Analysis
max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted
10-11-2024 01:58
Static task
static1
Behavioral task
behavioral1
Sample
b5c04b632cf079e4d0d75762ba35458f2dbf206cdfb37d215c74d998a0e9ac3f.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
b5c04b632cf079e4d0d75762ba35458f2dbf206cdfb37d215c74d998a0e9ac3f.exe
Resource
win10v2004-20241007-en
General
Target
b5c04b632cf079e4d0d75762ba35458f2dbf206cdfb37d215c74d998a0e9ac3f.exe
Size
5.5MB
MD5
cd5166991ae61663ce1f005d55ea41a8
SHA1
166b6e7b2dd6fdc4f8651ea6585a45f34fcb58f8
SHA256
b5c04b632cf079e4d0d75762ba35458f2dbf206cdfb37d215c74d998a0e9ac3f
SHA512
4897b528a00913ff4b62a44d04f0017cc8c58fe620f316324016e507ad19b4ac4ed279d3d09bc57893d12abb623f6c69b100993bc2c9aa6dac4bd13a3af9853c
SSDEEP
12288:935jvwm0sKA5p8Wgx+gWVBmLnWrOxNuxC7:9pVoAL8WJm8MoC7
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Hflndjin.exe, Onapdmma.exe, Cooddbfh.exe, Ojoood32.exe, Bpqain32.exe, Fgadda32.exe, Mcqombic.exe, Dqddmd32.exe, Jjgpjjak.exe, Aoagccfn.exe, Egajnfoe.exe, Meffjjln.exe, Iipgeb32.exe, Dlcfnk32.exe, Ocjfgo32.exe, Dkqbaecc.exe, Ofdclinq.exe, Bmjekahk.exe, Aafnpkii.exe, Pdcgeejf.exe, Kifgllbc.exe, Hkljljko.exe, Blelpeoa.exe, Nfnneb32.exe, Pcnfdl32.exe, Pcmoie32.exe, Ghenamai.exe, Pccelqeb.exe, Gceailog.exe, Cbnfmo32.exe, Nepkia32.exe, Hpnpam32.exe, Geeemeif.exe, Hiioin32.exe, Llalgdbj.exe, Kljabgnh.exe, Qpjchicb.exe, Oohmmojn.exe, Pnbcij32.exe, Ggkibhjf.exe, Ejabqi32.exe, Ohqbbi32.exe, Dnjoco32.exe, Ahpddmia.exe, Dkmghe32.exe, Iqnlpq32.exe, Fdlpnamm.exe, Lfhiepbn.exe, Johlpoij.exe, Mlnbmikh.exe, Kkileele.exe, Nhiholof.exe, Pafbadcm.exe, Phnpagdp.exe, Mjaddn32.exe, Jjocoedg.exe, Llpfjomf.exe, Mhalngad.exe, Gmamfddp.exe, Lfgaaa32.exe, Amnanefa.exe, Fdcncg32.exe, Bhfhnofg.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hflndjin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Onapdmma.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cooddbfh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ojoood32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bpqain32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fgadda32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mcqombic.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dqddmd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jjgpjjak.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aoagccfn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Egajnfoe.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Meffjjln.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Iipgeb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dlcfnk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ocjfgo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dkqbaecc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ofdclinq.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bmjekahk.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aafnpkii.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pdcgeejf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kifgllbc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hkljljko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Blelpeoa.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nfnneb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pcnfdl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pcmoie32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ghenamai.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pccelqeb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gceailog.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cbnfmo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nepkia32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hpnpam32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Geeemeif.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hiioin32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Llalgdbj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kljabgnh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qpjchicb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Oohmmojn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pnbcij32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Geeemeif.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ggkibhjf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ejabqi32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ohqbbi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dnjoco32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ahpddmia.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dkmghe32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iqnlpq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fdlpnamm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lfhiepbn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Johlpoij.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mlnbmikh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kkileele.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nhiholof.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pafbadcm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Phnpagdp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mjaddn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jjocoedg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Llpfjomf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mhalngad.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gmamfddp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lfgaaa32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Amnanefa.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fdcncg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bhfhnofg.exe
Berbew family
Executes dropped EXE 64 IoCs
Processes:
Dkqbaecc.exe, Ddigjkid.exe, Ejobhppq.exe, Gjakmc32.exe, Jjbpgd32.exe, Kilfcpqm.exe, Mkklljmg.exe, Ocfigjlp.exe, Pckoam32.exe, Pdlkiepd.exe, Bfkpqn32.exe, Egiiapci.exe, Fcbbjcif.exe, Fjlkgn32.exe, Hdkape32.exe, Kkileele.exe, Kcgmoggn.exe, Mjekfd32.exe, Mfllkece.exe, Nbjcqe32.exe, Namclbil.exe, Nhiholof.exe, Nadimacd.exe, Olbchn32.exe, Ooqpdj32.exe, Pafbadcm.exe, Phpjnnki.exe, Pqkobqhd.exe, Pcnejk32.exe, Aollokco.exe, Affdle32.exe, Aoohekal.exe, Bnhoag32.exe, Bpqain32.exe, Bbonei32.exe, Cemjae32.exe, Cbdgqimc.exe, Cffljlpc.exe, Dgoopkgh.exe, Eoompl32.exe, Ekfndmfb.exe, Epbfmd32.exe, Ejpdai32.exe, Elnqmd32.exe, Ffkoai32.exe, Fgadda32.exe, Gbfiaj32.exe, Geeemeif.exe, Gjdjklek.exe, Hbfepmmn.exe, Hhcmhdke.exe, Hpjeialg.exe, Hjdfjo32.exe, Hanogipc.exe, Iipiljgf.exe, Ilofhffj.exe, Ilcoce32.exe, Ioakoq32.exe, Jagnlkjd.exe, Jdejhfig.exe, Jnnnalph.exe, Kljabgnh.exe, Kcdjoaee.exe, Lkdhoc32.exe
pid | process
2732 | Dkqbaecc.exe
2776 | Ddigjkid.exe
2852 | Ejobhppq.exe
2596 | Gjakmc32.exe
304 | Jjbpgd32.exe
984 | Kilfcpqm.exe
2804 | Mkklljmg.exe
2436 | Ocfigjlp.exe
496 | Pckoam32.exe
1140 | Pdlkiepd.exe
1944 | Bfkpqn32.exe
1604 | Egiiapci.exe
1692 | Fcbbjcif.exe
2396 | Fjlkgn32.exe
1344 | Hdkape32.exe
1012 | Kkileele.exe
1784 | Kcgmoggn.exe
1780 | Mjekfd32.exe
668 | Mfllkece.exe
2128 | Nbjcqe32.exe
604 | Namclbil.exe
2124 | Nhiholof.exe
2348 | Nadimacd.exe
1348 | Olbchn32.exe
1732 | Ooqpdj32.exe
1596 | Pafbadcm.exe
2648 | Phpjnnki.exe
2632 | Pqkobqhd.exe
2640 | Pcnejk32.exe
2768 | Aollokco.exe
484 | Affdle32.exe
1120 | Aoohekal.exe
2824 | Bnhoag32.exe
2440 | Bpqain32.exe
1624 | Bbonei32.exe
1788 | Cemjae32.exe
2468 | Cbdgqimc.exe
1628 | Cffljlpc.exe
2832 | Dgoopkgh.exe
2960 | Eoompl32.exe
2112 | Ekfndmfb.exe
2180 | Epbfmd32.exe
408 | Ejpdai32.exe
444 | Elnqmd32.exe
2144 | Ffkoai32.exe
2020 | Fgadda32.exe
2420 | Gbfiaj32.exe
1100 | Geeemeif.exe
1340 | Gjdjklek.exe
2668 | Hbfepmmn.exe
2656 | Hhcmhdke.exe
2552 | Hpjeialg.exe
884 | Hjdfjo32.exe
2944 | Hanogipc.exe
264 | Iipiljgf.exe
1856 | Ilofhffj.exe
2816 | Ilcoce32.exe
1912 | Ioakoq32.exe
1864 | Jagnlkjd.exe
1244 | Jdejhfig.exe
1088 | Jnnnalph.exe
2172 | Kljabgnh.exe
1852 | Kcdjoaee.exe
1620 | Lkdhoc32.exe
Loads dropped DLL 64 IoCs
Processes:
b5c04b632cf079e4d0d75762ba35458f2dbf206cdfb37d215c74d998a0e9ac3f.exe, Dkqbaecc.exe, Ddigjkid.exe, Ejobhppq.exe, Gjakmc32.exe, Jjbpgd32.exe, Kilfcpqm.exe, Mkklljmg.exe, Ocfigjlp.exe, Pckoam32.exe, Pdlkiepd.exe, Bfkpqn32.exe, Egiiapci.exe, Fcbbjcif.exe, Fjlkgn32.exe, Hdkape32.exe, Kkileele.exe, Kcgmoggn.exe, Mjekfd32.exe, Mfllkece.exe, Nbjcqe32.exe, Namclbil.exe, Nhiholof.exe, Nadimacd.exe, Olbchn32.exe, Ooqpdj32.exe, Pafbadcm.exe, Phpjnnki.exe, Pqkobqhd.exe, Pcnejk32.exe, Aollokco.exe, Affdle32.exe
pid | process
3004 | b5c04b632cf079e4d0d75762ba35458f2dbf206cdfb37d215c74d998a0e9ac3f.exe
3004 | b5c04b632cf079e4d0d75762ba35458f2dbf206cdfb37d215c74d998a0e9ac3f.exe
2732 | Dkqbaecc.exe
2732 | Dkqbaecc.exe
2776 | Ddigjkid.exe
2776 | Ddigjkid.exe
2852 | Ejobhppq.exe
2852 | Ejobhppq.exe
2596 | Gjakmc32.exe
2596 | Gjakmc32.exe
304 | Jjbpgd32.exe
304 | Jjbpgd32.exe
984 | Kilfcpqm.exe
984 | Kilfcpqm.exe
2804 | Mkklljmg.exe
2804 | Mkklljmg.exe
2436 | Ocfigjlp.exe
2436 | Ocfigjlp.exe
496 | Pckoam32.exe
496 | Pckoam32.exe
1140 | Pdlkiepd.exe
1140 | Pdlkiepd.exe
1944 | Bfkpqn32.exe
1944 | Bfkpqn32.exe
1604 | Egiiapci.exe
1604 | Egiiapci.exe
1692 | Fcbbjcif.exe
1692 | Fcbbjcif.exe
2396 | Fjlkgn32.exe
2396 | Fjlkgn32.exe
1344 | Hdkape32.exe
1344 | Hdkape32.exe
1012 | Kkileele.exe
1012 | Kkileele.exe
1784 | Kcgmoggn.exe
1784 | Kcgmoggn.exe
1780 | Mjekfd32.exe
1780 | Mjekfd32.exe
668 | Mfllkece.exe
668 | Mfllkece.exe
2128 | Nbjcqe32.exe
2128 | Nbjcqe32.exe
604 | Namclbil.exe
604 | Namclbil.exe
2124 | Nhiholof.exe
2124 | Nhiholof.exe
2348 | Nadimacd.exe
2348 | Nadimacd.exe
1348 | Olbchn32.exe
1348 | Olbchn32.exe
1732 | Ooqpdj32.exe
1732 | Ooqpdj32.exe
1596 | Pafbadcm.exe
1596 | Pafbadcm.exe
2648 | Phpjnnki.exe
2648 | Phpjnnki.exe
2632 | Pqkobqhd.exe
2632 | Pqkobqhd.exe
2640 | Pcnejk32.exe
2640 | Pcnejk32.exe
2768 | Aollokco.exe
2768 | Aollokco.exe
484 | Affdle32.exe
484 | Affdle32.exe
Drops file in System32 directory 64 IoCs
Processes:
b5c04b632cf079e4d0d75762ba35458f2dbf206cdfb37d215c74d998a0e9ac3f.exe, Dbgdgm32.exe, Knfopnkk.exe, Lafekm32.exe, Dahifbpk.exe, Gmhbkohm.exe, Jqbbhg32.exe, Mifmoa32.exe, Bpqain32.exe, Hidfjckg.exe, Aollokco.exe, Dbiocd32.exe, Aabhiikm.exe, Phnpagdp.exe, Apeflmjc.exe, Adkbgf32.exe, Gmhmdc32.exe, Jkgfgl32.exe, Aoohekal.exe, Ajehnk32.exe, Acggbffj.exe, Ohncdp32.exe, Iqllghon.exe, Heakefnf.exe, Dlqgob32.exe, Joicje32.exe, Hhcmhdke.exe, Pnfnajed.exe, Phcleoho.exe, Polobd32.exe, Aialjgbh.exe, Pccdqloh.exe, Ofbikf32.exe, Bceibfgj.exe, Mkibjgli.exe, Kolhdbjh.exe, Fqpbpo32.exe, Cqqbgoba.exe, Bgibnj32.exe, Cnjbfhqa.exe, Kpkocpjj.exe, Iipiljgf.exe, Bojipjcj.exe, Imchcplm.exe, Egfglocf.exe, Ngahmngp.exe, Fkhbgbkc.exe, Jelhmlgm.exe, Nckmpicl.exe, Idemkp32.exe, Bmegodpi.exe, Pckajebj.exe, Pkihpi32.exe, Fdbgia32.exe, Mgmbbkij.exe, Gnkoid32.exe, Lqbfdp32.exe, Abegfa32.exe, Fgldnkkf.exe, Lpabpcdf.exe, Fefcmehe.exe, Paocnkph.exe
description | ioc | process
File created | C:\Windows\SysWOW64\Ckgkkllh.dll | b5c04b632cf079e4d0d75762ba35458f2dbf206cdfb37d215c74d998a0e9ac3f.exe
File created | C:\Windows\SysWOW64\Eomgdlji.dll | Dbgdgm32.exe
File created | C:\Windows\SysWOW64\Lmlepi32.dll | Knfopnkk.exe
File created | C:\Windows\SysWOW64\Lkoidcaj.exe | Lafekm32.exe
File created | C:\Windows\SysWOW64\Elilld32.dll | Dahifbpk.exe
File created | C:\Windows\SysWOW64\Hkgioloi.dll | Gmhbkohm.exe
File created | C:\Windows\SysWOW64\Fdcbqe32.dll | Jqbbhg32.exe
File created | C:\Windows\SysWOW64\Mfmpqk32.dll | Mifmoa32.exe
File created | C:\Windows\SysWOW64\Kbdjhe32.dll | Bpqain32.exe
File created | C:\Windows\SysWOW64\Lmkcfaod.dll | Hidfjckg.exe
File opened for modification | C:\Windows\SysWOW64\Affdle32.exe | Aollokco.exe
File created | C:\Windows\SysWOW64\Iclnjd32.dll | Dbiocd32.exe
File created | C:\Windows\SysWOW64\Gpfeadne.dll | Aabhiikm.exe
File created | C:\Windows\SysWOW64\Pkmlmbcd.exe | Phnpagdp.exe
File opened for modification | C:\Windows\SysWOW64\Aadbfp32.exe | Apeflmjc.exe
File created | C:\Windows\SysWOW64\Ibjnpail.dll | Adkbgf32.exe
File created | C:\Windows\SysWOW64\Onpoob32.dll | Gmhmdc32.exe
File created | C:\Windows\SysWOW64\Pdopmade.dll | Jkgfgl32.exe
File opened for modification | C:\Windows\SysWOW64\Bnhoag32.exe | Aoohekal.exe
File created | C:\Windows\SysWOW64\Daeclf32.dll | Ajehnk32.exe
File opened for modification | C:\Windows\SysWOW64\Bfmjoqoe.exe | Acggbffj.exe
File opened for modification | C:\Windows\SysWOW64\Oafhmf32.exe | Ohncdp32.exe
File opened for modification | C:\Windows\SysWOW64\Igeddb32.exe | Iqllghon.exe
File created | C:\Windows\SysWOW64\Hlkcbp32.exe | Heakefnf.exe
File created | C:\Windows\SysWOW64\Ddqeodjj.exe | Dlqgob32.exe
File created | C:\Windows\SysWOW64\Jhahcjcf.exe | Joicje32.exe
File opened for modification | C:\Windows\SysWOW64\Hpjeialg.exe | Hhcmhdke.exe
File opened for modification | C:\Windows\SysWOW64\Peeoidik.exe | Pnfnajed.exe
File created | C:\Windows\SysWOW64\Hdbcmcno.dll | Phcleoho.exe
File opened for modification | C:\Windows\SysWOW64\Aepnkjcd.exe | Polobd32.exe
File created | C:\Windows\SysWOW64\Kagbmg32.dll | Aialjgbh.exe
File opened for modification | C:\Windows\SysWOW64\Pnihneon.exe | Pccdqloh.exe
File created | C:\Windows\SysWOW64\Omlahqeo.exe | Ofbikf32.exe
File opened for modification | C:\Windows\SysWOW64\Bfdenafn.exe | Bceibfgj.exe
File opened for modification | C:\Windows\SysWOW64\Nnodgbed.exe | Mkibjgli.exe
File created | C:\Windows\SysWOW64\Knfopnkk.exe | Kolhdbjh.exe
File opened for modification | C:\Windows\SysWOW64\Kepgmh32.exe | Knfopnkk.exe
File created | C:\Windows\SysWOW64\Fkihmn32.dll | Fqpbpo32.exe
File created | C:\Windows\SysWOW64\Cincaq32.exe | Cqqbgoba.exe
File created | C:\Windows\SysWOW64\Cpfdhl32.exe | Bgibnj32.exe
File opened for modification | C:\Windows\SysWOW64\Dlfina32.exe | Cnjbfhqa.exe
File created | C:\Windows\SysWOW64\Kbikokin.exe | Kpkocpjj.exe
File created | C:\Windows\SysWOW64\Ilofhffj.exe | Iipiljgf.exe
File created | C:\Windows\SysWOW64\Cncolfcl.exe | Bojipjcj.exe
File opened for modification | C:\Windows\SysWOW64\Imkndofe.exe | Imchcplm.exe
File created | C:\Windows\SysWOW64\Kogohg32.dll | Egfglocf.exe
File opened for modification | C:\Windows\SysWOW64\Ocjfgo32.exe | Ngahmngp.exe
File created | C:\Windows\SysWOW64\Fpdkpiik.exe | Fkhbgbkc.exe
File created | C:\Windows\SysWOW64\Jkfpjf32.exe | Jelhmlgm.exe
File opened for modification | C:\Windows\SysWOW64\Odacbpee.exe | Nckmpicl.exe
File created | C:\Windows\SysWOW64\Igffmkno.exe | Idemkp32.exe
File opened for modification | C:\Windows\SysWOW64\Bcopkn32.exe | Bmegodpi.exe
File opened for modification | C:\Windows\SysWOW64\Pejmfqan.exe | Pckajebj.exe
File created | C:\Windows\SysWOW64\Pnqligpm.dll | Pkihpi32.exe
File created | C:\Windows\SysWOW64\Kmpokgjb.dll | Fdbgia32.exe
File opened for modification | C:\Windows\SysWOW64\Minldf32.exe | Mgmbbkij.exe
File created | C:\Windows\SysWOW64\Lkpbohhb.dll | Gnkoid32.exe
File created | C:\Windows\SysWOW64\Mjodhe32.exe | Lqbfdp32.exe
File created | C:\Windows\SysWOW64\Adcdbl32.exe | Abegfa32.exe
File opened for modification | C:\Windows\SysWOW64\Gceailog.exe | Fgldnkkf.exe
File created | C:\Windows\SysWOW64\Pebncn32.dll | Lpabpcdf.exe
File created | C:\Windows\SysWOW64\Najnhfnn.dll | Fefcmehe.exe
File created | C:\Windows\SysWOW64\Igeddb32.exe | Iqllghon.exe
File opened for modification | C:\Windows\SysWOW64\Aognbnkm.exe | Paocnkph.exe
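The two signatures above ("Executes dropped EXE" and "Drops file in System32 directory") describe the same behaviour from two angles: each generation of the chain writes a new, randomly named .exe (and a companion .dll) into C:\Windows\SysWOW64 and executes it, and the sandbox caps each list at 64 IoCs. The script below is an added example, not part of the report or of the malware; it parses records copied one per line from the report (the constructed sample input uses real records from this page), rebuilds the "who wrote what" graph, follows it to recover lineage and chain depth, and flags dropped binaries whose names fit the scheme visible in the listing (a capitalised letter plus seven lower-case letters, or plus five letters and "32"). The name pattern, the helper names and the SysWOW64-only scope are assumptions made for this example.

```python
"""Rebuild the dropper lineage from a sandbox report's 'Drops file in System32 directory'
and 'Executes dropped EXE' records, and flag drops whose names fit the random-name scheme.
Added example: not the sandbox's own code and not the malware's."""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed sample input: records copied from this report, one per line.
FILE_RECORDS = r"""
File created C:\Windows\SysWOW64\Ckgkkllh.dll b5c04b632cf079e4d0d75762ba35458f2dbf206cdfb37d215c74d998a0e9ac3f.exe
File created C:\Windows\SysWOW64\Knfopnkk.exe Kolhdbjh.exe
File created C:\Windows\SysWOW64\Lmlepi32.dll Knfopnkk.exe
File opened for modification C:\Windows\SysWOW64\Kepgmh32.exe Knfopnkk.exe
File created C:\Windows\SysWOW64\Ilofhffj.exe Iipiljgf.exe
File opened for modification C:\Windows\SysWOW64\Affdle32.exe Aollokco.exe
"""

# Constructed sample: the first entries of the "pid process" list, in report order.
PID_LIST = "2732 Dkqbaecc.exe 2776 Ddigjkid.exe 2852 Ejobhppq.exe 2596 Gjakmc32.exe 304 Jjbpgd32.exe"

FILE_RE = re.compile(r"^(File created|File opened for modification) (\S+) (\S+)$")
PID_RE = re.compile(r"(\d+) (\S+\.exe)")
# Assumed name scheme, derived from the names in this report: one capital letter followed
# by seven lower-case letters, or by five lower-case letters and "32"; .exe or .dll.
RANDOM_NAME_RE = re.compile(r"^[A-Z](?:[a-z]{7}|[a-z]{5}32)\.(?:exe|dll)$")
SYSWOW64 = "c:\\windows\\syswow64\\"


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def parse_file_records(text: str) -> list[tuple[str, str, str]]:
    """(action, dropped path, writing process) for each well-formed record; others are skipped."""
    out = []
    for line in text.strip().splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            out.append(m.groups())
    return out


def parse_pid_list(text: str) -> list[tuple[int, str]]:
    """(pid, image name) pairs in the order the sandbox listed them."""
    return [(int(pid), name) for pid, name in PID_RE.findall(text)]


def build_drop_graph(records) -> dict[str, set[str]]:
    """Writer image name -> set of paths it created or opened for modification."""
    graph: dict[str, set[str]] = defaultdict(set)
    for _action, path, writer in records:
        graph[writer].add(path)
    return dict(graph)


def descendants(graph: dict[str, set[str]], root: str) -> set[str]:
    """Every file reachable from root by following 'X wrote Y, Y wrote Z' edges."""
    seen: set[str] = set()
    stack = [root]
    while stack:
        for child in graph.get(stack.pop(), ()):
            name = basename(child)
            if name not in seen:
                seen.add(name)
                stack.append(name)
    return seen


def chain_depth(graph: dict[str, set[str]], node: str, _memo: dict | None = None) -> int:
    """Length of the longest write chain starting at node (0 if it wrote nothing)."""
    memo = {} if _memo is None else _memo
    if node in memo:
        return memo[node]
    memo[node] = 0  # provisional value guards against cycles in malformed input
    best = 0
    for child in graph.get(node, ()):
        best = max(best, 1 + chain_depth(graph, basename(child), memo))
    memo[node] = best
    return best


def is_family_drop(path: str) -> bool:
    """True for a binary under SysWOW64 whose name fits the assumed random-name scheme."""
    return path.lower().startswith(SYSWOW64) and RANDOM_NAME_RE.match(basename(path)) is not None


def flagged_drops(records) -> list[str]:
    """Sorted, de-duplicated names of dropped files that fit the scheme."""
    return sorted({basename(p) for _a, p, _w in records if is_family_drop(p)})


if __name__ == "__main__":
    recs = parse_file_records(FILE_RECORDS)
    graph = build_drop_graph(recs)
    print("flagged:", flagged_drops(recs))
    print("Kolhdbjh.exe lineage:", sorted(descendants(graph, "Kolhdbjh.exe")),
          "depth", chain_depth(graph, "Kolhdbjh.exe"))
    print("first executed:", parse_pid_list(PID_LIST)[:3])
```

Run over the full 64-record listing, `chain_depth` stays small because the sandbox truncates each list, so the real chain is longer than any one section shows; cross-referencing the "pid process" order with the drop graph is the way to stitch generations together.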
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Clclhmin.exe, Dkjkcfjc.exe, Cqqbgoba.exe, Baojapfj.exe, Eihgfd32.exe, Foahmh32.exe, Kbmfgk32.exe, Ccnifd32.exe, Lggpdmap.exe, Qoaaqb32.exe, Iipgeb32.exe, Pckoam32.exe, Ipmqgmcd.exe, Jbhebfck.exe, Efppqoil.exe, Mhalngad.exe, Pghklq32.exe, Geeemeif.exe, Fgldnkkf.exe, Eikimeff.exe, Kapbmo32.exe, Fdbgia32.exe, Odacbpee.exe, Kepgmh32.exe, Ciebdj32.exe, Aljmbknm.exe, Gknhjn32.exe, Pccelqeb.exe, Namclbil.exe, Pcnejk32.exe, Emaijk32.exe, Hiioin32.exe, Oninhgae.exe, Ijehdl32.exe, Klhioioc.exe, Lhfpdi32.exe, Lbbnjgik.exe, Mdkmld32.exe, Jjbpgd32.exe, Kolhdbjh.exe, Apeflmjc.exe, Jjgpjjak.exe, Bodhlane.exe, Lpjiik32.exe, Ciokijfd.exe, Nbkgbg32.exe, Pcnfdl32.exe, Hogcil32.exe, Bfppgohb.exe, Mjekfd32.exe, Aollokco.exe, Jbcjnnpl.exe, Cmhjdiap.exe, Flcojeak.exe, Ocjfgo32.exe, Aoagccfn.exe, Hndaao32.exe, Joicje32.exe, Lafekm32.exe, Hkljljko.exe, Gmmfaa32.exe, Bckefnki.exe, Magdam32.exe, Opmhqc32.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Clclhmin.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dkjkcfjc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cqqbgoba.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Baojapfj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eihgfd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Foahmh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kbmfgk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ccnifd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lggpdmap.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qoaaqb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iipgeb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pckoam32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ipmqgmcd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jbhebfck.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Efppqoil.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mhalngad.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pghklq32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Geeemeif.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fgldnkkf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eikimeff.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kapbmo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fdbgia32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Odacbpee.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kepgmh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ciebdj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aljmbknm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gknhjn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pccelqeb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Namclbil.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pcnejk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Emaijk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hiioin32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oninhgae.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ijehdl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Klhioioc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lhfpdi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lbbnjgik.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mdkmld32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jjbpgd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kolhdbjh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Apeflmjc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jjgpjjak.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bodhlane.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lpjiik32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ciokijfd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nbkgbg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pcnfdl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hogcil32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bfppgohb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mjekfd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aollokco.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jbcjnnpl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cmhjdiap.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Flcojeak.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ocjfgo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aoagccfn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hndaao32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Joicje32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lafekm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hkljljko.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gmmfaa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bckefnki.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Magdam32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Opmhqc32.exe
Modifies registry class 64 IoCs
Processes:
Macilmnk.exe, Cbdiia32.exe, Mkibjgli.exe, Pcnejk32.exe, Cagjqbam.exe, Fcfohlmg.exe, Hginnmml.exe, Fqpbpo32.exe, Fpoolael.exe, Fpbqcb32.exe, Kcipqi32.exe, Fgadda32.exe, Ppinkcnp.exe, Gomjckqc.exe, Jhahcjcf.exe, Nmjicn32.exe, Gcgpiq32.exe, Nmhqokcq.exe, Aafnpkii.exe, Pnbcij32.exe, Kilfcpqm.exe, Alddjg32.exe, Elpldp32.exe, Fokaoh32.exe, Pckoam32.exe, Pccdqloh.exe, Mbhlek32.exe, Ocefpnom.exe, Plhaeofp.exe, Ajdcofop.exe, Aenileon.exe, Bgibnj32.exe, Nbjeinje.exe, Pchbmigj.exe, Ohqbbi32.exe, Ojoood32.exe, Jnlbgq32.exe, Klhioioc.exe, Amebjgai.exe, Bblpae32.exe, Cncolfcl.exe, Aialjgbh.exe, Pkihpi32.exe, Peeoidik.exe, Fdapcg32.exe, Gajjhkgh.exe, Jcekbk32.exe, Emeobj32.exe, Kgmilmkb.exe, Nhjjgd32.exe, Igeddb32.exe, Abkkpd32.exe, Ocihgo32.exe, Dlnjjc32.exe, b5c04b632cf079e4d0d75762ba35458f2dbf206cdfb37d215c74d998a0e9ac3f.exe, Jjbpgd32.exe, Pjihmmbk.exe, Adohpe32.exe, Diaaeepi.exe, Mphiqbon.exe, Iknafhjb.exe, Onipqp32.exe, Gfgdij32.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llkcqmgj.dll" | Macilmnk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cbdiia32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfdbgnmd.dll" | Mkibjgli.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmbmdane.dll" | Pcnejk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cagjqbam.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fcfohlmg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkpnjeha.dll" | Hginnmml.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkihmn32.dll" | Fqpbpo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fpoolael.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fpbqcb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kcipqi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aippal32.dll" | Fgadda32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ppinkcnp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbenmb32.dll" | Gomjckqc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jhahcjcf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nmjicn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gcgpiq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nmhqokcq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Aafnpkii.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pnbcij32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kilfcpqm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Alddjg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Elpldp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfamkl32.dll" | Fokaoh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pckoam32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pccdqloh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mbhlek32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ocefpnom.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Plhaeofp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jafjpdlm.dll" | Ajdcofop.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmlbgc32.dll" | Aenileon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bgibnj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nbjeinje.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fglnmheg.dll" | Pchbmigj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coiajf32.dll" | Ohqbbi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ojoood32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jnlbgq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcfejhma.dll" | Klhioioc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcemgk32.dll" | Amebjgai.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agdfjc32.dll" | Bblpae32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cncolfcl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Aialjgbh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pkihpi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Peeoidik.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fdapcg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gajjhkgh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jcekbk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Emeobj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kgmilmkb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nmjicn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nhjjgd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Igeddb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flhbop32.dll" | Abkkpd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdhbbpkh.dll" | Ocihgo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dlnjjc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | b5c04b632cf079e4d0d75762ba35458f2dbf206cdfb37d215c74d998a0e9ac3f.exe
Key created
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjbpgd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjihmmbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alpppoaj.dll" Adohpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfkhk32.dll" Diaaeepi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mphiqbon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iknafhjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onipqp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gfgdij32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes: b5c04b632cf079e4d0d75762ba35458f2dbf206cdfb37d215c74d998a0e9ac3f.exe, Dkqbaecc.exe, Ddigjkid.exe, Ejobhppq.exe, Gjakmc32.exe, Jjbpgd32.exe, Kilfcpqm.exe, Mkklljmg.exe, Ocfigjlp.exe, Pckoam32.exe, Pdlkiepd.exe, Bfkpqn32.exe, Egiiapci.exe, Fcbbjcif.exe, Fjlkgn32.exe, Hdkape32.exe
description / pid / process / target process (each of the 16 writes below was logged four times, giving the 64 IoCs)
PID 3004 wrote to memory of 2732 / 3004 / b5c04b632cf079e4d0d75762ba35458f2dbf206cdfb37d215c74d998a0e9ac3f.exe / Dkqbaecc.exe
PID 2732 wrote to memory of 2776 / 2732 / Dkqbaecc.exe / Ddigjkid.exe
PID 2776 wrote to memory of 2852 / 2776 / Ddigjkid.exe / Ejobhppq.exe
PID 2852 wrote to memory of 2596 / 2852 / Ejobhppq.exe / Gjakmc32.exe
PID 2596 wrote to memory of 304 / 2596 / Gjakmc32.exe / Jjbpgd32.exe
PID 304 wrote to memory of 984 / 304 / Jjbpgd32.exe / Kilfcpqm.exe
PID 984 wrote to memory of 2804 / 984 / Kilfcpqm.exe / Mkklljmg.exe
PID 2804 wrote to memory of 2436 / 2804 / Mkklljmg.exe / Ocfigjlp.exe
PID 2436 wrote to memory of 496 / 2436 / Ocfigjlp.exe / Pckoam32.exe
PID 496 wrote to memory of 1140 / 496 / Pckoam32.exe / Pdlkiepd.exe
PID 1140 wrote to memory of 1944 / 1140 / Pdlkiepd.exe / Bfkpqn32.exe
PID 1944 wrote to memory of 1604 / 1944 / Bfkpqn32.exe / Egiiapci.exe
PID 1604 wrote to memory of 1692 / 1604 / Egiiapci.exe / Fcbbjcif.exe
PID 1692 wrote to memory of 2396 / 1692 / Fcbbjcif.exe / Fjlkgn32.exe
PID 2396 wrote to memory of 1344 / 2396 / Fjlkgn32.exe / Hdkape32.exe
PID 1344 wrote to memory of 1012 / 1344 / Hdkape32.exe / Kkileele.exe
Processes
Process tree (the leading number is the nesting depth shown in the report; each entry gives the image path, the PID and the command line, followed by the signatures that fired for that process):
1. C:\Users\Admin\AppData\Local\Temp\b5c04b632cf079e4d0d75762ba35458f2dbf206cdfb37d215c74d998a0e9ac3f.exe (PID 3004; command line "C:\Users\Admin\AppData\Local\Temp\b5c04b632cf079e4d0d75762ba35458f2dbf206cdfb37d215c74d998a0e9ac3f.exe")
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Dkqbaecc.exe (PID 2732; command line C:\Windows\system32\Dkqbaecc.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Ddigjkid.exe (PID 2776; command line C:\Windows\system32\Ddigjkid.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Ejobhppq.exe (PID 2852; command line C:\Windows\system32\Ejobhppq.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Gjakmc32.exe (PID 2596; command line C:\Windows\system32\Gjakmc32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Jjbpgd32.exe (PID 304; command line C:\Windows\system32\Jjbpgd32.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Kilfcpqm.exe (PID 984; command line C:\Windows\system32\Kilfcpqm.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Mkklljmg.exe (PID 2804; command line C:\Windows\system32\Mkklljmg.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Ocfigjlp.exe (PID 2436; command line C:\Windows\system32\Ocfigjlp.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Pckoam32.exe (PID 496; command line C:\Windows\system32\Pckoam32.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Pdlkiepd.exe (PID 1140; command line C:\Windows\system32\Pdlkiepd.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Bfkpqn32.exe (PID 1944; command line C:\Windows\system32\Bfkpqn32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Egiiapci.exe (PID 1604; command line C:\Windows\system32\Egiiapci.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Fcbbjcif.exe (PID 1692; command line C:\Windows\system32\Fcbbjcif.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Fjlkgn32.exe (PID 2396; command line C:\Windows\system32\Fjlkgn32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Hdkape32.exe (PID 1344; command line C:\Windows\system32\Hdkape32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Kkileele.exe (PID 1012; command line C:\Windows\system32\Kkileele.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
18. C:\Windows\SysWOW64\Kcgmoggn.exe (PID 1784; command line C:\Windows\system32\Kcgmoggn.exe)
- Executes dropped EXE
- Loads dropped DLL
19. C:\Windows\SysWOW64\Mjekfd32.exe (PID 1780; command line C:\Windows\system32\Mjekfd32.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
20. C:\Windows\SysWOW64\Mfllkece.exe (PID 668; command line C:\Windows\system32\Mfllkece.exe)
- Executes dropped EXE
- Loads dropped DLL
21. C:\Windows\SysWOW64\Nbjcqe32.exe (PID 2128; command line C:\Windows\system32\Nbjcqe32.exe)
- Executes dropped EXE
- Loads dropped DLL
22. C:\Windows\SysWOW64\Namclbil.exe (PID 604; command line C:\Windows\system32\Namclbil.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
23. C:\Windows\SysWOW64\Nhiholof.exe (PID 2124; command line C:\Windows\system32\Nhiholof.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
24. C:\Windows\SysWOW64\Nadimacd.exe (PID 2348; command line C:\Windows\system32\Nadimacd.exe)
- Executes dropped EXE
- Loads dropped DLL
25. C:\Windows\SysWOW64\Olbchn32.exe (PID 1348; command line C:\Windows\system32\Olbchn32.exe)
- Executes dropped EXE
- Loads dropped DLL
26. C:\Windows\SysWOW64\Ooqpdj32.exe (PID 1732; command line C:\Windows\system32\Ooqpdj32.exe)
- Executes dropped EXE
- Loads dropped DLL
27. C:\Windows\SysWOW64\Pafbadcm.exe (PID 1596; command line C:\Windows\system32\Pafbadcm.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
28. C:\Windows\SysWOW64\Phpjnnki.exe (PID 2648; command line C:\Windows\system32\Phpjnnki.exe)
- Executes dropped EXE
- Loads dropped DLL
29. C:\Windows\SysWOW64\Pqkobqhd.exe (PID 2632; command line C:\Windows\system32\Pqkobqhd.exe)
- Executes dropped EXE
- Loads dropped DLL
30. C:\Windows\SysWOW64\Pcnejk32.exe (PID 2640; command line C:\Windows\system32\Pcnejk32.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
31. C:\Windows\SysWOW64\Aollokco.exe (PID 2768; command line C:\Windows\system32\Aollokco.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
32. C:\Windows\SysWOW64\Affdle32.exe (PID 484; command line C:\Windows\system32\Affdle32.exe)
- Executes dropped EXE
- Loads dropped DLL
33. C:\Windows\SysWOW64\Aoohekal.exe (PID 1120; command line C:\Windows\system32\Aoohekal.exe)
- Executes dropped EXE
- Drops file in System32 directory
34. C:\Windows\SysWOW64\Bnhoag32.exe (PID 2824; command line C:\Windows\system32\Bnhoag32.exe)
- Executes dropped EXE
35. C:\Windows\SysWOW64\Bpqain32.exe (PID 2440; command line C:\Windows\system32\Bpqain32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
36. C:\Windows\SysWOW64\Bbonei32.exe (PID 1624; command line C:\Windows\system32\Bbonei32.exe)
- Executes dropped EXE
37. C:\Windows\SysWOW64\Cemjae32.exe (PID 1788; command line C:\Windows\system32\Cemjae32.exe)
- Executes dropped EXE
38. C:\Windows\SysWOW64\Cbdgqimc.exe (PID 2468; command line C:\Windows\system32\Cbdgqimc.exe)
- Executes dropped EXE
39. C:\Windows\SysWOW64\Cffljlpc.exe (PID 1628; command line C:\Windows\system32\Cffljlpc.exe)
- Executes dropped EXE
40. C:\Windows\SysWOW64\Dgoopkgh.exe (PID 2832; command line C:\Windows\system32\Dgoopkgh.exe)
- Executes dropped EXE
41. C:\Windows\SysWOW64\Eoompl32.exe (PID 2960; command line C:\Windows\system32\Eoompl32.exe)
- Executes dropped EXE
42. C:\Windows\SysWOW64\Ekfndmfb.exe (PID 2112; command line C:\Windows\system32\Ekfndmfb.exe)
- Executes dropped EXE
43. C:\Windows\SysWOW64\Epbfmd32.exe (PID 2180; command line C:\Windows\system32\Epbfmd32.exe)
- Executes dropped EXE
44. C:\Windows\SysWOW64\Ejpdai32.exe (PID 408; command line C:\Windows\system32\Ejpdai32.exe)
- Executes dropped EXE
45. C:\Windows\SysWOW64\Elnqmd32.exe (PID 444; command line C:\Windows\system32\Elnqmd32.exe)
- Executes dropped EXE
46. C:\Windows\SysWOW64\Ffkoai32.exe (PID 2144; command line C:\Windows\system32\Ffkoai32.exe)
- Executes dropped EXE
47. C:\Windows\SysWOW64\Fgadda32.exe (PID 2020; command line C:\Windows\system32\Fgadda32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
48. C:\Windows\SysWOW64\Gbfiaj32.exe (PID 2420; command line C:\Windows\system32\Gbfiaj32.exe)
- Executes dropped EXE
49. C:\Windows\SysWOW64\Geeemeif.exe (PID 1100; command line C:\Windows\system32\Geeemeif.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
50. C:\Windows\SysWOW64\Gjdjklek.exe (PID 1340; command line C:\Windows\system32\Gjdjklek.exe)
- Executes dropped EXE
51. C:\Windows\SysWOW64\Hbfepmmn.exe (PID 2668; command line C:\Windows\system32\Hbfepmmn.exe)
- Executes dropped EXE
52. C:\Windows\SysWOW64\Hhcmhdke.exe (PID 2656; command line C:\Windows\system32\Hhcmhdke.exe)
- Executes dropped EXE
- Drops file in System32 directory
53. C:\Windows\SysWOW64\Hpjeialg.exe (PID 2552; command line C:\Windows\system32\Hpjeialg.exe)
- Executes dropped EXE
54. C:\Windows\SysWOW64\Hjdfjo32.exe (PID 884; command line C:\Windows\system32\Hjdfjo32.exe)
- Executes dropped EXE
55. C:\Windows\SysWOW64\Hanogipc.exe (PID 2944; command line C:\Windows\system32\Hanogipc.exe)
- Executes dropped EXE
56. C:\Windows\SysWOW64\Iipiljgf.exe (PID 264; command line C:\Windows\system32\Iipiljgf.exe)
- Executes dropped EXE
- Drops file in System32 directory
57. C:\Windows\SysWOW64\Ilofhffj.exe (PID 1856; command line C:\Windows\system32\Ilofhffj.exe)
- Executes dropped EXE
58. C:\Windows\SysWOW64\Ilcoce32.exe (PID 2816; command line C:\Windows\system32\Ilcoce32.exe)
- Executes dropped EXE
59. C:\Windows\SysWOW64\Ioakoq32.exe (PID 1912; command line C:\Windows\system32\Ioakoq32.exe)
- Executes dropped EXE
60. C:\Windows\SysWOW64\Jagnlkjd.exe (PID 1864; command line C:\Windows\system32\Jagnlkjd.exe)
- Executes dropped EXE
61. C:\Windows\SysWOW64\Jdejhfig.exe (PID 1244; command line C:\Windows\system32\Jdejhfig.exe)
- Executes dropped EXE
62. C:\Windows\SysWOW64\Jnnnalph.exe (PID 1088; command line C:\Windows\system32\Jnnnalph.exe)
- Executes dropped EXE
63. C:\Windows\SysWOW64\Kljabgnh.exe (PID 2172; command line C:\Windows\system32\Kljabgnh.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
64. C:\Windows\SysWOW64\Kcdjoaee.exe (PID 1852; command line C:\Windows\system32\Kcdjoaee.exe)
- Executes dropped EXE
65. C:\Windows\SysWOW64\Lkdhoc32.exe (PID 1620; command line C:\Windows\system32\Lkdhoc32.exe)
- Executes dropped EXE
66. C:\Windows\SysWOW64\Lbnpkmfg.exe (PID 1960; command line C:\Windows\system32\Lbnpkmfg.exe)
67. C:\Windows\SysWOW64\Ldllgiek.exe (PID 1544; command line C:\Windows\system32\Ldllgiek.exe)
68. C:\Windows\SysWOW64\Ljnnko32.exe (PID 1408; command line C:\Windows\system32\Ljnnko32.exe)
69. C:\Windows\SysWOW64\Lqhfhigj.exe (PID 796; command line C:\Windows\system32\Lqhfhigj.exe)
70. C:\Windows\SysWOW64\Mgjebg32.exe (PID 2216; command line C:\Windows\system32\Mgjebg32.exe)
71. C:\Windows\SysWOW64\Mpamde32.exe (PID 2736; command line C:\Windows\system32\Mpamde32.exe)
72. C:\Windows\SysWOW64\Macilmnk.exe (PID 2688; command line C:\Windows\system32\Macilmnk.exe)
- Modifies registry class
73. C:\Windows\SysWOW64\Nenakoho.exe (PID 2796; command line C:\Windows\system32\Nenakoho.exe)
74. C:\Windows\SysWOW64\Npdfhhhe.exe (PID 2600; command line C:\Windows\system32\Npdfhhhe.exe)
75. C:\Windows\SysWOW64\Nfnneb32.exe (PID 1488; command line C:\Windows\system32\Nfnneb32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
76. C:\Windows\SysWOW64\Okbpde32.exe (PID 2808; command line C:\Windows\system32\Okbpde32.exe)
77. C:\Windows\SysWOW64\Omqlpp32.exe (PID 1952; command line C:\Windows\system32\Omqlpp32.exe)
78. C:\Windows\SysWOW64\Oanefo32.exe (PID 1192; command line C:\Windows\system32\Oanefo32.exe)
79. C:\Windows\SysWOW64\Pckajebj.exe (PID 2476; command line C:\Windows\system32\Pckajebj.exe)
- Drops file in System32 directory
80. C:\Windows\SysWOW64\Pejmfqan.exe (PID 2700; command line C:\Windows\system32\Pejmfqan.exe)
81. C:\Windows\SysWOW64\Abegfa32.exe (PID 2096; command line C:\Windows\system32\Abegfa32.exe)
- Drops file in System32 directory
82. C:\Windows\SysWOW64\Adcdbl32.exe (PID 2276; command line C:\Windows\system32\Adcdbl32.exe)
83. C:\Windows\SysWOW64\Aihfap32.exe (PID 3012; command line C:\Windows\system32\Aihfap32.exe)
84. C:\Windows\SysWOW64\Aqonbm32.exe (PID 1276; command line C:\Windows\system32\Aqonbm32.exe)
85. C:\Windows\SysWOW64\Aflfjc32.exe (PID 1056; command line C:\Windows\system32\Aflfjc32.exe)
86. C:\Windows\SysWOW64\Bgblmk32.exe (PID 928; command line C:\Windows\system32\Bgblmk32.exe)
87. C:\Windows\SysWOW64\Boidnh32.exe (PID 1976; command line C:\Windows\system32\Boidnh32.exe)
88. C:\Windows\SysWOW64\Baojapfj.exe (PID 2108; command line C:\Windows\system32\Baojapfj.exe)
- System Location Discovery: System Language Discovery
89. C:\Windows\SysWOW64\Bgibnj32.exe (PID 2800; command line C:\Windows\system32\Bgibnj32.exe)
- Drops file in System32 directory
- Modifies registry class
90. C:\Windows\SysWOW64\Cpfdhl32.exe (PID 2388; command line C:\Windows\system32\Cpfdhl32.exe)
91. C:\Windows\SysWOW64\Ccbphk32.exe (PID 2772; command line C:\Windows\system32\Ccbphk32.exe)
92. C:\Windows\SysWOW64\Dobgihgp.exe (PID 536; command line C:\Windows\system32\Dobgihgp.exe)
93. C:\Windows\SysWOW64\Demofaol.exe (PID 2840; command line C:\Windows\system32\Demofaol.exe)
94. C:\Windows\SysWOW64\Diaaeepi.exe (PID 3040; command line C:\Windows\system32\Diaaeepi.exe)
- Modifies registry class
95. C:\Windows\SysWOW64\Dahifbpk.exe (PID 2000; command line C:\Windows\system32\Dahifbpk.exe)
- Drops file in System32 directory
96. C:\Windows\SysWOW64\Eihgfd32.exe (PID 2176; command line C:\Windows\system32\Eihgfd32.exe)
- System Location Discovery: System Language Discovery
97. C:\Windows\SysWOW64\Edfbaabj.exe (PID 3020; command line C:\Windows\system32\Edfbaabj.exe)
98. C:\Windows\SysWOW64\Fkpjnkig.exe (PID 3000; command line C:\Windows\system32\Fkpjnkig.exe)
99. C:\Windows\SysWOW64\Fpoolael.exe (PID 1716; command line C:\Windows\system32\Fpoolael.exe)
- Modifies registry class
100. C:\Windows\SysWOW64\Fgigil32.exe (PID 2132; command line C:\Windows\system32\Fgigil32.exe)
101. C:\Windows\SysWOW64\Flfpabkp.exe (PID 900; command line C:\Windows\system32\Flfpabkp.exe)
102. C:\Windows\SysWOW64\Fgldnkkf.exe (PID 1028; command line C:\Windows\system32\Fgldnkkf.exe)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
103. C:\Windows\SysWOW64\Gceailog.exe (PID 2672; command line C:\Windows\system32\Gceailog.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
104. C:\Windows\SysWOW64\Gjojef32.exe (PID 2748; command line C:\Windows\system32\Gjojef32.exe)
105. C:\Windows\SysWOW64\Gmmfaa32.exe (PID 3036; command line C:\Windows\system32\Gmmfaa32.exe)
- System Location Discovery: System Language Discovery
106. C:\Windows\SysWOW64\Hldlga32.exe (PID 1064; command line C:\Windows\system32\Hldlga32.exe)
107. C:\Windows\SysWOW64\Hfjpdjjo.exe (PID 1664; command line C:\Windows\system32\Hfjpdjjo.exe)
108. C:\Windows\SysWOW64\Iafnjg32.exe (PID 1684; command line C:\Windows\system32\Iafnjg32.exe)
109. C:\Windows\SysWOW64\Idkpganf.exe (PID 1812; command line C:\Windows\system32\Idkpganf.exe)
110. C:\Windows\SysWOW64\Ijehdl32.exe (PID 2756; command line C:\Windows\system32\Ijehdl32.exe)
- System Location Discovery: System Language Discovery
111. C:\Windows\SysWOW64\Jmdepg32.exe (PID 2400; command line C:\Windows\system32\Jmdepg32.exe)
112. C:\Windows\SysWOW64\Jdnmma32.exe (PID 1920; command line C:\Windows\system32\Jdnmma32.exe)
113. C:\Windows\SysWOW64\Jkhejkcq.exe (PID 1256; command line C:\Windows\system32\Jkhejkcq.exe)
114. C:\Windows\SysWOW64\Jbcjnnpl.exe (PID 2480; command line C:\Windows\system32\Jbcjnnpl.exe)
- System Location Discovery: System Language Discovery
115. C:\Windows\SysWOW64\Knkgpi32.exe (PID 2248; command line C:\Windows\system32\Knkgpi32.exe)
116. C:\Windows\SysWOW64\Kpicle32.exe (PID 2612; command line C:\Windows\system32\Kpicle32.exe)
117. C:\Windows\SysWOW64\Lpnmgdli.exe (PID 2528; command line C:\Windows\system32\Lpnmgdli.exe)
118. C:\Windows\SysWOW64\Mjaddn32.exe (PID 2980; command line C:\Windows\system32\Mjaddn32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
119. C:\Windows\SysWOW64\Mbhlek32.exe (PID 2560; command line C:\Windows\system32\Mbhlek32.exe)
- Modifies registry class
120. C:\Windows\SysWOW64\Mikjpiim.exe (PID 1724; command line C:\Windows\system32\Mikjpiim.exe)
121. C:\Windows\SysWOW64\Mcqombic.exe (PID 1672; command line C:\Windows\system32\Mcqombic.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
122. C:\Windows\SysWOW64\Ngealejo.exe (PID 2240; command line C:\Windows\system32\Ngealejo.exe)