Analysis
-
max time kernel
93s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
23-11-2024 23:35
Behavioral task
behavioral1
Sample
6d265d06258cf42e6043dcafc72142a8490bff59110496fc5f4eb5c89b3538ff.exe
Resource
win7-20240903-en
windows7-x64
12 signatures
150 seconds
General
-
Target
6d265d06258cf42e6043dcafc72142a8490bff59110496fc5f4eb5c89b3538ff.exe
-
Size
93KB
-
MD5
e2ac425fd720050155a8dd115189ef02
-
SHA1
fb2bc9525e218477a731fd0e077d13a5c26ae18c
-
SHA256
6d265d06258cf42e6043dcafc72142a8490bff59110496fc5f4eb5c89b3538ff
-
SHA512
d6d2fca73e097108ab615dda135f938b04ff30d3576f1aedf0c73ccd52c04d2aa5909df94948133e497ab853aa8cd9ffeac4cd236a021500b9e7a162f0c1cb06
-
SSDEEP
1536:Q+3gYxrEcHdv0axAWnUxMw1L/Wj8PH4EGOky1DaYfMZRWuLsV+1J:93gYpEcxy/Wj8AMgYfc0DV+1J
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Afbgkl32.exeAbbkcpma.exeFjhacf32.exeKjepjkhf.exeCfkmkf32.exeEiahnnph.exeJbaojpgb.exeIkbfgppo.exeJlolpq32.exeBlhpqhlh.exeCoknoaic.exeNjfagf32.exeDkahilkl.exeOcgkan32.exeKiejmi32.exeNjmhhefi.exeChiblk32.exeGiecfejd.exeIogopi32.exeJjgchm32.exeNbnlaldg.exeIakiia32.exeIpoopgnf.exeConanfli.exeKqbkfkal.exePkegpb32.exeJhgiim32.exeKhiofk32.exeKjhcjq32.exeNihipdhl.exeFjohde32.exeLnldla32.exeIhmfco32.exeEcgcfm32.exeApodoq32.exeFkhpfbce.exeGihpkd32.exeJhkbdmbg.exeKabcopmg.exeBajqda32.exeHhfpbpdo.exeKmaopfjm.exeLgqfdnah.exeHifcgion.exeImiehfao.exeOalipoiq.exeIajdgcab.exePimfpc32.exeFgbfhmll.exeFpmggb32.exeEjchhgid.exeIjcjmmil.exeJgbjbp32.exeDmfeidbe.exeKcndbp32.exeJeocna32.exeNfgklkoc.exeJkgpbp32.exeJklinohd.exeFiaael32.exeGmafajfi.exeHbnaeh32.exeEpagkd32.exedescription ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afbgkl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abbkcpma.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjhacf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjepjkhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfkmkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eiahnnph.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbaojpgb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikbfgppo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlolpq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blhpqhlh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Coknoaic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njfagf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkahilkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocgkan32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kiejmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njmhhefi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chiblk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Giecfejd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iogopi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjgchm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbnlaldg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iakiia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipoopgnf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Conanfli.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kqbkfkal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkegpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhgiim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khiofk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjhcjq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nihipdhl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjohde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnldla32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihmfco32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecgcfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apodoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkhpfbce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gihpkd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhkbdmbg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kabcopmg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bajqda32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhfpbpdo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmaopfjm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgqfdnah.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njfagf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hifcgion.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imiehfao.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oalipoiq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iajdgcab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pimfpc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgbfhmll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpmggb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejchhgid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijcjmmil.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgbjbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmfeidbe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcndbp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jeocna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfgklkoc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkgpbp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jklinohd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fiaael32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmafajfi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbnaeh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epagkd32.exe -
