Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
13-11-2024 16:55
Static task
static1
Behavioral task
behavioral1
Sample
4064514ef933656a4e797d528733c785c1f49ee05861691fab1100f89124841dN.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
4064514ef933656a4e797d528733c785c1f49ee05861691fab1100f89124841dN.exe
Resource
win10v2004-20241007-en
General
-
Target
4064514ef933656a4e797d528733c785c1f49ee05861691fab1100f89124841dN.exe
-
Size
1.1MB
-
MD5
41e1c824a09c33fc2b601ebbfa559ab8
-
SHA1
a5ec169c087b535a4472b87d4536cd255676601d
-
SHA256
4de656b5b3b10e39c97729bb134d8bac994a2faf2f29c3b4923198143db77468
-
SHA512
355a5090fbb22cb284545e77cea38b44493094ba67faed7839fdfa074afe41640aaa263031cc611cb7884008a714c3d36f90a02b0f7e65453fca6febf02bda42
-
SSDEEP
24576:xYlFiWVPh2kkkkK4kXkkkkkkkkhLX3a20R0v50+YNpsKv2EvZH1:xYlFiWNbazR0vKLXZ1
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Hjfnnajl.exeGnbejb32.exeKbmfgk32.exeLgingm32.exeEeojcmfi.exeAphcppmo.exeFbngfo32.exeDkjhjm32.exeMkofaj32.exeAeghng32.exeIoiidfon.exeNjpihk32.exeCbgobp32.exeGmhkin32.exeKekkiq32.exePdgmlhha.exeHcajhi32.exePmpdmfff.exeCpgecq32.exeAanibhoh.exeOdacbpee.exeNfgjml32.exeOjbbmnhc.exeCbjnqh32.exeIfgicg32.exeHhoeii32.exeLdbjdj32.exeDdppmclb.exeObgnhkkh.exePbigmn32.exeApefjqob.exeOjeakfnd.exeKajiigba.exeDdhaie32.exeEopphehb.exePfbfhm32.exeJedehaea.exeMonhjgkj.exeBahelebm.exeEbockkal.exeLoclai32.exeMndhnd32.exeBogljj32.exeQbafalph.exeGglbfg32.exeJbpfnh32.exeJnofgg32.exeLidgcclp.exeBimphc32.exeAnbkipok.exeGkmbmh32.exeKpdcfoph.exeIakino32.exeCnejim32.exeEloipb32.exeHlhddh32.exeNbeedh32.exeBedhgj32.exeFbpclofe.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjfnnajl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnbejb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbmfgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgingm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eeojcmfi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aphcppmo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbngfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkjhjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkofaj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aeghng32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioiidfon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njpihk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbgobp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmhkin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kekkiq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdgmlhha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcajhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmpdmfff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpgecq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aanibhoh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odacbpee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfgjml32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojbbmnhc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbjnqh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifgicg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhoeii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldbjdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddppmclb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obgnhkkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbigmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apefjqob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojeakfnd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kajiigba.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddhaie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eopphehb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfbfhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jedehaea.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Monhjgkj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bahelebm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebockkal.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Loclai32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mndhnd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmpdmfff.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bogljj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbafalph.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbgobp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gglbfg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojeakfnd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbpfnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnofgg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lidgcclp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bimphc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anbkipok.