Analysis
max time kernel: 82s
max time network: 19s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
submitted: 13-11-2024 16:45
Static task: static1
Behavioral task: behavioral1
  Sample: 8e1bc089aa555ba8098986db69cabd26d91185f474a9cd5ae52b8f46d01e2424N.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 8e1bc089aa555ba8098986db69cabd26d91185f474a9cd5ae52b8f46d01e2424N.exe
  Resource: win10v2004-20241007-en
General
Target: 8e1bc089aa555ba8098986db69cabd26d91185f474a9cd5ae52b8f46d01e2424N.exe
Size: 72KB
MD5: 17b7ac1cb95e0f18fa5b9b62454aa820
SHA1: 933a5c0c488d8eb49842a858d5a243590c9d117f
SHA256: 8e1bc089aa555ba8098986db69cabd26d91185f474a9cd5ae52b8f46d01e2424
SHA512: 51566b6309e2b96605cb18b990ae242b014c6e4595e3252283828a89bc80e4c8ca9a43cae919aaafc0f8aa87007e2d500f134574300056b9fb473066032f1916
SSDEEP: 768:yRgDHBa3lGJ3EZb7s4ZscesOfeQAjJ3B/1H58NU9UiEb/KEiEixV38Hiv+X2td4A:yyk3lEgHsCCfYh7vPgUN3QivEtA
Malware Config
Extracted
berbew
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Berbew family
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
Processes: WerFault.exe (pid 4172, pid_target 3848, procid_target 913)
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nldgdpjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Opbnbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjmnck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccckabef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Goohckob.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlndfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhpbobba.dll" Apjbpemb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 8e1bc089aa555ba8098986db69cabd26d91185f474a9cd5ae52b8f46d01e2424N.exe, Elnagijk.exe, Eheblj32.exe, Emdgjpkd.exe, Fncddc32.exe, Fpgmak32.exe, Fmknko32.exe, Fhgkqmph.exe, Gaamobdf.exe, Gepeep32.exe, Gddbfm32.exe, Ggekhhle.exe, Hifdjcif.exe, Hjkneb32.exe, Hohfmi32.exe, Hahoodqi.exe
description | pid | Process | procid_target
PID 2580 wrote to memory of 2160 | 2580 | 8e1bc089aa555ba8098986db69cabd26d91185f474a9cd5ae52b8f46d01e2424N.exe | 29
PID 2160 wrote to memory of 2392 | 2160 | Elnagijk.exe | 30
PID 2392 wrote to memory of 2916 | 2392 | Eheblj32.exe | 31
PID 2916 wrote to memory of 2800 | 2916 | Emdgjpkd.exe | 32
PID 2800 wrote to memory of 2864 | 2800 | Fncddc32.exe | 33
PID 2864 wrote to memory of 1968 | 2864 | Fpgmak32.exe | 34
PID 1968 wrote to memory of 564 | 1968 | Fmknko32.exe | 35
PID 564 wrote to memory of 980 | 564 | Fhgkqmph.exe | 36
PID 980 wrote to memory of 2984 | 980 | Gaamobdf.exe | 37
PID 2984 wrote to memory of 2988 | 2984 | Gepeep32.exe | 38
PID 2988 wrote to memory of 2992 | 2988 | Gddbfm32.exe | 39
PID 2992 wrote to memory of 1652 | 2992 | Ggekhhle.exe | 40
PID 1652 wrote to memory of 2200 | 1652 | Hifdjcif.exe | 41
PID 2200 wrote to memory of 2364 | 2200 | Hjkneb32.exe | 42
PID 2364 wrote to memory of 2556 | 2364 | Hohfmi32.exe | 43
PID 2556 wrote to memory of 2092 | 2556 | Hahoodqi.exe | 44
Each of these rows is recorded four times in the report, which accounts for the 64 IoCs counted above.
