Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system -
submitted
13-11-2024 16:44
Static task
static1
Behavioral task
behavioral1
Sample
8b58db1641606b84ede64e0f4230c809e955ab38454d2099c547dc29ff7c9c28N.exe
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
8b58db1641606b84ede64e0f4230c809e955ab38454d2099c547dc29ff7c9c28N.exe
Resource
win10v2004-20241007-en
General
-
Target
8b58db1641606b84ede64e0f4230c809e955ab38454d2099c547dc29ff7c9c28N.exe
-
Size
512KB
-
MD5
ee5ba0af50ea5f9fb5d860dbe430f7f0
-
SHA1
370cb4205570099711b3ebd39e14ff5fca93bf1e
-
SHA256
8b58db1641606b84ede64e0f4230c809e955ab38454d2099c547dc29ff7c9c28
-
SHA512
1c710a8469d524f2706cd655e2b94acdc40b3cd9928b5025cfa34564ff40b8a76a701dd2adc8719e7ba581e51dc6b7fbfc7c795844ad831a02f88e82e6d8d5a5
-
SSDEEP
6144:guOY2eEpCPSo853XBpnTfwNPbAvjDAcXxxXfY09cnEWPDZ:vOY2qQBpnchWcZ
Malware Config
Extracted
berbew
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Gdniqh32.exeHmfjha32.exeIlcmjl32.exeOebimf32.exeOlonpp32.exeOappcfmb.exeBehgcf32.exePkpagq32.exeFjongcbl.exeHapicp32.exeJjdmmdnh.exeLinphc32.exeQngmgjeb.exeAdnopfoj.exeFfklhqao.exeHoopae32.exeKeednado.exeLpekon32.exePjadmnic.exeDlgldibq.exeEfaibbij.exeMhjbjopf.exeNncahjgl.exeAmkpegnj.exeGedbdlbb.exeGnmgmbhb.exeGohjaf32.exePndpajgd.exeFhqbkhch.exeIamimc32.exeIdnaoohk.exeLccdel32.exeMffimglk.exeMabgcd32.exeNkmdpm32.exePfoocjfd.exeEjkima32.exeHkhnle32.exeHoamgd32.exeJhljdm32.exeLfdmggnm.exeNekbmgcn.exePiekcd32.exe8b58db1641606b84ede64e0f4230c809e955ab38454d2099c547dc29ff7c9c28N.exeDkcofe32.exeFcjcfe32.exeIleiplhn.exeLmebnb32.exeLlohjo32.exeNlcnda32.exeBhndldcn.exeCafecmlj.exeCnobnmpl.exeKbdklf32.exeKbidgeci.exeLanaiahq.exeNofdklgl.exeBfpnmj32.exeApdhjq32.exedescription ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdniqh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmfjha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilcmjl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oebimf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olonpp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oappcfmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Behgcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkpagq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjongcbl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hapicp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjdmmdnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Linphc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qngmgjeb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adnopfoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffklhqao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hoopae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Keednado.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpekon32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjadmnic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlgldibq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efaibbij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hapicp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhjbjopf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nncahjgl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amkpegnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gedbdlbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnmgmbhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gohjaf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pndpajgd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhqbkhch.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iamimc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idnaoohk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lccdel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mffimglk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mabgcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkmdpm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfoocjfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejkima32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkhnle32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjdmmdnh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlgldibq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hoamgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iamimc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhljdm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfdmggnm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nekbmgcn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piekcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" 8b58db1641606b84ede64e0f4230c809e955ab38454d2099c547dc29ff7c9c28N.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkcofe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcjcfe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ileiplhn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmebnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llohjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlcnda32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhndldcn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cafecmlj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnobnmpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbdklf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbidgeci.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lanaiahq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mffimglk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nofdklgl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfpnmj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apdhjq32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Nlbeqb32.exeNncahjgl.exeNdmjedoi.exeOqkqkdne.exeOobjaqaj.exePfoocjfd.exePjadmnic.exePkpagq32.exeQabcjgkh.exeAmkpegnj.exeAnojbobe.exeAdnopfoj.exeAjhgmpfg.exeBhndldcn.exeBlbfjg32.exeBblogakg.exeCafecmlj.exeCnmehnan.exeCnobnmpl.exeCdikkg32.exeCcngld32.exeDlgldibq.exeDjklnnaj.exeDliijipn.exeDjmicm32.exeDcenlceh.exeDkcofe32.exeEbmgcohn.exeEqbddk32.exeEgllae32.exeEjkima32.exeEfaibbij.exeEcejkf32.exeEjobhppq.exeEffcma32.exeFmpkjkma.exeFcjcfe32.exeFfhpbacb.exeFncdgcqm.exeFfklhqao.exeFiihdlpc.exeFbamma32.exeFljafg32.exeFnhnbb32.exeFhqbkhch.exeFjongcbl.exeGedbdlbb.exeGnmgmbhb.exeGdjpeifj.exeGifhnpea.exeGanpomec.exeGjfdhbld.exeGiieco32.exeGdniqh32.exeGohjaf32.exeGbcfadgl.exeGhqnjk32.exeHbfbgd32.exeHkaglf32.exeHakphqja.exeHlqdei32.exeHoopae32.exeHhgdkjol.exeHoamgd32.exepid Process 2928 Nlbeqb32.exe 1868 Nncahjgl.exe 2936 Ndmjedoi.exe 2096 Oqkqkdne.exe 1252 Oobjaqaj.exe 2548 Pfoocjfd.exe 3032 Pjadmnic.exe 2156 Pkpagq32.exe 792 Qabcjgkh.exe 2492 Amkpegnj.exe 1724 Anojbobe.exe 2072 Adnopfoj.exe 2280 Ajhgmpfg.exe 2440 Bhndldcn.exe 1788 Blbfjg32.exe 1896 Bblogakg.exe 1700 Cafecmlj.exe 1192 Cnmehnan.exe 276 Cnobnmpl.exe 1688 Cdikkg32.exe 2288 Ccngld32.exe 2028 Dlgldibq.exe 2764 Djklnnaj.exe 1540 Dliijipn.exe 2776 Djmicm32.exe 1752 Dcenlceh.exe 2672 Dkcofe32.exe 2708 Ebmgcohn.exe 1612 Eqbddk32.exe 2164 Egllae32.exe 2272 Ejkima32.exe 1440 Efaibbij.exe 592 Ecejkf32.exe 2068 Ejobhppq.exe 1556 Effcma32.exe 1224 Fmpkjkma.exe 3004 Fcjcfe32.exe 1740 Ffhpbacb.exe 2212 Fncdgcqm.exe 304 Ffklhqao.exe 284 Fiihdlpc.exe 444 Fbamma32.exe 1796 Fljafg32.exe 1988 Fnhnbb32.exe 2020 Fhqbkhch.exe 2456 Fjongcbl.exe 1792 Gedbdlbb.exe 2872 Gnmgmbhb.exe 2796 Gdjpeifj.exe 3012 Gifhnpea.exe 2944 Ganpomec.exe 2476 Gjfdhbld.exe 2484 Giieco32.exe 2624 Gdniqh32.exe 2876 Gohjaf32.exe 2836 Gbcfadgl.exe 1584 Ghqnjk32.exe 3064 Hbfbgd32.exe 2644 Hkaglf32.exe 2224 Hakphqja.exe 1812 Hlqdei32.exe 1416 Hoopae32.exe 800 Hhgdkjol.exe 1484 Hoamgd32.exe -
Loads dropped DLL 64 IoCs
Processes:
8b58db1641606b84ede64e0f4230c809e955ab38454d2099c547dc29ff7c9c28N.exeNlbeqb32.exeNncahjgl.exeNdmjedoi.exeOqkqkdne.exeOobjaqaj.exePfoocjfd.exePjadmnic.exePkpagq32.exeQabcjgkh.exeAmkpegnj.exeAnojbobe.exeAdnopfoj.exeAjhgmpfg.exeBhndldcn.exeBlbfjg32.exeBblogakg.exeCafecmlj.exeCnmehnan.exeCnobnmpl.exeCdikkg32.exeCcngld32.exeDlgldibq.exeDjklnnaj.exeDliijipn.exeDjmicm32.exeDcenlceh.exeDkcofe32.exeEbmgcohn.exeEqbddk32.exeEgllae32.exeEjkima32.exepid Process 2800 8b58db1641606b84ede64e0f4230c809e955ab38454d2099c547dc29ff7c9c28N.exe 2800 8b58db1641606b84ede64e0f4230c809e955ab38454d2099c547dc29ff7c9c28N.exe 2928 Nlbeqb32.exe 2928 Nlbeqb32.exe 1868 Nncahjgl.exe 1868 Nncahjgl.exe 2936 Ndmjedoi.exe 2936 Ndmjedoi.exe 2096 Oqkqkdne.exe 2096 Oqkqkdne.exe 1252 Oobjaqaj.exe 1252 Oobjaqaj.exe 2548 Pfoocjfd.exe 2548 Pfoocjfd.exe 3032 Pjadmnic.exe 3032 Pjadmnic.exe 2156 Pkpagq32.exe 2156 Pkpagq32.exe 792 Qabcjgkh.exe 792 Qabcjgkh.exe 2492 Amkpegnj.exe 2492 Amkpegnj.exe 1724 Anojbobe.exe 1724 Anojbobe.exe 2072 Adnopfoj.exe 2072 Adnopfoj.exe 2280 Ajhgmpfg.exe 2280 Ajhgmpfg.exe 2440 Bhndldcn.exe 2440 Bhndldcn.exe 1788 Blbfjg32.exe 1788 Blbfjg32.exe 1896 Bblogakg.exe 1896 Bblogakg.exe 1700 Cafecmlj.exe 1700 Cafecmlj.exe 1192 Cnmehnan.exe 1192 Cnmehnan.exe 276 Cnobnmpl.exe 276 Cnobnmpl.exe 1688 Cdikkg32.exe 1688 Cdikkg32.exe 2288 Ccngld32.exe 2288 Ccngld32.exe 2028 Dlgldibq.exe 2028 Dlgldibq.exe 2764 Djklnnaj.exe 2764 Djklnnaj.exe 1540 Dliijipn.exe 1540 Dliijipn.exe 2776 Djmicm32.exe 2776 Djmicm32.exe 1752 Dcenlceh.exe 1752 Dcenlceh.exe 2672 Dkcofe32.exe 2672 Dkcofe32.exe 2708 Ebmgcohn.exe 2708 Ebmgcohn.exe 1612 Eqbddk32.exe 1612 Eqbddk32.exe 2164 Egllae32.exe 2164 Egllae32.exe 2272 Ejkima32.exe 2272 Ejkima32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Lanaiahq.exeLlohjo32.exeNkmdpm32.exeIamimc32.exeNekbmgcn.exeBehgcf32.exeIdnaoohk.exeJnffgd32.exeBnkbam32.exeCdikkg32.exeDliijipn.exeLjffag32.exeDjklnnaj.exeHlqdei32.exeFnhnbb32.exeGifhnpea.exeQngmgjeb.exeOebimf32.exeOdlojanh.exeAigchgkh.exeNlbeqb32.exeFhqbkhch.exeHoopae32.exeIlcmjl32.exeNpagjpcd.exeBfpnmj32.exeEjobhppq.exeHkhnle32.exePjadmnic.exeJmplcp32.exePicnndmb.exeAjhgmpfg.exeIleiplhn.exeDcenlceh.exeHmfjha32.exeIlqpdm32.exePjbjhgde.exeBeejng32.exeAmkpegnj.exeBblogakg.exeFbamma32.exeGhqnjk32.exeQqeicede.exeIpjoplgo.exeJgojpjem.exeKjifhc32.exe8b58db1641606b84ede64e0f4230c809e955ab38454d2099c547dc29ff7c9c28N.exeNdmjedoi.exeLmebnb32.exeMponel32.exeKincipnk.exeAecaidjl.exeBbikgk32.exeFljafg32.exeGiieco32.exeGedbdlbb.exePgpeal32.exeAjbggjfq.exedescription ioc Process File created C:\Windows\SysWOW64\Ljffag32.exe Lanaiahq.exe File created C:\Windows\SysWOW64\Lfdmggnm.exe Llohjo32.exe File opened for modification C:\Windows\SysWOW64\Oebimf32.exe Nkmdpm32.exe File created C:\Windows\SysWOW64\Ilcmjl32.exe Iamimc32.exe File opened for modification C:\Windows\SysWOW64\Nmbknddp.exe