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkmbmh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpdcfoph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iakino32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnejim32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apefjqob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Loclai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eloipb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlhddh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbeedh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bedhgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbpclofe.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Oococb32.exeOabkom32.exePdgmlhha.exePghfnc32.exeAllefimb.exeAnbkipok.exeAqbdkk32.exeBkhhhd32.exeBigkel32.exeCoacbfii.exeCchbgi32.exeCgfkmgnj.exeDebadpeg.exeDphfbiem.exeEopphehb.exeEeiheo32.exeFiepea32.exeFigmjq32.exeFleifl32.exeFcpacf32.exeGhofam32.exeGkmbmh32.exeGjbpne32.exeGckdgjeb.exeGfkmie32.exeGnbejb32.exeHcajhi32.exeHfpfdeon.exeHiqoeplo.exeHnnhngjf.exeHegpjaac.exeHjgehgnh.exeIndnnfdn.exeIeofkp32.exeIjkocg32.exeIphgln32.exeIladfn32.exeIfgicg32.exeJlfnangf.exeJbpfnh32.exeJijokbfp.exeJaecod32.exeJdcpkp32.exeJagpdd32.exeJeclebja.exeJdflqo32.exeKpojkp32.exeKbmfgk32.exeKigndekn.exeKpdcfoph.exeKbbobkol.exeKpfplo32.exeKechdf32.exeKkpqlm32.exeKajiigba.exeLkbmbl32.exeLgingm32.exeLanbdf32.exeLpabpcdf.exeLaqojfli.exeLdokfakl.exeLdahkaij.exeLgpdglhn.exeMokilo32.exepid Process 2336 Oococb32.exe 2020 Oabkom32.exe 2412 Pdgmlhha.exe 2832 Pghfnc32.exe 2704 Allefimb.exe 2584 Anbkipok.exe 1636 Aqbdkk32.exe 1764 Bkhhhd32.exe 2016 Bigkel32.exe 1952 Coacbfii.exe 2888 Cchbgi32.exe 1456 Cgfkmgnj.exe 2952 Debadpeg.exe 2108 Dphfbiem.exe 2248 Eopphehb.exe 2972 Eeiheo32.exe 1004 Fiepea32.exe 1752 Figmjq32.exe 744 Fleifl32.exe 1692 Fcpacf32.exe 2200 Ghofam32.exe 2428 Gkmbmh32.exe 2160 Gjbpne32.exe 1848 Gckdgjeb.exe 2388 Gfkmie32.exe 2868 Gnbejb32.exe 1580 Hcajhi32.exe 2536 Hfpfdeon.exe 2788 Hiqoeplo.exe 2716 Hnnhngjf.exe 2588 Hegpjaac.exe 2136 Hjgehgnh.exe 2112 Indnnfdn.exe 2896 Ieofkp32.exe 2620 Ijkocg32.exe 2548 Iphgln32.exe 1992 Iladfn32.exe 2920 Ifgicg32.exe 1312 Jlfnangf.exe 2244 Jbpfnh32.exe 776 Jijokbfp.exe 1604 Jaecod32.exe 2448 Jdcpkp32.exe 892 Jagpdd32.exe 2152 Jeclebja.exe 908 Jdflqo32.exe 2256 Kpojkp32.exe 2072 Kbmfgk32.exe 1500 Kigndekn.exe 1632 Kpdcfoph.exe 2216 Kbbobkol.exe 2568 Kpfplo32.exe 2760 Kechdf32.exe 2616 Kkpqlm32.exe 2820 Kajiigba.exe 1948 Lkbmbl32.exe 1748 Lgingm32.exe 2024 Lanbdf32.exe 2948 Lpabpcdf.exe 2928 Laqojfli.exe 1396 Ldokfakl.exe 1648 Ldahkaij.exe 688 Lgpdglhn.exe 1700 Mokilo32.exe -
Loads dropped DLL 64 IoCs
Processes:
4064514ef933656a4e797d528733c785c1f49ee05861691fab1100f89124841dN.exeOococb32.exeOabkom32.exePdgmlhha.exePghfnc32.exeAllefimb.exeAnbkipok.exeAqbdkk32.exeBkhhhd32.exeBigkel32.exeCoacbfii.exeCchbgi32.exeCgfkmgnj.exeDebadpeg.exeDphfbiem.exeEopphehb.exeEeiheo32.exeFiepea32.exeFigmjq32.exeFleifl32.exeFcpacf32.exeGhofam32.exeGkmbmh32.exeGjbpne32.exeGckdgjeb.exeGfkmie32.exeGnbejb32.exeHcajhi32.exeHfpfdeon.exeHiqoeplo.exeHnnhngjf.exeHegpjaac.exepid Process 2644 4064514ef933656a4e797d528733c785c1f49ee05861691fab1100f89124841dN.exe 2644 4064514ef933656a4e797d528733c785c1f49ee05861691fab1100f89124841dN.exe 2336 Oococb32.exe 2336 Oococb32.exe 2020 Oabkom32.exe 2020 Oabkom32.exe 2412 Pdgmlhha.exe 2412 Pdgmlhha.exe 2832 Pghfnc32.exe 2832 Pghfnc32.exe 2704 Allefimb.exe 2704 Allefimb.exe 2584 Anbkipok.exe 2584 Anbkipok.exe 1636 Aqbdkk32.exe 1636 Aqbdkk32.exe 1764 Bkhhhd32.exe 1764 Bkhhhd32.exe 2016 Bigkel32.exe 2016 Bigkel32.exe 1952 Coacbfii.exe 1952 Coacbfii.exe 2888 Cchbgi32.exe 2888 Cchbgi32.exe 1456 Cgfkmgnj.exe 1456 Cgfkmgnj.exe 2952 Debadpeg.exe 2952 Debadpeg.exe 2108 Dphfbiem.exe 2108 Dphfbiem.exe 2248 Eopphehb.exe 2248 Eopphehb.exe 2972 Eeiheo32.exe 2972 Eeiheo32.exe 1004 Fiepea32.exe 1004 Fiepea32.exe 1752 Figmjq32.exe 1752 Figmjq32.exe 744 Fleifl32.exe 744 Fleifl32.exe 1692 Fcpacf32.exe 1692 Fcpacf32.exe 2200 Ghofam32.exe 2200 Ghofam32.exe 2428 Gkmbmh32.exe 2428 Gkmbmh32.exe 2160 Gjbpne32.exe 2160 Gjbpne32.exe 1848 Gckdgjeb.exe 1848 Gckdgjeb.exe 2388 Gfkmie32.exe 2388 Gfkmie32.exe 2868 Gnbejb32.exe 2868 Gnbejb32.exe 1580 Hcajhi32.exe 1580 Hcajhi32.exe 2536 Hfpfdeon.exe 2536 Hfpfdeon.exe 2788 Hiqoeplo.exe 2788 Hiqoeplo.exe 2716 Hnnhngjf.exe 2716 Hnnhngjf.exe 2588 Hegpjaac.exe 2588 Hegpjaac.exe -
Drops file in System32 directory 64 IoCs
Processes:
Mopbgn32.exeBoemlbpk.exeBllcnega.exeLdkdckff.exeOckinl32.exeCbjnqh32.exeKbbobkol.exeAphcppmo.exeCchdpbog.exeJjnjqb32.exeGckdgjeb.exeKbmfgk32.exeLafahdcc.exeFbngfo32.exeJbphgpfg.exeKlfmijae.exeMobomnoq.exeBaefnmml.exeOiahnnji.exeFopnpaba.exeEpnhpglg.exeGpjmnh32.exeHjfnnajl.exeNnahgh32.exePebbcdkn.exeEcmjid32.exeObgnhkkh.exeGpogiglp.exeJcdadhjb.exeLdhgnk32.exeAdgein32.exeDgnjqe32.exeMfpmbf32.exeQifnhaho.exeOpialpld.exeFbpclofe.exeLolofd32.exeMhkfnlme.exeEcgjdong.exeJdcpkp32.exePbigmn32.exeGhbljk32.exeIinhdmma.exeKpgionie.exeBedhgj32.exeKechdf32.exeElgfkhpi.exeEpkepakn.exeMejmmqpd.exeNdafcmci.exeEeiheo32.exeJagpdd32.exeNkehql32.exeOnoqfehp.exeAphjjf32.exeBolcma32.exeCiokijfd.exeDjlfma32.exeHoqjqhjf.exeJnmiag32.exeLdahkaij.exeFppaej32.exedescription ioc Process File opened for modification C:\Windows\SysWOW64\Mobomnoq.exe Mopbgn32.exe File created C:\Windows\SysWOW64\Bacihmoo.exe Boemlbpk.exe File created