Analysis
max time kernel
44s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
submitted
10-11-2024 02:00
Static task
static1
Behavioral task
behavioral1
Sample
b757166599dc398cbea4f2f911a9b3b5c18e93c7817819ab152cfbce1e6db024.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
b757166599dc398cbea4f2f911a9b3b5c18e93c7817819ab152cfbce1e6db024.exe
Resource
win10v2004-20241007-en
General
Target
b757166599dc398cbea4f2f911a9b3b5c18e93c7817819ab152cfbce1e6db024.exe
Size
80KB
MD5
ae894aed667136018332d67e6282ece8
SHA1
308e72e9046308f53f4cfe398335f4c6dc14498d
SHA256
b757166599dc398cbea4f2f911a9b3b5c18e93c7817819ab152cfbce1e6db024
SHA512
130778a0f1198b3f8b8be9ed35c809d11a196ae9a3bfc0becdc2a28ce879f549ab3fe1765fde2f1cee9d6bdc3ed981eb2afebbbffd6b2ab1f1322a4bef0bb754
SSDEEP
1536:5aV0H0PMmyTZoSNjjV+0BoE34Z2LYS5DUHRbPa9b6i+sIk:z1myloSRV+0Bb3TYS5DSCopsIk
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes: Ogfagmck.exe Jmaedolh.exe Gacgli32.exe Bofbih32.exe Nadpdg32.exe Efoobkej.exe Hhnpih32.exe Cnekcblk.exe Egbffj32.exe Dkaihkih.exe Emadjj32.exe Dnkggjpj.exe Dclikp32.exe Gekncjfe.exe Hojqjp32.exe Emilqb32.exe Mgbeqjpd.exe Ikhlaaif.exe Peooek32.exe Jcpglhpo.exe Cgnbepjp.exe Gemhpq32.exe Dndahokk.exe Ihfmdm32.exe Ojakdd32.exe Adenqd32.exe Hnmcne32.exe Dcffmb32.exe Fpoleilj.exe Pbjoaibo.exe Fhifmcfa.exe Qolmip32.exe Jkgfgl32.exe Gdobqgpn.exe Ohajic32.exe Ajpgkb32.exe Fhcehngk.exe Inaliedk.exe Nqbdllld.exe Bcjhig32.exe Abehcbci.exe Jakjlpif.exe Iapfmg32.exe Kifgllbc.exe Iolohhpc.exe Looahi32.exe Endmgb32.exe Gijncn32.exe Opoocb32.exe Pikmob32.exe Hfdbji32.exe Ndhlfh32.exe Gepgni32.exe Opkpme32.exe Jkcllmhb.exe Chccfe32.exe Hpfoekhm.exe Hfjfpkji.exe Iodlcnmf.exe Kfcmcckn.exe Bbegkn32.exe Ghkbccdn.exe Mhobldaf.exe Aamekk32.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ogfagmck.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jmaedolh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gacgli32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bofbih32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nadpdg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Efoobkej.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hhnpih32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cnekcblk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Egbffj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dkaihkih.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Emadjj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dnkggjpj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dclikp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gekncjfe.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hojqjp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Emilqb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mgbeqjpd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ikhlaaif.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Peooek32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jcpglhpo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cgnbepjp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gemhpq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dndahokk.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ihfmdm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ojakdd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Adenqd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hnmcne32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dcffmb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fpoleilj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pbjoaibo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fhifmcfa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qolmip32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jkgfgl32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gdobqgpn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ohajic32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ajpgkb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fhcehngk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Inaliedk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nqbdllld.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bcjhig32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Abehcbci.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jakjlpif.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iapfmg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kifgllbc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iolohhpc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Looahi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Endmgb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gijncn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Opoocb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pikmob32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hfdbji32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ndhlfh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gepgni32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Opkpme32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jkcllmhb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Chccfe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hpfoekhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hfjfpkji.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iodlcnmf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kfcmcckn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bbegkn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ghkbccdn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mhobldaf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aamekk32.exe
Berbew family
Executes dropped EXE 64 IoCs