Processes
C:\Users\Admin\AppData\Local\Temp\8e1bc089aa555ba8098986db69cabd26d91185f474a9cd5ae52b8f46d01e2424N.exe (level 1, PID 2580; command line: "C:\Users\Admin\AppData\Local\Temp\8e1bc089aa555ba8098986db69cabd26d91185f474a9cd5ae52b8f46d01e2424N.exe")
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Elnagijk.exe (level 2, PID 2160; command line: C:\Windows\system32\Elnagijk.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Eheblj32.exe (level 3, PID 2392; command line: C:\Windows\system32\Eheblj32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Emdgjpkd.exe (level 4, PID 2916; command line: C:\Windows\system32\Emdgjpkd.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Fncddc32.exe (level 5, PID 2800; command line: C:\Windows\system32\Fncddc32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Fpgmak32.exe (level 6, PID 2864; command line: C:\Windows\system32\Fpgmak32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Fmknko32.exe (level 7, PID 1968; command line: C:\Windows\system32\Fmknko32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Fhgkqmph.exe (level 8, PID 564; command line: C:\Windows\system32\Fhgkqmph.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Gaamobdf.exe (level 9, PID 980; command line: C:\Windows\system32\Gaamobdf.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Gepeep32.exe (level 10, PID 2984; command line: C:\Windows\system32\Gepeep32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Gddbfm32.exe (level 11, PID 2988; command line: C:\Windows\system32\Gddbfm32.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Ggekhhle.exe (level 12, PID 2992; command line: C:\Windows\system32\Ggekhhle.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Hifdjcif.exe (level 13, PID 1652; command line: C:\Windows\system32\Hifdjcif.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Hjkneb32.exe (level 14, PID 2200; command line: C:\Windows\system32\Hjkneb32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Hohfmi32.exe (level 15, PID 2364; command line: C:\Windows\system32\Hohfmi32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Hahoodqi.exe (level 16, PID 2556; command line: C:\Windows\system32\Hahoodqi.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Ibklddof.exe (level 17, PID 2092; command line: C:\Windows\system32\Ibklddof.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Iqbekpal.exe (level 18, PID 1988; command line: C:\Windows\system32\Iqbekpal.exe)
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Iogbllfc.exe (level 19, PID 2644; command line: C:\Windows\system32\Iogbllfc.exe)
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Jfdgnf32.exe (level 20, PID 1328; command line: C:\Windows\system32\Jfdgnf32.exe)
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Jbmdig32.exe (level 21, PID 1984; command line: C:\Windows\system32\Jbmdig32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Jabajc32.exe (level 22, PID 1624; command line: C:\Windows\system32\Jabajc32.exe)
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Jgnflmia.exe (level 23, PID 1932; command line: C:\Windows\system32\Jgnflmia.exe)
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Kcgdgnmc.exe (level 24, PID 872; command line: C:\Windows\system32\Kcgdgnmc.exe)
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Kbmahjbk.exe (level 25, PID 2148; command line: C:\Windows\system32\Kbmahjbk.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Kpcngnob.exe (level 26, PID 2484; command line: C:\Windows\system32\Kpcngnob.exe)
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Lljolodf.exe (level 27, PID 2788; command line: C:\Windows\system32\Lljolodf.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
