Analysis
max time kernel: 27s
max time network: 20s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 10-11-2024 01:58

Static task: static1

Behavioral task: behavioral1
Sample: b5d26a0d34f94c602df644fbb13c3db7abf36d905c7f40bcb60a90ef5c784463.exe
Resource: win7-20241010-en

Behavioral task: behavioral2
Sample: b5d26a0d34f94c602df644fbb13c3db7abf36d905c7f40bcb60a90ef5c784463.exe
Resource: win10v2004-20241007-en

General
Target: b5d26a0d34f94c602df644fbb13c3db7abf36d905c7f40bcb60a90ef5c784463.exe
Size: 112KB
MD5: b2dbc74a9c2ea473c195eef96ed24416
SHA1: dda183993270437693e5e81735291f352c351f26
SHA256: b5d26a0d34f94c602df644fbb13c3db7abf36d905c7f40bcb60a90ef5c784463
SHA512: d813ffa26047f643fc15e1e9c4c25b70e2c6b725a07b9c2b9bf6e60c930627117093d560a977abe6c729d8252ec2f5889c58c663cd290f634ebbede9fda79f47
SSDEEP: 1536:T2Of5sUNS2L+TIIHeLptNpmT85roDRTe7VEVZcG4TXMtDhGJ5taRFkIsoh+RWGHP:h576TIJV3pjod5VZcGmhaR5sS+vfv
Malware Config
Extracted
berbew
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Berbew family
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
Processes: WerFault.exe (pid 3860) reported a crash of target process Ohnemidj.exe (pid 3784)
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
Mmifiahi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aocgll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipameehe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpnnbm32.dll" Plfhdlfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igiqqgkc.dll" Llkgpmck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bqhbcqmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eibcbbgq.dll" Cafbmdbh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lahaqm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njmejaqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdfqfd32.dll" Dlqgob32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Papkcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbdokceo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oaaghp32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnffmh32.dll" Gnoaliln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijenpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" b5d26a0d34f94c602df644fbb13c3db7abf36d905c7f40bcb60a90ef5c784463.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Egdjfo32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
b5d26a0d34f94c602df644fbb13c3db7abf36d905c7f40bcb60a90ef5c784463.exe, Kccbgh32.exe, Llkgpmck.exe, Lnmcge32.exe, Ldfldpqf.exe, Lgiakjld.exe, Mmifiahi.exe, Mgnkfjho.exe, Midqiaih.exe, Mbmebgpi.exe, Mbobgfnf.exe, Nhljpmlm.exe, Nafknbqk.exe, Naihdb32.exe, Nblaajbd.exe, Obonfj32.exe

Each parent/child pair below is recorded four times in the report (64 entries in total); the table lists each pair once with its entry count.

| Description | PID | Process | Target process | Entries |
|---|---|---|---|---|
| PID 2500 wrote to memory of 2284 | 2500 | b5d26a0d34f94c602df644fbb13c3db7abf36d905c7f40bcb60a90ef5c784463.exe | Kccbgh32.exe | 4 |
| PID 2284 wrote to memory of 2948 | 2284 | Kccbgh32.exe | Llkgpmck.exe | 4 |
| PID 2948 wrote to memory of 2864 | 2948 | Llkgpmck.exe | Lnmcge32.exe | 4 |
| PID 2864 wrote to memory of 3032 | 2864 | Lnmcge32.exe | Ldfldpqf.exe | 4 |
| PID 3032 wrote to memory of 2576 | 3032 | Ldfldpqf.exe | Lgiakjld.exe | 4 |
| PID 2576 wrote to memory of 2096 | 2576 | Lgiakjld.exe | Mmifiahi.exe | 4 |
| PID 2096 wrote to memory of 2448 | 2096 | Mmifiahi.exe | Mgnkfjho.exe | 4 |
| PID 2448 wrote to memory of 2092 | 2448 | Mgnkfjho.exe | Midqiaih.exe | 4 |
| PID 2092 wrote to memory of 2552 | 2092 | Midqiaih.exe | Mbmebgpi.exe | 4 |
| PID 2552 wrote to memory of 1880 | 2552 | Mbmebgpi.exe | Mbobgfnf.exe | 4 |
| PID 1880 wrote to memory of 1732 | 1880 | Mbobgfnf.exe | Nhljpmlm.exe | 4 |
| PID 1732 wrote to memory of 1196 | 1732 | Nhljpmlm.exe | Nafknbqk.exe | 4 |
| PID 1196 wrote to memory of 2568 | 1196 | Nafknbqk.exe | Naihdb32.exe | 4 |
| PID 2568 wrote to memory of 1052 | 2568 | Naihdb32.exe | Nblaajbd.exe | 4 |
| PID 1052 wrote to memory of 2084 | 1052 | Nblaajbd.exe | Obonfj32.exe | 4 |
| PID 2084 wrote to memory of 2504 | 2084 | Obonfj32.exe | Obakli32.exe | 4 |
Processes

Each process below is a child of the one listed before it; the depth number gives its level in the process tree, and the behaviours flagged for it follow as bullets.