Processes: Ekeiel32.exe Egljjmkp.exe Fmholgpj.exe Fpihnbmk.exe Fefpfi32.exe Flbehbqm.exe Fhifmcfa.exe Ghkbccdn.exe Gacgli32.exe Gafcahil.exe Gqkqbe32.exe Gmbagf32.exe Hfjfpkji.exe Hkiknb32.exe Hdapggln.exe Hnjdpm32.exe Hojqjp32.exe Hibebeqb.exe Ieiegf32.exe Iapfmg32.exe Ijhkembk.exe Ipecndab.exe Iiodliep.exe Ibhieo32.exe Jmmmbg32.exe Jhgnbehe.exe Jifkmh32.exe Jaaoakmc.exe Jadlgjjq.exe Jfadoaih.exe Kiamql32.exe Kblooa32.exe Kifgllbc.exe Khkdmh32.exe Lafekm32.exe Laknfmgd.exe Lgjcdc32.exe Mnfhfmhc.exe Mdigakic.exe Mbmgkp32.exe Nqbdllld.exe Nbaafocg.exe Njmejaqb.exe Ngafdepl.exe Nqijmkfm.exe Nffcebdd.exe Nidoamch.exe Npngng32.exe Olehbh32.exe Ofklpa32.exe Opcaiggo.exe Oepianef.exe Onhnjclg.exe Ollncgjq.exe Odgchjhl.exe Ojakdd32.exe Pdjpmi32.exe Pjchjcmf.exe Ppqqbjkm.exe Pjfdpckc.exe Pbaide32.exe Pmijgn32.exe Pipklo32.exe Qpjchicb.exe
pid | process
2548 | Ekeiel32.exe
2784 | Egljjmkp.exe
2912 | Fmholgpj.exe
2144 | Fpihnbmk.exe
2864 | Fefpfi32.exe
2708 | Flbehbqm.exe
2236 | Fhifmcfa.exe
2032 | Ghkbccdn.exe
516 | Gacgli32.exe
852 | Gafcahil.exe
236 | Gqkqbe32.exe
1628 | Gmbagf32.exe
1832 | Hfjfpkji.exe
2208 | Hkiknb32.exe
2276 | Hdapggln.exe
2436 | Hnjdpm32.exe
2600 | Hojqjp32.exe
2216 | Hibebeqb.exe
964 | Ieiegf32.exe
1688 | Iapfmg32.exe
1028 | Ijhkembk.exe
2476 | Ipecndab.exe
2624 | Iiodliep.exe
1912 | Ibhieo32.exe
1260 | Jmmmbg32.exe
2000 | Jhgnbehe.exe
2188 | Jifkmh32.exe
2440 | Jaaoakmc.exe
2148 | Jadlgjjq.exe
2852 | Jfadoaih.exe
2920 | Kiamql32.exe
2768 | Kblooa32.exe
2752 | Kifgllbc.exe
1176 | Khkdmh32.exe
3016 | Lafekm32.exe
3008 | Laknfmgd.exe
816 | Lgjcdc32.exe
1020 | Mnfhfmhc.exe
700 | Mdigakic.exe
320 | Mbmgkp32.exe
2260 | Nqbdllld.exe
2180 | Nbaafocg.exe
2124 | Njmejaqb.exe
1056 | Ngafdepl.exe
880 | Nqijmkfm.exe
276 | Nffcebdd.exe
1180 | Nidoamch.exe
2640 | Npngng32.exe
2152 | Olehbh32.exe
1616 | Ofklpa32.exe
2008 | Opcaiggo.exe
1608 | Oepianef.exe
2772 | Onhnjclg.exe
2888 | Ollncgjq.exe
2828 | Odgchjhl.exe
2684 | Ojakdd32.exe
568 | Pdjpmi32.exe
2312 | Pjchjcmf.exe
1928 | Ppqqbjkm.exe
3004 | Pjfdpckc.exe
1984 | Pbaide32.exe
2452 | Pmijgn32.exe
2544 | Pipklo32.exe
840 | Qpjchicb.exe
Loads dropped DLL 64 IoCs
Processes: b757166599dc398cbea4f2f911a9b3b5c18e93c7817819ab152cfbce1e6db024.exe Ekeiel32.exe Egljjmkp.exe Fmholgpj.exe Fpihnbmk.exe Fefpfi32.exe Flbehbqm.exe Fhifmcfa.exe Ghkbccdn.exe Gacgli32.exe Gafcahil.exe Gqkqbe32.exe Gmbagf32.exe Hfjfpkji.exe Hkiknb32.exe Hdapggln.exe Hnjdpm32.exe Hojqjp32.exe Hibebeqb.exe Ieiegf32.exe Iapfmg32.exe Ijhkembk.exe Ipecndab.exe Iiodliep.exe Ibhieo32.exe Jmmmbg32.exe Jhgnbehe.exe Jifkmh32.exe Jaaoakmc.exe Jadlgjjq.exe Jfadoaih.exe Kiamql32.exe
pid | process
108 | b757166599dc398cbea4f2f911a9b3b5c18e93c7817819ab152cfbce1e6db024.exe
108 | b757166599dc398cbea4f2f911a9b3b5c18e93c7817819ab152cfbce1e6db024.exe
2548 | Ekeiel32.exe
2548 | Ekeiel32.exe
2784 | Egljjmkp.exe
2784 | Egljjmkp.exe
2912 | Fmholgpj.exe
2912 | Fmholgpj.exe
2144 | Fpihnbmk.exe
2144 | Fpihnbmk.exe
2864 | Fefpfi32.exe
2864 | Fefpfi32.exe
2708 | Flbehbqm.exe
2708 | Flbehbqm.exe
2236 | Fhifmcfa.exe
2236 | Fhifmcfa.exe
2032 | Ghkbccdn.exe
2032 | Ghkbccdn.exe
516 | Gacgli32.exe
516 | Gacgli32.exe
852 | Gafcahil.exe
852 | Gafcahil.exe
236 | Gqkqbe32.exe
236 | Gqkqbe32.exe
1628 | Gmbagf32.exe
1628 | Gmbagf32.exe
1832 | Hfjfpkji.exe
1832 | Hfjfpkji.exe
2208 | Hkiknb32.exe
2208 | Hkiknb32.exe
2276 | Hdapggln.exe
2276 | Hdapggln.exe
2436 | Hnjdpm32.exe
2436 | Hnjdpm32.exe
2600 | Hojqjp32.exe
2600 | Hojqjp32.exe
2216 | Hibebeqb.exe
2216 | Hibebeqb.exe
964 | Ieiegf32.exe
964 | Ieiegf32.exe
1688 | Iapfmg32.exe
1688 | Iapfmg32.exe
1028 | Ijhkembk.exe
1028 | Ijhkembk.exe
2476 | Ipecndab.exe
2476 | Ipecndab.exe
2624 | Iiodliep.exe
2624 | Iiodliep.exe
1912 | Ibhieo32.exe
1912 | Ibhieo32.exe
1260 | Jmmmbg32.exe
1260 | Jmmmbg32.exe
2000 | Jhgnbehe.exe
2000 | Jhgnbehe.exe
2188 | Jifkmh32.exe
2188 | Jifkmh32.exe
2440 | Jaaoakmc.exe
2440 | Jaaoakmc.exe
2148 | Jadlgjjq.exe
2148 | Jadlgjjq.exe
2852 | Jfadoaih.exe
2852 | Jfadoaih.exe
2920 | Kiamql32.exe
2920 | Kiamql32.exe
Drops file in System32 directory 64 IoCs
Processes: Cfknjfbl.exe Jjgpjjak.exe Cdpdpl32.exe Ogfagmck.exe Ajfcgoec.exe Dnmdmj32.exe Nimaic32.exe Dcgppana.exe Flbehbqm.exe Hmojfcdk.exe Lpmhgc32.exe Mhobldaf.exe Nqdjge32.exe Djnbdlla.exe Jjpehn32.exe Icnealbb.exe Ijkjde32.exe Kpqaanqd.exe Bfoffmhd.exe Icmlnmgb.exe Nocgbl32.exe Qjacai32.exe Onhnjclg.exe Mnlkdk32.exe Pfkkhmjn.exe Ihefjg32.exe Agmacgcc.exe Pmbfoh32.exe Ikkoagjo.exe Ljnebe32.exe Pikmob32.exe Fgibijkb.exe Gpccgppq.exe Iodlcnmf.exe Jmhile32.exe Ombjpd32.exe Giogonlb.exe Dbaflm32.exe Gcocnk32.exe Bkefcc32.exe Ihedan32.exe Jnppei32.exe Pnhegi32.exe Ffahgn32.exe Gpledf32.exe Kidlodkj.exe Kbajci32.exe Okmqlp32.exe Cpcaeghc.exe Fhcehngk.exe Ogpkhb32.exe Mkhocj32.exe Bofebqlb.exe Fpoleilj.exe Emnelbdi.exe Jckkhplq.exe Peooek32.exe Fqdong32.exe Kebgea32.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\Cqqbgoba.exe | Cfknjfbl.exe
File created | C:\Windows\SysWOW64\Jldglccm.dll | Jjgpjjak.exe
File created | C:\Windows\SysWOW64\Fdhadgoa.dll | Cdpdpl32.exe
File created | C:\Windows\SysWOW64\Ombjpd32.exe | Ogfagmck.exe
File created | C:\Windows\SysWOW64\Aelgdhei.exe | Ajfcgoec.exe
File opened for modification | C:\Windows\SysWOW64\Dgehfodh.exe | Dnmdmj32.exe
File created | C:\Windows\SysWOW64\Noiiaj32.exe | Nimaic32.exe
File opened for modification | C:\Windows\SysWOW64\Dnmdmj32.exe | Dcgppana.exe
File opened for modification | C:\Windows\SysWOW64\Fhifmcfa.exe | Flbehbqm.exe
File created | C:\Windows\SysWOW64\Omincc32.dll | Hmojfcdk.exe
File opened for modification | C:\Windows\SysWOW64\Lejppj32.exe | Lpmhgc32.exe
File opened for modification | C:\Windows\SysWOW64\Mnlkdk32.exe | Mhobldaf.exe
File opened for modification | C:\Windows\SysWOW64\Nhookh32.exe | Nqdjge32.exe
