCdlqqcnl.exeFpkibf32.exeOjdnid32.exeBebjdgmj.exeIefgbh32.exeFmcjpl32.exeGokbgpeg.exePidlqb32.exeKmaopfjm.exeKjepjkhf.exeEnpmld32.exeGlkmmefl.exePfoann32.exeBmeandma.exeBpdnjple.exeIhkjno32.exeLknojl32.exeMepfiq32.exeCfnjpfcl.exeMpclce32.exeNqcejcha.exeOmdieb32.exeEklajcmc.exeIeccbbkn.exeOmmceclc.exeQkipkani.exeAnmfbl32.exeDhphmj32.exeBhkfkmmg.exeLljdai32.exeMhckcgpj.exeHefnkkkj.exeDglkoeio.exeKhlklj32.exeJcphab32.exeJpfepf32.exeBedgjgkg.exeBllbaa32.exeLljklo32.exeOpqofe32.exeMjidgkog.exeNmcpoedn.exeJnelok32.exeLjaoeini.exeAafemk32.exeOokoaokf.exeLepleocn.exeDmcain32.exeJgpfbjlo.exeEgened32.exeLjpaqmgb.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcanll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpfgmnfp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apmhiq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coqncejg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jahqiaeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcbnnpka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gidnkkpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igajal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbhgoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdfjld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chqogq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jllhpkfk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pehngkcg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdlqqcnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpkibf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojdnid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bebjdgmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iefgbh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmcjpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gokbgpeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pidlqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmaopfjm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjepjkhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enpmld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glkmmefl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfoann32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmeandma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpdnjple.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihkjno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lknojl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mepfiq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfnjpfcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpclce32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqcejcha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omdieb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eklajcmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieccbbkn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ommceclc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkipkani.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anmfbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhphmj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhkfkmmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lljdai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhckcgpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hefnkkkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dglkoeio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khlklj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcphab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpfepf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bedgjgkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bllbaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lljklo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opqofe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjidgkog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmcpoedn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnelok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljaoeini.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aafemk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ookoaokf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lepleocn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmcain32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgpfbjlo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egened32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljpaqmgb.exe -
Modifies registry class 64 IoCs
Processes:
Jpdhkf32.exeMglfplgk.exeEifaim32.exeEnkmfolf.exeHnlodjpa.exeOdjeljhd.exeOaqbkn32.exePmpolgoi.exeAkpoaj32.exeFoclgq32.exeMgclpkac.exeAkccap32.exeIedjmioj.exeObjkmkjj.exeNelfeo32.exeEkkkoj32.exeIehmmb32.exeLkeekk32.exeHoobdp32.exeCpdgqmnb.exeEdplhjhi.exeGanldgib.exeJhifomdj.exeJjoiil32.exeIpgbdbqb.exeLnoaaaad.exeOjdgnn32.exeFilapfbo.exeFgjhpcmo.exeOmfekbdh.exeQmhlgmmm.exeHbhboolf.exeIefgbh32.exeNpepkf32.exeOpqofe32.exeKpqggh32.exeIcdheded.exeOkkdic32.exeQaalblgi.exeBffcpg32.exeKodnmkap.exeJkgpbp32.exeJdaaaeqg.exeMjaabq32.exeNjedbjej.exeAajohjon.exeBepmoh32.exeKhiofk32.exeAlnfpcag.exeKlfaapbl.exeLomqcjie.exeLomjicei.exeMhckcgpj.exePadnaq32.exeMaiccajf.exeBacjdbch.exeFgcjfbed.exeHlmchoan.exeIlibdmgp.exeOjhiogdd.exeKkeldnpi.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jpdhkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mglfplgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pigbqakg.dll" Eifaim32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Enkmfolf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blnfhilh.dll" Hnlodjpa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odjeljhd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oaqbkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igafkb32.dll" Pmpolgoi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akpoaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Foclgq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbkfjo32.dll" Mgclpkac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akccap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikgbdnie.dll" Iedjmioj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Objkmkjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doogdl32.dll" Nelfeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjqlnnkp.dll" Ekkkoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iehmmb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lkeekk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hoobdp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpdgqmnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Edplhjhi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ganldgib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npmknd32.dll" Jhifomdj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjoiil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipgbdbqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgqoll32.dll" Lnoaaaad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojdgnn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Filapfbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbkkam32.dll" Cpdgqmnb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fgjhpcmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omfekbdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbecoe32.dll" Qmhlgmmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbhboolf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iefeek32.dll" Iefgbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Npepkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Opqofe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpqggh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aobbbd32.dll" Icdheded.