Analysis
-
max time kernel
121s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
23-11-2024 02:47
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b6fee806f85f61a8ae875c854f1f68b75234393fb0db197d58f46b4fbb819b2c.exe
Resource
win7-20240903-en
windows7-x64
11 signatures
150 seconds
Behavioral task
behavioral2
Sample
b6fee806f85f61a8ae875c854f1f68b75234393fb0db197d58f46b4fbb819b2c.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
b6fee806f85f61a8ae875c854f1f68b75234393fb0db197d58f46b4fbb819b2c.exe
-
Size
85KB
-
MD5
6b0732638f6c82f6f3936b0ddb333a48
-
SHA1
0723883dfb71e0fad6fb803dd4508bee6508b2f5
-
SHA256
b6fee806f85f61a8ae875c854f1f68b75234393fb0db197d58f46b4fbb819b2c
-
SHA512
a7f7d9c6572bae874bcf1cd50203424c01713d3e912a385d4ed4c111538cc598bc25fc53a51ea31ca0f229c42d92588edabeb9d05f3172a658c33de94d485b76
-
SSDEEP
1536:K0d29jP1v4VTzRXlO7uXcNvvm5yw/Lb0OUrrQ35wNBh:K08v4RzRY7usluTXp6h
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Fchijone.exeCjjkpe32.exeNeiaeiii.exePqkobqhd.exeAjnpecbj.exeGqdefddb.exeNabopjmj.exeNledoj32.exeGnmifk32.exeIdadnd32.exeLonpma32.exeLfoojj32.exeAlqnah32.exeFfkoai32.exeHakkgc32.exeMjaddn32.exeBchfhfeh.exeDmhdkdlg.exeFgadda32.exeDicnkdnf.exeCbppnbhm.exePkljdj32.exeLqejbiim.exeOpfbngfb.exeAjqljc32.exeGgnmbn32.exeGmgpbf32.exeLipecm32.exePoklngnf.exeLgchgb32.exeBgaebe32.exeJpiedieo.exeEpbpbnan.exeJeafjiop.exeJhbold32.exeNnafnopi.exeAennba32.exePafbadcm.exeBcgdom32.exeIegjqk32.exeMmadbjkk.exeNpdfhhhe.exeLcofio32.exeObmnna32.exeJkebjf32.exePljlbf32.exeNncbdomg.exeOococb32.exeAkabgebj.exeGifclb32.exeLflplbpi.exeAfjjed32.exeCbiiog32.exeIfgpnmom.exeIbehla32.exeFpmbfbgo.exeGncldi32.exeQjklenpa.exeCebeem32.exeOhhmcinf.exeAcfdnihk.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fchijone.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjjkpe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neiaeiii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pqkobqhd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajnpecbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gqdefddb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nabopjmj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nledoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnmifk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idadnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lonpma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfoojj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alqnah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffkoai32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hakkgc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjaddn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bchfhfeh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmhdkdlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgadda32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dicnkdnf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbppnbhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkljdj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqejbiim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opfbngfb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajqljc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggnmbn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmgpbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lipecm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Poklngnf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgchgb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nabopjmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgaebe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpiedieo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epbpbnan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajnpecbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hakkgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jeafjiop.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhbold32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnafnopi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aennba32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pafbadcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcgdom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iegjqk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmadbjkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npdfhhhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcofio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obmnna32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkebjf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pljlbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nncbdomg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oococb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akabgebj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gifclb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lflplbpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afjjed32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbiiog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifgpnmom.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibehla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpmbfbgo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gncldi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjklenpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cebeem32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohhmcinf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acfdnihk.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Gpkpedmh.exeGicdnj32.exeGpnmjd32.exeGaafhloq.exeGnefapmj.exeGdboig32.exeGmjcblbb.exeHhpgpebh.exeHpkldg32.exeHjqqap32.exeHdiejfej.exeHfgafadm.exeHppfog32.exeHmcfhkjg.exeHeokmmgb.exeIhmgiiff.exeIimcclni.exeIbehla32.exeIkpmpc32.exeIajemnia.exeIggned32.exeInafbooe.exeIhfjognl.exeIihfgp32.exeIaonhm32.exeJglgpdcc.exeJkgcab32.exeJdpgjhbm.exeJcedkd32.exeJpiedieo.exeJolepe32.exeJlpeij32.exeJkebjf32.exeKncofa32.exeKnekla32.exeKkileele.exeKjllab32.exeKceqjhiq.exeKmmebm32.exeKfeikcfa.exeKmobhmnn.exeKcijeg32.exeLqmjnk32.exeLfjcfb32.exeLflplbpi.exeLkihdioa.exeLbcpac32.exeLiminmmk.exeLahmbo32.exeLipecm32.exeMbhjlbbh.exeMeffhnal.exeMgebdipp.exeMnojacgm.exeMmakmp32.exeMjekfd32.exeMmdgbp32.exeMhilph32.exeMikhgqbi.exeMabphn32.exeMbcmpfhi.exeMimemp32.exeMlkail32.exeMbeiefff.exepid Process 2308 Gpkpedmh.exe 2732 Gicdnj32.exe 1708 Gpnmjd32.exe 2752 Gaafhloq.exe 2644 Gnefapmj.exe 1988 Gdboig32.exe 1692 Gmjcblbb.exe 2488 Hhpgpebh.exe 1336 Hpkldg32.exe 1532 Hjqqap32.exe 2920 Hdiejfej.exe 2120 Hfgafadm.exe 2108 Hppfog32.exe 832 Hmcfhkjg.exe 824 Heokmmgb.exe 1884 Ihmgiiff.exe 2060 Iimcclni.exe 1352 Ibehla32.exe 2476 Ikpmpc32.exe 1648 Iajemnia.exe 1728 Iggned32.exe 1748 Inafbooe.exe 1804 Ihfjognl.exe 1508 Iihfgp32.exe 3052 Iaonhm32.exe 2836 Jglgpdcc.exe 1596 Jkgcab32.exe 2808 Jdpgjhbm.exe 2828 Jcedkd32.exe 2616 Jpiedieo.exe 2608 Jolepe32.exe 640 Jlpeij32.exe 376 Jkebjf32.exe 332 Kncofa32.exe 2788 Knekla32.exe 1640 Kkileele.exe 2976 Kjllab32.exe 1956 Kceqjhiq.exe 680 Kmmebm32.exe 2428 Kfeikcfa.exe 876 Kmobhmnn.exe 2172 Kcijeg32.exe 2004 Lqmjnk32.exe 1624 Lfjcfb32.exe 1204 Lflplbpi.exe 864 Lkihdioa.exe 2484 Lbcpac32.exe 2140 Liminmmk.exe 1828 Lahmbo32.exe 2380 Lipecm32.exe 1856 Mbhjlbbh.exe 2792 Meffhnal.exe 2632 Mgebdipp.exe 2700 Mnojacgm.exe 2228 Mmakmp32.exe 2760 Mjekfd32.exe 2924 Mmdgbp32.exe 2764 Mhilph32.exe 1160 Mikhgqbi.exe 1860 Mabphn32.exe 1344 Mbcmpfhi.exe 2296 Mimemp32.exe 2552 Mlkail32.exe 2136 Mbeiefff.exe -
Loads dropped DLL 64 IoCs
Processes:
b6fee806f85f61a8ae875c854f1f68b75234393fb0db197d58f46b4fbb819b2c.exeGpkpedmh.exeGicdnj32.exeGpnmjd32.exeGaafhloq.exeGnefapmj.exeGdboig32.exeGmjcblbb.exeHhpgpebh.exeHpkldg32.exeHjqqap32.exeHdiejfej.exeHfgafadm.exeHppfog32.exeHmcfhkjg.exeHeokmmgb.exeIhmgiiff.exeIimcclni.exeIbehla32.exeIkpmpc32.exeIajemnia.exeIggned32.exeInafbooe.exeIhfjognl.exeIihfgp32.exeIaonhm32.exeJglgpdcc.exeJkgcab32.exeJdpgjhbm.exeJcedkd32.exeJpiedieo.exeJolepe32.exepid Process 2984 b6fee806f85f61a8ae875c854f1f68b75234393fb0db197d58f46b4fbb819b2c.exe 2984 b6fee806f85f61a8ae875c854f1f68b75234393fb0db197d58f46b4fbb819b2c.exe 2308 Gpkpedmh.exe 2308 Gpkpedmh.exe 2732 Gicdnj32.exe 2732 Gicdnj32.exe 1708 Gpnmjd32.exe 1708 Gpnmjd32.exe 2752 Gaafhloq.exe 2752 Gaafhloq.exe 2644 Gnefapmj.exe 2644 Gnefapmj.exe 1988 Gdboig32.exe 1988 Gdboig32.exe 1692 Gmjcblbb.exe 1692 Gmjcblbb.exe 2488 Hhpgpebh.exe 2488 Hhpgpebh.exe 1336 Hpkldg32.exe 1336 Hpkldg32.exe 1532 Hjqqap32.exe 1532 Hjqqap32.exe 2920 Hdiejfej.exe 2920 Hdiejfej.exe 2120 Hfgafadm.exe 2120 Hfgafadm.exe 2108 Hppfog32.exe 2108 Hppfog32.exe 832 Hmcfhkjg.exe 832 Hmcfhkjg.exe 824 Heokmmgb.exe 824 Heokmmgb.exe 1884 Ihmgiiff.exe 1884 Ihmgiiff.exe 2060 Iimcclni.exe 2060 Iimcclni.exe 1352 Ibehla32.exe 1352 Ibehla32.exe 2476 Ikpmpc32.exe 2476 Ikpmpc32.exe 1648 Iajemnia.exe 1648 Iajemnia.exe 1728 Iggned32.exe 1728 Iggned32.exe 1748 Inafbooe.exe 1748 Inafbooe.exe 1804 Ihfjognl.exe 1804 Ihfjognl.exe 1508 Iihfgp32.exe 1508 Iihfgp32.exe 3052 Iaonhm32.exe 3052 Iaonhm32.exe 2836 Jglgpdcc.exe 2836 Jglgpdcc.exe 1596 Jkgcab32.exe 1596 Jkgcab32.exe 2808 Jdpgjhbm.exe 2808 Jdpgjhbm.exe 2828 Jcedkd32.exe 2828 Jcedkd32.exe 2616 Jpiedieo.exe 2616 Jpiedieo.exe 2608 Jolepe32.exe 2608 Jolepe32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Bmhkmm32.exeQjkjle32.exeDchmkkkj.exeEijdkcgn.exeGolbnm32.exeLfjcfb32.exeIigpli32.exeDbifnj32.exeOibmpl32.exeKjllab32.exeHcgjmo32.exeKjokokha.exeBniajoic.exeAobnniji.exeJenpajfb.exeNdhlhg32.exeNenakoho.exePidfdofi.exeKcijeg32.exeLgmeid32.exeHllmcc32.exePnmcfeia.exeHanogipc.exeIphecepe.exeFgnadkic.exeMpebmc32.exeDmdnbecj.exeHloiib32.exeEkjgpm32.exeMqpflg32.exeBqgmfkhg.exeCenljmgq.exeGfejjgli.exeAficjnpm.exePnjofo32.exeJkebjf32.exeEoajel32.exeJpdnbbah.exeJondnnbk.exeMqbbagjo.exeIhmgiiff.exeEdclib32.exeQackpado.exeNehomq32.exeJfliim32.exeMbcmpfhi.exeOdhhgkib.exeObmnna32.exeCfhkhd32.exeAjnpecbj.exeKcopdb32.exeAjmfad32.exeMeffhnal.exeHjofdi32.exePbagipfi.exeHfmddp32.exeLgqkbb32.exeBjpaop32.exeBepjha32.exeLngnfnji.exedescription ioc Process File opened for modification C:\Windows\SysWOW64\Bofgii32.exe Bmhkmm32.exe File created C:\Windows\SysWOW64\Lmlhjg32.dll Qjkjle32.exe File