File created | C:\Windows\SysWOW64\Dcffmb32.exe | Djnbdlla.exe
File opened for modification | C:\Windows\SysWOW64\Jakjlpif.exe | Jjpehn32.exe
File created | C:\Windows\SysWOW64\Indiodbh.exe | Icnealbb.exe
File created | C:\Windows\SysWOW64\Ifddhm32.dll | Ijkjde32.exe
File created | C:\Windows\SysWOW64\Kmdbkbpn.exe | Kpqaanqd.exe
File created | C:\Windows\SysWOW64\Bimbbhgh.exe | Bfoffmhd.exe
File created | C:\Windows\SysWOW64\Clgmka32.dll | Icmlnmgb.exe
File created | C:\Windows\SysWOW64\Cbcdjpba.exe | Cdpdpl32.exe
File opened for modification | C:\Windows\SysWOW64\Npecjdaf.exe | Nocgbl32.exe
File created | C:\Windows\SysWOW64\Qcigjolm.exe | Qjacai32.exe
File created | C:\Windows\SysWOW64\Nbihec32.dll | Onhnjclg.exe
File created | C:\Windows\SysWOW64\Mjcljlea.exe | Mnlkdk32.exe
File created | C:\Windows\SysWOW64\Dihbqgdl.dll | Pfkkhmjn.exe
File created | C:\Windows\SysWOW64\Jnjbig32.dll | Ihefjg32.exe
File opened for modification | C:\Windows\SysWOW64\Aodjdede.exe | Agmacgcc.exe
File opened for modification | C:\Windows\SysWOW64\Pfkkhmjn.exe | Pmbfoh32.exe
File opened for modification | C:\Windows\SysWOW64\Ibehna32.exe | Ikkoagjo.exe
File created | C:\Windows\SysWOW64\Ldgikklb.exe | Ljnebe32.exe
File created | C:\Windows\SysWOW64\Ceidfi32.dll | Pikmob32.exe
File opened for modification | C:\Windows\SysWOW64\Gpagbp32.exe | Fgibijkb.exe
File created | C:\Windows\SysWOW64\Ggmldj32.exe | Gpccgppq.exe
File created | C:\Windows\SysWOW64\Gfbjnb32.dll | Iodlcnmf.exe
File created | C:\Windows\SysWOW64\Bkocic32.dll | Jmhile32.exe
File created | C:\Windows\SysWOW64\Ojgkih32.exe | Ombjpd32.exe
File created | C:\Windows\SysWOW64\Fccffm32.dll | Giogonlb.exe
File created | C:\Windows\SysWOW64\Dmkdanef.dll | Dbaflm32.exe
File created | C:\Windows\SysWOW64\Epnfkjll.dll | Gcocnk32.exe
File created | C:\Windows\SysWOW64\Igdndl32.exe | Hmojfcdk.exe
File opened for modification | C:\Windows\SysWOW64\Bhiglh32.exe | Bkefcc32.exe
File opened for modification | C:\Windows\SysWOW64\Inaliedk.exe | Ihedan32.exe
File created | C:\Windows\SysWOW64\Jjgpjjak.exe | Jnppei32.exe
File created | C:\Windows\SysWOW64\Qnjbmh32.exe | Pnhegi32.exe
File created | C:\Windows\SysWOW64\Fpjlpclc.exe | Ffahgn32.exe
File created | C:\Windows\SysWOW64\Npphimpc.dll | Gpledf32.exe
File created | C:\Windows\SysWOW64\Jakjlpif.exe | Jjpehn32.exe
File opened for modification | C:\Windows\SysWOW64\Kjdiigbm.exe | Kidlodkj.exe
File created | C:\Windows\SysWOW64\Qhjdoo32.dll | Kbajci32.exe
File created | C:\Windows\SysWOW64\Cmcfpikj.dll | Okmqlp32.exe
File created | C:\Windows\SysWOW64\Cfpinnfj.exe | Cpcaeghc.exe
File opened for modification | C:\Windows\SysWOW64\Fgibijkb.exe | Fhcehngk.exe
File created | C:\Windows\SysWOW64\Opkpme32.exe | Ogpkhb32.exe
File opened for modification | C:\Windows\SysWOW64\Mebpchmb.exe | Mkhocj32.exe
File created | C:\Windows\SysWOW64\Npecjdaf.exe | Nocgbl32.exe
File opened for modification | C:\Windows\SysWOW64\Bdcmjg32.exe | Bofebqlb.exe
File created | C:\Windows\SysWOW64\Gigano32.exe | Fpoleilj.exe
File opened for modification | C:\Windows\SysWOW64\Edhmhl32.exe | Emnelbdi.exe
File opened for modification | C:\Windows\SysWOW64\Jnppei32.exe | Jckkhplq.exe
File created | C:\Windows\SysWOW64\Jcaahofh.exe | Jmhile32.exe
File opened for modification | C:\Windows\SysWOW64\Pligbekc.exe | Peooek32.exe
File created | C:\Windows\SysWOW64\Hnohbhdp.dll | Fqdong32.exe
File created | C:\Windows\SysWOW64\Kidlodkj.exe | Kebgea32.exe
Program crash 1 IoCs
Processes: WerFault.exe
pid | pid_target | process | target process
1644 | 1536 | WerFault.exe | Joagkd32.exe
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: Jhgnbehe.exe Inaliedk.exe Aanonj32.exe Djoinbpm.exe Likbpceb.exe Eqninhmc.exe Iedmhlqf.exe Fmmjpoci.exe Jkgfgl32.exe Cfpinnfj.exe Bofbih32.exe Jakjlpif.exe Qcgkeonp.exe Dnbbjf32.exe Djkodg32.exe Emilqb32.exe Pfkkhmjn.exe Fhakkg32.exe Nhjofbdk.exe Hgnjlfam.exe Fibqhibd.exe Nffcebdd.exe Khdgabih.exe Pppihdha.exe Qpmiahlp.exe Kpqaanqd.exe Nbaafocg.exe Boadlk32.exe Hoflpbmo.exe Gafcahil.exe Nidoamch.exe Hgkknm32.exe Nqdjge32.exe Ajfcgoec.exe Kfqpmc32.exe Dcgmgh32.exe Miphjf32.exe Nppceo32.exe Ekjjebed.exe Gepgni32.exe Iankbldh.exe Peooek32.exe Dmdkkm32.exe Mlqakaqi.exe Adenqd32.exe Kehidp32.exe Jdlcnkfg.exe Akpfmnmh.exe Joagkd32.exe Cmbiap32.exe Gokmnlcf.exe Bffgbo32.exe Fpoleilj.exe Mmaghc32.exe Ajbdpblo.exe Bnjipn32.exe Gekncjfe.exe Hiffbl32.exe Pjfdpckc.exe Aodjdede.exe Djnbdlla.exe Glongpao.exe Amcfpl32.exe Aifpcfjd.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jhgnbehe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Inaliedk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aanonj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Djoinbpm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Likbpceb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eqninhmc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iedmhlqf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fmmjpoci.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jkgfgl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cfpinnfj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bofbih32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jakjlpif.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qcgkeonp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dnbbjf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Djkodg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Emilqb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pfkkhmjn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fhakkg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nhjofbdk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hgnjlfam.