Nekbmgcn.exe File opened for modification C:\Windows\SysWOW64\Bmclhi32.exe Behgcf32.exe File created C:\Windows\SysWOW64\Nmfmhhoj.dll Idnaoohk.exe File opened for modification C:\Windows\SysWOW64\Jhljdm32.exe Jnffgd32.exe File created C:\Windows\SysWOW64\Eoqbnm32.dll Bnkbam32.exe File opened for modification C:\Windows\SysWOW64\Ccngld32.exe Cdikkg32.exe File created C:\Windows\SysWOW64\Odifab32.dll Dliijipn.exe File created C:\Windows\SysWOW64\Lmebnb32.exe Ljffag32.exe File created C:\Windows\SysWOW64\Dliijipn.exe Djklnnaj.exe File created C:\Windows\SysWOW64\Hoopae32.exe Hlqdei32.exe File created C:\Windows\SysWOW64\Lhghcb32.dll Fnhnbb32.exe File created C:\Windows\SysWOW64\Jfdnjb32.dll Gifhnpea.exe File created C:\Windows\SysWOW64\Imjcfnhk.dll Qngmgjeb.exe File created C:\Windows\SysWOW64\Migkgb32.dll Oebimf32.exe File opened for modification C:\Windows\SysWOW64\Oappcfmb.exe Odlojanh.exe File opened for modification C:\Windows\SysWOW64\Afkdakjb.exe Aigchgkh.exe File opened for modification C:\Windows\SysWOW64\Nncahjgl.exe Nlbeqb32.exe File created C:\Windows\SysWOW64\Qkekligg.dll Fhqbkhch.exe File created C:\Windows\SysWOW64\Mjapln32.dll Hoopae32.exe File created C:\Windows\SysWOW64\Icmegf32.exe Ilcmjl32.exe File created C:\Windows\SysWOW64\Dnlbnp32.dll Npagjpcd.exe File created C:\Windows\SysWOW64\Bnkbam32.exe Bfpnmj32.exe File created C:\Windows\SysWOW64\Effcma32.exe Ejobhppq.exe File opened for modification C:\Windows\SysWOW64\Hmfjha32.exe Hkhnle32.exe File opened for modification C:\Windows\SysWOW64\Ilcmjl32.exe Iamimc32.exe File created C:\Windows\SysWOW64\Pkpagq32.exe Pjadmnic.exe File created C:\Windows\SysWOW64\Jjdmmdnh.exe Jmplcp32.exe File created C:\Windows\SysWOW64\Pjbjhgde.exe Picnndmb.exe File opened for modification C:\Windows\SysWOW64\Bhndldcn.exe Ajhgmpfg.exe File created C:\Windows\SysWOW64\Jnffgd32.exe Ileiplhn.exe File created C:\Windows\SysWOW64\Cbcodmih.dll Dcenlceh.exe File created C:\Windows\SysWOW64\Iccbqh32.exe Hmfjha32.exe File opened for modification C:\Windows\SysWOW64\Iamimc32.exe Ilqpdm32.exe File created C:\Windows\SysWOW64\Ngoohnkj.dll Nekbmgcn.exe File opened for modification C:\Windows\SysWOW64\Piekcd32.exe Pjbjhgde.exe File opened for modification C:\Windows\SysWOW64\Bbikgk32.exe Beejng32.exe File created C:\Windows\SysWOW64\Jifnmmhq.dll Amkpegnj.exe File created C:\Windows\SysWOW64\Cafecmlj.exe Bblogakg.exe File created C:\Windows\SysWOW64\Fljafg32.exe Fbamma32.exe File created C:\Windows\SysWOW64\Jmamaoln.dll Ghqnjk32.exe File created C:\Windows\SysWOW64\Abeemhkh.exe Qqeicede.exe File created C:\Windows\SysWOW64\Affcmdmb.dll Ejobhppq.exe File created C:\Windows\SysWOW64\Igchlf32.exe Ipjoplgo.exe File created C:\Windows\SysWOW64\Lekjcmbe.dll Jgojpjem.exe File opened for modification C:\Windows\SysWOW64\Kbdklf32.exe Kjifhc32.exe File created C:\Windows\SysWOW64\Kpbbidem.dll 8b58db1641606b84ede64e0f4230c809e955ab38454d2099c547dc29ff7c9c28N.exe File opened for modification C:\Windows\SysWOW64\Oqkqkdne.exe Ndmjedoi.exe File created C:\Windows\SysWOW64\Leljop32.exe Lmebnb32.exe File opened for modification C:\Windows\SysWOW64\Mhjbjopf.exe Mponel32.exe File opened for modification C:\Windows\SysWOW64\Jqgoiokm.exe Jgojpjem.exe File opened for modification C:\Windows\SysWOW64\Kbfhbeek.exe Kincipnk.exe File opened for modification C:\Windows\SysWOW64\Anlfbi32.exe Aecaidjl.exe File opened for modification C:\Windows\SysWOW64\Behgcf32.exe Bbikgk32.exe File opened for modification C:\Windows\SysWOW64\Fnhnbb32.exe Fljafg32.exe File created C:\Windows\SysWOW64\Mncfoa32.dll Giieco32.exe File created C:\Windows\SysWOW64\Gdfjcc32.dll Iamimc32.exe File created C:\Windows\SysWOW64\Obknqjig.dll Gedbdlbb.exe File created C:\Windows\SysWOW64\Afcklihm.dll Ipjoplgo.exe File opened for modification C:\Windows\SysWOW64\Pjnamh32.exe Pgpeal32.exe File created C:\Windows\SysWOW64\Agfgqo32.exe Ajbggjfq.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target Process procid_target 3056 640 WerFault.exe 204 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Pjadmnic.exeAjhgmpfg.exeHapicp32.exeIleiplhn.exeOokmfk32.exeQabcjgkh.exeGifhnpea.exeGbcfadgl.exeKqqboncb.exeMeppiblm.exeOdeiibdq.exeEjkima32.exeIgchlf32.exePdaheq32.exeBdmddc32.exeAnojbobe.exeDkcofe32.exeHmfjha32.exeJhljdm32.exePiekcd32.exeBnkbam32.exePfoocjfd.exeFjongcbl.exeHkhnle32.exeIpjoplgo.exeGedbdlbb.exeHkaglf32.exeJgojpjem.exeLibicbma.exeAigchgkh.exeCdoajb32.exeCcngld32.exeDjklnnaj.exeKkaiqk32.exeAjbggjfq.exeBehgcf32.exeFfklhqao.exeHbfbgd32.exeKbidgeci.exeBfpnmj32.exeKbdklf32.exeKincipnk.exeNncahjgl.exeAdnopfoj.exeEffcma32.exeFncdgcqm.exeHhgdkjol.exeKjifhc32.exeLmebnb32.exeQqeicede.exeBbikgk32.exePkfceo32.exeGohjaf32.exeLjffag32.exeLjibgg32.exeNmnace32.exeOlonpp32.exeOalfhf32.exeNmbknddp.exeOqacic32.exeNlbeqb32.exeNdmjedoi.exeBlbfjg32.exeEbmgcohn.