C:\Windows\SysWOW64\Gjkaenpg.dll Bllcnega.exe File created C:\Windows\SysWOW64\Idfibfeh.dll Ldkdckff.exe File created C:\Windows\SysWOW64\Bamoho32.dll Ockinl32.exe File created C:\Windows\SysWOW64\Lbogaf32.dll Cbjnqh32.exe File opened for modification C:\Windows\SysWOW64\Kpfplo32.exe Kbbobkol.exe File created C:\Windows\SysWOW64\Aaipghcn.exe Aphcppmo.exe File created C:\Windows\SysWOW64\Cnnimkom.exe Cchdpbog.exe File opened for modification C:\Windows\SysWOW64\Jfekec32.exe Jjnjqb32.exe File opened for modification C:\Windows\SysWOW64\Gfkmie32.exe Gckdgjeb.exe File created C:\Windows\SysWOW64\Kigndekn.exe Kbmfgk32.exe File created C:\Windows\SysWOW64\Mkofaj32.exe Lafahdcc.exe File created C:\Windows\SysWOW64\Fjejch32.dll Fbngfo32.exe File opened for modification C:\Windows\SysWOW64\Jeoeclek.exe Jbphgpfg.exe File created C:\Windows\SysWOW64\Cedhlopf.dll Klfmijae.exe File created C:\Windows\SysWOW64\Poibnekg.dll Mobomnoq.exe File opened for modification C:\Windows\SysWOW64\Blkjkflb.exe Baefnmml.exe File created C:\Windows\SysWOW64\Nfbgoj32.dll Oiahnnji.exe File created C:\Windows\SysWOW64\Fobkfqpo.exe Fopnpaba.exe File created C:\Windows\SysWOW64\Efhqmadd.exe Epnhpglg.exe File created C:\Windows\SysWOW64\Gdfiofhn.exe Gpjmnh32.exe File created C:\Windows\SysWOW64\Hmdkjmip.exe Hjfnnajl.exe File created C:\Windows\SysWOW64\Nnahgh32.exe Nnahgh32.exe File opened for modification C:\Windows\SysWOW64\Pnkglj32.exe Pebbcdkn.exe File created C:\Windows\SysWOW64\Emeobj32.exe Ecmjid32.exe File created C:\Windows\SysWOW64\Onoqfehp.exe Oiahnnji.exe File created C:\Windows\SysWOW64\Ohdfqbio.exe Obgnhkkh.exe File created C:\Windows\SysWOW64\Fpflghlp.dll Gpogiglp.exe File opened for modification C:\Windows\SysWOW64\Jjnjqb32.exe Jcdadhjb.exe File created C:\Windows\SysWOW64\Ahcbfd32.dll Ldhgnk32.exe File opened for modification C:\Windows\SysWOW64\Afeaei32.exe Adgein32.exe File created C:\Windows\SysWOW64\Djlfma32.exe Dgnjqe32.exe File opened for modification C:\Windows\SysWOW64\Mlieoqgg.exe Mfpmbf32.exe File created C:\Windows\SysWOW64\Bknida32.dll Qifnhaho.exe File created C:\Windows\SysWOW64\Obgnhkkh.exe Opialpld.exe File created C:\Windows\SysWOW64\Aqgpml32.dll Hjfnnajl.exe File created C:\Windows\SysWOW64\Facdgl32.exe Fbpclofe.exe File created C:\Windows\SysWOW64\Ldhgnk32.exe Lolofd32.exe File created C:\Windows\SysWOW64\Bdedod32.dll Mhkfnlme.exe File created C:\Windows\SysWOW64\Ejabqi32.exe Ecgjdong.exe File created C:\Windows\SysWOW64\Dcibhnqq.dll Jdcpkp32.exe File created C:\Windows\SysWOW64\Cjedgmpi.dll Pbigmn32.exe File created C:\Windows\SysWOW64\Glpepj32.exe Ghbljk32.exe File created C:\Windows\SysWOW64\Iogpag32.exe Iinhdmma.exe File opened for modification C:\Windows\SysWOW64\Kfaalh32.exe Kpgionie.exe File created C:\Windows\SysWOW64\Blnpddeo.exe Bedhgj32.exe File created C:\Windows\SysWOW64\Lpkclikh.dll Kechdf32.exe File opened for modification C:\Windows\SysWOW64\Eoebgcol.exe Elgfkhpi.exe File created C:\Windows\SysWOW64\Ficfbkij.dll Epkepakn.exe File created C:\Windows\SysWOW64\Mdmmhn32.exe Mejmmqpd.exe File created C:\Windows\SysWOW64\Moiihmhq.dll Ndafcmci.exe File created C:\Windows\SysWOW64\Jagkpl32.dll Eeiheo32.exe File opened for modification C:\Windows\SysWOW64\Jeclebja.exe Jagpdd32.exe File opened for modification C:\Windows\SysWOW64\Nbpqmfmd.exe Nkehql32.exe File opened for modification C:\Windows\SysWOW64\Ockinl32.exe Onoqfehp.exe File created C:\Windows\SysWOW64\Aiaoclgl.exe Aphjjf32.exe File created C:\Windows\SysWOW64\Bbjpil32.exe Bolcma32.exe File opened for modification C:\Windows\SysWOW64\Cbgobp32.exe Ciokijfd.exe File opened for modification C:\Windows\SysWOW64\Dfcgbb32.exe Djlfma32.exe File created C:\Windows\SysWOW64\Daadna32.dll Hoqjqhjf.exe File opened for modification C:\Windows\SysWOW64\Jefbnacn.exe Jnmiag32.exe File opened for modification C:\Windows\SysWOW64\Lgpdglhn.exe Ldahkaij.exe File opened for modification C:\Windows\SysWOW64\Fmdbnnlj.exe Fppaej32.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target Process procid_target 5860 5836 WerFault.exe 495 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Fggmldfp.exeImogcj32.exePfnoegaf.exePidaba32.exeKlfmijae.exeMdmmhn32.exeAoomflpd.exeGibbgmfe.exeMonhjgkj.exePehcij32.exeCjljnn32.exeGkgoff32.exeInjqmdki.exeQlgndbil.exeDocopbaf.exeQldjdlgb.exeDifqji32.exeOgofkm32.exePhgannal.exeOabkom32.exeJlfnangf.exeJnmiag32.exePhobjp32.exeDmebcgbb.exeLklikj32.exeOnfabgch.exeHhoeii32.exeGhoijebj.exeLpfnckhe.exeEfmlqigc.exeGfkmie32.exeHiqoeplo.exeHoqjqhjf.exeOjpomh32.exeCbpbgk32.exeEcjgio32.exeJbclgf32.exeJedehaea.exeKekkiq32.exeHkbkpcpd.exeJeoeclek.exeCgfkmgnj.exePiieicgl.exeGdfiofhn.exeBceeqi32.exeAnbkipok.exeMbqkiind.exeOaogognm.exePbigmn32.exeJcciqi32.exeEppefg32.exePbdfgilj.exeGpjmnh32.exeNmflee32.exeApefjqob.exeHokjkbkp.exeIgmepdbc.exeDoabjbci.exeOococb32.exeCnejim32.exeMejmmqpd.exeBolcma32.exeQdlipplq.exeMdldeo32.