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fibqhibd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nffcebdd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Khdgabih.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pppihdha.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qpmiahlp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kpqaanqd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nbaafocg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Boadlk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hoflpbmo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gafcahil.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nidoamch.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hgkknm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nqdjge32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ajfcgoec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kfqpmc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dcgmgh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Miphjf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nppceo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ekjjebed.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gepgni32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iankbldh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Peooek32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dmdkkm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mlqakaqi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Adenqd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kehidp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jdlcnkfg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Akpfmnmh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Joagkd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cmbiap32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gokmnlcf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bffgbo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fpoleilj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mmaghc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ajbdpblo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bnjipn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gekncjfe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hiffbl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pjfdpckc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aodjdede.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Djnbdlla.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Glongpao.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Amcfpl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aifpcfjd.exe
Modifies registry class 64 IoCs
Processes: Dnmdmj32.exe Eeijpdbd.exe Fidkep32.exe Akpfmnmh.exe Pikmob32.exe Nbaafocg.exe Maejpj32.exe Mlfgkleh.exe Noajmlnj.exe Dndahokk.exe Gbglgcbc.exe Aifpcfjd.exe Hdapggln.exe Ipecndab.exe Cfknjfbl.exe Cpldjajo.exe Hiichkog.exe Bagncl32.exe Jnlhbb32.exe Ijhkembk.exe Lafekm32.exe Nqbdllld.exe Lihifhoq.exe Fmmjpoci.exe Bdcmjg32.exe Bakgmgpe.exe Icmlnmgb.exe Nhookh32.exe Bjlpjp32.exe Genkhidc.exe Hhqmogam.exe Kifgllbc.exe Qeihfp32.exe Jmhile32.exe Mcjihk32.exe Hnbgdh32.exe Pcjbfbmm.exe Bofebqlb.exe Ekjjebed.exe Flbehbqm.exe Lgjcdc32.exe Ngafdepl.exe Cbfhjfdk.exe Ihefjg32.exe Dcffmb32.exe Glgcec32.exe Mnfhfmhc.exe Ollncgjq.exe Ogpkhb32.exe Fplgljbm.exe Gngdadoj.exe Aamekk32.exe Gmhmdc32.exe Ojgkih32.exe Khkdmh32.exe Bpnibl32.exe Bhljlnma.exe Egedebgc.exe Bhqdgm32.exe Kpqaanqd.exe Bhjppg32.exe Ldgikklb.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhddcifo.dll" | Dnmdmj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfgiimk.dll" | Eeijpdbd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fidkep32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlaghmbg.dll" | Akpfmnmh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pikmob32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nbaafocg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Maejpj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mlfgkleh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Noajmlnj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poenac32.dll" | Dndahokk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gbglgcbc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Aifpcfjd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hdapggln.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ipecndab.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khfnln32.dll" | Cfknjfbl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Maejpj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cpldjajo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hiichkog.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bagncl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkonlh32.dll" | Jnlhbb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kimfdido.dll" | Ijhkembk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lafekm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nqbdllld.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lihifhoq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fmmjpoci.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bdcmjg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdgbhe32.dll" | Bakgmgpe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nqbdllld.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Icmlnmgb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdmphmlf.dll" | Nhookh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bjlpjp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cebfcj32.dll" | Genkhidc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmlpkn32.dll" | Hhqmogam.