opened for modification C:\Windows\SysWOW64\Ddiibc32.exe Dchmkkkj.exe File created C:\Windows\SysWOW64\Elipgofb.exe Eijdkcgn.exe File created C:\Windows\SysWOW64\Gfejjgli.exe Golbnm32.exe File opened for modification C:\Windows\SysWOW64\Lflplbpi.exe Lfjcfb32.exe File created C:\Windows\SysWOW64\Jodhdp32.exe Iigpli32.exe File created C:\Windows\SysWOW64\Gafalh32.dll Dbifnj32.exe File created C:\Windows\SysWOW64\Fqliblhd.dll Oibmpl32.exe File created C:\Windows\SysWOW64\Kceqjhiq.exe Kjllab32.exe File created C:\Windows\SysWOW64\Dicnkdnf.exe Dbifnj32.exe File created C:\Windows\SysWOW64\Hidcef32.exe Hcgjmo32.exe File created C:\Windows\SysWOW64\Knkgpi32.exe Kjokokha.exe File created C:\Windows\SysWOW64\Bqgmfkhg.exe Bniajoic.exe File opened for modification C:\Windows\SysWOW64\Abpjjeim.exe Aobnniji.exe File opened for modification C:\Windows\SysWOW64\Jhlmmfef.exe Jenpajfb.exe File opened for modification C:\Windows\SysWOW64\Nfghdcfj.exe Ndhlhg32.exe File created C:\Windows\SysWOW64\Npdfhhhe.exe Nenakoho.exe File created C:\Windows\SysWOW64\Kqcjjk32.dll Pidfdofi.exe File created C:\Windows\SysWOW64\Edaimkbc.dll Kcijeg32.exe File created C:\Windows\SysWOW64\Clmoej32.dll Lgmeid32.exe File created C:\Windows\SysWOW64\Bmlgia32.dll Hllmcc32.exe File created C:\Windows\SysWOW64\Achdqg32.dll Pnmcfeia.exe File opened for modification C:\Windows\SysWOW64\Hjfcpo32.exe Hanogipc.exe File created C:\Windows\SysWOW64\Jmiajbpa.dll Iphecepe.exe File created C:\Windows\SysWOW64\Fjlmpfhg.exe Fgnadkic.exe File created C:\Windows\SysWOW64\Knqcbd32.dll Mpebmc32.exe File opened for modification C:\Windows\SysWOW64\Ddnfop32.exe Dmdnbecj.exe File opened for modification C:\Windows\SysWOW64\Hnmeen32.exe Hloiib32.exe File created C:\Windows\SysWOW64\Eniclh32.exe Ekjgpm32.exe File opened for modification C:\Windows\SysWOW64\Mgjnhaco.exe Mqpflg32.exe File created C:\Windows\SysWOW64\Oabhggjd.dll Bqgmfkhg.exe File created C:\Windows\SysWOW64\Aqpmpahd.dll Cenljmgq.exe File created C:\Windows\SysWOW64\Cefkjiak.dll Gfejjgli.exe File opened for modification C:\Windows\SysWOW64\Ahgofi32.exe Aficjnpm.exe File opened for modification C:\Windows\SysWOW64\Poklngnf.exe Pnjofo32.exe File created C:\Windows\SysWOW64\Kncofa32.exe Jkebjf32.exe File created C:\Windows\SysWOW64\Oldkgjni.dll Kjllab32.exe File opened for modification C:\Windows\SysWOW64\Ednbncmb.exe Eoajel32.exe File created C:\Windows\SysWOW64\Jdpjba32.exe Jpdnbbah.exe File created C:\Windows\SysWOW64\Qkdhopfa.dll Jondnnbk.exe File opened for modification C:\Windows\SysWOW64\Mpebmc32.exe Mqbbagjo.exe File created C:\Windows\SysWOW64\Akaneplm.dll Ihmgiiff.exe File opened for modification C:\Windows\SysWOW64\Efdhpjok.exe Edclib32.exe File created C:\Windows\SysWOW64\Ckboie32.dll Qackpado.exe File created C:\Windows\SysWOW64\Dqnlqf32.dll Nehomq32.exe File created C:\Windows\SysWOW64\Olfcfe32.dll Jfliim32.exe File opened for modification C:\Windows\SysWOW64\Mimemp32.exe Mbcmpfhi.exe File created C:\Windows\SysWOW64\Olophhjd.exe Odhhgkib.exe File opened for modification C:\Windows\SysWOW64\Ofhjopbg.exe Obmnna32.exe File created C:\Windows\SysWOW64\Dmbcen32.exe Cfhkhd32.exe File opened for modification C:\Windows\SysWOW64\Ifampo32.exe Iphecepe.exe File created C:\Windows\SysWOW64\Palkkl32.dll Ajnpecbj.exe File opened for modification C:\Windows\SysWOW64\Kfnmpn32.exe Kcopdb32.exe File created C:\Windows\SysWOW64\Akncimmh.exe Ajmfad32.exe File opened for modification C:\Windows\SysWOW64\Mgebdipp.exe Meffhnal.exe File created C:\Windows\SysWOW64\Fijbkbjk.dll Hjofdi32.exe File opened for modification C:\Windows\SysWOW64\Pdbdqh32.exe Pbagipfi.exe File opened for modification C:\Windows\SysWOW64\Akncimmh.exe Ajmfad32.exe File created C:\Windows\SysWOW64\Iconoi32.dll Hfmddp32.exe File created C:\Windows\SysWOW64\Lohccp32.exe Lgqkbb32.exe File created C:\Windows\SysWOW64\Dgnenf32.dll Bjpaop32.exe File opened for modification C:\Windows\SysWOW64\Bjmbqhif.exe Bepjha32.exe File created C:\Windows\SysWOW64\Lqejbiim.exe Lngnfnji.exe -
Drops file in Windows directory 2 IoCs
Processes:
Dpapaj32.exedescription ioc Process File created C:\Windows\system32†Dfkhndca.¿xe Dpapaj32.exe File opened for modification C:\Windows\system32†Dfkhndca.¿xe Dpapaj32.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target Process procid_target 6984 6844 WerFault.exe 687 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Hebnlb32.exeCjakccop.exeLipecm32.exeMnojacgm.exeDlndnacm.exeFchijone.exeLqncaj32.exeDoecog32.exeAncefgfd.exeBepjha32.exeFbmfkkbm.exeEiekpd32.exeNameek32.exeBncaekhp.exeAchjibcl.exeNadimacd.exeJpgjgboe.exeLboiol32.exeQjklenpa.exeLfoojj32.exeMgedmb32.exeMkqqnq32.exeObjaha32.exeOfhjopbg.exeKmobhmnn.exeMhilph32.exeIigpli32.exeAobnniji.exeOibmpl32.exeOhiffh32.exeMimemp32.exeQqdbiopj.exeGnpflj32.exeHfmddp32.exeKfnmpn32.exeMmadbjkk.exePbagipfi.exeIihfgp32.exeEfdhpjok.exeGqnbhf32.exeMijamjnm.exeFqfemqod.exeKaajei32.exeLkihdioa.exeOihqgbhd.exeFoccjood.exeOdgodl32.exeBmphhc32.exePegqpacp.exeHmkeke32.exeNpaich32.exeIllbhp32.exeJdpgjhbm.exeNoljjglk.exeNledoj32.exeBcegin32.exeHloiib32.exeJnkakl32.exeJioopgef.exeKlehgh32.exeLdllgiek.exeHgpjhn32.exePgcmbcih.exeCbblda32.