C:\Users\Admin\AppData\Local\Temp\b5d26a0d34f94c602df644fbb13c3db7abf36d905c7f40bcb60a90ef5c784463.exe (depth 1, PID 2500), command line: "C:\Users\Admin\AppData\Local\Temp\b5d26a0d34f94c602df644fbb13c3db7abf36d905c7f40bcb60a90ef5c784463.exe"
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Kccbgh32.exe (depth 2, PID 2284), command line: C:\Windows\system32\Kccbgh32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Llkgpmck.exe (depth 3, PID 2948), command line: C:\Windows\system32\Llkgpmck.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Lnmcge32.exe (depth 4, PID 2864), command line: C:\Windows\system32\Lnmcge32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Ldfldpqf.exe (depth 5, PID 3032), command line: C:\Windows\system32\Ldfldpqf.exe
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Lgiakjld.exe (depth 6, PID 2576), command line: C:\Windows\system32\Lgiakjld.exe
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Mmifiahi.exe (depth 7, PID 2096), command line: C:\Windows\system32\Mmifiahi.exe
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Mgnkfjho.exe (depth 8, PID 2448), command line: C:\Windows\system32\Mgnkfjho.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Midqiaih.exe (depth 9, PID 2092), command line: C:\Windows\system32\Midqiaih.exe
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Mbmebgpi.exe (depth 10, PID 2552), command line: C:\Windows\system32\Mbmebgpi.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Mbobgfnf.exe (depth 11, PID 1880), command line: C:\Windows\system32\Mbobgfnf.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Nhljpmlm.exe (depth 12, PID 1732), command line: C:\Windows\system32\Nhljpmlm.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Nafknbqk.exe (depth 13, PID 1196), command line: C:\Windows\system32\Nafknbqk.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Naihdb32.exe (depth 14, PID 2568), command line: C:\Windows\system32\Naihdb32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Nblaajbd.exe (depth 15, PID 1052), command line: C:\Windows\system32\Nblaajbd.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Obonfj32.exe (depth 16, PID 2084), command line: C:\Windows\system32\Obonfj32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Obakli32.exe (depth 17, PID 2504), command line: C:\Windows\system32\Obakli32.exe
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Olioeoeo.exe (depth 18, PID 2480), command line: C:\Windows\system32\Olioeoeo.exe
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Oojhfj32.exe (depth 19, PID 3048), command line: C:\Windows\system32\Oojhfj32.exe
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Ohbmppia.exe (depth 20, PID 2148), command line: C:\Windows\system32\Ohbmppia.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Oheieo32.exe (depth 21, PID 1840), command line: C:\Windows\system32\Oheieo32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Pamnnemo.exe (depth 22, PID 2396), command line: C:\Windows\system32\Pamnnemo.exe
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Papkcd32.exe (depth 23, PID 1844), command line: C:\Windows\system32\Papkcd32.exe
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
C:\Windows\SysWOW64\Ppegdapd.exe (depth 24, PID 2200), command line: C:\Windows\system32\Ppegdapd.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Pllhib32.exe (depth 25, PID 1020), command line: C:\Windows\system32\Pllhib32.exe
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Ppiapp32.exe (depth 26, PID 868), command line: C:\Windows\system32\Ppiapp32.exe
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Qdkfic32.exe (depth 27, PID 1684), command line: C:\Windows\system32\Qdkfic32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
C:\Windows\SysWOW64\Andkbien.exe (depth 28, PID 2972), command line: C:\Windows\system32\Andkbien.exe
- Loads dropped DLL
C:\Windows\SysWOW64\Aocgll32.exe (depth 29, PID 1696), command line: C:\Windows\system32\Aocgll32.exe
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
