Analysis
max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 23-11-2024 02:53

Static task: static1

Behavioral task: behavioral1
Sample: b992ebadd1be4e83cb0c6cc974f3d63f41a66d7cf335db5131185845f55df1d4.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: b992ebadd1be4e83cb0c6cc974f3d63f41a66d7cf335db5131185845f55df1d4.exe
Resource: win10v2004-20241007-en

General
Target: b992ebadd1be4e83cb0c6cc974f3d63f41a66d7cf335db5131185845f55df1d4.exe
Size: 2.7MB
MD5: bb3322a66227ac00e9b89cd3f90400c7
SHA1: b304c20436e81c695c3f8a558898e69bb6b1b349
SHA256: b992ebadd1be4e83cb0c6cc974f3d63f41a66d7cf335db5131185845f55df1d4
SHA512: ad7071239c7ba3be8b9c4496d1c2e15070e0c63cfb8ad8e68cbf9a1eb8e7f788df8a05d6974105372fbd703d15c3147cd8ca1e2a4bdc442356d5b2d14f786527
SSDEEP: 12288:7joyXpqvQqpCtRwKA5p8Wgx+gWVBmLnWrOxNuxC7:v35hqEfAL8WJm8MoC7
Malware Config
Extracted: berbew
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Processes: Ogbgbn32.exe, Behinlkh.exe, Ifniaeqk.exe, Hggeeo32.exe, Hiclkp32.exe, Ongckp32.exe, Icbipe32.exe, Lpbhmiji.exe, Cilfka32.exe, Pdbmfb32.exe, Bpfebmia.exe, Mjbiac32.exe, Blgfml32.exe, Kindeddf.exe, Hecebm32.exe, Dgkiih32.exe, Afnfcl32.exe, Bkhjcing.exe, Peedka32.exe, Bgllgedi.exe, Ajdcofop.exe, Gqodqodl.exe, Ohdfqbio.exe, Phobjp32.exe, Oohlaj32.exe, Bkjdndjo.exe, Gqlhkofn.exe, Jdogldmo.exe, Dbidof32.exe, Kekkiq32.exe, Fakglf32.exe, Gbeaip32.exe, Fgffck32.exe, Iocdmccp.exe, Ddaemh32.exe, Ggbjag32.exe, Adqbml32.exe, Dbabho32.exe, Codeih32.exe, Pcpbik32.exe, Ciepkajj.exe, Jfjjkhhg.exe, Hibidc32.exe, Opjlkc32.exe, Ipdaek32.exe, Ojomdoof.exe, Ghoijebj.exe, Opfdim32.exe, Lfkhch32.exe, Adlcfjgh.exe, Ebnabb32.exe, Icgdcm32.exe, Hmheol32.exe, Ioefdpne.exe, Pdpcep32.exe, Piliii32.exe, Lpaehl32.exe, Lodoefed.exe, Acemeo32.exe
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ogbgbn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Behinlkh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ifniaeqk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hggeeo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hiclkp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ongckp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Icbipe32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lpbhmiji.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cilfka32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pdbmfb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bpfebmia.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mjbiac32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Blgfml32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kindeddf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hecebm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dgkiih32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Afnfcl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bkhjcing.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Peedka32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bgllgedi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ajdcofop.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gqodqodl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ohdfqbio.