Berbew family
-
Njrat family
-
Executes dropped EXE 64 IoCs
Processes:
Efhcbodf.exeEpagkd32.exeEjflhm32.exeEaqdegaj.exeEfmmmn32.exeFkihnmhj.exeFdamgb32.exeFmjaphek.exeFgbfhmll.exeFmlneg32.exeFgdbnmji.exeFpmggb32.exeFielph32.exeGgilil32.exeGaopfe32.exeGgkiol32.exeGmeakf32.exeGgnedlao.exeGnhnaf32.exeGpfjma32.exeGgpbjkpl.exeGinnfgop.exeGddbcp32.exeGgbook32.exeHkpheidp.exeHgghjjid.exeHjhalefe.exeHglaej32.exeHdpbon32.exeHnhghcki.exeInjcmc32.exeIjadbdoj.exeIgedlh32.exeIakiia32.exeIhdafkdg.exeIkejgf32.exeIbobdqid.exeJnfcia32.exeJbaojpgb.exeJklphekp.exeJgcamf32.exeJjamia32.exeKiejmi32.exeKjhcjq32.exeKqbkfkal.exeKjmmepfj.exeKniieo32.exeKinmcg32.exeKjpijpdg.exeLgcjdd32.exeLbinam32.exeLalnmiia.exeLicfngjd.exeLjdceo32.exeLejgch32.exeLieccf32.exeLldopb32.exeLbngllob.exeLelchgne.exeLjilqnlm.exeLacdmh32.exeLeopnglc.exeMbbagk32.exeMlkepaam.exepid Process 1696 Efhcbodf.exe 4160 Epagkd32.exe 3624 Ejflhm32.exe 4936 Eaqdegaj.exe 4916 Efmmmn32.exe 2000 Fkihnmhj.exe 5000 Fdamgb32.exe 1428 Fmjaphek.exe 2096 Fgbfhmll.exe 2328 Fmlneg32.exe 2668 Fgdbnmji.exe 3912 Fpmggb32.exe 1712 Fielph32.exe 1248 Ggilil32.exe 3776 Gaopfe32.exe 4568 Ggkiol32.exe 3832 Gmeakf32.exe 2800 Ggnedlao.exe 3496 Gnhnaf32.exe 2892 Gpfjma32.exe 2664 Ggpbjkpl.exe 3664 Ginnfgop.exe 4120 Gddbcp32.exe 4424 Ggbook32.exe 3992 Hkpheidp.exe 380 Hgghjjid.exe 4000 Hjhalefe.exe 4080 Hglaej32.exe 1704 Hdpbon32.exe 60 Hnhghcki.exe 4316 Injcmc32.exe 4960 Ijadbdoj.exe 2580 Igedlh32.exe 528 Iakiia32.exe 1892 Ihdafkdg.exe 2900 Ikejgf32.exe 2940 Ibobdqid.exe 1504 Jnfcia32.exe 4032 Jbaojpgb.exe 4504 Jklphekp.exe 4284 Jgcamf32.exe 2348 Jjamia32.exe 3064 Kiejmi32.exe 4904 Kjhcjq32.exe 2224 Kqbkfkal.exe 1896 Kjmmepfj.exe 4844 Kniieo32.exe 2860 Kinmcg32.exe 4092 Kjpijpdg.exe 2192 Lgcjdd32.exe 1380 Lbinam32.exe 1904 Lalnmiia.exe 748 Licfngjd.exe 2596 Ljdceo32.exe 3356 Lejgch32.exe 1232 Lieccf32.exe 3360 Lldopb32.exe 964 Lbngllob.exe 3200 Lelchgne.exe 4616 Ljilqnlm.exe 4528 Lacdmh32.exe 4900 Leopnglc.exe 4656 Mbbagk32.exe 452 Mlkepaam.exe -
Drops file in System32 directory 64 IoCs
Processes:
Apmhiq32.exeFbgihaji.exeDoagjc32.exeEqlfhjig.exeIhdafkdg.exeLbinam32.exePimfpc32.exeIbegfglj.exeHkpheidp.exeDkdliame.exeHiiggoaf.exeOpbean32.exeBdpaeehj.exeEkdnei32.exeHmdlmg32.exeKdigadjo.exeFqeioiam.exeDpnkdq32.exeLgqfdnah.exePidlqb32.exeIkbfgppo.exeCfkmkf32.exeFmhdkknd.exeFgbfhmll.exeKgdpni32.exePfoann32.exeInjcmc32.exeLmbhgd32.exePmnbfhal.exeLhenai32.exeEmmkiclm.exeGbdoof32.exeIjqmhnko.exeNqoloc32.exeKjhcjq32.exeEqgmmk32.exePfdjinjo.exeOondnini.exeEjchhgid.exeGpfjma32.exeNihipdhl.exeOhhnbhok.exeGnhnaf32.exeEkajec32.exeJinboekc.exeFkmjaa32.exeIpgkjlmg.exeCmflbf32.exeJkimho32.exeJlkipgpe.exeIbaeen32.exeCoqncejg.exeNmhijd32.exeAkglloai.exeKniieo32.exeBkdcbd32.exeJhkbdmbg.exePcgdhkem.exeFmjaphek.exeGgilil32.exeBjnmpl32.exeJcbdgb32.exedescription ioc Process File opened for modification C:\Windows\SysWOW64\Aggpfkjj.exe Apmhiq32.exe File created C:\Windows\SysWOW64\Fiaael32.exe Fbgihaji.exe File created C:\Windows\SysWOW64\Acankf32.dll Doagjc32.exe File opened for modification C:\Windows\SysWOW64\Ehbnigjj.exe Eqlfhjig.exe File opened for modification C:\Windows\SysWOW64\Ikejgf32.exe Ihdafkdg.exe File created C:\Windows\SysWOW64\Mnggge32.dll Lbinam32.exe File created C:\Windows\SysWOW64\Anlkecaj.dll Pimfpc32.exe File opened for modification C:\Windows\SysWOW64\Iiopca32.exe Ibegfglj.exe File opened for modification C:\Windows\SysWOW64\Hgghjjid.exe Hkpheidp.exe File created C:\Windows\SysWOW64\Binnimfj.dll Dkdliame.exe File created C:\Windows\SysWOW64\Ljeffhcd.dll Hiiggoaf.exe File created C:\Windows\SysWOW64\Oflmnh32.exe Opbean32.exe File created C:\Windows\SysWOW64\Bkjiao32.exe Bdpaeehj.exe File created C:\Windows\SysWOW64\Hojncj32.dll Ekdnei32.exe File created C:\Windows\SysWOW64\Lciibdmj.dll Hmdlmg32.exe File created C:\Windows\SysWOW64\Iophkojl.dll Kdigadjo.exe File created C:\Windows\SysWOW64\Paoinm32.dll Fqeioiam.exe File created C:\Windows\SysWOW64\Difpmfna.exe Dpnkdq32.exe File opened for modification C:\Windows\SysWOW64\Lklbdm32.exe Lgqfdnah.exe File opened for modification C:\Windows\SysWOW64\Pblajhje.exe Pidlqb32.exe File created C:\Windows\SysWOW64\Inqbclob.exe