C:\Windows\SysWOW64\Ajmhljip.exe (depth 30, PID 2952), command line: C:\Windows\system32\Ajmhljip.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
C:\Windows\SysWOW64\Acemeo32.exe (depth 31, PID 2980), command line: C:\Windows\system32\Acemeo32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Achikonn.exe (depth 32, PID 1384), command line: C:\Windows\system32\Achikonn.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
C:\Windows\SysWOW64\Aonjpp32.exe (depth 33, PID 2868), command line: C:\Windows\system32\Aonjpp32.exe
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Bbocak32.exe (depth 34, PID 964), command line: C:\Windows\system32\Bbocak32.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Bkghjq32.exe (depth 35, PID 1016), command line: C:\Windows\system32\Bkghjq32.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Bmgddcnf.exe (depth 36, PID 2088), command line: C:\Windows\system32\Bmgddcnf.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Bineidcj.exe (depth 37, PID 796), command line: C:\Windows\system32\Bineidcj.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
C:\Windows\SysWOW64\Bjanfl32.exe (depth 38, PID 1800), command line: C:\Windows\system32\Bjanfl32.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Cancif32.exe (depth 39, PID 2720), command line: C:\Windows\system32\Cancif32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Cjkamk32.exe (depth 40, PID 3024), command line: C:\Windows\system32\Cjkamk32.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Dlnjjc32.exe (depth 41, PID 2204), command line: C:\Windows\system32\Dlnjjc32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
C:\Windows\SysWOW64\Dlqgob32.exe (depth 42, PID 2280), command line: C:\Windows\system32\Dlqgob32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
C:\Windows\SysWOW64\Dlcceboa.exe (depth 43, PID 1040), command line: C:\Windows\system32\Dlcceboa.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Dhjdjc32.exe (depth 44, PID 2240), command line: C:\Windows\system32\Dhjdjc32.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Dgoakpjn.exe (depth 45, PID 1284), command line: C:\Windows\system32\Dgoakpjn.exe
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Ehonebqq.exe (depth 46, PID 2388), command line: C:\Windows\system32\Ehonebqq.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Egdjfo32.exe (depth 47, PID 2816), command line: C:\Windows\system32\Egdjfo32.exe
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Eplood32.exe (depth 48, PID 1296), command line: C:\Windows\system32\Eplood32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Eeiggk32.exe (depth 49, PID 108), command line: C:\Windows\system32\Eeiggk32.exe
- Executes dropped EXE
- Drops file in System32 directory
C:\Windows\SysWOW64\Eoalpaaa.exe (depth 50, PID 836), command line: C:\Windows\system32\Eoalpaaa.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Eigpmjqg.exe (depth 51, PID 2328), command line: C:\Windows\system32\Eigpmjqg.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Eocieq32.exe (depth 52, PID 2052), command line: C:\Windows\system32\Eocieq32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
C:\Windows\SysWOW64\Ehlmnfeo.exe (depth 53, PID 2164), command line: C:\Windows\system32\Ehlmnfeo.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Fcaaloed.exe (depth 54, PID 2484), command line: C:\Windows\system32\Fcaaloed.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Fkmfpabp.exe (depth 55, PID 2884), command line: C:\Windows\system32\Fkmfpabp.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Febjmj32.exe (depth 56, PID 2564), command line: C:\Windows\system32\Febjmj32.exe
- Executes dropped EXE
- Drops file in System32 directory
C:\Windows\SysWOW64\Faikbkhj.exe (depth 57, PID 2232), command line: C:\Windows\system32\Faikbkhj.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Fkapkq32.exe (depth 58, PID 2716), command line: C:\Windows\system32\Fkapkq32.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Fqnhcgma.exe (depth 59, PID 1392), command line: C:\Windows\system32\Fqnhcgma.exe