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hebnlb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjakccop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lipecm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnojacgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlndnacm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fchijone.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqncaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doecog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ancefgfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bepjha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbmfkkbm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiekpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nameek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bncaekhp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Achjibcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nadimacd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpgjgboe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lboiol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjklenpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfoojj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgedmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkqqnq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Objaha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofhjopbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmobhmnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhilph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iigpli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aobnniji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oibmpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohiffh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mimemp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qqdbiopj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnpflj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfmddp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfnmpn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmadbjkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbagipfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iihfgp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efdhpjok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqnbhf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mijamjnm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqfemqod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaajei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkihdioa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oihqgbhd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Foccjood.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odgodl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmphhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pegqpacp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmkeke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npaich32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Illbhp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdpgjhbm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Noljjglk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nledoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcegin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hloiib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnkakl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jioopgef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klehgh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldllgiek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgpjhn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgcmbcih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbblda32.exe -
Modifies registry class 64 IoCs
Processes:
Ajjfkh32.exeDlndnacm.exeGcahoqhf.exeLngnfnji.exeAjqljc32.exeAjgbkbjp.exePhpjnnki.exeDljkcb32.exeMbcmpfhi.exeNhiholof.exeGqiimfam.exeMbbfep32.exeIkpmpc32.exeOoclji32.exeQgjqjjll.exeIlofhffj.exeFqalaa32.exeGaafhloq.exeJdpgjhbm.exeKfnmpn32.exeOlbfagca.exeBnfddp32.exeBgoime32.exeLjghjpfe.exeKglehp32.exePlolgk32.exeElipgofb.exeBqijljfd.exeEihgfd32.exeHboddk32.exeIfgpnmom.exeMgedmb32.exeKcijeg32.exeBepjha32.exeHeealhla.exeCpdgbm32.exeCcbphk32.exeDifnaqih.exePqphnp32.exeEnkpahon.exeKlhemhpk.exeOplelf32.exeAdifpk32.exeQcqaok32.exeGbhbdi32.exeHjofdi32.exeMclebc32.exeNeknki32.exeCbblda32.exeComdkipe.exeJioopgef.exeNameek32.exeAficjnpm.exeEiekpd32.exeFgldnkkf.exeJlphbbbg.exeNbflno32.exePiicpk32.exePkaehb32.exeOijjka32.exeJkgcab32.exeMhilph32.exeBffpki32.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmjbki32.dll" Ajjfkh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dlndnacm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gcahoqhf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lngnfnji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaddjiql.dll" Ajqljc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajgbkbjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hicoaj32.dll" Phpjnnki.