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjadmnic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajhgmpfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hapicp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ileiplhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ookmfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qabcjgkh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gifhnpea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbcfadgl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kqqboncb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meppiblm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odeiibdq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejkima32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igchlf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdaheq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdmddc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anojbobe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkcofe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmfjha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhljdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piekcd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnkbam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfoocjfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjongcbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkhnle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipjoplgo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gedbdlbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkaglf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgojpjem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Libicbma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aigchgkh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdoajb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccngld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djklnnaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkaiqk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajbggjfq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Behgcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffklhqao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbfbgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbidgeci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfpnmj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbdklf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kincipnk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nncahjgl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adnopfoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Effcma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fncdgcqm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhgdkjol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjifhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmebnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qqeicede.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbikgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkfceo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gohjaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljffag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljibgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmnace32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olonpp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oalfhf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmbknddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqacic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlbeqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndmjedoi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blbfjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebmgcohn.exe -
Modifies registry class 64 IoCs
Processes:
Jmplcp32.exeOalfhf32.exeAnlfbi32.exeIdnaoohk.exeFljafg32.exeGjfdhbld.exeNpojdpef.exeApdhjq32.exeNdmjedoi.exeDcenlceh.exeHkhnle32.exePkfceo32.exeQngmgjeb.exeCdikkg32.exeFbamma32.exeNofdklgl.exeCnobnmpl.exeNmbknddp.exeOlonpp32.exeHoopae32.exeIamimc32.exeMgalqkbk.exeAgfgqo32.exeAigchgkh.exeHmfjha32.exeGdniqh32.exeKbfhbeek.exeLpekon32.exePfoocjfd.exeMffimglk.exeLmebnb32.exeKeednado.exeKkaiqk32.exeBeejng32.exeKjifhc32.exeFcjcfe32.exeGiieco32.exeGhqnjk32.exeOkdkal32.exePckoam32.exeBlkioa32.exeBmclhi32.exeBhndldcn.exeGanpomec.exeLlohjo32.exeMpjqiq32.exeOgmhkmki.exePjadmnic.exeAecaidjl.exeBbikgk32.exeQgmdjp32.exeEjobhppq.exeFjongcbl.exeLfdmggnm.exePiekcd32.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmplcp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oalfhf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Anlfbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmfmhhoj.dll" Idnaoohk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fljafg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmianb32.dll" Gjfdhbld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Npojdpef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Apdhjq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndmjedoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dcenlceh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkhnle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkfceo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imjcfnhk.dll" Qngmgjeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdikkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfmhdknh.dll" Fbamma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjclpeak.dll" Npojdpef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khcpdm32.dll" Nofdklgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnobnmpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmbknddp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olonpp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hoopae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iamimc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgalqkbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpggbq32.dll" Agfgqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aigchgkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbhnql32.dll" Hmfjha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aghcamqb.dll" Fljafg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdniqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddbddikd.dll" Kbfhbeek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpekon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhnffb32.dll" Pfoocjfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mffimglk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmebnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Keednado.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkaiqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmebnb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Beejng32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjifhc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fcjcfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Giieco32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghqnjk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iamimc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okdkal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aipheffp.dll" Pckoam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhgkeald.dll" Blkioa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfoocjfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjnolikh.dll" Bmclhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjhlioai.dll" Bhndldcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbamma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ganpomec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pplhdp32.dll" Kjifhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Llohjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpjqiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ogmhkmki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gljilnja.dll" Pjadmnic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odmoin32.dll" Aecaidjl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbikgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qgmdjp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ejobhppq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkkepg32.dll" Fjongcbl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfdmggnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lfdmggnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffjmmbcg.dll" Piekcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbikgk32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
8b58db1641606b84ede64e0f4230c809e955ab38454d2099c547dc29ff7c9c28N.exeNlbeqb32.exeNncahjgl.exeNdmjedoi.exeOqkqkdne.exeOobjaqaj.exePfoocjfd.exePjadmnic.exePkpagq32.exeQabcjgkh.exeAmkpegnj.exeAnojbobe.exeAdnopfoj.exeAjhgmpfg.exeBhndldcn.exeBlbfjg32.exedescription pid Process procid_target PID 2800 wrote to memory of 2928 2800 8b58db1641606b84ede64e0f4230c809e955ab38454d2099c547dc29ff7c9c28N.exe 30 PID 2800 wrote to memory of 2928 2800 8b58db1641606b84ede64e0f4230c809e955ab38454d2099c547dc29ff7c9c28N.exe 30 PID 2800 wrote to memory of 2928 2800 8b58db1641606b84ede64e0f4230c809e955ab38454d2099c547dc29ff7c9c28N.exe 30 PID 2800 wrote to memory of 2928 2800 8b58db1641606b84ede64e0f4230c809e955ab38454d2099c547dc29ff7c9c28N.exe 30 PID 2928 wrote to memory of 1868 2928 Nlbeqb32.exe 31 PID 2928 wrote to memory of 1868 2928 Nlbeqb32.exe 31 PID 2928 wrote to memory of 1868 2928 Nlbeqb32.exe 31 PID 2928 wrote to memory of 1868 2928 Nlbeqb32.exe 31 PID 1868 wrote to memory of 2936 1868 Nncahjgl.exe 32 PID 1868 wrote to memory of 2936 1868 Nncahjgl.exe 32 PID 1868 wrote to memory of 2936 1868 Nncahjgl.exe 32 PID 1868 wrote to memory of 2936 1868 Nncahjgl.exe 32 PID 2936 wrote to memory of 2096 2936 Ndmjedoi.exe 33 PID 2936 wrote to memory of 2096 2936 Ndmjedoi.exe 33 PID 2936 wrote to memory of 2096 2936 Ndmjedoi.exe 33 PID 2936 wrote to memory of 2096 2936 Ndmjedoi.exe 33 PID 2096 wrote to memory of 1252 2096 Oqkqkdne.exe 34 PID 2096 wrote to memory of 1252 2096 Oqkqkdne.exe 34 PID 2096 wrote to memory of 1252 2096 Oqkqkdne.exe 34 PID 2096 wrote to memory of 1252 2096 Oqkqkdne.exe 34 PID 1252 wrote to memory of 2548 1252 Oobjaqaj.exe 35 PID 1252 wrote to memory of 2548 1252 Oobjaqaj.exe 35 PID 1252 wrote to memory of 2548 1252 Oobjaqaj.exe 35 PID 1252 wrote to memory of 2548 1252 Oobjaqaj.exe 35 PID 2548 wrote to memory of 3032 2548 Pfoocjfd.exe 36 PID 2548 wrote to memory of 3032 2548 Pfoocjfd.exe 36 PID 2548 wrote to memory of 3032 2548 Pfoocjfd.exe 36 PID 2548 wrote to memory of 3032 2548 Pfoocjfd.exe 36 PID 3032 wrote to memory of 2156 3032 Pjadmnic.exe 37 PID 3032 wrote to memory of 2156 3032 Pjadmnic.exe 37 PID 3032 wrote to memory of 2156 3032 Pjadmnic.exe 37 PID 3032 wrote to memory of 2156 3032 