Ikbfgppo.exe File opened for modification C:\Windows\SysWOW64\Kclgmq32.exe Kdigadjo.exe File opened for modification C:\Windows\SysWOW64\Cbbnpg32.exe Cfkmkf32.exe File opened for modification C:\Windows\SysWOW64\Fechomko.exe Fmhdkknd.exe File created C:\Windows\SysWOW64\Jgnboabc.dll Fgbfhmll.exe File created C:\Windows\SysWOW64\Kckqbj32.exe Kgdpni32.exe File created C:\Windows\SysWOW64\Cedckdaj.dll Pfoann32.exe File opened for modification C:\Windows\SysWOW64\Ijadbdoj.exe Injcmc32.exe File created C:\Windows\SysWOW64\Lmdemd32.exe Lmbhgd32.exe File created C:\Windows\SysWOW64\Pjajmpkj.dll Ikbfgppo.exe File opened for modification C:\Windows\SysWOW64\Pplobcpp.exe Pmnbfhal.exe File opened for modification C:\Windows\SysWOW64\Ljdkll32.exe Lhenai32.exe File opened for modification C:\Windows\SysWOW64\Ecgcfm32.exe Emmkiclm.exe File created C:\Windows\SysWOW64\Gmiclo32.exe Gbdoof32.exe File created C:\Windows\SysWOW64\Mociom32.dll Ijqmhnko.exe File opened for modification C:\Windows\SysWOW64\Nijqcf32.exe Nqoloc32.exe File opened for modification C:\Windows\SysWOW64\Kqbkfkal.exe Kjhcjq32.exe File created C:\Windows\SysWOW64\Oncelonn.dll Eqgmmk32.exe File created C:\Windows\SysWOW64\Pmnbfhal.exe Pfdjinjo.exe File created C:\Windows\SysWOW64\Mgekdpbp.dll Oondnini.exe File created C:\Windows\SysWOW64\Blickdlj.dll Ejchhgid.exe File created C:\Windows\SysWOW64\Nlcagc32.dll Gpfjma32.exe File created C:\Windows\SysWOW64\Neafjdkn.exe Nihipdhl.exe File created C:\Windows\SysWOW64\Ohkkhhmh.exe Ohhnbhok.exe File opened for modification C:\Windows\SysWOW64\Gpfjma32.exe Gnhnaf32.exe File created C:\Windows\SysWOW64\Fpmfmgnc.dll Ekajec32.exe File opened for modification C:\Windows\SysWOW64\Jcfggkac.exe Jinboekc.exe File created C:\Windows\SysWOW64\Bpfljc32.dll Fkmjaa32.exe File created C:\Windows\SysWOW64\Aglmllpq.dll Ipgkjlmg.exe File created C:\Windows\SysWOW64\Acpklg32.dll Cmflbf32.exe File opened for modification C:\Windows\SysWOW64\Jlkipgpe.exe Jkimho32.exe File created C:\Windows\SysWOW64\Nfamlc32.dll Jlkipgpe.exe File created C:\Windows\SysWOW64\Iepaaico.exe Ibaeen32.exe File opened for modification C:\Windows\SysWOW64\Chiblk32.exe Coqncejg.exe File opened for modification C:\Windows\SysWOW64\Niojoeel.exe Nmhijd32.exe File created C:\Windows\SysWOW64\Eglmfnhm.dll Akglloai.exe File created C:\Windows\SysWOW64\Kinmcg32.exe Kniieo32.exe File created C:\Windows\SysWOW64\Cfigpm32.exe Bkdcbd32.exe File created C:\Windows\SysWOW64\Jeocna32.exe Jhkbdmbg.exe File created C:\Windows\SysWOW64\Gbhibfek.dll Pcgdhkem.exe File created C:\Windows\SysWOW64\Kjcejfha.dll Fmjaphek.exe File created C:\Windows\SysWOW64\Gaopfe32.exe Ggilil32.exe File created C:\Windows\SysWOW64\Cfapoa32.dll Bjnmpl32.exe File created C:\Windows\SysWOW64\Inngdb32.dll Jcbdgb32.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target Process procid_target 11420 11112 WerFault.exe 654 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Hbnaeh32.exeJcphab32.exeJlolpq32.exeMmfkhmdi.exeGbpedjnb.exeKqbkfkal.exeOalipoiq.exeAagkhd32.exePjcikejg.exeIhdafkdg.exeKcmmhj32.exeIeojgc32.exeMlljnf32.exeFllkqn32.exeJjjpnlbd.exePahilmoc.exeGegkpf32.exeBgpcliao.exeHglaej32.exeCkkiccep.exeEclmamod.exeKeimof32.exeEoideh32.exeGbeejp32.exeDbocfo32.exeOcgkan32.exeEcgcfm32.exeDngjff32.exeLikhem32.exeLlnnmhfe.exeLbinam32.exeGmiclo32.exeOhhnbhok.exeHifcgion.exeLegben32.exeLldopb32.exeJkimho32.exeQhmqdemc.exeAnmfbl32.exeDifpmfna.exeHiiggoaf.exeEokqkh32.exeJoqafgni.exeEpagkd32.exeLgcjdd32.exeElgaeolp.exeIjcjmmil.exeChiblk32.exeEhbnigjj.exeGgkiol32.exeAlnmjjdb.exeDlkbjqgm.exeIgdnabjh.exeIgedlh32.exeIggjga32.exeMglfplgk.exeNmhijd32.exeLacdmh32.exeDmfeidbe.exeDdifgk32.exeMcoljagj.exePmblagmf.exeAkpoaj32.exeLhenai32.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbnaeh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcphab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlolpq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmfkhmdi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbpedjnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kqbkfkal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oalipoiq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aagkhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjcikejg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihdafkdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcmmhj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieojgc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlljnf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fllkqn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjjpnlbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pahilmoc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gegkpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgpcliao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