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Phobjp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Oohlaj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bkjdndjo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gqlhkofn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jdogldmo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ogbgbn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dbidof32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kekkiq32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fakglf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gbeaip32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fgffck32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iocdmccp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ddaemh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ggbjag32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Adqbml32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dbabho32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Codeih32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pcpbik32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ciepkajj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jfjjkhhg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hibidc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Opjlkc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ipdaek32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ojomdoof.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ghoijebj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Opfdim32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lfkhch32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Adlcfjgh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ebnabb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Icgdcm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hmheol32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pcpbik32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ioefdpne.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bpfebmia.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pdpcep32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Piliii32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lpaehl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lodoefed.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hmheol32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Acemeo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lodoefed.exe
Berbew family
Executes dropped EXE (64 IoCs)
Processes: Hllmcc32.exe, Hbfepmmn.exe, Hipmmg32.exe, Lnpgeopa.exe, Mpmcielb.exe, Npaich32.exe, Pljcllqe.exe, Peedka32.exe, Bjbeofpp.exe, Bjebdfnn.exe, Eppcmncq.exe, Egikjh32.exe, Hnheohcl.exe, Hnjbeh32.exe, Jialfgcc.exe, Koaqcn32.exe, Mcnbhb32.exe, Mjkgjl32.exe, Nidmfh32.exe, Nnafnopi.exe, Opglafab.exe, Ojomdoof.exe, Piicpk32.exe, Pepcelel.exe, Pmpbdm32.exe, Pdjjag32.exe, Pkcbnanl.exe, Accqnc32.exe, Anbkipok.exe, Adlcfjgh.exe, Bgllgedi.exe, Bkjdndjo.exe, Bffbdadk.exe, Cinafkkd.exe, Cbffoabe.exe, Cgcnghpl.exe, Ddaemh32.exe, Dinneo32.exe, Elcpbigl.exe, Eaphjp32.exe, Emifeqid.exe, Fpjofl32.exe, Fcmdnfad.exe, Felajbpg.exe, Gqlhkofn.exe, Gqodqodl.exe, Godaakic.exe, Gfnjne32.exe, Hiclkp32.exe, Hbkqdepm.exe, Iaegpaao.exe, Iahceq32.exe, Ipomlm32.exe, Jlfnangf.exe, Jdflqo32.exe, Jjpdmi32.exe, Kpafapbk.exe, Kenoifpb.exe, Kindeddf.exe, Klmqapci.exe, Lgingm32.exe, Lnecigcp.exe, Ljnqdhga.exe, Mcfemmna.exe
pid | Process
2276 | Hllmcc32.exe
2288 | Hbfepmmn.exe
3016 | Hipmmg32.exe
2464 | Lnpgeopa.exe
1236 | Mpmcielb.exe
2788 | Npaich32.exe
2808 | Pljcllqe.exe