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Fkdlaplh.exe (depth 60, PID 1744), command line: C:\Windows\system32\Fkdlaplh.exe
- Executes dropped EXE
- Drops file in System32 directory
C:\Windows\SysWOW64\Fdlqjf32.exe (depth 61, PID 2640), command line: C:\Windows\system32\Fdlqjf32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Gmgenh32.exe (depth 62, PID 1496), command line: C:\Windows\system32\Gmgenh32.exe
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Ggmjkapi.exe (depth 63, PID 940), command line: C:\Windows\system32\Ggmjkapi.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Gqendf32.exe (depth 64, PID 2660), command line: C:\Windows\system32\Gqendf32.exe
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Gfbfln32.exe (depth 65, PID 2244), command line: C:\Windows\system32\Gfbfln32.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Gbigao32.exe (depth 66, PID 696), command line: C:\Windows\system32\Gbigao32.exe
- Executes dropped EXE
- Drops file in System32 directory
C:\Windows\SysWOW64\Gmnlog32.exe (depth 67, PID 2600), command line: C:\Windows\system32\Gmnlog32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
C:\Windows\SysWOW64\Gfgpgmql.exe (depth 68, PID 1664), command line: C:\Windows\system32\Gfgpgmql.exe
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Goodpb32.exe (depth 69, PID 1348), command line: C:\Windows\system32\Goodpb32.exe
C:\Windows\SysWOW64\Higiih32.exe (depth 70, PID 2416), command line: C:\Windows\system32\Higiih32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Hjieapck.exe (depth 71, PID 1648), command line: C:\Windows\system32\Hjieapck.exe
C:\Windows\SysWOW64\Henjnica.exe (depth 72, PID 2588), command line: C:\Windows\system32\Henjnica.exe
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Hngngo32.exe (depth 73, PID 2976), command line: C:\Windows\system32\Hngngo32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Hgobpd32.exe (depth 74, PID 3000), command line: C:\Windows\system32\Hgobpd32.exe
C:\Windows\SysWOW64\Hnikmnho.exe (depth 75, PID 2780), command line: C:\Windows\system32\Hnikmnho.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Hcfceeff.exe (depth 76, PID 2796), command line: C:\Windows\system32\Hcfceeff.exe
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Hmnhnk32.exe (depth 77, PID 1940), command line: C:\Windows\system32\Hmnhnk32.exe
- Drops file in System32 directory
C:\Windows\SysWOW64\Hfflfp32.exe (depth 78, PID 1380), command line: C:\Windows\system32\Hfflfp32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Ilceog32.exe (depth 79, PID 1816), command line: C:\Windows\system32\Ilceog32.exe
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Ieligmho.exe (depth 80, PID 2984), command line: C:\Windows\system32\Ieligmho.exe
C:\Windows\SysWOW64\Ipameehe.exe (depth 81, PID 1044), command line: C:\Windows\system32\Ipameehe.exe
- Modifies registry class
C:\Windows\SysWOW64\Ienfml32.exe (depth 82, PID 1232), command line: C:\Windows\system32\Ienfml32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Ilhnjfmi.exe (depth 83, PID 1748), command line: C:\Windows\system32\Ilhnjfmi.exe
C:\Windows\SysWOW64\Iaegbmlq.exe (depth 84, PID 3060), command line: C:\Windows\system32\Iaegbmlq.exe
- Drops file in System32 directory
C:\Windows\SysWOW64\Iljkofkg.exe (depth 85, PID 1944), command line: C:\Windows\system32\Iljkofkg.exe
C:\Windows\SysWOW64\Iecohl32.exe (depth 86, PID 2684), command line: C:\Windows\system32\Iecohl32.exe
C:\Windows\SysWOW64\Ilmgef32.exe (depth 87, PID 620), command line: C:\Windows\system32\Ilmgef32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
C:\Windows\SysWOW64\Ieelnkpd.exe (depth 88, PID 2420), command line: C:\Windows\system32\Ieelnkpd.exe
- Drops file in System32 directory
C:\Windows\SysWOW64\Jffhec32.exe (depth 89, PID 1924), command line: C:\Windows\system32\Jffhec32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Jpomnilc.exe (depth 90, PID 2824), command line: C:\Windows\system32\Jpomnilc.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