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Okkdic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qaalblgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mklbeh32.dll" Bffcpg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kodnmkap.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jkgpbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jdaaaeqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leilnmkp.dll" Mjaabq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njedbjej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlofpg32.dll" Jdaaaeqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aajohjon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agchinmk.dll" Bepmoh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Khiofk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Alnfpcag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Klfaapbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lomqcjie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lomjicei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eobkhf32.dll" Akccap32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhckcgpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Padnaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlihmi32.dll" Maiccajf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bacjdbch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fgcjfbed.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hlmchoan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ilibdmgp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojhiogdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkeldnpi.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
8b53e3a39ac84335f5f6d9f6a62b624c39c5b0e9aba17bef56a906aa42e3c3edN.exeGpecbk32.exeGbdoof32.exeGkkgpc32.exeGmiclo32.exeGphphj32.exeGbfldf32.exeGkmdecbg.exeHloqml32.exeHpjmnjqn.exeHgdejd32.exeHibafp32.exeHlambk32.exeHckeoeno.exeHienlpel.exeHpofii32.exeHginecde.exeHigjaoci.exeHlegnjbm.exeHdmoohbo.exeHkfglb32.exeHiiggoaf.exedescription pid process target process PID 4216 wrote to memory of 2052 4216 8b53e3a39ac84335f5f6d9f6a62b624c39c5b0e9aba17bef56a906aa42e3c3edN.exe Gpecbk32.exe PID 4216 wrote to memory of 2052 4216 8b53e3a39ac84335f5f6d9f6a62b624c39c5b0e9aba17bef56a906aa42e3c3edN.exe Gpecbk32.exe PID 4216 wrote to memory of 2052 4216 8b53e3a39ac84335f5f6d9f6a62b624c39c5b0e9aba17bef56a906aa42e3c3edN.exe Gpecbk32.exe PID 2052 wrote to memory of 2512 2052 Gpecbk32.exe Gbdoof32.exe PID 2052 wrote to memory of 2512 2052 Gpecbk32.exe Gbdoof32.exe PID 2052 wrote to memory of 2512 2052 Gpecbk32.exe Gbdoof32.exe PID 2512 wrote to memory of 1416 2512 Gbdoof32.exe Gkkgpc32.exe PID 2512 wrote to memory of 1416 2512 Gbdoof32.exe Gkkgpc32.exe PID 2512 wrote to memory of 1416 2512 Gbdoof32.exe Gkkgpc32.exe PID 1416 wrote to memory of 1796 1416 Gkkgpc32.exe Gmiclo32.exe PID 1416 wrote to memory of 1796 1416 Gkkgpc32.exe Gmiclo32.exe PID 1416 wrote to memory of 1796 1416 Gkkgpc32.exe Gmiclo32.exe PID 1796 wrote to memory of 2616 1796 Gmiclo32.exe Gphphj32.exe PID 1796 wrote to memory of 2616 1796 Gmiclo32.exe Gphphj32.exe PID 1796 wrote to memory of 2616 1796 Gmiclo32.exe Gphphj32.exe PID 2616 wrote to memory of 872 2616 Gphphj32.exe Gbfldf32.exe PID 2616 wrote to memory of 872 2616 Gphphj32.exe Gbfldf32.exe PID 2616 wrote to memory of 872 2616 Gphphj32.exe Gbfldf32.exe PID 872 wrote to memory of 2572 872 Gbfldf32.exe Gkmdecbg.exe PID 872 wrote to memory of 2572 872 Gbfldf32.exe Gkmdecbg.exe PID 872 wrote to memory of 2572 872 Gbfldf32.exe Gkmdecbg.exe PID 2572 wrote to memory of 2992 2572 Gkmdecbg.exe Hloqml32.exe PID 2572 wrote to memory of 2992 2572 Gkmdecbg.exe Hloqml32.exe