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fggmldfp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imogcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfnoegaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pidaba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klfmijae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdmmhn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoomflpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gibbgmfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Monhjgkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pehcij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjljnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkgoff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Injqmdki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qlgndbil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Docopbaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qldjdlgb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Difqji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogofkm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phgannal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oabkom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlfnangf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnmiag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phobjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmebcgbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lklikj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onfabgch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhoeii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghoijebj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpfnckhe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efmlqigc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfkmie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hiqoeplo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoqjqhjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojpomh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbpbgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecjgio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbclgf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jedehaea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kekkiq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkbkpcpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jeoeclek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgfkmgnj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piieicgl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdfiofhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bceeqi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anbkipok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbqkiind.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaogognm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbigmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcciqi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eppefg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbdfgilj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpjmnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmflee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apefjqob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hokjkbkp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igmepdbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doabjbci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oococb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnejim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mejmmqpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bolcma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdlipplq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdldeo32.exe -
Modifies registry class 64 IoCs
Processes:
Nqokpd32.exeDilchhgg.exeFogdap32.exeGmlablaa.exeIbibfa32.exePgibdjln.exeHiqoeplo.exeMkipao32.exeOpialpld.exeCpbkhabp.exeHegpjaac.exeMhfjjdjf.exeDfcgbb32.exeEldiehbk.exeCqjhcfpc.exeAnbkipok.exeBkhhhd32.exeKigndekn.exeBknjfb32.exeKkjpggkn.exeCnabffeo.exeNmflee32.exePmehdh32.exeCfehhn32.exeOnfabgch.exeDmebcgbb.exeGdfiofhn.exeLdkdckff.exeJpbcek32.exePepfnd32.exeLpfnckhe.exeBnofaf32.exeQkielpdf.exeEogolc32.exeLibjncnc.exeFpmned32.exeImhqbkbm.exeMaanab32.exeFiepea32.exeEphdjeol.exeGhoijebj.exeDlboca32.exeIladfn32.exeHfjbmb32.exeHjfnnajl.exeNcgcdi32.exeOnjgkf32.exeDcjjkkji.exeBllcnega.exeDnpebj32.exeEmeobj32.exeHjggap32.exePaocnkph.exeFkhbgbkc.exeLgfjggll.exeNnahgh32.exeOabkom32.exePebbcdkn.exeIgmepdbc.exeKeango32.