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kifgllbc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Qeihfp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jmhile32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odcqbapk.dll" | Mcjihk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbenmb32.dll" | Hnbgdh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pcjbfbmm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaomchla.dll" | Bofebqlb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icdcpb32.dll" | Ekjjebed.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekoemjgn.dll" | Flbehbqm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lgjcdc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ngafdepl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edbminqj.dll" | Cbfhjfdk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnjbig32.dll" | Ihefjg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dcffmb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jccjek32.dll" | Glgcec32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mnfhfmhc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ollncgjq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ogpkhb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fplgljbm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gofhgafa.dll" | Gngdadoj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Aamekk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjnbiqik.dll" | Gmhmdc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeelld32.dll" | Ojgkih32.exe
Set value (str)
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Khkdmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpnibl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhljlnma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Egedebgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhqdgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpqaanqd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhjppg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ldgikklb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
b757166599dc398cbea4f2f911a9b3b5c18e93c7817819ab152cfbce1e6db024.exe
Ekeiel32.exe
Egljjmkp.exe
Fmholgpj.exe
Fpihnbmk.exe
Fefpfi32.exe
Flbehbqm.exe
Fhifmcfa.exe
Ghkbccdn.exe
Gacgli32.exe
Gafcahil.exe
Gqkqbe32.exe
Gmbagf32.exe
Hfjfpkji.exe
Hkiknb32.exe
Hdapggln.exe
description pid process target process
PID 108 wrote to memory of 2548 108 b757166599dc398cbea4f2f911a9b3b5c18e93c7817819ab152cfbce1e6db024.exe Ekeiel32.exe
PID 108 wrote to memory of 2548 108 b757166599dc398cbea4f2f911a9b3b5c18e93c7817819ab152cfbce1e6db024.exe Ekeiel32.exe
PID 108 wrote to memory of 2548 108 b757166599dc398cbea4f2f911a9b3b5c18e93c7817819ab152cfbce1e6db024.exe Ekeiel32.exe
PID 108 wrote to memory of 2548 108 b757166599dc398cbea4f2f911a9b3b5c18e93c7817819ab152cfbce1e6db024.exe Ekeiel32.exe
PID 2548 wrote to memory of 2784 2548 Ekeiel32.exe Egljjmkp.exe
PID 2548 wrote to memory of 2784 2548 Ekeiel32.exe Egljjmkp.exe
PID 2548 wrote to memory of 2784 2548 Ekeiel32.exe Egljjmkp.exe
PID 2548 wrote to memory of 2784 2548 Ekeiel32.exe Egljjmkp.exe
PID 2784 wrote to memory of 2912 2784 Egljjmkp.exe Fmholgpj.exe
PID 2784 wrote to memory of 2912 2784 Egljjmkp.exe Fmholgpj.exe
PID 2784 wrote to memory of 2912 2784 Egljjmkp.exe Fmholgpj.exe
PID 2784 wrote to memory of 2912 2784 Egljjmkp.exe Fmholgpj.exe
PID 2912 wrote to memory of 2144 2912 Fmholgpj.exe Fpihnbmk.exe
PID 2912 wrote to memory of 2144 2912 Fmholgpj.exe Fpihnbmk.exe
PID 2912 wrote to memory of 2144 2912 Fmholgpj.exe Fpihnbmk.exe
PID 2912 wrote to memory of 2144 2912 Fmholgpj.exe Fpihnbmk.exe
PID 2144 wrote to memory of 2864 2144 Fpihnbmk.exe Fefpfi32.exe
PID 2144 wrote to memory of 2864 2144 Fpihnbmk.exe Fefpfi32.exe
PID 2144 wrote to memory of 2864 2144 Fpihnbmk.exe Fefpfi32.exe
PID 2144 wrote to memory of 2864 2144 Fpihnbmk.exe Fefpfi32.exe
PID 2864 wrote to memory of 2708 2864 Fefpfi32.exe Flbehbqm.exe
PID 2864 wrote to memory of 2708 2864 Fefpfi32.exe Flbehbqm.exe
PID 2864 wrote to memory of 2708 2864 Fefpfi32.exe Flbehbqm.exe
PID 2864 wrote to memory of 2708 2864 Fefpfi32.exe Flbehbqm.exe
PID 2708 wrote to memory of 2236 2708 Flbehbqm.exe Fhifmcfa.exe
PID 2708 wrote to memory of 2236 2708 Flbehbqm.exe Fhifmcfa.exe
PID 2708 wrote to memory of 2236 2708 Flbehbqm.exe Fhifmcfa.exe
PID 2708 wrote to memory of 2236 2708 Flbehbqm.exe Fhifmcfa.exe
PID 2236 wrote to memory of 2032 2236 Fhifmcfa.exe Ghkbccdn.exe
PID 2236 wrote to memory of 2032 2236 Fhifmcfa.exe Ghkbccdn.exe
PID 2236 wrote to memory of 2032 2236 Fhifmcfa.exe Ghkbccdn.exe
PID 2236 wrote to memory of 2032 2236 Fhifmcfa.exe Ghkbccdn.exe
PID 2032 wrote to memory of 516 2032 Ghkbccdn.exe Gacgli32.exe
PID 2032 wrote to memory of 516 2032 Ghkbccdn.exe Gacgli32.exe
PID 2032 wrote to memory of 516 2032 Ghkbccdn.exe Gacgli32.exe
PID 2032 wrote to memory of 516 2032 Ghkbccdn.exe Gacgli32.exe
PID 516 wrote to memory of 852 516 Gacgli32.exe Gafcahil.exe
PID 516 wrote to memory of 852 516 Gacgli32.exe Gafcahil.exe
PID 516 wrote to memory of 852 516 Gacgli32.exe Gafcahil.exe
PID 516 wrote to memory of 852 516 Gacgli32.exe Gafcahil.exe
PID 852 wrote to memory of 236 852 Gafcahil.exe Gqkqbe32.exe
PID 852 wrote to memory of 236 852 Gafcahil.exe Gqkqbe32.exe
PID 852 wrote to memory of 236 852 Gafcahil.exe Gqkqbe32.exe
PID 852 wrote to memory of 236 852 Gafcahil.exe Gqkqbe32.exe
PID 236 wrote to memory of 1628 236 Gqkqbe32.exe Gmbagf32.exe
PID 236 wrote to memory of 1628 236 Gqkqbe32.exe Gmbagf32.exe
PID 236 wrote to memory of 1628 236 Gqkqbe32.exe Gmbagf32.exe
PID 236 wrote to memory of 1628 236 Gqkqbe32.exe Gmbagf32.exe
PID 1628 wrote to memory of 1832 1628 Gmbagf32.exe Hfjfpkji.exe
PID 1628 wrote to memory of 1832 1628 Gmbagf32.exe Hfjfpkji.exe