C:\Windows\SysWOW64\Lomdcj32.exe (level 28, PID 2332; command line: C:\Windows\system32\Lomdcj32.exe)
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Lghigl32.exe (level 29, PID 2688; command line: C:\Windows\system32\Lghigl32.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Mlndfa32.exe (level 30, PID 2708; command line: C:\Windows\system32\Mlndfa32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
C:\Windows\SysWOW64\Mamjchoa.exe (level 31, PID 2756; command line: C:\Windows\system32\Mamjchoa.exe)
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Napfihmn.exe (level 32, PID 2184; command line: C:\Windows\system32\Napfihmn.exe)
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Nabcog32.exe (level 33, PID 2300; command line: C:\Windows\system32\Nabcog32.exe)
- Executes dropped EXE
C:\Windows\SysWOW64\Ncellpog.exe (level 34, PID 2084; command line: C:\Windows\system32\Ncellpog.exe)
- Executes dropped EXE
C:\Windows\SysWOW64\Nqjmec32.exe (level 35, PID 948; command line: C:\Windows\system32\Nqjmec32.exe)
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Ngcebnen.exe (level 36, PID 1852; command line: C:\Windows\system32\Ngcebnen.exe)
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Nlpmjdce.exe (level 37, PID 2312; command line: C:\Windows\system32\Nlpmjdce.exe)
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Ocjfgo32.exe (level 38, PID 2372; command line: C:\Windows\system32\Ocjfgo32.exe)
- Executes dropped EXE
C:\Windows\SysWOW64\Ombjpd32.exe (level 39, PID 2192; command line: C:\Windows\system32\Ombjpd32.exe)
- Executes dropped EXE
C:\Windows\SysWOW64\Omeged32.exe (level 40, PID 2216; command line: C:\Windows\system32\Omeged32.exe)
- Executes dropped EXE
- Drops file in System32 directory
C:\Windows\SysWOW64\Obbonk32.exe (level 41, PID 2280; command line: C:\Windows\system32\Obbonk32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
C:\Windows\SysWOW64\Oofpgolq.exe (level 42, PID 2564; command line: C:\Windows\system32\Oofpgolq.exe)
- Executes dropped EXE
C:\Windows\SysWOW64\Oindpd32.exe (level 43, PID 2656; command line: C:\Windows\system32\Oindpd32.exe)
- Executes dropped EXE
C:\Windows\SysWOW64\Onkmhl32.exe (level 44, PID 2252; command line: C:\Windows\system32\Onkmhl32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
C:\Windows\SysWOW64\Oeeeeehe.exe (level 45, PID 1860; command line: C:\Windows\system32\Oeeeeehe.exe)
- Executes dropped EXE
C:\Windows\SysWOW64\Pqlfjfni.exe (level 46, PID 1408; command line: C:\Windows\system32\Pqlfjfni.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Pnpfckmc.exe (level 47, PID 1972; command line: C:\Windows\system32\Pnpfckmc.exe)
- Executes dropped EXE
C:\Windows\SysWOW64\Pclolakk.exe (level 48, PID 2168; command line: C:\Windows\system32\Pclolakk.exe)
- Executes dropped EXE
C:\Windows\SysWOW64\Pnbcij32.exe (level 49, PID 2308; command line: C:\Windows\system32\Pnbcij32.exe)
- Executes dropped EXE
C:\Windows\SysWOW64\Pgjgapaa.exe (level 50, PID 2112; command line: C:\Windows\system32\Pgjgapaa.exe)
- Executes dropped EXE
C:\Windows\SysWOW64\Pmgpjgph.exe (level 51, PID 2964; command line: C:\Windows\system32\Pmgpjgph.exe)
C:\Windows\SysWOW64\Pcahga32.exe (level 52, PID 2496; command line: C:\Windows\system32\Pcahga32.exe)
- Executes dropped EXE
C:\Windows\SysWOW64\Pllmkcdp.exe (level 53, PID 1504; command line: C:\Windows\system32\Pllmkcdp.exe)
- Executes dropped EXE
C:\Windows\SysWOW64\Qmlief32.exe (level 54, PID 3020; command line: C:\Windows\system32\Qmlief32.exe)
- Executes dropped EXE
C:\Windows\SysWOW64\Qbiamm32.exe (level 55, PID 2868; command line: C:\Windows\system32\Qbiamm32.exe)