Pjadmnic.exe 37 PID 2156 wrote to memory of 792 2156 Pkpagq32.exe 38 PID 2156 wrote to memory of 792 2156 Pkpagq32.exe 38 PID 2156 wrote to memory of 792 2156 Pkpagq32.exe 38 PID 2156 wrote to memory of 792 2156 Pkpagq32.exe 38 PID 792 wrote to memory of 2492 792 Qabcjgkh.exe 39 PID 792 wrote to memory of 2492 792 Qabcjgkh.exe 39 PID 792 wrote to memory of 2492 792 Qabcjgkh.exe 39 PID 792 wrote to memory of 2492 792 Qabcjgkh.exe 39 PID 2492 wrote to memory of 1724 2492 Amkpegnj.exe 40 PID 2492 wrote to memory of 1724 2492 Amkpegnj.exe 40 PID 2492 wrote to memory of 1724 2492 Amkpegnj.exe 40 PID 2492 wrote to memory of 1724 2492 Amkpegnj.exe 40 PID 1724 wrote to memory of 2072 1724 Anojbobe.exe 41 PID 1724 wrote to memory of 2072 1724 Anojbobe.exe 41 PID 1724 wrote to memory of 2072 1724 Anojbobe.exe 41 PID 1724 wrote to memory of 2072 1724 Anojbobe.exe 41 PID 2072 wrote to memory of 2280 2072 Adnopfoj.exe 42 PID 2072 wrote to memory of 2280 2072 Adnopfoj.exe 42 PID 2072 wrote to memory of 2280 2072 Adnopfoj.exe 42 PID 2072 wrote to memory of 2280 2072 Adnopfoj.exe 42 PID 2280 wrote to memory of 2440 2280 Ajhgmpfg.exe 43 PID 2280 wrote to memory of 2440 2280 Ajhgmpfg.exe 43 PID 2280 wrote to memory of 2440 2280 Ajhgmpfg.exe 43 PID 2280 wrote to memory of 2440 2280 Ajhgmpfg.exe 43 PID 2440 wrote to memory of 1788 2440 Bhndldcn.exe 44 PID 2440 wrote to memory of 1788 2440 Bhndldcn.exe 44 PID 2440 wrote to memory of 1788 2440 Bhndldcn.exe 44 PID 2440 wrote to memory of 1788 2440 Bhndldcn.exe 44 PID 1788 wrote to memory of 1896 1788 Blbfjg32.exe 45 PID 1788 wrote to memory of 1896 1788 Blbfjg32.exe 45 PID 1788 wrote to memory of 1896 1788 Blbfjg32.exe 45 PID 1788 wrote to memory of 1896 1788 Blbfjg32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\8b58db1641606b84ede64e0f4230c809e955ab38454d2099c547dc29ff7c9c28N.exe"C:\Users\Admin\AppData\Local\Temp\8b58db1641606b84ede64e0f4230c809e955ab38454d2099c547dc29ff7c9c28N.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\SysWOW64\Nlbeqb32.exeC:\Windows\system32\Nlbeqb32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\Nncahjgl.exeC:\Windows\system32\Nncahjgl.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1868 -
C:\Windows\SysWOW64\Ndmjedoi.exeC:\Windows\system32\Ndmjedoi.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\Oqkqkdne.exeC:\Windows\system32\Oqkqkdne.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Windows\SysWOW64\Oobjaqaj.exeC:\Windows\system32\Oobjaqaj.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1252 -
C:\Windows\SysWOW64\Pfoocjfd.exeC:\Windows\system32\Pfoocjfd.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\Pjadmnic.exeC:\Windows\system32\Pjadmnic.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\SysWOW64\Pkpagq32.exeC:\Windows\system32\Pkpagq32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\Qabcjgkh.exeC:\Windows\system32\Qabcjgkh.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:792 -
C:\Windows\SysWOW64\Amkpegnj.exeC:\Windows\system32\Amkpegnj.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\Windows\SysWOW64\Anojbobe.exeC:\Windows\system32\Anojbobe.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1724 -
C:\Windows\SysWOW64\Adnopfoj.exeC:\Windows\system32\Adnopfoj.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\Windows\SysWOW64\Ajhgmpfg.exeC:\Windows\system32\Ajhgmpfg.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\SysWOW64\Bhndldcn.exeC:\Windows\system32\Bhndldcn.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Windows\SysWOW64\Blbfjg32.exeC:\Windows\system32\Blbfjg32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1788 -
C:\Windows\SysWOW64\Bblogakg.exeC:\Windows\system32\Bblogakg.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1896 -
C:\Windows\SysWOW64\Cafecmlj.exeC:\Windows\system32\Cafecmlj.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1700 -
C:\Windows\SysWOW64\Cnmehnan.exeC:\Windows\system32\Cnmehnan.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1192 -
C:\Windows\SysWOW64\Cnobnmpl.exeC:\Windows\system32\Cnobnmpl.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:276 -
C:\Windows\SysWOW64\Cdikkg32.exeC:\Windows\system32\Cdikkg32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1688 -
C:\Windows\SysWOW64\Ccngld32.exeC:\Windows\system32\Ccngld32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2288 -
C:\Windows\SysWOW64\Dlgldibq.exeC:\Windows\system32\Dlgldibq.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2028 -
C:\Windows\SysWOW64\Djklnnaj.exeC:\Windows\system32\Djklnnaj.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2764 -
C:\Windows\SysWOW64\Dliijipn.exeC:\Windows\system32\Dliijipn.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1540 -
C:\Windows\SysWOW64\Djmicm32.exeC:\Windows\system32\Djmicm32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2776 -
C:\Windows\SysWOW64\Dcenlceh.exeC:\Windows\system32\Dcenlceh.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1752 -
C:\Windows\SysWOW64\Dkcofe32.exeC:\Windows\system32\Dkcofe32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2672 -
C:\Windows\SysWOW64\Ebmgcohn.exeC:\Windows\system32\Ebmgcohn.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2708 -