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nqokpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dilchhgg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fogdap32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmlablaa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibibfa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgibdjln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hiqoeplo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkipao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dociji32.dll" Opialpld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cpbkhabp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcqejkep.dll" Hegpjaac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bipalg32.dll" Mhfjjdjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfcgbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iodcmd32.dll" Eldiehbk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cqjhcfpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anbkipok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkhhhd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kigndekn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bknjfb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkjpggkn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnabffeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgkqcb32.dll" Cnabffeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmflee32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmehdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfehhn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onfabgch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbmdeh32.dll" Dmebcgbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgdkfk32.dll" Gdfiofhn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ldkdckff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpbpbbdb.dll" Jpbcek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pepfnd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpfnckhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alakfjbc.dll" Bnofaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qkielpdf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eogolc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Libjncnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpmned32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Imhqbkbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejdphkml.dll" Maanab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcjkhi32.dll" Fiepea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ephdjeol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oepbmk32.dll" Ghoijebj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdfiofhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dlboca32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iladfn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfjbmb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjfnnajl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdkiio32.dll" Ncgcdi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onjgkf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcjjkkji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjkaenpg.dll" Bllcnega.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dnpebj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nefmnm32.dll" Emeobj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjggap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkbolo32.dll" Paocnkph.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkhbgbkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dneoankp.dll" Lgfjggll.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nnahgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdhpmg32.dll" Oabkom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pebbcdkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpdhdajp.dll" Igmepdbc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emeobj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Keango32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onjgkf32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
4064514ef933656a4e797d528733c785c1f49ee05861691fab1100f89124841dN.exeOococb32.exeOabkom32.exePdgmlhha.exePghfnc32.exeAllefimb.exeAnbkipok.exeAqbdkk32.exeBkhhhd32.exeBigkel32.exeCoacbfii.exeCchbgi32.exeCgfkmgnj.exeDebadpeg.exeDphfbiem.exeEopphehb.exedescription pid Process procid_target PID 2644 wrote to memory of 2336 2644 4064514ef933656a4e797d528733c785c1f49ee05861691fab1100f89124841dN.exe 31 PID 2644 wrote to memory of 2336 2644 4064514ef933656a4e797d528733c785c1f49ee05861691fab1100f89124841dN.exe 31 PID 2644 wrote to memory of 2336 2644 4064514ef933656a4e797d528733c785c1f49ee05861691fab1100f89124841dN.exe 31 PID 2644 wrote to memory of 2336 2644 4064514ef933656a4e797d528733c785c1f49ee05861691fab1100f89124841dN.exe 31 PID 2336 wrote to memory of 2020 2336 Oococb32.exe 32 PID 2336 wrote to memory of 2020 2336 Oococb32.exe 32 PID 2336 wrote to memory of 2020 2336 Oococb32.exe 32 PID 2336 wrote to memory of 2020 2336 Oococb32.exe 32 PID 2020 wrote to memory of 2412 2020 Oabkom32.exe 33 PID 2020 wrote to memory of 2412 2020 Oabkom32.exe 33 PID 2020 wrote to memory of 2412 2020 Oabkom32.exe 33 PID 2020 wrote to memory of 2412 2020 Oabkom32.exe 33 PID 2412 wrote to memory of 2832 2412 Pdgmlhha.exe 34 PID 2412 wrote to memory of 2832 2412 Pdgmlhha.exe 34 PID 2412 wrote to memory of 2832 2412 Pdgmlhha.exe 34 PID 2412 wrote to memory of 2832 2412 Pdgmlhha.exe 34 PID 2832 wrote to memory of 2704 2832 Pghfnc32.exe 35 PID 2832 wrote to memory of 2704 2832 Pghfnc32.exe 35 PID 2832 wrote to memory of 2704 2832 Pghfnc32.exe 35 PID 2832 wrote to memory of 2704 