hglaej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckkiccep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eclmamod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keimof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eoideh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbeejp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbocfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocgkan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecgcfm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dngjff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Likhem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llnnmhfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbinam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmiclo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohhnbhok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hifcgion.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Legben32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lldopb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkimho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhmqdemc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anmfbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Difpmfna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hiiggoaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eokqkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joqafgni.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epagkd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgcjdd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elgaeolp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijcjmmil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chiblk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehbnigjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggkiol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alnmjjdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlkbjqgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igdnabjh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igedlh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iggjga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mglfplgk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmhijd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lacdmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmfeidbe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddifgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcoljagj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmblagmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akpoaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhenai32.exe -
Modifies registry class 64 IoCs
Processes:
Ohcegi32.exeOalipoiq.exeIogopi32.exeAllpejfe.exeCoknoaic.exeIiopca32.exeJghpbk32.exeAfbgkl32.exeChnlgjlb.exeFmlneg32.exeEmmkiclm.exeInqbclob.exeAknifq32.exeHmdlmg32.exeKgdpni32.exePagbaglh.exeOfgdcipq.exeOmgmeigd.exeJohggfha.exeOlbdhn32.exeLjilqnlm.exeHbenoi32.exeKjpijpdg.exeLklbdm32.exeJbepme32.exeKhiofk32.exeObgohklm.exeQkmdkgob.exeFbgihaji.exeDoagjc32.exeDhikci32.exeKabcopmg.exeAhenokjf.exePmnbfhal.exeFbdehlip.exeDpbdopck.exeJklinohd.exeKjhloj32.exeAamknj32.exeJekjcaef.exeGgpbjkpl.exeBkibgh32.exePidlqb32.exeCcpdoqgd.exePmblagmf.exeGphphj32.exeMglfplgk.exeLgdidgjg.exeIkejgf32.exeKniieo32.exeKnenkbio.exeLmdnbn32.exeAanbhp32.exeIcdheded.exeCofnik32.exeDahmfpap.exeGbdoof32.exeQmeigg32.exeIajdgcab.exeGlgjlm32.exeCfkmkf32.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohcegi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oalipoiq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iogopi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acigfpbp.dll" Allpejfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Coknoaic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iiopca32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jghpbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmpockdl.dll" Afbgkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chnlgjlb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmlneg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emmkiclm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Inqbclob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aknifq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lciibdmj.dll" Hmdlmg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgdpni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pagbaglh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofgdcipq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekaacddn.dll" Omgmeigd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpnmig32.dll" Johggfha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jghpbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Olbdhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaedkn32.dll" Ljilqnlm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coppbe32.dll" Hbenoi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjpijpdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lklbdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khnhommq.dll" Jbepme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Khiofk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Obgohklm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmdlmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qkmdkgob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Konidd32.dll" Fbgihaji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Doagjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhikci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kabcopmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahenokjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjceejee.dll" Pmnbfhal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnckgmik.dll" Fbdehlip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpbdopck.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jklinohd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjhloj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aamknj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jekjcaef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpcqcp32.dll" Ggpbjkpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqppgj32.dll" Bkibgh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pidlqb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ccpdoqgd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmblagmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gphphj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mglfplgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgdidgjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ikejgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blhdmebn.dll" Kniieo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knenkbio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmdnbn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aanbhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aobbbd32.dll" Icdheded.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cofnik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dahmfpap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbmhabha.dll" Ccpdoqgd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbdoof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cggkemhh.dll" Qmeigg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iajdgcab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifhahnbj.dll" Glgjlm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfkmkf32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
6d265d06258cf42e6043dcafc72142a8490bff59110496fc5f4eb5c89b3538ff.exeEfhcbodf.exeEpagkd32.exeEjflhm32.exeEaqdegaj.exeEfmmmn32.exeFkihnmhj.exeFdamgb32.exeFmjaphek.exeFgbfhmll.exeFmlneg32.exeFgdbnmji.exeFpmggb32.exeFielph32.exeGgilil32.exeGaopfe32.exeGgkiol32.exeGmeakf32.exeGgnedlao.exeGnhnaf32.exeGpfjma32.exeGgpbjkpl.exedescription pid Process procid_target PID 2296 wrote to memory of 1696 2296 6d265d06258cf42e6043dcafc72142a8490bff59110496fc5f4eb5c89b3538ff.exe 82 PID 2296 wrote to memory of 1696 2296 6d265d06258cf42e6043dcafc72142a8490bff59110496fc5f4eb5c89b3538ff.exe 82 PID 2296 wrote to memory of 1696 2296 6d265d06258cf42e6043dcafc72142a8490bff59110496fc5f4eb5c89b3538ff.exe 82 PID 1696 wrote to memory of 4160 1696 Efhcbodf.exe 83 PID 1696 wrote to memory of 4160 1696 Efhcbodf.exe 83 PID 1696 wrote to memory of 4160 1696 Efhcbodf.exe 83 PID 4160 wrote to memory of 3624 4160 Epagkd32.exe 84 PID 4160 wrote to memory of 3624 4160 Epagkd32.exe 84 PID 4160 wrote to memory of 3624 4160 Epagkd32.exe 84 PID 3624 wrote to memory of 4936 3624 Ejflhm32.exe 85 PID 3624 wrote to memory of 4936 3624 Ejflhm32.exe 85 PID 3624 wrote to memory of 4936 3624 Ejflhm32.exe 85 PID 4936 wrote to memory of 4916 4936 Eaqdegaj.exe 86 PID 4936 wrote to memory of 4916 4936 Eaqdegaj.exe 86 PID 4936 wrote to memory of 4916 4936 Eaqdegaj.exe 86 PID 4916 wrote to memory of 2000 4916 Efmmmn32.exe 87 PID 4916 wrote to memory of 2000 4916 Efmmmn32.exe 87 PID 4916 wrote to memory of 2000 4916 Efmmmn32.exe 87 PID 2000 wrote to memory of 5000 2000 Fkihnmhj.exe 88 PID 2000 wrote to memory of 5000 2000 Fkihnmhj.exe 88 PID 2000 wrote to memory of 5000 2000 Fkihnmhj.exe 88 PID 5000 wrote to memory of 1428 5000 Fdamgb32.exe 89 PID 5000 wrote to memory of 1428 5000 Fdamgb32.exe 89 PID 5000 wrote to memory of 1428 5000 Fdamgb32.exe 89 PID 1428 wrote to memory of 2096 1428 Fmjaphek.exe 90 PID 1428 wrote to memory of 2096 1428 Fmjaphek.exe 90 PID 1428 wrote to memory of 2096 1428 Fmjaphek.exe 