C:\Windows\SysWOW64\Eqbddk32.exeC:\Windows\system32\Eqbddk32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1612 -
C:\Windows\SysWOW64\Egllae32.exeC:\Windows\system32\Egllae32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2164 -
C:\Windows\SysWOW64\Ejkima32.exeC:\Windows\system32\Ejkima32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2272 -
C:\Windows\SysWOW64\Efaibbij.exeC:\Windows\system32\Efaibbij.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1440 -
C:\Windows\SysWOW64\Ecejkf32.exeC:\Windows\system32\Ecejkf32.exe34⤵
- Executes dropped EXE
PID:592 -
C:\Windows\SysWOW64\Ejobhppq.exeC:\Windows\system32\Ejobhppq.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2068 -
C:\Windows\SysWOW64\Effcma32.exeC:\Windows\system32\Effcma32.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1556 -
C:\Windows\SysWOW64\Fmpkjkma.exeC:\Windows\system32\Fmpkjkma.exe37⤵
- Executes dropped EXE
PID:1224 -
C:\Windows\SysWOW64\Fcjcfe32.exeC:\Windows\system32\Fcjcfe32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3004 -
C:\Windows\SysWOW64\Ffhpbacb.exeC:\Windows\system32\Ffhpbacb.exe39⤵
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Fncdgcqm.exeC:\Windows\system32\Fncdgcqm.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2212 -
C:\Windows\SysWOW64\Ffklhqao.exeC:\Windows\system32\Ffklhqao.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:304 -
C:\Windows\SysWOW64\Fiihdlpc.exeC:\Windows\system32\Fiihdlpc.exe42⤵
- Executes dropped EXE
PID:284 -
C:\Windows\SysWOW64\Fbamma32.exeC:\Windows\system32\Fbamma32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:444 -
C:\Windows\SysWOW64\Fljafg32.exeC:\Windows\system32\Fljafg32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1796 -
C:\Windows\SysWOW64\Fnhnbb32.exeC:\Windows\system32\Fnhnbb32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1988 -
C:\Windows\SysWOW64\Fhqbkhch.exeC:\Windows\system32\Fhqbkhch.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2020 -
C:\Windows\SysWOW64\Fjongcbl.exeC:\Windows\system32\Fjongcbl.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2456 -
C:\Windows\SysWOW64\Gedbdlbb.exeC:\Windows\system32\Gedbdlbb.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1792 -
C:\Windows\SysWOW64\Gnmgmbhb.exeC:\Windows\system32\Gnmgmbhb.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Gdjpeifj.exeC:\Windows\system32\Gdjpeifj.exe50⤵
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Gifhnpea.exeC:\Windows\system32\Gifhnpea.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3012 -
C:\Windows\SysWOW64\Ganpomec.exeC:\Windows\system32\Ganpomec.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:2944 -
C:\Windows\SysWOW64\Gjfdhbld.exeC:\Windows\system32\Gjfdhbld.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:2476 -
C:\Windows\SysWOW64\Giieco32.exeC:\Windows\system32\Giieco32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2484 -
C:\Windows\SysWOW64\Gdniqh32.exeC:\Windows\system32\Gdniqh32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2624 -
C:\Windows\SysWOW64\Gohjaf32.exeC:\Windows\system32\Gohjaf32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2876 -
C:\Windows\SysWOW64\Gbcfadgl.exeC:\Windows\system32\Gbcfadgl.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2836 -
C:\Windows\SysWOW64\Ghqnjk32.exeC:\Windows\system32\Ghqnjk32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1584 -
C:\Windows\SysWOW64\Hbfbgd32.exeC:\Windows\system32\Hbfbgd32.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3064 -
C:\Windows\SysWOW64\Hkaglf32.exeC:\Windows\system32\Hkaglf32.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2644 -
C:\Windows\SysWOW64\Hakphqja.exeC:\Windows\system32\Hakphqja.exe61⤵
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Hlqdei32.exeC:\Windows\system32\Hlqdei32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1812 -
C:\Windows\SysWOW64\Hoopae32.exeC:\Windows\system32\Hoopae32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1416 -
C:\Windows\SysWOW64\Hhgdkjol.exeC:\Windows\system32\Hhgdkjol.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:800 -
C:\Windows\SysWOW64\Hoamgd32.exeC:\Windows\system32\Hoamgd32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1484 -
C:\Windows\SysWOW64\Hapicp32.exeC:\Windows\system32\Hapicp32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2420 -
C:\Windows\SysWOW64\Hkhnle32.exeC:\Windows\system32\Hkhnle32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1652 -
C:\Windows\SysWOW64\Hmfjha32.exeC:\Windows\system32\Hmfjha32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1564 -
C:\Windows\SysWOW64\Iccbqh32.exeC:\Windows\system32\Iccbqh32.exe69⤵PID:1448
-
C:\Windows\SysWOW64\Illgimph.exeC:\Windows\system32\Illgimph.exe70⤵PID:1532
-
C:\Windows\SysWOW64\Icfofg32.exeC:\Windows\system32\Icfofg32.exe71⤵PID:2136
-
C:\Windows\SysWOW64\Ipjoplgo.exeC:\Windows\system32\Ipjoplgo.exe72⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2716 -
C:\Windows\SysWOW64\Igchlf32.exeC:\Windows\system32\Igchlf32.exe73⤵
- System Location Discovery: System Language Discovery
PID:1712 -
C:\Windows\SysWOW64\Ilqpdm32.exeC:\Windows\system32\Ilqpdm32.exe74⤵
- Drops file in System32 directory
PID:3028 -
C:\Windows\SysWOW64\Iamimc32.exeC:\Windows\system32\Iamimc32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2884 -