PID 2572 wrote to memory of 2992 2572 Gkmdecbg.exe Hloqml32.exe PID 2992 wrote to memory of 216 2992 Hloqml32.exe Hpjmnjqn.exe PID 2992 wrote to memory of 216 2992 Hloqml32.exe Hpjmnjqn.exe PID 2992 wrote to memory of 216 2992 Hloqml32.exe Hpjmnjqn.exe PID 216 wrote to memory of 2568 216 Hpjmnjqn.exe Hgdejd32.exe PID 216 wrote to memory of 2568 216 Hpjmnjqn.exe Hgdejd32.exe PID 216 wrote to memory of 2568 216 Hpjmnjqn.exe Hgdejd32.exe PID 2568 wrote to memory of 1280 2568 Hgdejd32.exe Hibafp32.exe PID 2568 wrote to memory of 1280 2568 Hgdejd32.exe Hibafp32.exe PID 2568 wrote to memory of 1280 2568 Hgdejd32.exe Hibafp32.exe PID 1280 wrote to memory of 1768 1280 Hibafp32.exe Hlambk32.exe PID 1280 wrote to memory of 1768 1280 Hibafp32.exe Hlambk32.exe PID 1280 wrote to memory of 1768 1280 Hibafp32.exe Hlambk32.exe PID 1768 wrote to memory of 748 1768 Hlambk32.exe Hckeoeno.exe PID 1768 wrote to memory of 748 1768 Hlambk32.exe Hckeoeno.exe PID 1768 wrote to memory of 748 1768 Hlambk32.exe Hckeoeno.exe PID 748 wrote to memory of 3340 748 Hckeoeno.exe Hienlpel.exe PID 748 wrote to memory of 3340 748 Hckeoeno.exe Hienlpel.exe PID 748 wrote to memory of 3340 748 Hckeoeno.exe Hienlpel.exe PID 3340 wrote to memory of 1964 3340 Hienlpel.exe Hpofii32.exe PID 3340 wrote to memory of 1964 3340 Hienlpel.exe Hpofii32.exe PID 3340 wrote to memory of 1964 3340 Hienlpel.exe Hpofii32.exe PID 1964 wrote to memory of 4376 1964 Hpofii32.exe Hginecde.exe PID 1964 wrote to memory of 4376 1964 Hpofii32.exe Hginecde.exe PID 1964 wrote to memory of 4376 1964 Hpofii32.exe Hginecde.exe PID 4376 wrote to memory of 2976 4376 Hginecde.exe Higjaoci.exe PID 4376 wrote to memory of 2976 4376 Hginecde.exe Higjaoci.exe PID 4376 wrote to memory of 2976 4376 Hginecde.exe Higjaoci.exe PID 2976 wrote to memory of 228 2976 Higjaoci.exe Hlegnjbm.exe PID 2976 wrote to memory of 228 2976 Higjaoci.exe Hlegnjbm.exe PID 2976 wrote to memory of 228 2976 Higjaoci.exe Hlegnjbm.exe PID 228 wrote to memory of 392 228 Hlegnjbm.exe Hdmoohbo.exe PID 228 wrote to memory of 392 228 Hlegnjbm.exe Hdmoohbo.exe PID 228 wrote to memory of 392 228 Hlegnjbm.exe Hdmoohbo.exe PID 392 wrote to memory of 1008 392 Hdmoohbo.exe Hkfglb32.exe PID 392 wrote to memory of 1008 392 Hdmoohbo.exe Hkfglb32.exe PID 392 wrote to memory of 1008 392 Hdmoohbo.exe Hkfglb32.exe PID 1008 wrote to memory of 1132 1008 Hkfglb32.exe Hiiggoaf.exe PID 1008 wrote to memory of 1132 1008 Hkfglb32.exe Hiiggoaf.exe PID 1008 wrote to memory of 1132 1008 Hkfglb32.exe Hiiggoaf.exe PID 1132 wrote to memory of 3948 1132 Hiiggoaf.exe Hlhccj32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\8b53e3a39ac84335f5f6d9f6a62b624c39c5b0e9aba17bef56a906aa42e3c3edN.exe"C:\Users\Admin\AppData\Local\Temp\8b53e3a39ac84335f5f6d9f6a62b624c39c5b0e9aba17bef56a906aa42e3c3edN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4216 -
C:\Windows\SysWOW64\Gpecbk32.exeC:\Windows\system32\Gpecbk32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\Gbdoof32.exeC:\Windows\system32\Gbdoof32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\SysWOW64\Gkkgpc32.exeC:\Windows\system32\Gkkgpc32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1416 -
C:\Windows\SysWOW64\Gmiclo32.exeC:\Windows\system32\Gmiclo32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1796 -
C:\Windows\SysWOW64\Gphphj32.exeC:\Windows\system32\Gphphj32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Gbfldf32.exeC:\Windows\system32\Gbfldf32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:872 -
C:\Windows\SysWOW64\Gkmdecbg.exeC:\Windows\system32\Gkmdecbg.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\SysWOW64\Hloqml32.exeC:\Windows\system32\Hloqml32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\SysWOW64\Hpjmnjqn.exeC:\Windows\system32\Hpjmnjqn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:216 -