2832 Pghfnc32.exe 35 PID 2704 wrote to memory of 2584 2704 Allefimb.exe 36 PID 2704 wrote to memory of 2584 2704 Allefimb.exe 36 PID 2704 wrote to memory of 2584 2704 Allefimb.exe 36 PID 2704 wrote to memory of 2584 2704 Allefimb.exe 36 PID 2584 wrote to memory of 1636 2584 Anbkipok.exe 37 PID 2584 wrote to memory of 1636 2584 Anbkipok.exe 37 PID 2584 wrote to memory of 1636 2584 Anbkipok.exe 37 PID 2584 wrote to memory of 1636 2584 Anbkipok.exe 37 PID 1636 wrote to memory of 1764 1636 Aqbdkk32.exe 38 PID 1636 wrote to memory of 1764 1636 Aqbdkk32.exe 38 PID 1636 wrote to memory of 1764 1636 Aqbdkk32.exe 38 PID 1636 wrote to memory of 1764 1636 Aqbdkk32.exe 38 PID 1764 wrote to memory of 2016 1764 Bkhhhd32.exe 39 PID 1764 wrote to memory of 2016 1764 Bkhhhd32.exe 39 PID 1764 wrote to memory of 2016 1764 Bkhhhd32.exe 39 PID 1764 wrote to memory of 2016 1764 Bkhhhd32.exe 39 PID 2016 wrote to memory of 1952 2016 Bigkel32.exe 40 PID 2016 wrote to memory of 1952 2016 Bigkel32.exe 40 PID 2016 wrote to memory of 1952 2016 Bigkel32.exe 40 PID 2016 wrote to memory of 1952 2016 Bigkel32.exe 40 PID 1952 wrote to memory of 2888 1952 Coacbfii.exe 41 PID 1952 wrote to memory of 2888 1952 Coacbfii.exe 41 PID 1952 wrote to memory of 2888 1952 Coacbfii.exe 41 PID 1952 wrote to memory of 2888 1952 Coacbfii.exe 41 PID 2888 wrote to memory of 1456 2888 Cchbgi32.exe 42 PID 2888 wrote to memory of 1456 2888 Cchbgi32.exe 42 PID 2888 wrote to memory of 1456 2888 Cchbgi32.exe 42 PID 2888 wrote to memory of 1456 2888 Cchbgi32.exe 42 PID 1456 wrote to memory of 2952 1456 Cgfkmgnj.exe 43 PID 1456 wrote to memory of 2952 1456 Cgfkmgnj.exe 43 PID 1456 wrote to memory of 2952 1456 Cgfkmgnj.exe 43 PID 1456 wrote to memory of 2952 1456 Cgfkmgnj.exe 43 PID 2952 wrote to memory of 2108 2952 Debadpeg.exe 44 PID 2952 wrote to memory of 2108 2952 Debadpeg.exe 44 PID 2952 wrote to memory of 2108 2952 Debadpeg.exe 44 PID 2952 wrote to memory of 2108 2952 Debadpeg.exe 44 PID 2108 wrote to memory of 2248 2108 Dphfbiem.exe 45 PID 2108 wrote to memory of 2248 2108 Dphfbiem.exe 45 PID 2108 wrote to memory of 2248 2108 Dphfbiem.exe 45 PID 2108 wrote to memory of 2248 2108 Dphfbiem.exe 45 PID 2248 wrote to memory of 2972 2248 Eopphehb.exe 46 PID 2248 wrote to memory of 2972 2248 Eopphehb.exe 46 PID 2248 wrote to memory of 2972 2248 Eopphehb.exe 46 PID 2248 wrote to memory of 2972 2248 Eopphehb.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\4064514ef933656a4e797d528733c785c1f49ee05861691fab1100f89124841dN.exe"C:\Users\Admin\AppData\Local\Temp\4064514ef933656a4e797d528733c785c1f49ee05861691fab1100f89124841dN.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Oococb32.exeC:\Windows\system32\Oococb32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Windows\SysWOW64\Oabkom32.exeC:\Windows\system32\Oabkom32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\Windows\SysWOW64\Pdgmlhha.exeC:\Windows\system32\Pdgmlhha.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\Pghfnc32.exeC:\Windows\system32\Pghfnc32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\Allefimb.exeC:\Windows\system32\Allefimb.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Anbkipok.exeC:\Windows\system32\Anbkipok.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Aqbdkk32.exeC:\Windows\system32\Aqbdkk32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\SysWOW64\Bkhhhd32.exeC:\Windows\system32\Bkhhhd32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1764 -
C:\Windows\SysWOW64\Bigkel32.exeC:\Windows\system32\Bigkel32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\SysWOW64\Coacbfii.exeC:\Windows\system32\Coacbfii.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1952 -
C:\Windows\SysWOW64\Cchbgi32.exeC:\Windows\system32\Cchbgi32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\Cgfkmgnj.exeC:\Windows\system32\Cgfkmgnj.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1456 -
C:\Windows\SysWOW64\Debadpeg.exeC:\Windows\system32\Debadpeg.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\SysWOW64\Dphfbiem.exeC:\Windows\system32\Dphfbiem.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Windows\SysWOW64\Eopphehb.exeC:\Windows\system32\Eopphehb.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\SysWOW64\Eeiheo32.exeC:\Windows\system32\Eeiheo32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2972 -
C:\Windows\SysWOW64\Fiepea32.exeC:\Windows\system32\Fiepea32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1004 -
C:\Windows\SysWOW64\Figmjq32.exeC:\Windows\system32\Figmjq32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1752 -
C:\Windows\SysWOW64\Fleifl32.exeC:\Windows\system32\Fleifl32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:744 -
C:\Windows\SysWOW64\Fcpacf32.exeC:\Windows\system32\Fcpacf32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1692 -
C:\Windows\SysWOW64\Ghofam32.exeC:\Windows\system32\Ghofam32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2200 -
C:\Windows\SysWOW64\Gkmbmh32.exeC:\Windows\system32\Gkmbmh32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2428 -