PID 1628 wrote to memory of 1832 1628 Gmbagf32.exe Hfjfpkji.exe
PID 1628 wrote to memory of 1832 1628 Gmbagf32.exe Hfjfpkji.exe
PID 1832 wrote to memory of 2208 1832 Hfjfpkji.exe Hkiknb32.exe
PID 1832 wrote to memory of 2208 1832 Hfjfpkji.exe Hkiknb32.exe
PID 1832 wrote to memory of 2208 1832 Hfjfpkji.exe Hkiknb32.exe
PID 1832 wrote to memory of 2208 1832 Hfjfpkji.exe Hkiknb32.exe
PID 2208 wrote to memory of 2276 2208 Hkiknb32.exe Hdapggln.exe
PID 2208 wrote to memory of 2276 2208 Hkiknb32.exe Hdapggln.exe
PID 2208 wrote to memory of 2276 2208 Hkiknb32.exe Hdapggln.exe
PID 2208 wrote to memory of 2276 2208 Hkiknb32.exe Hdapggln.exe
PID 2276 wrote to memory of 2436 2276 Hdapggln.exe Hnjdpm32.exe
PID 2276 wrote to memory of 2436 2276 Hdapggln.exe Hnjdpm32.exe
PID 2276 wrote to memory of 2436 2276 Hdapggln.exe Hnjdpm32.exe
PID 2276 wrote to memory of 2436 2276 Hdapggln.exe Hnjdpm32.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\b757166599dc398cbea4f2f911a9b3b5c18e93c7817819ab152cfbce1e6db024.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b757166599dc398cbea4f2f911a9b3b5c18e93c7817819ab152cfbce1e6db024.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 108
2. C:\Windows\SysWOW64\Ekeiel32.exe
   Command line: C:\Windows\system32\Ekeiel32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 2548
3. C:\Windows\SysWOW64\Egljjmkp.exe
   Command line: C:\Windows\system32\Egljjmkp.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 2784
4. C:\Windows\SysWOW64\Fmholgpj.exe
   Command line: C:\Windows\system32\Fmholgpj.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 2912
5. C:\Windows\SysWOW64\Fpihnbmk.exe
   Command line: C:\Windows\system32\Fpihnbmk.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 2144
6. C:\Windows\SysWOW64\Fefpfi32.exe
   Command line: C:\Windows\system32\Fefpfi32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 2864
7. C:\Windows\SysWOW64\Flbehbqm.exe
   Command line: C:\Windows\system32\Flbehbqm.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 2708
8. C:\Windows\SysWOW64\Fhifmcfa.exe
   Command line: C:\Windows\system32\Fhifmcfa.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 2236
9. C:\Windows\SysWOW64\Ghkbccdn.exe
   Command line: C:\Windows\system32\Ghkbccdn.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 2032
10. C:\Windows\SysWOW64\Gacgli32.exe
   Command line: C:\Windows\system32\Gacgli32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 516
11. C:\Windows\SysWOW64\Gafcahil.exe
   Command line: C:\Windows\system32\Gafcahil.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 852
12. C:\Windows\SysWOW64\Gqkqbe32.exe
   Command line: C:\Windows\system32\Gqkqbe32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 236
13. C:\Windows\SysWOW64\Gmbagf32.exe
   Command line: C:\Windows\system32\Gmbagf32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 1628
14. C:\Windows\SysWOW64\Hfjfpkji.exe
   Command line: C:\Windows\system32\Hfjfpkji.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 1832
15. C:\Windows\SysWOW64\Hkiknb32.exe
   Command line: C:\Windows\system32\Hkiknb32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 2208
16. C:\Windows\SysWOW64\Hdapggln.exe
   Command line: C:\Windows\system32\Hdapggln.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 2276
17. C:\Windows\SysWOW64\Hnjdpm32.exe
   Command line: C:\Windows\system32\Hnjdpm32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   PID: 2436
18. C:\Windows\SysWOW64\Hojqjp32.exe
   Command line: C:\Windows\system32\Hojqjp32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   PID: 2600
19. C:\Windows\SysWOW64\Hibebeqb.exe
   Command line: C:\Windows\system32\Hibebeqb.exe
   - Executes dropped EXE
   - Loads dropped DLL
   PID: 2216
20. C:\Windows\SysWOW64\Ieiegf32.exe
   Command line: C:\Windows\system32\Ieiegf32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   PID: 964
21. C:\Windows\SysWOW64\Iapfmg32.exe
   Command line: C:\Windows\system32\Iapfmg32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   PID: 1688
22. C:\Windows\SysWOW64\Ijhkembk.exe
   Command line: C:\Windows\system32\Ijhkembk.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
   PID: 1028
23. C:\Windows\SysWOW64\Ipecndab.exe
   Command line: C:\Windows\system32\Ipecndab.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
   PID: 2476
24. C:\Windows\SysWOW64\Iiodliep.exe
   Command line: C:\Windows\system32\Iiodliep.exe
   - Executes dropped EXE
   - Loads dropped DLL
   PID: 2624
25. C:\Windows\SysWOW64\Ibhieo32.exe
   Command line: C:\Windows\system32\Ibhieo32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   PID: 1912
26. C:\Windows\SysWOW64\Jmmmbg32.exe
   Command line: C:\Windows\system32\Jmmmbg32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   PID: 1260
27. C:\Windows\SysWOW64\Jhgnbehe.exe
   Command line: C:\Windows\system32\Jhgnbehe.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   PID: 2000
28. C:\Windows\SysWOW64\Jifkmh32.exe
   Command line: C:\Windows\system32\Jifkmh32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   PID: 2188
29. C:\Windows\SysWOW64\Jaaoakmc.exe
   Command line: C:\Windows\system32\Jaaoakmc.exe
   - Executes dropped EXE
   - Loads dropped DLL
   PID: 2440
30. C:\Windows\SysWOW64\Jadlgjjq.exe
   Command line: C:\Windows\system32\Jadlgjjq.exe
   - Executes dropped EXE
   - Loads dropped DLL
   PID: 2148
31. C:\Windows\SysWOW64\Jfadoaih.exe
   Command line: C:\Windows\system32\Jfadoaih.exe
   - Executes dropped EXE
   - Loads dropped DLL
   PID: 2852
32. C:\Windows\SysWOW64\Kiamql32.exe
   Command line: C:\Windows\system32\Kiamql32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   PID: 2920
33. C:\Windows\SysWOW64\Kblooa32.exe