C:\Windows\SysWOW64\Hgdejd32.exeC:\Windows\system32\Hgdejd32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\Hibafp32.exeC:\Windows\system32\Hibafp32.exe12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1280 -
C:\Windows\SysWOW64\Hlambk32.exeC:\Windows\system32\Hlambk32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1768 -
C:\Windows\SysWOW64\Hckeoeno.exeC:\Windows\system32\Hckeoeno.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:748 -
C:\Windows\SysWOW64\Hienlpel.exeC:\Windows\system32\Hienlpel.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3340 -
C:\Windows\SysWOW64\Hpofii32.exeC:\Windows\system32\Hpofii32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Windows\SysWOW64\Hginecde.exeC:\Windows\system32\Hginecde.exe17⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4376 -
C:\Windows\SysWOW64\Higjaoci.exeC:\Windows\system32\Higjaoci.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\Hlegnjbm.exeC:\Windows\system32\Hlegnjbm.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:228 -
C:\Windows\SysWOW64\Hdmoohbo.exeC:\Windows\system32\Hdmoohbo.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:392 -
C:\Windows\SysWOW64\Hkfglb32.exeC:\Windows\system32\Hkfglb32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1008 -
C:\Windows\SysWOW64\Hiiggoaf.exeC:\Windows\system32\Hiiggoaf.exe22⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1132 -
C:\Windows\SysWOW64\Hlhccj32.exeC:\Windows\system32\Hlhccj32.exe23⤵
- Executes dropped EXE
PID:3948 -
C:\Windows\SysWOW64\Hpcodihc.exeC:\Windows\system32\Hpcodihc.exe24⤵
- Executes dropped EXE
PID:3620 -
C:\Windows\SysWOW64\Hcblpdgg.exeC:\Windows\system32\Hcblpdgg.exe25⤵
- Executes dropped EXE
PID:3344 -
C:\Windows\SysWOW64\Hkicaahi.exeC:\Windows\system32\Hkicaahi.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4880 -
C:\Windows\SysWOW64\Icdheded.exeC:\Windows\system32\Icdheded.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:3144 -
C:\Windows\SysWOW64\Iinqbn32.exeC:\Windows\system32\Iinqbn32.exe28⤵
- Executes dropped EXE
PID:4348 -
C:\Windows\SysWOW64\Idcepgmg.exeC:\Windows\system32\Idcepgmg.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:116 -
C:\Windows\SysWOW64\Icfekc32.exeC:\Windows\system32\Icfekc32.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3212 -
C:\Windows\SysWOW64\Ijqmhnko.exeC:\Windows\system32\Ijqmhnko.exe31⤵
- Executes dropped EXE
PID:384 -
C:\Windows\SysWOW64\Iloidijb.exeC:\Windows\system32\Iloidijb.exe32⤵
- Executes dropped EXE
PID:4360 -
C:\Windows\SysWOW64\Iciaqc32.exeC:\Windows\system32\Iciaqc32.exe33⤵
- Executes dropped EXE
PID:3416 -
C:\Windows\SysWOW64\Ikpjbq32.exeC:\Windows\system32\Ikpjbq32.exe34⤵
- Executes dropped EXE
PID:3632 -
C:\Windows\SysWOW64\Innfnl32.exeC:\Windows\system32\Innfnl32.exe35⤵
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Ipmbjgpi.exeC:\Windows\system32\Ipmbjgpi.exe36⤵
- Executes dropped EXE
PID:4624 -
C:\Windows\SysWOW64\Icknfcol.exeC:\Windows\system32\Icknfcol.exe37⤵
- Executes dropped EXE
PID:3688 -
C:\Windows\SysWOW64\Ikbfgppo.exeC:\Windows\system32\Ikbfgppo.exe38⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Inqbclob.exeC:\Windows\system32\Inqbclob.exe39⤵
- Executes dropped EXE
PID:3840 -
C:\Windows\SysWOW64\Ipoopgnf.exeC:\Windows\system32\Ipoopgnf.exe40⤵
- Executes dropped EXE
PID:3752 -
C:\Windows\SysWOW64\Icnklbmj.exeC:\Windows\system32\Icnklbmj.exe41⤵
- Executes dropped EXE
PID:5000 -
C:\Windows\SysWOW64\Ikdcmpnl.exeC:\Windows\system32\Ikdcmpnl.exe42⤵
- Executes dropped EXE
PID:3464 -
C:\Windows\SysWOW64\Jncoikmp.exeC:\Windows\system32\Jncoikmp.exe43⤵
- Executes dropped EXE
PID:4536 -
C:\Windows\SysWOW64\Jpaleglc.exeC:\Windows\system32\Jpaleglc.exe44⤵
- Executes dropped EXE
PID:4840 -