90 PID 2096 wrote to memory of 2328 2096 Fgbfhmll.exe 91 PID 2096 wrote to memory of 2328 2096 Fgbfhmll.exe 91 PID 2096 wrote to memory of 2328 2096 Fgbfhmll.exe 91 PID 2328 wrote to memory of 2668 2328 Fmlneg32.exe 92 PID 2328 wrote to memory of 2668 2328 Fmlneg32.exe 92 PID 2328 wrote to memory of 2668 2328 Fmlneg32.exe 92 PID 2668 wrote to memory of 3912 2668 Fgdbnmji.exe 93 PID 2668 wrote to memory of 3912 2668 Fgdbnmji.exe 93 PID 2668 wrote to memory of 3912 2668 Fgdbnmji.exe 93 PID 3912 wrote to memory of 1712 3912 Fpmggb32.exe 94 PID 3912 wrote to memory of 1712 3912 Fpmggb32.exe 94 PID 3912 wrote to memory of 1712 3912 Fpmggb32.exe 94 PID 1712 wrote to memory of 1248 1712 Fielph32.exe 95 PID 1712 wrote to memory of 1248 1712 Fielph32.exe 95 PID 1712 wrote to memory of 1248 1712 Fielph32.exe 95 PID 1248 wrote to memory of 3776 1248 Ggilil32.exe 96 PID 1248 wrote to memory of 3776 1248 Ggilil32.exe 96 PID 1248 wrote to memory of 3776 1248 Ggilil32.exe 96 PID 3776 wrote to memory of 4568 3776 Gaopfe32.exe 97 PID 3776 wrote to memory of 4568 3776 Gaopfe32.exe 97 PID 3776 wrote to memory of 4568 3776 Gaopfe32.exe 97 PID 4568 wrote to memory of 3832 4568 Ggkiol32.exe 98 PID 4568 wrote to memory of 3832 4568 Ggkiol32.exe 98 PID 4568 wrote to memory of 3832 4568 Ggkiol32.exe 98 PID 3832 wrote to memory of 2800 3832 Gmeakf32.exe 99 PID 3832 wrote to memory of 2800 3832 Gmeakf32.exe 99 PID 3832 wrote to memory of 2800 3832 Gmeakf32.exe 99 PID 2800 wrote to memory of 3496 2800 Ggnedlao.exe 100 PID 2800 wrote to memory of 3496 2800 Ggnedlao.exe 100 PID 2800 wrote to memory of 3496 2800 Ggnedlao.exe 100 PID 3496 wrote to memory of 2892 3496 Gnhnaf32.exe 101 PID 3496 wrote to memory of 2892 3496 Gnhnaf32.exe 101 PID 3496 wrote to memory of 2892 3496 Gnhnaf32.exe 101 PID 2892 wrote to memory of 2664 2892 Gpfjma32.exe 102 PID 2892 wrote to memory of 2664 2892 Gpfjma32.exe 102 PID 2892 wrote to memory of 2664 2892 Gpfjma32.exe 102 PID 2664 wrote to memory of 3664 2664 Ggpbjkpl.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\6d265d06258cf42e6043dcafc72142a8490bff59110496fc5f4eb5c89b3538ff.exe"C:\Users\Admin\AppData\Local\Temp\6d265d06258cf42e6043dcafc72142a8490bff59110496fc5f4eb5c89b3538ff.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\SysWOW64\Efhcbodf.exeC:\Windows\system32\Efhcbodf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Windows\SysWOW64\Epagkd32.exeC:\Windows\system32\Epagkd32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4160 -
C:\Windows\SysWOW64\Ejflhm32.exeC:\Windows\system32\Ejflhm32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3624 -
C:\Windows\SysWOW64\Eaqdegaj.exeC:\Windows\system32\Eaqdegaj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4936 -
C:\Windows\SysWOW64\Efmmmn32.exeC:\Windows\system32\Efmmmn32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4916 -
C:\Windows\SysWOW64\Fkihnmhj.exeC:\Windows\system32\Fkihnmhj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Windows\SysWOW64\Fdamgb32.exeC:\Windows\system32\Fdamgb32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5000 -
C:\Windows\SysWOW64\Fmjaphek.exeC:\Windows\system32\Fmjaphek.exe9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1428 -
C:\Windows\SysWOW64\Fgbfhmll.exeC:\Windows\system32\Fgbfhmll.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Windows\SysWOW64\Fmlneg32.exeC:\Windows\system32\Fmlneg32.exe11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Windows\SysWOW64\Fgdbnmji.exeC:\Windows\system32\Fgdbnmji.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Fpmggb32.exeC:\Windows\system32\Fpmggb32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3912 -
C:\Windows\SysWOW64\Fielph32.exeC:\Windows\system32\Fielph32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1712 -
C:\Windows\SysWOW64\Ggilil32.exeC:\Windows\system32\Ggilil32.exe15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1248 -
C:\Windows\SysWOW64\Gaopfe32.exeC:\Windows\system32\Gaopfe32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3776 -
C:\Windows\SysWOW64\Ggkiol32.exeC:\Windows\system32\Ggkiol32.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4568 -
C:\Windows\SysWOW64\Gmeakf32.exeC:\Windows\system32\Gmeakf32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3832 -
C:\Windows\SysWOW64\Ggnedlao.exeC:\Windows\system32\Ggnedlao.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\SysWOW64\Gnhnaf32.exeC:\Windows\system32\Gnhnaf32.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3496 -
C:\Windows\SysWOW64\Gpfjma32.exeC:\Windows\system32\Gpfjma32.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\Ggpbjkpl.exeC:\Windows\system32\Ggpbjkpl.exe22⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Ginnfgop.exeC:\Windows\system32\Ginnfgop.exe23⤵
- Executes dropped EXE
PID:3664 -