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Qlaffbqk.exe (level 56, PID 2100; command line: C:\Windows\system32\Qlaffbqk.exe)
- Executes dropped EXE
C:\Windows\SysWOW64\Aeikohgk.exe (level 57, PID 2208; command line: C:\Windows\system32\Aeikohgk.exe)
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Anbohn32.exe (level 58, PID 2616; command line: C:\Windows\system32\Anbohn32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
C:\Windows\SysWOW64\Andlmnki.exe (level 59, PID 2668; command line: C:\Windows\system32\Andlmnki.exe)
- Executes dropped EXE
C:\Windows\SysWOW64\Afoqbpid.exe (level 60, PID 1764; command line: C:\Windows\system32\Afoqbpid.exe)
- Executes dropped EXE
- Drops file in System32 directory
C:\Windows\SysWOW64\Apheke32.exe (level 61, PID 2928; command line: C:\Windows\system32\Apheke32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Ahomlb32.exe (level 62, PID 1588; command line: C:\Windows\system32\Ahomlb32.exe)
- Executes dropped EXE
C:\Windows\SysWOW64\Apjbpemb.exe (level 63, PID 928; command line: C:\Windows\system32\Apjbpemb.exe)
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Bplofekp.exe (level 64, PID 2860; command line: C:\Windows\system32\Bplofekp.exe)
- Executes dropped EXE
C:\Windows\SysWOW64\Biecoj32.exe (level 65, PID 2272; command line: C:\Windows\system32\Biecoj32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Bgichoqj.exe (level 66, PID 608; command line: C:\Windows\system32\Bgichoqj.exe)
- Executes dropped EXE
C:\Windows\SysWOW64\Blelpeoa.exe (level 67, PID 2424; command line: C:\Windows\system32\Blelpeoa.exe)
C:\Windows\SysWOW64\Blhifemo.exe (level 68, PID 1016; command line: C:\Windows\system32\Blhifemo.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Baeanl32.exe (level 69, PID 1956; command line: C:\Windows\system32\Baeanl32.exe)
C:\Windows\SysWOW64\Bkmegaaf.exe (level 70, PID 1952; command line: C:\Windows\system32\Bkmegaaf.exe)
C:\Windows\SysWOW64\Bagncl32.exe (level 71, PID 1592; command line: C:\Windows\system32\Bagncl32.exe)
C:\Windows\SysWOW64\Caijik32.exe (level 72, PID 1880; command line: C:\Windows\system32\Caijik32.exe)
C:\Windows\SysWOW64\Ckboba32.exe (level 73, PID 2600; command line: C:\Windows\system32\Ckboba32.exe)
C:\Windows\SysWOW64\Cdjckfda.exe (level 74, PID 2528; command line: C:\Windows\system32\Cdjckfda.exe)
C:\Windows\SysWOW64\Cpadpg32.exe (level 75, PID 2884; command line: C:\Windows\system32\Cpadpg32.exe)
C:\Windows\SysWOW64\Clheeh32.exe (level 76, PID 2716; command line: C:\Windows\system32\Clheeh32.exe)
C:\Windows\SysWOW64\Cfpinnfj.exe (level 77, PID 2700; command line: C:\Windows\system32\Cfpinnfj.exe)
C:\Windows\SysWOW64\Dbgjbo32.exe (level 78, PID 2872; command line: C:\Windows\system32\Dbgjbo32.exe)
C:\Windows\SysWOW64\Dllnphkd.exe (level 79, PID 2348; command line: C:\Windows\system32\Dllnphkd.exe)
C:\Windows\SysWOW64\Dfecim32.exe (level 80, PID 2044; command line: C:\Windows\system32\Dfecim32.exe)
C:\Windows\SysWOW64\Dnpgmp32.exe (level 81, PID 1732; command line: C:\Windows\system32\Dnpgmp32.exe)
C:\Windows\SysWOW64\Dheljhof.exe (level 82, PID 1516; command line: C:\Windows\system32\Dheljhof.exe)
C:\Windows\SysWOW64\Dbnpcn32.exe (level 83, PID 1012; command line: C:\Windows\system32\Dbnpcn32.exe)
C:\Windows\SysWOW64\Dndahokk.exe (level 84, PID 764; command line: C:\Windows\system32\Dndahokk.exe)
C:\Windows\SysWOW64\Eqejjj32.exe (level 85, PID 1900; command line: C:\Windows\system32\Eqejjj32.exe)
C:\Windows\SysWOW64\Ejnnbpol.exe (level 86, PID 1664; command line: C:\Windows\system32\Ejnnbpol.exe)
C:\Windows\SysWOW64\Epkgkfmd.exe (level 87, PID 2376; command line: C:\Windows\system32\Epkgkfmd.exe)
C:\Windows\SysWOW64\Emogdk32.exe (level 88, PID 1744; command line: C:\Windows\system32\Emogdk32.exe)