   Command line: C:\Windows\system32\Kblooa32.exe
   - Executes dropped EXE
   PID: 2768
34. C:\Windows\SysWOW64\Kifgllbc.exe
   Command line: C:\Windows\system32\Kifgllbc.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Modifies registry class
   PID: 2752
35. C:\Windows\SysWOW64\Khkdmh32.exe
   Command line: C:\Windows\system32\Khkdmh32.exe
   - Executes dropped EXE
   - Modifies registry class
   PID: 1176
36. C:\Windows\SysWOW64\Lafekm32.exe
   Command line: C:\Windows\system32\Lafekm32.exe
   - Executes dropped EXE
   - Modifies registry class
   PID: 3016
37. C:\Windows\SysWOW64\Laknfmgd.exe
   Command line: C:\Windows\system32\Laknfmgd.exe
   - Executes dropped EXE
   PID: 3008
38. C:\Windows\SysWOW64\Lgjcdc32.exe
   Command line: C:\Windows\system32\Lgjcdc32.exe
   - Executes dropped EXE
   - Modifies registry class
   PID: 816
39. C:\Windows\SysWOW64\Mnfhfmhc.exe
   Command line: C:\Windows\system32\Mnfhfmhc.exe
   - Executes dropped EXE
   - Modifies registry class
   PID: 1020
40. C:\Windows\SysWOW64\Mdigakic.exe
   Command line: C:\Windows\system32\Mdigakic.exe
   - Executes dropped EXE
   PID: 700
41. C:\Windows\SysWOW64\Mbmgkp32.exe
   Command line: C:\Windows\system32\Mbmgkp32.exe
   - Executes dropped EXE
   PID: 320
42. C:\Windows\SysWOW64\Nqbdllld.exe
   Command line: C:\Windows\system32\Nqbdllld.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Modifies registry class
   PID: 2260
43. C:\Windows\SysWOW64\Nbaafocg.exe
   Command line: C:\Windows\system32\Nbaafocg.exe
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   PID: 2180
44. C:\Windows\SysWOW64\Njmejaqb.exe
   Command line: C:\Windows\system32\Njmejaqb.exe
   - Executes dropped EXE
   PID: 2124
45. C:\Windows\SysWOW64\Ngafdepl.exe
   Command line: C:\Windows\system32\Ngafdepl.exe
   - Executes dropped EXE
   - Modifies registry class
   PID: 1056
46. C:\Windows\SysWOW64\Nqijmkfm.exe
   Command line: C:\Windows\system32\Nqijmkfm.exe
   - Executes dropped EXE
   PID: 880
47. C:\Windows\SysWOW64\Nffcebdd.exe
   Command line: C:\Windows\system32\Nffcebdd.exe
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   PID: 276
48. C:\Windows\SysWOW64\Nidoamch.exe
   Command line: C:\Windows\system32\Nidoamch.exe
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   PID: 1180
49. C:\Windows\SysWOW64\Npngng32.exe
   Command line: C:\Windows\system32\Npngng32.exe
   - Executes dropped EXE
   PID: 2640
50. C:\Windows\SysWOW64\Olehbh32.exe
   Command line: C:\Windows\system32\Olehbh32.exe
   - Executes dropped EXE
   PID: 2152
51. C:\Windows\SysWOW64\Ofklpa32.exe
   Command line: C:\Windows\system32\Ofklpa32.exe
   - Executes dropped EXE
   PID: 1616
52. C:\Windows\SysWOW64\Opcaiggo.exe
   Command line: C:\Windows\system32\Opcaiggo.exe
   - Executes dropped EXE
   PID: 2008
53. C:\Windows\SysWOW64\Oepianef.exe
   Command line: C:\Windows\system32\Oepianef.exe
   - Executes dropped EXE
   PID: 1608
54. C:\Windows\SysWOW64\Onhnjclg.exe
   Command line: C:\Windows\system32\Onhnjclg.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   PID: 2772
55. C:\Windows\SysWOW64\Ollncgjq.exe
   Command line: C:\Windows\system32\Ollncgjq.exe
   - Executes dropped EXE
   - Modifies registry class
   PID: 2888
56. C:\Windows\SysWOW64\Odgchjhl.exe
   Command line: C:\Windows\system32\Odgchjhl.exe
   - Executes dropped EXE
   PID: 2828
57. C:\Windows\SysWOW64\Ojakdd32.exe
   Command line: C:\Windows\system32\Ojakdd32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   PID: 2684
58. C:\Windows\SysWOW64\Pdjpmi32.exe
   Command line: C:\Windows\system32\Pdjpmi32.exe
   - Executes dropped EXE
   PID: 568
59. C:\Windows\SysWOW64\Pjchjcmf.exe
   Command line: C:\Windows\system32\Pjchjcmf.exe
   - Executes dropped EXE
   PID: 2312
60. C:\Windows\SysWOW64\Ppqqbjkm.exe
   Command line: C:\Windows\system32\Ppqqbjkm.exe
   - Executes dropped EXE
   PID: 1928
61. C:\Windows\SysWOW64\Pjfdpckc.exe
   Command line: C:\Windows\system32\Pjfdpckc.exe
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   PID: 3004
62. C:\Windows\SysWOW64\Pbaide32.exe
   Command line: C:\Windows\system32\Pbaide32.exe
   - Executes dropped EXE
   PID: 1984
63. C:\Windows\SysWOW64\Pmijgn32.exe
   Command line: C:\Windows\system32\Pmijgn32.exe
   - Executes dropped EXE
   PID: 2452
64. C:\Windows\SysWOW64\Pipklo32.exe
   Command line: C:\Windows\system32\Pipklo32.exe
   - Executes dropped EXE
   PID: 2544
65. C:\Windows\SysWOW64\Qpjchicb.exe
   Command line: C:\Windows\system32\Qpjchicb.exe
   - Executes dropped EXE
   PID: 840
66. C:\Windows\SysWOW64\Qakppa32.exe
   Command line: C:\Windows\system32\Qakppa32.exe
   PID: 2200
67. C:\Windows\SysWOW64\Qlqdmj32.exe
   Command line: C:\Windows\system32\Qlqdmj32.exe
   PID: 456
68. C:\Windows\SysWOW64\Qeihfp32.exe
   Command line: C:\Windows\system32\Qeihfp32.exe
   - Modifies registry class
   PID: 1700
69. C:\Windows\SysWOW64\Amdmkb32.exe
   Command line: C:\Windows\system32\Amdmkb32.exe
   PID: 1572
70. C:\Windows\SysWOW64\Agmacgcc.exe
   Command line: C:\Windows\system32\Agmacgcc.exe
   - Drops file in System32 directory
   PID: 2352
71. C:\Windows\SysWOW64\Aodjdede.exe
   Command line: C:\Windows\system32\Aodjdede.exe
   - System Location Discovery: System Language Discovery
   PID: 2880
72. C:\Windows\SysWOW64\Agonig32.exe
   Command line: C:\Windows\system32\Agonig32.exe
   PID: 2528
73. C:\Windows\SysWOW64\Acfonhgd.exe
   Command line: C:\Windows\system32\Acfonhgd.exe
   PID: 2844
74. C:\Windows\SysWOW64\Ajpgkb32.exe
   Command line: C:\Windows\system32\Ajpgkb32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   PID: 2952
75. C:\Windows\SysWOW64\Adekhkng.exe
   Command line: C:\Windows\system32\Adekhkng.exe
   PID: 2924