C:\Windows\SysWOW64\Gjbpne32.exeC:\Windows\system32\Gjbpne32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2160 -
C:\Windows\SysWOW64\Gckdgjeb.exeC:\Windows\system32\Gckdgjeb.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1848 -
C:\Windows\SysWOW64\Gfkmie32.exeC:\Windows\system32\Gfkmie32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2388 -
C:\Windows\SysWOW64\Gnbejb32.exeC:\Windows\system32\Gnbejb32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2868 -
C:\Windows\SysWOW64\Hcajhi32.exeC:\Windows\system32\Hcajhi32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1580 -
C:\Windows\SysWOW64\Hfpfdeon.exeC:\Windows\system32\Hfpfdeon.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2536 -
C:\Windows\SysWOW64\Hiqoeplo.exeC:\Windows\system32\Hiqoeplo.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2788 -
C:\Windows\SysWOW64\Hnnhngjf.exeC:\Windows\system32\Hnnhngjf.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2716 -
C:\Windows\SysWOW64\Hegpjaac.exeC:\Windows\system32\Hegpjaac.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2588 -
C:\Windows\SysWOW64\Hjgehgnh.exeC:\Windows\system32\Hjgehgnh.exe33⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Indnnfdn.exeC:\Windows\system32\Indnnfdn.exe34⤵
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Ieofkp32.exeC:\Windows\system32\Ieofkp32.exe35⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Ijkocg32.exeC:\Windows\system32\Ijkocg32.exe36⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Iphgln32.exeC:\Windows\system32\Iphgln32.exe37⤵
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\Iladfn32.exeC:\Windows\system32\Iladfn32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:1992 -
C:\Windows\SysWOW64\Ifgicg32.exeC:\Windows\system32\Ifgicg32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Jlfnangf.exeC:\Windows\system32\Jlfnangf.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1312 -
C:\Windows\SysWOW64\Jbpfnh32.exeC:\Windows\system32\Jbpfnh32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Jijokbfp.exeC:\Windows\system32\Jijokbfp.exe42⤵
- Executes dropped EXE
PID:776 -
C:\Windows\SysWOW64\Jaecod32.exeC:\Windows\system32\Jaecod32.exe43⤵
- Executes dropped EXE
PID:1604 -
C:\Windows\SysWOW64\Jdcpkp32.exeC:\Windows\system32\Jdcpkp32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2448 -
C:\Windows\SysWOW64\Jagpdd32.exeC:\Windows\system32\Jagpdd32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:892 -
C:\Windows\SysWOW64\Jeclebja.exeC:\Windows\system32\Jeclebja.exe46⤵
- Executes dropped EXE
PID:2152 -
C:\Windows\SysWOW64\Jdflqo32.exeC:\Windows\system32\Jdflqo32.exe47⤵
- Executes dropped EXE
PID:908 -
C:\Windows\SysWOW64\Kpojkp32.exeC:\Windows\system32\Kpojkp32.exe48⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Kbmfgk32.exeC:\Windows\system32\Kbmfgk32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2072 -
C:\Windows\SysWOW64\Kigndekn.exeC:\Windows\system32\Kigndekn.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:1500 -
C:\Windows\SysWOW64\Kpdcfoph.exeC:\Windows\system32\Kpdcfoph.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1632 -
C:\Windows\SysWOW64\Kbbobkol.exeC:\Windows\system32\Kbbobkol.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2216 -
C:\Windows\SysWOW64\Kpfplo32.exeC:\Windows\system32\Kpfplo32.exe53⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Kechdf32.exeC:\Windows\system32\Kechdf32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2760 -
C:\Windows\SysWOW64\Kkpqlm32.exeC:\Windows\system32\Kkpqlm32.exe55⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Kajiigba.exeC:\Windows\system32\Kajiigba.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Lkbmbl32.exeC:\Windows\system32\Lkbmbl32.exe57⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Lgingm32.exeC:\Windows\system32\Lgingm32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Lanbdf32.exeC:\Windows\system32\Lanbdf32.exe59⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Lpabpcdf.exeC:\Windows\system32\Lpabpcdf.exe60⤵
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Laqojfli.exeC:\Windows\system32\Laqojfli.exe61⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Ldokfakl.exeC:\Windows\system32\Ldokfakl.exe62⤵
- Executes dropped EXE
PID:1396 -
C:\Windows\SysWOW64\Ldahkaij.exeC:\Windows\system32\Ldahkaij.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1648 -
C:\Windows\SysWOW64\Lgpdglhn.exeC:\Windows\system32\Lgpdglhn.exe64⤵
- Executes dropped EXE
PID:688 -
C:\Windows\SysWOW64\Mokilo32.exeC:\Windows\system32\Mokilo32.exe65⤵
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\Mgbaml32.exeC:\Windows\system32\Mgbaml32.exe66⤵PID:1436
-
C:\Windows\SysWOW64\Mqjefamk.exeC:\Windows\system32\Mqjefamk.exe67⤵PID:2532
-
C:\Windows\SysWOW64\Mciabmlo.exeC:\Windows\system32\Mciabmlo.exe68⤵PID:1484
-
C:\Windows\SysWOW64\Mhfjjdjf.exeC:\Windows\system32\Mhfjjdjf.exe69⤵
- Modifies registry class
PID:1340 -
C:\Windows\SysWOW64\Mopbgn32.exeC:\Windows\system32\Mopbgn32.exe70⤵
- Drops file in System32 directory
PID:2364 -