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dljkcb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mbcmpfhi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhiholof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gqiimfam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clnoge32.dll" Mbbfep32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajqljc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbkgbeme.dll" Ikpmpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfhcmc32.dll" Ooclji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qgjqjjll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ilofhffj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fqalaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gaafhloq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jdpgjhbm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kfnmpn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olbfagca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnfddp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgoime32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljghjpfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kglehp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbqahmoc.dll" Plolgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Elipgofb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bqijljfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffjaickl.dll" Eihgfd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hboddk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifgpnmom.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgedmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edaimkbc.dll" Kcijeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpgflbcg.dll" Bepjha32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Heealhla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeeeakip.dll" Cpdgbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccbphk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Difnaqih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgokokhf.dll" Pqphnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gadafg32.dll" Enkpahon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Klhemhpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odlhoigp.dll" Oplelf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoblpdnf.dll" Adifpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qcqaok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbmqhd32.dll" Gbhbdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hjofdi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mclebc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Neknki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cbblda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Comdkipe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jioopgef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifppipg.dll" Nameek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoobfoke.dll" Aficjnpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qojieb32.dll" Eiekpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fgldnkkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgfeei32.dll" Jlphbbbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlfgce32.dll" Nbflno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhapci32.dll" Piicpk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkaehb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pphcfh32.dll" Oijjka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgeajlgp.dll" Jkgcab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efcaci32.dll" Mhilph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bffpki32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
b6fee806f85f61a8ae875c854f1f68b75234393fb0db197d58f46b4fbb819b2c.exeGpkpedmh.exeGicdnj32.exeGpnmjd32.exeGaafhloq.exeGnefapmj.exeGdboig32.exeGmjcblbb.exeHhpgpebh.exeHpkldg32.exeHjqqap32.exeHdiejfej.exeHfgafadm.exeHppfog32.exeHmcfhkjg.exeHeokmmgb.exedescription pid Process procid_target PID 2984 wrote to memory of 2308 2984 b6fee806f85f61a8ae875c854f1f68b75234393fb0db197d58f46b4fbb819b2c.exe 30 PID 2984 wrote to memory of 2308 2984 b6fee806f85f61a8ae875c854f1f68b75234393fb0db197d58f46b4fbb819b2c.exe 30 PID 2984 wrote to memory of 2308 2984 b6fee806f85f61a8ae875c854f1f68b75234393fb0db197d58f46b4fbb819b2c.exe 30 PID 2984 wrote to memory of 2308 2984 b6fee806f85f61a8ae875c854f1f68b75234393fb0db197d58f46b4fbb819b2c.exe 30 PID 2308 wrote to memory of 2732 2308 Gpkpedmh.exe 31 PID 2308 wrote to memory of 2732 2308 Gpkpedmh.exe 31 PID 2308 wrote to memory of 2732 2308 Gpkpedmh.exe 31 PID 2308 wrote to memory of 2732 2308 Gpkpedmh.exe 31 PID 2732 wrote to memory of 1708 2732 Gicdnj32.exe 32 PID 2732 wrote to memory of 1708 2732 Gicdnj32.exe 32 PID 2732 wrote to memory of 1708 2732 Gicdnj32.exe 32 PID 2732 wrote to memory of 1708 2732 Gicdnj32.exe 32 PID 1708 wrote to memory of 2752 1708 Gpnmjd32.exe 33 PID 1708 wrote to memory of 2752 1708 Gpnmjd32.exe 33 PID 1708 wrote to memory of 