C:\Windows\SysWOW64\Gddbcp32.exeC:\Windows\system32\Gddbcp32.exe24⤵
- Executes dropped EXE
PID:4120 -
C:\Windows\SysWOW64\Ggbook32.exeC:\Windows\system32\Ggbook32.exe25⤵
- Executes dropped EXE
PID:4424 -
C:\Windows\SysWOW64\Hkpheidp.exeC:\Windows\system32\Hkpheidp.exe26⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3992 -
C:\Windows\SysWOW64\Hgghjjid.exeC:\Windows\system32\Hgghjjid.exe27⤵
- Executes dropped EXE
PID:380 -
C:\Windows\SysWOW64\Hjhalefe.exeC:\Windows\system32\Hjhalefe.exe28⤵
- Executes dropped EXE
PID:4000 -
C:\Windows\SysWOW64\Hglaej32.exeC:\Windows\system32\Hglaej32.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4080 -
C:\Windows\SysWOW64\Hdpbon32.exeC:\Windows\system32\Hdpbon32.exe30⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Hnhghcki.exeC:\Windows\system32\Hnhghcki.exe31⤵
- Executes dropped EXE
PID:60 -
C:\Windows\SysWOW64\Injcmc32.exeC:\Windows\system32\Injcmc32.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4316 -
C:\Windows\SysWOW64\Ijadbdoj.exeC:\Windows\system32\Ijadbdoj.exe33⤵
- Executes dropped EXE
PID:4960 -
C:\Windows\SysWOW64\Igedlh32.exeC:\Windows\system32\Igedlh32.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2580 -
C:\Windows\SysWOW64\Iakiia32.exeC:\Windows\system32\Iakiia32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:528 -
C:\Windows\SysWOW64\Ihdafkdg.exeC:\Windows\system32\Ihdafkdg.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1892 -
C:\Windows\SysWOW64\Ikejgf32.exeC:\Windows\system32\Ikejgf32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:2900 -
C:\Windows\SysWOW64\Ibobdqid.exeC:\Windows\system32\Ibobdqid.exe38⤵
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Jnfcia32.exeC:\Windows\system32\Jnfcia32.exe39⤵
- Executes dropped EXE
PID:1504 -
C:\Windows\SysWOW64\Jbaojpgb.exeC:\Windows\system32\Jbaojpgb.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4032 -
C:\Windows\SysWOW64\Jnhpoamf.exeC:\Windows\system32\Jnhpoamf.exe41⤵PID:4588
-
C:\Windows\SysWOW64\Jklphekp.exeC:\Windows\system32\Jklphekp.exe42⤵
- Executes dropped EXE
PID:4504 -
C:\Windows\SysWOW64\Jgcamf32.exeC:\Windows\system32\Jgcamf32.exe43⤵
- Executes dropped EXE
PID:4284 -
C:\Windows\SysWOW64\Jjamia32.exeC:\Windows\system32\Jjamia32.exe44⤵
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Kiejmi32.exeC:\Windows\system32\Kiejmi32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Kjhcjq32.exeC:\Windows\system32\Kjhcjq32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4904 -
C:\Windows\SysWOW64\Kqbkfkal.exeC:\Windows\system32\Kqbkfkal.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2224 -
C:\Windows\SysWOW64\Kjmmepfj.exeC:\Windows\system32\Kjmmepfj.exe48⤵
- Executes dropped EXE
PID:1896 -
C:\Windows\SysWOW64\Kniieo32.exeC:\Windows\system32\Kniieo32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4844 -
C:\Windows\SysWOW64\Kinmcg32.exeC:\Windows\system32\Kinmcg32.exe50⤵
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Kjpijpdg.exeC:\Windows\system32\Kjpijpdg.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:4092 -
C:\Windows\SysWOW64\Lgcjdd32.exeC:\Windows\system32\Lgcjdd32.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2192 -
C:\Windows\SysWOW64\Lbinam32.exeC:\Windows\system32\Lbinam32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1380 -
C:\Windows\SysWOW64\Lalnmiia.exeC:\Windows\system32\Lalnmiia.exe54⤵
- Executes dropped EXE
PID:1904 -
C:\Windows\SysWOW64\Licfngjd.exeC:\Windows\system32\Licfngjd.exe55⤵
- Executes dropped EXE
PID:748 -
C:\Windows\SysWOW64\Ljdceo32.exeC:\Windows\system32\Ljdceo32.exe56⤵
- Executes dropped EXE
PID:2596 -
C:\Windows\SysWOW64\Lejgch32.exeC:\Windows\system32\Lejgch32.exe57⤵
- Executes dropped EXE
PID:3356 -
C:\Windows\SysWOW64\Lieccf32.exeC:\Windows\system32\Lieccf32.exe58⤵
- Executes dropped EXE
PID:1232 -
C:\Windows\SysWOW64\Lldopb32.exeC:\Windows\system32\Lldopb32.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3360 -
C:\Windows\SysWOW64\Lbngllob.exeC:\Windows\system32\Lbngllob.exe60⤵
- Executes dropped EXE
PID:964 -
C:\Windows\SysWOW64\Lelchgne.exeC:\Windows\system32\Lelchgne.exe61⤵
- Executes dropped EXE
PID:3200 -
C:\Windows\SysWOW64\Ljilqnlm.exeC:\Windows\system32\Ljilqnlm.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:4616 -
C:\Windows\SysWOW64\Lacdmh32.exeC:\Windows\system32\Lacdmh32.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4528 -
C:\Windows\SysWOW64\Leopnglc.exeC:\Windows\system32\Leopnglc.exe64⤵
- Executes dropped EXE
PID:4900 -
C:\Windows\SysWOW64\Mbbagk32.exeC:\Windows\system32\Mbbagk32.exe65⤵
- Executes dropped EXE
PID:4656 -
C:\Windows\SysWOW64\Mlkepaam.exeC:\Windows\system32\Mlkepaam.exe66⤵
- Executes dropped EXE
PID:452 -
C:\Windows\SysWOW64\Mjpbam32.exeC:\Windows\system32\Mjpbam32.exe67⤵PID:444
-
C:\Windows\SysWOW64\Mnlnbl32.exeC:\Windows\system32\Mnlnbl32.exe68⤵PID:4464