C:\Windows\SysWOW64\Mobomnoq.exeC:\Windows\system32\Mobomnoq.exe71⤵
- Drops file in System32 directory
PID:3016 -
C:\Windows\SysWOW64\Mbqkiind.exeC:\Windows\system32\Mbqkiind.exe72⤵
- System Location Discovery: System Language Discovery
PID:2720 -
C:\Windows\SysWOW64\Mkipao32.exeC:\Windows\system32\Mkipao32.exe73⤵
- Modifies registry class
PID:2608 -
C:\Windows\SysWOW64\Nkkmgncb.exeC:\Windows\system32\Nkkmgncb.exe74⤵PID:2728
-
C:\Windows\SysWOW64\Nbeedh32.exeC:\Windows\system32\Nbeedh32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2680 -
C:\Windows\SysWOW64\Nqhepeai.exeC:\Windows\system32\Nqhepeai.exe76⤵PID:1564
-
C:\Windows\SysWOW64\Njpihk32.exeC:\Windows\system32\Njpihk32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2768 -
C:\Windows\SysWOW64\Nfgjml32.exeC:\Windows\system32\Nfgjml32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1352 -
C:\Windows\SysWOW64\Nppofado.exeC:\Windows\system32\Nppofado.exe79⤵PID:1736
-
C:\Windows\SysWOW64\Nihcog32.exeC:\Windows\system32\Nihcog32.exe80⤵PID:2172
-
C:\Windows\SysWOW64\Nqokpd32.exeC:\Windows\system32\Nqokpd32.exe81⤵
- Modifies registry class
PID:1672 -
C:\Windows\SysWOW64\Ncmglp32.exeC:\Windows\system32\Ncmglp32.exe82⤵PID:692
-
C:\Windows\SysWOW64\Nmflee32.exeC:\Windows\system32\Nmflee32.exe83⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:576 -
C:\Windows\SysWOW64\Oniebmda.exeC:\Windows\system32\Oniebmda.exe84⤵PID:1856
-
C:\Windows\SysWOW64\Opialpld.exeC:\Windows\system32\Opialpld.exe85⤵
- Drops file in System32 directory
- Modifies registry class
PID:1532 -
C:\Windows\SysWOW64\Obgnhkkh.exeC:\Windows\system32\Obgnhkkh.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2144 -
C:\Windows\SysWOW64\Ohdfqbio.exeC:\Windows\system32\Ohdfqbio.exe87⤵PID:2712
-
C:\Windows\SysWOW64\Ojbbmnhc.exeC:\Windows\system32\Ojbbmnhc.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2668 -
C:\Windows\SysWOW64\Ohfcfb32.exeC:\Windows\system32\Ohfcfb32.exe89⤵PID:2676
-
C:\Windows\SysWOW64\Oaogognm.exeC:\Windows\system32\Oaogognm.exe90⤵
- System Location Discovery: System Language Discovery
PID:2700 -
C:\Windows\SysWOW64\Ojglhm32.exeC:\Windows\system32\Ojglhm32.exe91⤵PID:2880
-
C:\Windows\SysWOW64\Pmehdh32.exeC:\Windows\system32\Pmehdh32.exe92⤵
- Modifies registry class
PID:1884 -
C:\Windows\SysWOW64\Pdppqbkn.exeC:\Windows\system32\Pdppqbkn.exe93⤵PID:2932
-
C:\Windows\SysWOW64\Pmjaohol.exeC:\Windows\system32\Pmjaohol.exe94⤵PID:2656
-
C:\Windows\SysWOW64\Pfbfhm32.exeC:\Windows\system32\Pfbfhm32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:968 -
C:\Windows\SysWOW64\Piabdiep.exeC:\Windows\system32\Piabdiep.exe96⤵PID:2188
-
C:\Windows\SysWOW64\Pbigmn32.exeC:\Windows\system32\Pbigmn32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1348 -
C:\Windows\SysWOW64\Pehcij32.exeC:\Windows\system32\Pehcij32.exe98⤵
- System Location Discovery: System Language Discovery
PID:632 -
C:\Windows\SysWOW64\Popgboae.exeC:\Windows\system32\Popgboae.exe99⤵PID:2268
-
C:\Windows\SysWOW64\Paocnkph.exeC:\Windows\system32\Paocnkph.exe100⤵
- Modifies registry class
PID:2452 -
C:\Windows\SysWOW64\Qldhkc32.exeC:\Windows\system32\Qldhkc32.exe101⤵PID:2280
-
C:\Windows\SysWOW64\Qkielpdf.exeC:\Windows\system32\Qkielpdf.exe102⤵
- Modifies registry class
PID:2692 -
C:\Windows\SysWOW64\Aacmij32.exeC:\Windows\system32\Aacmij32.exe103⤵PID:2964
-
C:\Windows\SysWOW64\Adaiee32.exeC:\Windows\system32\Adaiee32.exe104⤵PID:1728
-
C:\Windows\SysWOW64\Aognbnkm.exeC:\Windows\system32\Aognbnkm.exe105⤵PID:2372
-
C:\Windows\SysWOW64\Aphjjf32.exeC:\Windows\system32\Aphjjf32.exe106⤵
- Drops file in System32 directory
PID:1516 -
C:\Windows\SysWOW64\Aiaoclgl.exeC:\Windows\system32\Aiaoclgl.exe107⤵PID:2044
-
C:\Windows\SysWOW64\Apkgpf32.exeC:\Windows\system32\Apkgpf32.exe108⤵PID:1088
-
C:\Windows\SysWOW64\Akpkmo32.exeC:\Windows\system32\Akpkmo32.exe109⤵PID:408
-
C:\Windows\SysWOW64\Anogijnb.exeC:\Windows\system32\Anogijnb.exe110⤵PID:2960
-
C:\Windows\SysWOW64\Ajehnk32.exeC:\Windows\system32\Ajehnk32.exe111⤵PID:1240
-
C:\Windows\SysWOW64\Aobpfb32.exeC:\Windows\system32\Aobpfb32.exe112⤵PID:1528
-
C:\Windows\SysWOW64\Blfapfpg.exeC:\Windows\system32\Blfapfpg.exe113⤵PID:2312
-
C:\Windows\SysWOW64\Boemlbpk.exeC:\Windows\system32\Boemlbpk.exe114⤵
- Drops file in System32 directory
PID:1936 -
C:\Windows\SysWOW64\Bacihmoo.exeC:\Windows\system32\Bacihmoo.exe115⤵PID:2408
-
C:\Windows\SysWOW64\Baefnmml.exeC:\Windows\system32\Baefnmml.exe116⤵
- Drops file in System32 directory
PID:2884 -
C:\Windows\SysWOW64\Blkjkflb.exeC:\Windows\system32\Blkjkflb.exe117⤵PID:1852
-
C:\Windows\SysWOW64\Bknjfb32.exeC:\Windows\system32\Bknjfb32.exe118⤵
- Modifies registry class
PID:1652 -
C:\Windows\SysWOW64\Bolcma32.exeC:\Windows\system32\Bolcma32.exe119⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1180 -
C:\Windows\SysWOW64\Bbjpil32.exeC:\Windows\system32\Bbjpil32.exe120⤵PID:1476
-
C:\Windows\SysWOW64\Bhdhefpc.exeC:\Windows\system32\Bhdhefpc.exe121⤵PID:2416
-
C:\Windows\SysWOW64\Bkbdabog.exeC:\Windows\system32\Bkbdabog.exe122⤵PID:1860
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-