2752 1708 Gpnmjd32.exe 33 PID 1708 wrote to memory of 2752 1708 Gpnmjd32.exe 33 PID 2752 wrote to memory of 2644 2752 Gaafhloq.exe 34 PID 2752 wrote to memory of 2644 2752 Gaafhloq.exe 34 PID 2752 wrote to memory of 2644 2752 Gaafhloq.exe 34 PID 2752 wrote to memory of 2644 2752 Gaafhloq.exe 34 PID 2644 wrote to memory of 1988 2644 Gnefapmj.exe 35 PID 2644 wrote to memory of 1988 2644 Gnefapmj.exe 35 PID 2644 wrote to memory of 1988 2644 Gnefapmj.exe 35 PID 2644 wrote to memory of 1988 2644 Gnefapmj.exe 35 PID 1988 wrote to memory of 1692 1988 Gdboig32.exe 36 PID 1988 wrote to memory of 1692 1988 Gdboig32.exe 36 PID 1988 wrote to memory of 1692 1988 Gdboig32.exe 36 PID 1988 wrote to memory of 1692 1988 Gdboig32.exe 36 PID 1692 wrote to memory of 2488 1692 Gmjcblbb.exe 37 PID 1692 wrote to memory of 2488 1692 Gmjcblbb.exe 37 PID 1692 wrote to memory of 2488 1692 Gmjcblbb.exe 37 PID 1692 wrote to memory of 2488 1692 Gmjcblbb.exe 37 PID 2488 wrote to memory of 1336 2488 Hhpgpebh.exe 38 PID 2488 wrote to memory of 1336 2488 Hhpgpebh.exe 38 PID 2488 wrote to memory of 1336 2488 Hhpgpebh.exe 38 PID 2488 wrote to memory of 1336 2488 Hhpgpebh.exe 38 PID 1336 wrote to memory of 1532 1336 Hpkldg32.exe 39 PID 1336 wrote to memory of 1532 1336 Hpkldg32.exe 39 PID 1336 wrote to memory of 1532 1336 Hpkldg32.exe 39 PID 1336 wrote to memory of 1532 1336 Hpkldg32.exe 39 PID 1532 wrote to memory of 2920 1532 Hjqqap32.exe 40 PID 1532 wrote to memory of 2920 1532 Hjqqap32.exe 40 PID 1532 wrote to memory of 2920 1532 Hjqqap32.exe 40 PID 1532 wrote to memory of 2920 1532 Hjqqap32.exe 40 PID 2920 wrote to memory of 2120 2920 Hdiejfej.exe 41 PID 2920 wrote to memory of 2120 2920 Hdiejfej.exe 41 PID 2920 wrote to memory of 2120 2920 Hdiejfej.exe 41 PID 2920 wrote to memory of 2120 2920 Hdiejfej.exe 41 PID 2120 wrote to memory of 2108 2120 Hfgafadm.exe 42 PID 2120 wrote to memory of 2108 2120 Hfgafadm.exe 42 PID 2120 wrote to memory of 2108 2120 Hfgafadm.exe 42 PID 2120 wrote to memory of 2108 2120 Hfgafadm.exe 42 PID 2108 wrote to memory of 832 2108 Hppfog32.exe 43 PID 2108 wrote to memory of 832 2108 Hppfog32.exe 43 PID 2108 wrote to memory of 832 2108 Hppfog32.exe 43 PID 2108 wrote to memory of 832 2108 Hppfog32.exe 43 PID 832 wrote to memory of 824 832 Hmcfhkjg.exe 44 PID 832 wrote to memory of 824 832 Hmcfhkjg.exe 44 PID 832 wrote to memory of 824 832 Hmcfhkjg.exe 44 PID 832 wrote to memory of 824 832 Hmcfhkjg.exe 44 PID 824 wrote to memory of 1884 824 Heokmmgb.exe 45 PID 824 wrote to memory of 1884 824 Heokmmgb.exe 45 PID 824 wrote to memory of 1884 824 Heokmmgb.exe 45 PID 824 wrote to memory of 1884 824 Heokmmgb.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\b6fee806f85f61a8ae875c854f1f68b75234393fb0db197d58f46b4fbb819b2c.exe"C:\Users\Admin\AppData\Local\Temp\b6fee806f85f61a8ae875c854f1f68b75234393fb0db197d58f46b4fbb819b2c.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\SysWOW64\Gpkpedmh.exeC:\Windows\system32\Gpkpedmh.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Windows\SysWOW64\Gicdnj32.exeC:\Windows\system32\Gicdnj32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Gpnmjd32.exeC:\Windows\system32\Gpnmjd32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Windows\SysWOW64\Gaafhloq.exeC:\Windows\system32\Gaafhloq.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Gnefapmj.exeC:\Windows\system32\Gnefapmj.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Gdboig32.exeC:\Windows\system32\Gdboig32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1988 -
C:\Windows\SysWOW64\Gmjcblbb.exeC:\Windows\system32\Gmjcblbb.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Windows\SysWOW64\Hhpgpebh.exeC:\Windows\system32\Hhpgpebh.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\SysWOW64\Hpkldg32.exeC:\Windows\system32\Hpkldg32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1336 -
C:\Windows\SysWOW64\Hjqqap32.exeC:\Windows\system32\Hjqqap32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1532 -
C:\Windows\SysWOW64\Hdiejfej.exeC:\Windows\system32\Hdiejfej.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Hfgafadm.exeC:\Windows\system32\Hfgafadm.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Windows\SysWOW64\Hppfog32.exeC:\Windows\system32\Hppfog32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Windows\SysWOW64\Hmcfhkjg.exeC:\Windows\system32\Hmcfhkjg.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:832 -
C:\Windows\SysWOW64\Heokmmgb.exeC:\Windows\system32\Heokmmgb.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:824 -
C:\Windows\SysWOW64\Ihmgiiff.exeC:\Windows\system32\Ihmgiiff.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1884 -
C:\Windows\SysWOW64\Iimcclni.exeC:\Windows\system32\Iimcclni.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2060 -
C:\Windows\SysWOW64\Ibehla32.exeC:\Windows\system32\Ibehla32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1352 -
C:\Windows\SysWOW64\Ikpmpc32.exeC:\Windows\system32\Ikpmpc32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2476 -