C:\Windows\SysWOW64\Janihlcf.exe (depth 91, PID 3064), command line: C:\Windows\system32\Janihlcf.exe
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Jiinmnaa.exe (depth 92, PID 1852), command line: C:\Windows\system32\Jiinmnaa.exe
C:\Windows\SysWOW64\Jgmofbpk.exe (depth 93, PID 2808), command line: C:\Windows\system32\Jgmofbpk.exe
C:\Windows\SysWOW64\Jljgni32.exe (depth 94, PID 1468), command line: C:\Windows\system32\Jljgni32.exe
- Modifies registry class
C:\Windows\SysWOW64\Jbdokceo.exe (depth 95, PID 2440), command line: C:\Windows\system32\Jbdokceo.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
C:\Windows\SysWOW64\Kphpdhdh.exe (depth 96, PID 2928), command line: C:\Windows\system32\Kphpdhdh.exe
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Keehmobp.exe (depth 97, PID 2192), command line: C:\Windows\system32\Keehmobp.exe
C:\Windows\SysWOW64\Kkaaee32.exe (depth 98, PID 1096), command line: C:\Windows\system32\Kkaaee32.exe
C:\Windows\SysWOW64\Kaliaphd.exe (depth 99, PID 2368), command line: C:\Windows\system32\Kaliaphd.exe
C:\Windows\SysWOW64\Kopikdgn.exe (depth 100, PID 2704), command line: C:\Windows\system32\Kopikdgn.exe
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Khhndi32.exe (depth 101, PID 2044), command line: C:\Windows\system32\Khhndi32.exe
C:\Windows\SysWOW64\Kneflplf.exe (depth 102, PID 1712), command line: C:\Windows\system32\Kneflplf.exe
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Kdooij32.exe (depth 103, PID 1596), command line: C:\Windows\system32\Kdooij32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Kngcbpjc.exe (depth 104, PID 2860), command line: C:\Windows\system32\Kngcbpjc.exe
- System Location Discovery: System Language Discovery
- Modifies registry class
C:\Windows\SysWOW64\Kdakoj32.exe (depth 105, PID 2752), command line: C:\Windows\system32\Kdakoj32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Lgphke32.exe (depth 106, PID 2560), command line: C:\Windows\system32\Lgphke32.exe
- Drops file in System32 directory
C:\Windows\SysWOW64\Lfgaaa32.exe (depth 107, PID 1788), command line: C:\Windows\system32\Lfgaaa32.exe
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
C:\Windows\SysWOW64\Lfingaaf.exe (depth 108, PID 1492), command line: C:\Windows\system32\Lfingaaf.exe
C:\Windows\SysWOW64\Lbpolb32.exe (depth 109, PID 1752), command line: C:\Windows\system32\Lbpolb32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
C:\Windows\SysWOW64\Mbbkabdh.exe (depth 110, PID 2196), command line: C:\Windows\system32\Mbbkabdh.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Mkkpjg32.exe (depth 111, PID 756), command line: C:\Windows\system32\Mkkpjg32.exe
C:\Windows\SysWOW64\Mhopcl32.exe (depth 112, PID 1352), command line: C:\Windows\system32\Mhopcl32.exe
- Modifies registry class
C:\Windows\SysWOW64\Mnlilb32.exe (depth 113, PID 2672), command line: C:\Windows\system32\Mnlilb32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Mchadifq.exe (depth 114, PID 1652), command line: C:\Windows\system32\Mchadifq.exe
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
C:\Windows\SysWOW64\Mqlbnnej.exe (depth 115, PID 368), command line: C:\Windows\system32\Mqlbnnej.exe
C:\Windows\SysWOW64\Mmcbbo32.exe (depth 116, PID 2892), command line: C:\Windows\system32\Mmcbbo32.exe
- Drops file in System32 directory
C:\Windows\SysWOW64\Mpaoojjb.exe (depth 117, PID 2116), command line: C:\Windows\system32\Mpaoojjb.exe
C:\Windows\SysWOW64\Mjgclcjh.exe (depth 118, PID 2184), command line: C:\Windows\system32\Mjgclcjh.exe
- Drops file in System32 directory
C:\Windows\SysWOW64\Nmeohnil.exe (depth 119, PID 1032), command line: C:\Windows\system32\Nmeohnil.exe
- Modifies registry class
C:\Windows\SysWOW64\Nbbhpegc.exe (depth 120, PID 980), command line: C:\Windows\system32\Nbbhpegc.exe
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Nlklik32.exe (depth 121, PID 2800), command line: C:\Windows\system32\Nlklik32.exe
C:\Windows\SysWOW64\Niombolm.exe (depth 122, PID 2436), command line: C:\Windows\system32\Niombolm.exe
- System Location Discovery: System Language Discovery
- Modifies registry class