-
C:\Windows\SysWOW64\Mhdckaeo.exeC:\Windows\system32\Mhdckaeo.exe69⤵PID:1568
-
C:\Windows\SysWOW64\Mnphmkji.exeC:\Windows\system32\Mnphmkji.exe70⤵PID:804
-
C:\Windows\SysWOW64\Nihipdhl.exeC:\Windows\system32\Nihipdhl.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4612 -
C:\Windows\SysWOW64\Neafjdkn.exeC:\Windows\system32\Neafjdkn.exe72⤵PID:760
-
C:\Windows\SysWOW64\Nknobkje.exeC:\Windows\system32\Nknobkje.exe73⤵PID:2728
-
C:\Windows\SysWOW64\Nkqkhk32.exeC:\Windows\system32\Nkqkhk32.exe74⤵PID:3204
-
C:\Windows\SysWOW64\Oondnini.exeC:\Windows\system32\Oondnini.exe75⤵
- Drops file in System32 directory
PID:4416 -
C:\Windows\SysWOW64\Oampjeml.exeC:\Windows\system32\Oampjeml.exe76⤵PID:2676
-
C:\Windows\SysWOW64\Olbdhn32.exeC:\Windows\system32\Olbdhn32.exe77⤵
- Modifies registry class
PID:3672 -
C:\Windows\SysWOW64\Oaompd32.exeC:\Windows\system32\Oaompd32.exe78⤵PID:4576
-
C:\Windows\SysWOW64\Oboijgbl.exeC:\Windows\system32\Oboijgbl.exe79⤵PID:3020
-
C:\Windows\SysWOW64\Olgncmim.exeC:\Windows\system32\Olgncmim.exe80⤵PID:828
-
C:\Windows\SysWOW64\Oiknlagg.exeC:\Windows\system32\Oiknlagg.exe81⤵PID:1736
-
C:\Windows\SysWOW64\Oeaoab32.exeC:\Windows\system32\Oeaoab32.exe82⤵PID:1404
-
C:\Windows\SysWOW64\Pkogiikb.exeC:\Windows\system32\Pkogiikb.exe83⤵PID:2324
-
C:\Windows\SysWOW64\Plndcl32.exeC:\Windows\system32\Plndcl32.exe84⤵PID:4448
-
C:\Windows\SysWOW64\Pchlpfjb.exeC:\Windows\system32\Pchlpfjb.exe85⤵PID:2184
-
C:\Windows\SysWOW64\Phedhmhi.exeC:\Windows\system32\Phedhmhi.exe86⤵PID:4312
-
C:\Windows\SysWOW64\Pkcadhgm.exeC:\Windows\system32\Pkcadhgm.exe87⤵PID:3668
-
C:\Windows\SysWOW64\Pekbga32.exeC:\Windows\system32\Pekbga32.exe88⤵PID:4932
-
C:\Windows\SysWOW64\Pocfpf32.exeC:\Windows\system32\Pocfpf32.exe89⤵PID:4488
-
C:\Windows\SysWOW64\Pcobaedj.exeC:\Windows\system32\Pcobaedj.exe90⤵PID:2896
-
C:\Windows\SysWOW64\Pemomqcn.exeC:\Windows\system32\Pemomqcn.exe91⤵PID:4052
-
C:\Windows\SysWOW64\Qhlkilba.exeC:\Windows\system32\Qhlkilba.exe92⤵PID:3796
-
C:\Windows\SysWOW64\Qkmdkgob.exeC:\Windows\system32\Qkmdkgob.exe93⤵
- Modifies registry class
PID:4540 -
C:\Windows\SysWOW64\Qcclld32.exeC:\Windows\system32\Qcclld32.exe94⤵PID:1064
-
C:\Windows\SysWOW64\Allpejfe.exeC:\Windows\system32\Allpejfe.exe95⤵
- Modifies registry class
PID:3424 -
C:\Windows\SysWOW64\Aaiimadl.exeC:\Windows\system32\Aaiimadl.exe96⤵PID:4140
-
C:\Windows\SysWOW64\Alnmjjdb.exeC:\Windows\system32\Alnmjjdb.exe97⤵
- System Location Discovery: System Language Discovery
PID:1244 -
C:\Windows\SysWOW64\Aakebqbj.exeC:\Windows\system32\Aakebqbj.exe98⤵PID:3908
-
C:\Windows\SysWOW64\Ahenokjf.exeC:\Windows\system32\Ahenokjf.exe99⤵
- Modifies registry class
PID:3924 -
C:\Windows\SysWOW64\Aoofle32.exeC:\Windows\system32\Aoofle32.exe100⤵PID:5044
-
C:\Windows\SysWOW64\Aanbhp32.exeC:\Windows\system32\Aanbhp32.exe101⤵
- Modifies registry class
PID:2148 -
C:\Windows\SysWOW64\Acmobchj.exeC:\Windows\system32\Acmobchj.exe102⤵PID:4952
-
C:\Windows\SysWOW64\Afkknogn.exeC:\Windows\system32\Afkknogn.exe103⤵PID:3964
-
C:\Windows\SysWOW64\Aodogdmn.exeC:\Windows\system32\Aodogdmn.exe104⤵PID:2272
-
C:\Windows\SysWOW64\Abbkcpma.exeC:\Windows\system32\Abbkcpma.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4832 -
C:\Windows\SysWOW64\Blhpqhlh.exeC:\Windows\system32\Blhpqhlh.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2976 -
C:\Windows\SysWOW64\Bfpdin32.exeC:\Windows\system32\Bfpdin32.exe107⤵PID:5140
-
C:\Windows\SysWOW64\Bohibc32.exeC:\Windows\system32\Bohibc32.exe108⤵PID:5184
-
C:\Windows\SysWOW64\Bjnmpl32.exeC:\Windows\system32\Bjnmpl32.exe109⤵
- Drops file in System32 directory
PID:5228 -
C:\Windows\SysWOW64\Bmlilh32.exeC:\Windows\system32\Bmlilh32.exe110⤵PID:5272
-
C:\Windows\SysWOW64\Bjpjel32.exeC:\Windows\system32\Bjpjel32.exe111⤵PID:5320
-
C:\Windows\SysWOW64\Bombmcec.exeC:\Windows\system32\Bombmcec.exe112⤵PID:5364
-
C:\Windows\SysWOW64\Bblnindg.exeC:\Windows\system32\Bblnindg.exe113⤵PID:5408
-
C:\Windows\SysWOW64\Bkdcbd32.exeC:\Windows\system32\Bkdcbd32.exe114⤵
- Drops file in System32 directory
PID:5452 -
C:\Windows\SysWOW64\Cfigpm32.exeC:\Windows\system32\Cfigpm32.exe115⤵PID:5496
-
C:\Windows\SysWOW64\Ckfphc32.exeC:\Windows\system32\Ckfphc32.exe116⤵PID:5540
-
C:\Windows\SysWOW64\Cfldelik.exeC:\Windows\system32\Cfldelik.exe117⤵PID:5584
-
C:\Windows\SysWOW64\Cmflbf32.exeC:\Windows\system32\Cmflbf32.exe118⤵
- Drops file in System32 directory
PID:5628 -
C:\Windows\SysWOW64\Ccpdoqgd.exeC:\Windows\system32\Ccpdoqgd.exe119⤵
- Modifies registry class
PID:5664 -
C:\Windows\SysWOW64\Ckkiccep.exeC:\Windows\system32\Ckkiccep.exe120⤵
- System Location Discovery: System Language Discovery
PID:5716 -
C:\Windows\SysWOW64\Cfqmpl32.exeC:\Windows\system32\Cfqmpl32.exe121⤵PID:5760
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-