76. C:\Windows\SysWOW64\Ajbdpblo.exe
   Command line: C:\Windows\system32\Ajbdpblo.exe
   - System Location Discovery: System Language Discovery
   PID: 908
77. C:\Windows\SysWOW64\Bcjhig32.exe
   Command line: C:\Windows\system32\Bcjhig32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   PID: 872
78. C:\Windows\SysWOW64\Bpnibl32.exe
   Command line: C:\Windows\system32\Bpnibl32.exe
   - Modifies registry class
   PID: 552
79. C:\Windows\SysWOW64\Bcmeogam.exe
   Command line: C:\Windows\system32\Bcmeogam.exe
   PID: 2984
80. C:\Windows\SysWOW64\Blejgm32.exe
   Command line: C:\Windows\system32\Blejgm32.exe
   PID: 3020
81. C:\Windows\SysWOW64\Bcobdgoj.exe
   Command line: C:\Windows\system32\Bcobdgoj.exe
   PID: 2192
82. C:\Windows\SysWOW64\Bhljlnma.exe
   Command line: C:\Windows\system32\Bhljlnma.exe
   - Modifies registry class
   PID: 2788
83. C:\Windows\SysWOW64\Bofbih32.exe
   Command line: C:\Windows\system32\Bofbih32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - System Location Discovery: System Language Discovery
   PID: 808
84. C:\Windows\SysWOW64\Bdbkaoce.exe
   Command line: C:\Windows\system32\Bdbkaoce.exe
   PID: 1144
85. C:\Windows\SysWOW64\Bbflkcao.exe
   Command line: C:\Windows\system32\Bbflkcao.exe
   PID: 1728
86. C:\Windows\SysWOW64\Bhqdgm32.exe
   Command line: C:\Windows\system32\Bhqdgm32.exe
   - Modifies registry class
   PID: 2616
87. C:\Windows\SysWOW64\Cqlhlo32.exe
   Command line: C:\Windows\system32\Cqlhlo32.exe
   PID: 588
88. C:\Windows\SysWOW64\Cgfqii32.exe
   Command line: C:\Windows\system32\Cgfqii32.exe
   PID: 2040
89. C:\Windows\SysWOW64\Cmbiap32.exe
   Command line: C:\Windows\system32\Cmbiap32.exe
   - System Location Discovery: System Language Discovery
   PID: 1596
90. C:\Windows\SysWOW64\Cfknjfbl.exe
   Command line: C:\Windows\system32\Cfknjfbl.exe
   - Drops file in System32 directory
   - Modifies registry class
   PID: 2904
91. C:\Windows\SysWOW64\Cqqbgoba.exe
   Command line: C:\Windows\system32\Cqqbgoba.exe
   PID: 2820
92. C:\Windows\SysWOW64\Cfmjoe32.exe
   Command line: C:\Windows\system32\Cfmjoe32.exe
   PID: 2860
93. C:\Windows\SysWOW64\Cofohkgi.exe
   Command line: C:\Windows\system32\Cofohkgi.exe
   PID: 2012
94. C:\Windows\SysWOW64\Cfpgee32.exe
   Command line: C:\Windows\system32\Cfpgee32.exe
   PID: 1152
95. C:\Windows\SysWOW64\Cbfhjfdk.exe
   Command line: C:\Windows\system32\Cbfhjfdk.exe
   - Modifies registry class
   PID: 3024
96. C:\Windows\SysWOW64\Dmllgo32.exe
   Command line: C:\Windows\system32\Dmllgo32.exe
   PID: 2988
97. C:\Windows\SysWOW64\Dfdqpdja.exe
   Command line: C:\Windows\system32\Dfdqpdja.exe
   PID: 1988
98. C:\Windows\SysWOW64\Dkaihkih.exe
   Command line: C:\Windows\system32\Dkaihkih.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   PID: 2508
99. C:\Windows\SysWOW64\Danaqbgp.exe
   Command line: C:\Windows\system32\Danaqbgp.exe
   PID: 1008
100. C:\Windows\SysWOW64\Dnbbjf32.exe
   Command line: C:\Windows\system32\Dnbbjf32.exe
   - System Location Discovery: System Language Discovery
   PID: 1168
101. C:\Windows\SysWOW64\Dlfbck32.exe
   Command line: C:\Windows\system32\Dlfbck32.exe
   PID: 752
102. C:\Windows\SysWOW64\Dcaghm32.exe
   Command line: C:\Windows\system32\Dcaghm32.exe
   PID: 1108
103. C:\Windows\SysWOW64\Djkodg32.exe
   Command line: C:\Windows\system32\Djkodg32.exe
   - System Location Discovery: System Language Discovery
   PID: 2656
104. C:\Windows\SysWOW64\Emilqb32.exe
   Command line: C:\Windows\system32\Emilqb32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - System Location Discovery: System Language Discovery
   PID: 2976
105. C:\Windows\SysWOW64\Eccdmmpk.exe
   Command line: C:\Windows\system32\Eccdmmpk.exe
   PID: 2928
106. C:\Windows\SysWOW64\Ejmljg32.exe
   Command line: C:\Windows\system32\Ejmljg32.exe
   PID: 2036
107. C:\Windows\SysWOW64\Emlhfb32.exe
   Command line: C:\Windows\system32\Emlhfb32.exe
   PID: 1644
108. C:\Windows\SysWOW64\Ebhani32.exe
   Command line: C:\Windows\system32\Ebhani32.exe
   PID: 1732
109. C:\Windows\SysWOW64\Emnelbdi.exe
   Command line: C:\Windows\system32\Emnelbdi.exe
   - Drops file in System32 directory
   PID: 2992
110. C:\Windows\SysWOW64\Edhmhl32.exe
   Command line: C:\Windows\system32\Edhmhl32.exe
   PID: 1612
111. C:\Windows\SysWOW64\Eeijpdbd.exe
   Command line: C:\Windows\system32\Eeijpdbd.exe
   - Modifies registry class
   PID: 544
112. C:\Windows\SysWOW64\Ebmjihqn.exe
   Command line: C:\Windows\system32\Ebmjihqn.exe
   PID: 1100
113. C:\Windows\SysWOW64\Fholmo32.exe
   Command line: C:\Windows\system32\Fholmo32.exe
   PID: 368
114. C:\Windows\SysWOW64\Fhcehngk.exe
   Command line: C:\Windows\system32\Fhcehngk.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Drops file in System32 directory
   PID: 2612
115. C:\Windows\SysWOW64\Fgibijkb.exe
   Command line: C:\Windows\system32\Fgibijkb.exe
   - Drops file in System32 directory
   PID: 1600
116. C:\Windows\SysWOW64\Gpagbp32.exe
   Command line: C:\Windows\system32\Gpagbp32.exe
   PID: 2224
117. C:\Windows\SysWOW64\Gcocnk32.exe
   Command line: C:\Windows\system32\Gcocnk32.exe
   - Drops file in System32 directory
   PID: 2288
118. C:\Windows\SysWOW64\Giikkehc.exe
   Command line: C:\Windows\system32\Giikkehc.exe
   PID: 1620
119. C:\Windows\SysWOW64\Gpccgppq.exe
   Command line: C:\Windows\system32\Gpccgppq.exe
   - Drops file in System32 directory
   PID: 1032
120. C:\Windows\SysWOW64\Ggmldj32.exe
   Command line: C:\Windows\system32\Ggmldj32.exe
   PID: 2308
121. C:\Windows\SysWOW64\Gngdadoj.exe
   Command line: C:\Windows\system32\Gngdadoj.exe
   - Modifies registry class
   PID: 2660
122. C:\Windows\SysWOW64\Ggphji32.exe
   Command line: C:\Windows\system32\Ggphji32.exe
   PID: 1060