C:\Windows\SysWOW64\Iajemnia.exeC:\Windows\system32\Iajemnia.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1648 -
C:\Windows\SysWOW64\Iggned32.exeC:\Windows\system32\Iggned32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1728 -
C:\Windows\SysWOW64\Inafbooe.exeC:\Windows\system32\Inafbooe.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1748 -
C:\Windows\SysWOW64\Ihfjognl.exeC:\Windows\system32\Ihfjognl.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1804 -
C:\Windows\SysWOW64\Iihfgp32.exeC:\Windows\system32\Iihfgp32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1508 -
C:\Windows\SysWOW64\Iaonhm32.exeC:\Windows\system32\Iaonhm32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3052 -
C:\Windows\SysWOW64\Jglgpdcc.exeC:\Windows\system32\Jglgpdcc.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2836 -
C:\Windows\SysWOW64\Jkgcab32.exeC:\Windows\system32\Jkgcab32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1596 -
C:\Windows\SysWOW64\Jdpgjhbm.exeC:\Windows\system32\Jdpgjhbm.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2808 -
C:\Windows\SysWOW64\Jcedkd32.exeC:\Windows\system32\Jcedkd32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2828 -
C:\Windows\SysWOW64\Jpiedieo.exeC:\Windows\system32\Jpiedieo.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2616 -
C:\Windows\SysWOW64\Jolepe32.exeC:\Windows\system32\Jolepe32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2608 -
C:\Windows\SysWOW64\Jlpeij32.exeC:\Windows\system32\Jlpeij32.exe33⤵
- Executes dropped EXE
PID:640 -
C:\Windows\SysWOW64\Jkebjf32.exeC:\Windows\system32\Jkebjf32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:376 -
C:\Windows\SysWOW64\Kncofa32.exeC:\Windows\system32\Kncofa32.exe35⤵
- Executes dropped EXE
PID:332 -
C:\Windows\SysWOW64\Knekla32.exeC:\Windows\system32\Knekla32.exe36⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Kkileele.exeC:\Windows\system32\Kkileele.exe37⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Kjllab32.exeC:\Windows\system32\Kjllab32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2976 -
C:\Windows\SysWOW64\Kceqjhiq.exeC:\Windows\system32\Kceqjhiq.exe39⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Kmmebm32.exeC:\Windows\system32\Kmmebm32.exe40⤵
- Executes dropped EXE
PID:680 -
C:\Windows\SysWOW64\Kfeikcfa.exeC:\Windows\system32\Kfeikcfa.exe41⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Kmobhmnn.exeC:\Windows\system32\Kmobhmnn.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:876 -
C:\Windows\SysWOW64\Kcijeg32.exeC:\Windows\system32\Kcijeg32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2172 -
C:\Windows\SysWOW64\Lqmjnk32.exeC:\Windows\system32\Lqmjnk32.exe44⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Lfjcfb32.exeC:\Windows\system32\Lfjcfb32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1624 -
C:\Windows\SysWOW64\Lflplbpi.exeC:\Windows\system32\Lflplbpi.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1204 -
C:\Windows\SysWOW64\Lkihdioa.exeC:\Windows\system32\Lkihdioa.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:864 -
C:\Windows\SysWOW64\Lbcpac32.exeC:\Windows\system32\Lbcpac32.exe48⤵
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Liminmmk.exeC:\Windows\system32\Liminmmk.exe49⤵
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\Lahmbo32.exeC:\Windows\system32\Lahmbo32.exe50⤵
- Executes dropped EXE
PID:1828 -
C:\Windows\SysWOW64\Lipecm32.exeC:\Windows\system32\Lipecm32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2380 -
C:\Windows\SysWOW64\Lnlnlc32.exeC:\Windows\system32\Lnlnlc32.exe52⤵PID:2672
-
C:\Windows\SysWOW64\Mbhjlbbh.exeC:\Windows\system32\Mbhjlbbh.exe53⤵
- Executes dropped EXE
PID:1856 -
C:\Windows\SysWOW64\Meffhnal.exeC:\Windows\system32\Meffhnal.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2792 -
C:\Windows\SysWOW64\Mgebdipp.exeC:\Windows\system32\Mgebdipp.exe55⤵
- Executes dropped EXE
PID:2632 -
C:\Windows\SysWOW64\Mnojacgm.exeC:\Windows\system32\Mnojacgm.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2700 -
C:\Windows\SysWOW64\Mmakmp32.exeC:\Windows\system32\Mmakmp32.exe57⤵
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Mjekfd32.exeC:\Windows\system32\Mjekfd32.exe58⤵
- Executes dropped EXE
PID:2760 -
C:\Windows\SysWOW64\Mmdgbp32.exeC:\Windows\system32\Mmdgbp32.exe59⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Mhilph32.exeC:\Windows\system32\Mhilph32.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2764 -
C:\Windows\SysWOW64\Mikhgqbi.exeC:\Windows\system32\Mikhgqbi.exe61⤵
- Executes dropped EXE
PID:1160 -
C:\Windows\SysWOW64\Mabphn32.exeC:\Windows\system32\Mabphn32.exe62⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Mbcmpfhi.exeC:\Windows\system32\Mbcmpfhi.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1344 -
C:\Windows\SysWOW64\Mimemp32.exeC:\Windows\system32\Mimemp32.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2296 -
C:\Windows\SysWOW64\Mlkail32.exeC:\Windows\system32\Mlkail32.exe65⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Mbeiefff.exeC:\Windows\system32\Mbeiefff.exe66⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Nmkncofl.exeC:\Windows\system32\Nmkncofl.exe67⤵PID:740