C:\Windows\SysWOW64\Jcphab32.exeC:\Windows\system32\Jcphab32.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:816 -
C:\Windows\SysWOW64\Jkgpbp32.exeC:\Windows\system32\Jkgpbp32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:4936 -
C:\Windows\SysWOW64\Jnelok32.exeC:\Windows\system32\Jnelok32.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4236 -
C:\Windows\SysWOW64\Jpdhkf32.exeC:\Windows\system32\Jpdhkf32.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:4268 -
C:\Windows\SysWOW64\Jcbdgb32.exeC:\Windows\system32\Jcbdgb32.exe49⤵
- Executes dropped EXE
PID:208 -
C:\Windows\SysWOW64\Jkimho32.exeC:\Windows\system32\Jkimho32.exe50⤵
- Executes dropped EXE
PID:4556 -
C:\Windows\SysWOW64\Jnhidk32.exeC:\Windows\system32\Jnhidk32.exe51⤵
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Jpfepf32.exeC:\Windows\system32\Jpfepf32.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2716 -
C:\Windows\SysWOW64\Jdaaaeqg.exeC:\Windows\system32\Jdaaaeqg.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:2940 -
C:\Windows\SysWOW64\Jgpmmp32.exeC:\Windows\system32\Jgpmmp32.exe54⤵
- Executes dropped EXE
PID:3576 -
C:\Windows\SysWOW64\Jjoiil32.exeC:\Windows\system32\Jjoiil32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2920 -
C:\Windows\SysWOW64\Jqhafffk.exeC:\Windows\system32\Jqhafffk.exe56⤵
- Executes dropped EXE
PID:1872 -
C:\Windows\SysWOW64\Jcgnbaeo.exeC:\Windows\system32\Jcgnbaeo.exe57⤵
- Executes dropped EXE
PID:4320 -
C:\Windows\SysWOW64\Jgbjbp32.exeC:\Windows\system32\Jgbjbp32.exe58⤵
- Executes dropped EXE
PID:5104 -
C:\Windows\SysWOW64\Jjafok32.exeC:\Windows\system32\Jjafok32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Jqknkedi.exeC:\Windows\system32\Jqknkedi.exe60⤵
- Executes dropped EXE
PID:5004 -
C:\Windows\SysWOW64\Jdfjld32.exeC:\Windows\system32\Jdfjld32.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3488 -
C:\Windows\SysWOW64\Kkpbin32.exeC:\Windows\system32\Kkpbin32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4312 -
C:\Windows\SysWOW64\Kmaopfjm.exeC:\Windows\system32\Kmaopfjm.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4696 -
C:\Windows\SysWOW64\Kdigadjo.exeC:\Windows\system32\Kdigadjo.exe64⤵
- Executes dropped EXE
PID:4492 -
C:\Windows\SysWOW64\Kjepjkhf.exeC:\Windows\system32\Kjepjkhf.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3556 -
C:\Windows\SysWOW64\Knalji32.exeC:\Windows\system32\Knalji32.exe66⤵PID:4852
-
C:\Windows\SysWOW64\Kdkdgchl.exeC:\Windows\system32\Kdkdgchl.exe67⤵PID:624
-
C:\Windows\SysWOW64\Kkeldnpi.exeC:\Windows\system32\Kkeldnpi.exe68⤵
- Modifies registry class
PID:2852 -
C:\Windows\SysWOW64\Knchpiom.exeC:\Windows\system32\Knchpiom.exe69⤵PID:3772
-
C:\Windows\SysWOW64\Kkgiimng.exeC:\Windows\system32\Kkgiimng.exe70⤵PID:2344
-
C:\Windows\SysWOW64\Kjjiej32.exeC:\Windows\system32\Kjjiej32.exe71⤵
- Drops file in System32 directory
PID:1544 -
C:\Windows\SysWOW64\Kqdaadln.exeC:\Windows\system32\Kqdaadln.exe72⤵PID:4176
-
C:\Windows\SysWOW64\Kdpmbc32.exeC:\Windows\system32\Kdpmbc32.exe73⤵PID:4892
-
C:\Windows\SysWOW64\Kcbnnpka.exeC:\Windows\system32\Kcbnnpka.exe74⤵
- System Location Discovery: System Language Discovery
PID:2984 -
C:\Windows\SysWOW64\Kjmfjj32.exeC:\Windows\system32\Kjmfjj32.exe75⤵PID:5012
-
C:\Windows\SysWOW64\Kqfngd32.exeC:\Windows\system32\Kqfngd32.exe76⤵PID:3012
-
C:\Windows\SysWOW64\Kcejco32.exeC:\Windows\system32\Kcejco32.exe77⤵PID:2420
-
C:\Windows\SysWOW64\Lklbdm32.exeC:\Windows\system32\Lklbdm32.exe78⤵PID:1148
-
C:\Windows\SysWOW64\Lnjnqh32.exeC:\Windows\system32\Lnjnqh32.exe79⤵PID:4848
-
C:\Windows\SysWOW64\Lqikmc32.exeC:\Windows\system32\Lqikmc32.exe80⤵PID:2804
-
C:\Windows\SysWOW64\Lcggio32.exeC:\Windows\system32\Lcggio32.exe81⤵PID:2084
-
C:\Windows\SysWOW64\Lknojl32.exeC:\Windows\system32\Lknojl32.exe82⤵