C:\Windows\SysWOW64\Ilcmjl32.exeC:\Windows\system32\Ilcmjl32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:380 -
C:\Windows\SysWOW64\Icmegf32.exeC:\Windows\system32\Icmegf32.exe77⤵PID:2720
-
C:\Windows\SysWOW64\Idnaoohk.exeC:\Windows\system32\Idnaoohk.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1736 -
C:\Windows\SysWOW64\Ileiplhn.exeC:\Windows\system32\Ileiplhn.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2180 -
C:\Windows\SysWOW64\Jnffgd32.exeC:\Windows\system32\Jnffgd32.exe80⤵
- Drops file in System32 directory
PID:1784 -
C:\Windows\SysWOW64\Jhljdm32.exeC:\Windows\system32\Jhljdm32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1500 -
C:\Windows\SysWOW64\Jgojpjem.exeC:\Windows\system32\Jgojpjem.exe82⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1960 -
C:\Windows\SysWOW64\Jqgoiokm.exeC:\Windows\system32\Jqgoiokm.exe83⤵PID:968
-
C:\Windows\SysWOW64\Jnkpbcjg.exeC:\Windows\system32\Jnkpbcjg.exe84⤵PID:972
-
C:\Windows\SysWOW64\Jdehon32.exeC:\Windows\system32\Jdehon32.exe85⤵PID:2412
-
C:\Windows\SysWOW64\Jnmlhchd.exeC:\Windows\system32\Jnmlhchd.exe86⤵PID:2392
-
C:\Windows\SysWOW64\Jmplcp32.exeC:\Windows\system32\Jmplcp32.exe87⤵
- Drops file in System32 directory
- Modifies registry class
PID:2856 -
C:\Windows\SysWOW64\Jjdmmdnh.exeC:\Windows\system32\Jjdmmdnh.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2140 -
C:\Windows\SysWOW64\Jmbiipml.exeC:\Windows\system32\Jmbiipml.exe89⤵PID:2908
-
C:\Windows\SysWOW64\Kiijnq32.exeC:\Windows\system32\Kiijnq32.exe90⤵PID:1732
-
C:\Windows\SysWOW64\Kqqboncb.exeC:\Windows\system32\Kqqboncb.exe91⤵
- System Location Discovery: System Language Discovery
PID:1848 -
C:\Windows\SysWOW64\Kconkibf.exeC:\Windows\system32\Kconkibf.exe92⤵PID:2976
-
C:\Windows\SysWOW64\Kjifhc32.exeC:\Windows\system32\Kjifhc32.exe93⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1420 -
C:\Windows\SysWOW64\Kbdklf32.exeC:\Windows\system32\Kbdklf32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1560 -
C:\Windows\SysWOW64\Kincipnk.exeC:\Windows\system32\Kincipnk.exe95⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2184 -
C:\Windows\SysWOW64\Kbfhbeek.exeC:\Windows\system32\Kbfhbeek.exe96⤵
- Modifies registry class
PID:2400 -
C:\Windows\SysWOW64\Keednado.exeC:\Windows\system32\Keednado.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1860 -
C:\Windows\SysWOW64\Kpjhkjde.exeC:\Windows\system32\Kpjhkjde.exe98⤵PID:1104
-
C:\Windows\SysWOW64\Kbidgeci.exeC:\Windows\system32\Kbidgeci.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1664 -
C:\Windows\SysWOW64\Kkaiqk32.exeC:\Windows\system32\Kkaiqk32.exe100⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:704 -
C:\Windows\SysWOW64\Knpemf32.exeC:\Windows\system32\Knpemf32.exe101⤵PID:1428
-
C:\Windows\SysWOW64\Lanaiahq.exeC:\Windows\system32\Lanaiahq.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2864 -
C:\Windows\SysWOW64\Ljffag32.exeC:\Windows\system32\Ljffag32.exe103⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2960 -
C:\Windows\SysWOW64\Lmebnb32.exeC:\Windows\system32\Lmebnb32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1600 -
C:\Windows\SysWOW64\Leljop32.exeC:\Windows\system32\Leljop32.exe105⤵PID:2508
-
C:\Windows\SysWOW64\Ljibgg32.exeC:\Windows\system32\Ljibgg32.exe106⤵
- System Location Discovery: System Language Discovery
PID:1332 -
C:\Windows\SysWOW64\Lmgocb32.exeC:\Windows\system32\Lmgocb32.exe107⤵PID:600
-
C:\Windows\SysWOW64\Lpekon32.exeC:\Windows\system32\Lpekon32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:888 -
C:\Windows\SysWOW64\Linphc32.exeC:\Windows\system32\Linphc32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1924 -
C:\Windows\SysWOW64\Lccdel32.exeC:\Windows\system32\Lccdel32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2256 -
C:\Windows\SysWOW64\Llohjo32.exeC:\Windows\system32\Llohjo32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1832 -
C:\Windows\SysWOW64\Lfdmggnm.exeC:\Windows\system32\Lfdmggnm.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1336 -
C:\Windows\SysWOW64\Libicbma.exeC:\Windows\system32\Libicbma.exe113⤵
- System Location Discovery: System Language Discovery
PID:1276 -
C:\Windows\SysWOW64\Mffimglk.exeC:\Windows\system32\Mffimglk.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2380 -
C:\Windows\SysWOW64\Mponel32.exeC:\Windows\system32\Mponel32.exe115⤵
- Drops file in System32 directory
PID:2580 -
C:\Windows\SysWOW64\Mhjbjopf.exeC:\Windows\system32\Mhjbjopf.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2684 -
C:\Windows\SysWOW64\Mlfojn32.exeC:\Windows\system32\Mlfojn32.exe117⤵PID:2828
-
C:\Windows\SysWOW64\Mabgcd32.exeC:\Windows\system32\Mabgcd32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2064 -
C:\Windows\SysWOW64\Mhloponc.exeC:\Windows\system32\Mhloponc.exe119⤵PID:1372
-
C:\Windows\SysWOW64\Meppiblm.exeC:\Windows\system32\Meppiblm.exe120⤵
- System Location Discovery: System Language Discovery
PID:2528 -
C:\Windows\SysWOW64\Mgalqkbk.exeC:\Windows\system32\Mgalqkbk.exe121⤵
- Modifies registry class
PID:2228 -
C:\Windows\SysWOW64\Mpjqiq32.exeC:\Windows\system32\Mpjqiq32.exe122⤵
- Modifies registry class
PID:1012
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-