C:\Windows\SysWOW64\Echpaecj.exe (level 89, PID 776; command line: C:\Windows\system32\Echpaecj.exe)
C:\Windows\SysWOW64\Ecklgdag.exe (level 90, PID 2124; command line: C:\Windows\system32\Ecklgdag.exe)
C:\Windows\SysWOW64\Fflehp32.exe (level 91, PID 2340; command line: C:\Windows\system32\Fflehp32.exe)
C:\Windows\SysWOW64\Fhonegbd.exe (level 92, PID 2640; command line: C:\Windows\system32\Fhonegbd.exe)
C:\Windows\SysWOW64\Fcfojhhh.exe (level 93, PID 2904; command line: C:\Windows\system32\Fcfojhhh.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Fnkchahn.exe (level 94, PID 2876; command line: C:\Windows\system32\Fnkchahn.exe)
C:\Windows\SysWOW64\Fdhlphff.exe (level 95, PID 2768; command line: C:\Windows\system32\Fdhlphff.exe)
C:\Windows\SysWOW64\Fjbdmbmb.exe (level 96, PID 2680; command line: C:\Windows\system32\Fjbdmbmb.exe)
C:\Windows\SysWOW64\Fhfdffll.exe (level 97, PID 1876; command line: C:\Windows\system32\Fhfdffll.exe)
C:\Windows\SysWOW64\Gmcmomjc.exe (level 98, PID 2748; command line: C:\Windows\system32\Gmcmomjc.exe)
C:\Windows\SysWOW64\Gijncn32.exe (level 99, PID 900; command line: C:\Windows\system32\Gijncn32.exe)
C:\Windows\SysWOW64\Geqnho32.exe (level 100, PID 2784; command line: C:\Windows\system32\Geqnho32.exe)
C:\Windows\SysWOW64\Gljfeimi.exe (level 101, PID 1380; command line: C:\Windows\system32\Gljfeimi.exe)
- Drops file in System32 directory
C:\Windows\SysWOW64\Gbdobc32.exe (level 102, PID 2296; command line: C:\Windows\system32\Gbdobc32.exe)
C:\Windows\SysWOW64\Glmckikf.exe (level 103, PID 1508; command line: C:\Windows\system32\Glmckikf.exe)
- Drops file in System32 directory
C:\Windows\SysWOW64\Geehcoaf.exe (level 104, PID 1704; command line: C:\Windows\system32\Geehcoaf.exe)
C:\Windows\SysWOW64\Gloppi32.exe (level 105, PID 1036; command line: C:\Windows\system32\Gloppi32.exe)
C:\Windows\SysWOW64\Hegdinpd.exe (level 106, PID 236; command line: C:\Windows\system32\Hegdinpd.exe)
C:\Windows\SysWOW64\Hkdmaenk.exe (level 107, PID 1308; command line: C:\Windows\system32\Hkdmaenk.exe)
C:\Windows\SysWOW64\Hejaon32.exe (level 108, PID 2652; command line: C:\Windows\system32\Hejaon32.exe)
C:\Windows\SysWOW64\Hpcbol32.exe (level 109, PID 2792; command line: C:\Windows\system32\Hpcbol32.exe)
C:\Windows\SysWOW64\Hkifld32.exe (level 110, PID 2880; command line: C:\Windows\system32\Hkifld32.exe)
C:\Windows\SysWOW64\Hdakej32.exe (level 111, PID 1184; command line: C:\Windows\system32\Hdakej32.exe)
C:\Windows\SysWOW64\Hnjonpgg.exe (level 112, PID 672; command line: C:\Windows\system32\Hnjonpgg.exe)
C:\Windows\SysWOW64\Hcghffen.exe (level 113, PID 2036; command line: C:\Windows\system32\Hcghffen.exe)
- Modifies registry class
C:\Windows\SysWOW64\Igdqmeke.exe (level 114, PID 1708; command line: C:\Windows\system32\Igdqmeke.exe)
C:\Windows\SysWOW64\Iopeagip.exe (level 115, PID 2488; command line: C:\Windows\system32\Iopeagip.exe)
- Drops file in System32 directory
C:\Windows\SysWOW64\Iejnna32.exe (level 116, PID 2244; command line: C:\Windows\system32\Iejnna32.exe)
C:\Windows\SysWOW64\Iobbfggm.exe (level 117, PID 2260; command line: C:\Windows\system32\Iobbfggm.exe)
C:\Windows\SysWOW64\Iodolf32.exe (level 118, PID 2520; command line: C:\Windows\system32\Iodolf32.exe)
C:\Windows\SysWOW64\Idagdm32.exe (level 119, PID 288; command line: C:\Windows\system32\Idagdm32.exe)
C:\Windows\SysWOW64\Iqhhin32.exe (level 120, PID 1052; command line: C:\Windows\system32\Iqhhin32.exe)
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Jqjdon32.exe (level 121, PID 3012; command line: C:\Windows\system32\Jqjdon32.exe)
C:\Windows\SysWOW64\Jgdmkhnp.exe (level 122, PID 2052; command line: C:\Windows\system32\Jgdmkhnp.exe)