- System Location Discovery: System Language Discovery
PID:3220 -
C:\Windows\SysWOW64\Ljaoeini.exeC:\Windows\system32\Ljaoeini.exe83⤵
- System Location Discovery: System Language Discovery
PID:1788 -
C:\Windows\SysWOW64\Lmpkadnm.exeC:\Windows\system32\Lmpkadnm.exe84⤵PID:3964
-
C:\Windows\SysWOW64\Lcjcnoej.exeC:\Windows\system32\Lcjcnoej.exe85⤵PID:4060
-
C:\Windows\SysWOW64\Lgepom32.exeC:\Windows\system32\Lgepom32.exe86⤵PID:3512
-
C:\Windows\SysWOW64\Ljclki32.exeC:\Windows\system32\Ljclki32.exe87⤵PID:4428
-
C:\Windows\SysWOW64\Ldipha32.exeC:\Windows\system32\Ldipha32.exe88⤵PID:4792
-
C:\Windows\SysWOW64\Lkchelci.exeC:\Windows\system32\Lkchelci.exe89⤵PID:3984
-
C:\Windows\SysWOW64\Lnadagbm.exeC:\Windows\system32\Lnadagbm.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4292 -
C:\Windows\SysWOW64\Lqpamb32.exeC:\Windows\system32\Lqpamb32.exe91⤵PID:2952
-
C:\Windows\SysWOW64\Lekmnajj.exeC:\Windows\system32\Lekmnajj.exe92⤵PID:2192
-
C:\Windows\SysWOW64\Lgjijmin.exeC:\Windows\system32\Lgjijmin.exe93⤵PID:5132
-
C:\Windows\SysWOW64\Lkeekk32.exeC:\Windows\system32\Lkeekk32.exe94⤵
- Modifies registry class
PID:5176 -
C:\Windows\SysWOW64\Ljhefhha.exeC:\Windows\system32\Ljhefhha.exe95⤵PID:5220
-
C:\Windows\SysWOW64\Lmgabcge.exeC:\Windows\system32\Lmgabcge.exe96⤵PID:5264
-
C:\Windows\SysWOW64\Lenicahg.exeC:\Windows\system32\Lenicahg.exe97⤵PID:5308
-
C:\Windows\SysWOW64\Mglfplgk.exeC:\Windows\system32\Mglfplgk.exe98⤵
- Modifies registry class
PID:5352 -
C:\Windows\SysWOW64\Mkhapk32.exeC:\Windows\system32\Mkhapk32.exe99⤵PID:5396
-
C:\Windows\SysWOW64\Mjkblhfo.exeC:\Windows\system32\Mjkblhfo.exe100⤵PID:5444
-
C:\Windows\SysWOW64\Mminhceb.exeC:\Windows\system32\Mminhceb.exe101⤵PID:5488
-
C:\Windows\SysWOW64\Mepfiq32.exeC:\Windows\system32\Mepfiq32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5528 -
C:\Windows\SysWOW64\Mccfdmmo.exeC:\Windows\system32\Mccfdmmo.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5576 -
C:\Windows\SysWOW64\Mkjnfkma.exeC:\Windows\system32\Mkjnfkma.exe104⤵PID:5632
-
C:\Windows\SysWOW64\Mjmoag32.exeC:\Windows\system32\Mjmoag32.exe105⤵PID:5676
-
C:\Windows\SysWOW64\Mmkkmc32.exeC:\Windows\system32\Mmkkmc32.exe106⤵
- Drops file in System32 directory
PID:5724 -
C:\Windows\SysWOW64\Maggnali.exeC:\Windows\system32\Maggnali.exe107⤵PID:5776
-
C:\Windows\SysWOW64\Mcecjmkl.exeC:\Windows\system32\Mcecjmkl.exe108⤵PID:5824
-
C:\Windows\SysWOW64\Mgaokl32.exeC:\Windows\system32\Mgaokl32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5876 -
C:\Windows\SysWOW64\Mjokgg32.exeC:\Windows\system32\Mjokgg32.exe110⤵PID:5944
-
C:\Windows\SysWOW64\Mmnhcb32.exeC:\Windows\system32\Mmnhcb32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5992 -
C:\Windows\SysWOW64\Maiccajf.exeC:\Windows\system32\Maiccajf.exe112⤵
- Drops file in System32 directory
- Modifies registry class
PID:6036 -
C:\Windows\SysWOW64\Meepdp32.exeC:\Windows\system32\Meepdp32.exe113⤵PID:6080
-
C:\Windows\SysWOW64\Mgclpkac.exeC:\Windows\system32\Mgclpkac.exe114⤵
- Modifies registry class
PID:2352 -
C:\Windows\SysWOW64\Mkohaj32.exeC:\Windows\system32\Mkohaj32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5228 -
C:\Windows\SysWOW64\Mjahlgpf.exeC:\Windows\system32\Mjahlgpf.exe116⤵PID:5320
-
C:\Windows\SysWOW64\Mkadfj32.exeC:\Windows\system32\Mkadfj32.exe117⤵PID:5436
-
C:\Windows\SysWOW64\Mjdebfnd.exeC:\Windows\system32\Mjdebfnd.exe118⤵PID:5476
-
C:\Windows\SysWOW64\Mmbanbmg.exeC:\Windows\system32\Mmbanbmg.exe119⤵PID:5564
-
C:\Windows\SysWOW64\Manmoq32.exeC:\Windows\system32\Manmoq32.exe120⤵PID:5644
-
C:\Windows\SysWOW64\Nclikl32.exeC:\Windows\system32\Nclikl32.exe121⤵PID:5740
-
C:\Windows\SysWOW64\Nghekkmn.exeC:\Windows\system32\Nghekkmn.exe122⤵
- Drops file in System32 directory
PID:5832
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-