-
C:\Windows\SysWOW64\Noljjglk.exeC:\Windows\system32\Noljjglk.exe68⤵
- System Location Discovery: System Language Discovery
PID:1876 -
C:\Windows\SysWOW64\Nfcbldmm.exeC:\Windows\system32\Nfcbldmm.exe69⤵PID:1040
-
C:\Windows\SysWOW64\Nplfdj32.exeC:\Windows\system32\Nplfdj32.exe70⤵PID:2492
-
C:\Windows\SysWOW64\Nbjcqe32.exeC:\Windows\system32\Nbjcqe32.exe71⤵PID:2064
-
C:\Windows\SysWOW64\Nehomq32.exeC:\Windows\system32\Nehomq32.exe72⤵
- Drops file in System32 directory
PID:2584 -
C:\Windows\SysWOW64\Nlbgikia.exeC:\Windows\system32\Nlbgikia.exe73⤵PID:2824
-
C:\Windows\SysWOW64\Naopaa32.exeC:\Windows\system32\Naopaa32.exe74⤵PID:2076
-
C:\Windows\SysWOW64\Nhiholof.exeC:\Windows\system32\Nhiholof.exe75⤵
- Modifies registry class
PID:2212 -
C:\Windows\SysWOW64\Nledoj32.exeC:\Windows\system32\Nledoj32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2144 -
C:\Windows\SysWOW64\Nmfqgbmm.exeC:\Windows\system32\Nmfqgbmm.exe77⤵PID:2912
-
C:\Windows\SysWOW64\Ngneph32.exeC:\Windows\system32\Ngneph32.exe78⤵PID:2972
-
C:\Windows\SysWOW64\Nadimacd.exeC:\Windows\system32\Nadimacd.exe79⤵
- System Location Discovery: System Language Discovery
PID:1952 -
C:\Windows\SysWOW64\Ohnaik32.exeC:\Windows\system32\Ohnaik32.exe80⤵PID:3028
-
C:\Windows\SysWOW64\Oionacqo.exeC:\Windows\system32\Oionacqo.exe81⤵PID:624
-
C:\Windows\SysWOW64\Ocgbji32.exeC:\Windows\system32\Ocgbji32.exe82⤵PID:2520
-
C:\Windows\SysWOW64\Okojkf32.exeC:\Windows\system32\Okojkf32.exe83⤵PID:828
-
C:\Windows\SysWOW64\Olpgconp.exeC:\Windows\system32\Olpgconp.exe84⤵PID:1260
-
C:\Windows\SysWOW64\Odgodl32.exeC:\Windows\system32\Odgodl32.exe85⤵
- System Location Discovery: System Language Discovery
PID:2372 -
C:\Windows\SysWOW64\Ogekpg32.exeC:\Windows\system32\Ogekpg32.exe86⤵PID:272
-
C:\Windows\SysWOW64\Onocmadb.exeC:\Windows\system32\Onocmadb.exe87⤵PID:2880
-
C:\Windows\SysWOW64\Opnpimdf.exeC:\Windows\system32\Opnpimdf.exe88⤵PID:2856
-
C:\Windows\SysWOW64\Oghhfg32.exeC:\Windows\system32\Oghhfg32.exe89⤵PID:2864
-
C:\Windows\SysWOW64\Ohidmoaa.exeC:\Windows\system32\Ohidmoaa.exe90⤵PID:776
-
C:\Windows\SysWOW64\Ooclji32.exeC:\Windows\system32\Ooclji32.exe91⤵
- Modifies registry class
PID:2224 -
C:\Windows\SysWOW64\Oihqgbhd.exeC:\Windows\system32\Oihqgbhd.exe92⤵
- System Location Discovery: System Language Discovery
PID:2800 -
C:\Windows\SysWOW64\Olgmcmgh.exeC:\Windows\system32\Olgmcmgh.exe93⤵PID:2100
-
C:\Windows\SysWOW64\Poeipifl.exeC:\Windows\system32\Poeipifl.exe94⤵PID:2248
-
C:\Windows\SysWOW64\Peoalc32.exeC:\Windows\system32\Peoalc32.exe95⤵PID:348
-
C:\Windows\SysWOW64\Pkljdj32.exeC:\Windows\system32\Pkljdj32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1864 -
C:\Windows\SysWOW64\Pafbadcm.exeC:\Windows\system32\Pafbadcm.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1584 -
C:\Windows\SysWOW64\Phpjnnki.exeC:\Windows\system32\Phpjnnki.exe98⤵
- Modifies registry class
PID:3044 -
C:\Windows\SysWOW64\Pkofjijm.exeC:\Windows\system32\Pkofjijm.exe99⤵PID:2444
-
C:\Windows\SysWOW64\Pnmcfeia.exeC:\Windows\system32\Pnmcfeia.exe100⤵
- Drops file in System32 directory
PID:1972 -
C:\Windows\SysWOW64\Pqkobqhd.exeC:\Windows\system32\Pqkobqhd.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3000 -
C:\Windows\SysWOW64\Pjcckf32.exeC:\Windows\system32\Pjcckf32.exe102⤵PID:2716
-
C:\Windows\SysWOW64\Pakllc32.exeC:\Windows\system32\Pakllc32.exe103⤵PID:2572
-
C:\Windows\SysWOW64\Pdihiook.exeC:\Windows\system32\Pdihiook.exe104⤵PID:2944
-
C:\Windows\SysWOW64\Pkcpei32.exeC:\Windows\system32\Pkcpei32.exe105⤵PID:1656
-
C:\Windows\SysWOW64\Pqphnp32.exeC:\Windows\system32\Pqphnp32.exe106⤵
- Modifies registry class
PID:2948 -
C:\Windows\SysWOW64\Qgjqjjll.exeC:\Windows\system32\Qgjqjjll.exe107⤵
- Modifies registry class
PID:888 -
C:\Windows\SysWOW64\Qmgibqjc.exeC:\Windows\system32\Qmgibqjc.exe108⤵PID:1676
-
C:\Windows\SysWOW64\Qcqaok32.exeC:\Windows\system32\Qcqaok32.exe109⤵
- Modifies registry class
PID:2352 -
C:\Windows\SysWOW64\Qjkjle32.exeC:\Windows\system32\Qjkjle32.exe110⤵
- Drops file in System32 directory
PID:748 -
C:\Windows\SysWOW64\Qqdbiopj.exeC:\Windows\system32\Qqdbiopj.exe111⤵
- System Location Discovery: System Language Discovery
PID:2524 -
C:\Windows\SysWOW64\Abfnpg32.exeC:\Windows\system32\Abfnpg32.exe112⤵PID:2024
-
C:\Windows\SysWOW64\Ajmfad32.exeC:\Windows\system32\Ajmfad32.exe113⤵
- Drops file in System32 directory
PID:2704 -
C:\Windows\SysWOW64\Akncimmh.exeC:\Windows\system32\Akncimmh.exe114⤵PID:2624
-
C:\Windows\SysWOW64\Acekjjmk.exeC:\Windows\system32\Acekjjmk.exe115⤵PID:1896
-
C:\Windows\SysWOW64\Afdgfelo.exeC:\Windows\system32\Afdgfelo.exe116⤵PID:2676
-
C:\Windows\SysWOW64\Amnocpdk.exeC:\Windows\system32\Amnocpdk.exe117⤵PID:2256
-
C:\Windows\SysWOW64\Abkhkgbb.exeC:\Windows\system32\Abkhkgbb.exe118⤵PID:2448
-
C:\Windows\SysWOW64\Aeidgbaf.exeC:\Windows\system32\Aeidgbaf.exe119⤵PID:1484
-
C:\Windows\SysWOW64\Aoohekal.exeC:\Windows\system32\Aoohekal.exe120⤵PID:1092
-
C:\Windows\SysWOW64\Abmdafpp.exeC:\Windows\system32\Abmdafpp.exe121⤵PID:2412
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-