2660 | Peedka32.exe
2540 | Bjbeofpp.exe
1648 | Bjebdfnn.exe
1224 | Eppcmncq.exe
1076 | Egikjh32.exe
1676 | Hnheohcl.exe
2016 | Hnjbeh32.exe
2764 | Jialfgcc.exe
816 | Koaqcn32.exe
2760 | Mcnbhb32.exe
2132 | Mjkgjl32.exe
936 | Nidmfh32.exe
856 | Nnafnopi.exe
2928 | Opglafab.exe
2196 | Ojomdoof.exe
1792 | Piicpk32.exe
2108 | Pepcelel.exe
2480 | Pmpbdm32.exe
1184 | Pdjjag32.exe
2312 | Pkcbnanl.exe
1828 | Accqnc32.exe
2412 | Anbkipok.exe
2680 | Adlcfjgh.exe
2688 | Bgllgedi.exe
2704 | Bkjdndjo.exe
2804 | Bffbdadk.exe
2732 | Cinafkkd.exe
2724 | Cbffoabe.exe
2424 | Cgcnghpl.exe
2492 | Ddaemh32.exe
1252 | Dinneo32.exe
1308 | Elcpbigl.exe
308 | Eaphjp32.exe
2012 | Emifeqid.exe
2868 | Fpjofl32.exe
612 | Fcmdnfad.exe
2768 | Felajbpg.exe
960 | Gqlhkofn.exe
1516 | Gqodqodl.exe
2372 | Godaakic.exe
2148 | Gfnjne32.exe
1868 | Hiclkp32.exe
2284 | Hbkqdepm.exe
2472 | Iaegpaao.exe
1816 | Iahceq32.exe
2200 | Ipomlm32.exe
2340 | Jlfnangf.exe
2656 | Jdflqo32.exe
2908 | Jjpdmi32.exe
2616 | Kpafapbk.exe
304 | Kenoifpb.exe
1952 | Kindeddf.exe
1944 | Klmqapci.exe
2556 | Lgingm32.exe
2740 | Lnecigcp.exe
2536 | Ljnqdhga.exe
2348 | Mcfemmna.exe
Loads dropped DLL (64 IoCs)
Processes: b992ebadd1be4e83cb0c6cc974f3d63f41a66d7cf335db5131185845f55df1d4.exe, Hllmcc32.exe, Hbfepmmn.exe, Hipmmg32.exe, Lnpgeopa.exe, Mpmcielb.exe, Npaich32.exe, Pljcllqe.exe, Peedka32.exe, Bjbeofpp.exe, Bjebdfnn.exe, Eppcmncq.exe, Egikjh32.exe, Hnheohcl.exe, Hnjbeh32.exe, Jialfgcc.exe, Koaqcn32.exe, Mcnbhb32.exe, Mjkgjl32.exe, Nidmfh32.exe, Nnafnopi.exe, Opglafab.exe, Ojomdoof.exe, Piicpk32.exe, Pepcelel.exe, Pmpbdm32.exe, Pdjjag32.exe, Pkcbnanl.exe, Accqnc32.exe, Anbkipok.exe, Adlcfjgh.exe, Bgllgedi.exe
pid | Process
2136 | b992ebadd1be4e83cb0c6cc974f3d63f41a66d7cf335db5131185845f55df1d4.exe
2136 | b992ebadd1be4e83cb0c6cc974f3d63f41a66d7cf335db5131185845f55df1d4.exe
2276 | Hllmcc32.exe
2276 | Hllmcc32.exe
2288 | Hbfepmmn.exe
2288 | Hbfepmmn.exe
3016 | Hipmmg32.exe
3016 | Hipmmg32.exe
2464 | Lnpgeopa.exe
2464 | Lnpgeopa.exe
1236 | Mpmcielb.exe
1236 | Mpmcielb.exe
2788 | Npaich32.exe
2788 | Npaich32.exe
2808 | Pljcllqe.exe
2808 | Pljcllqe.exe
2660 | Peedka32.exe
2660 | Peedka32.exe
2540 | Bjbeofpp.exe
2540 | Bjbeofpp.exe
1648 | Bjebdfnn.exe
1648 | Bjebdfnn.exe
1224 | Eppcmncq.exe
1224 | Eppcmncq.exe
1076 | Egikjh32.exe
1076 | Egikjh32.exe
1676 | Hnheohcl.exe
1676 | Hnheohcl.exe
2016 | Hnjbeh32.exe
2016 | Hnjbeh32.exe
2764 | Jialfgcc.exe
2764 | Jialfgcc.exe
816 | Koaqcn32.exe
816 | Koaqcn32.exe
2760 | Mcnbhb32.exe
2760 | Mcnbhb32.exe
2132 | Mjkgjl32.exe
2132 | Mjkgjl32.exe
936 | Nidmfh32.exe
936 | Nidmfh32.exe
856 | Nnafnopi.exe
856 | Nnafnopi.exe
2928 | Opglafab.exe
2928 | Opglafab.exe
2196 | Ojomdoof.exe
2196 | Ojomdoof.exe
1792 | Piicpk32.exe
1792 | Piicpk32.exe
2108 | Pepcelel.exe
2108 | Pepcelel.exe
2480 | Pmpbdm32.exe
2480 | Pmpbdm32.exe
1184 | Pdjjag32.exe
1184 | Pdjjag32.exe
2312 | Pkcbnanl.exe
2312 | Pkcbnanl.exe
1828 | Accqnc32.exe
1828 | Accqnc32.exe
2412 | Anbkipok.exe
2412 | Anbkipok.exe
2680 | Adlcfjgh.exe
2680 | Adlcfjgh.exe
2688 | Bgllgedi.exe
2688 | Bgllgedi.exe
Drops file in System32 directory (64 IoCs)
Processes: Jipaip32.exe, Bplijcle.exe, Ngpcohbm.exe, Iecohl32.exe, Kkdnke32.exe, Cfghagio.exe, Nndhpqma.exe, Bgllgedi.exe, Fpjofl32.exe, Kaggbihl.exe, Jdogldmo.exe, Dijgnm32.exe, Ieelnkpd.exe, Ddaemh32.exe, Phobjp32.exe, Pcpbik32.exe, Honiikpa.exe, Oojfnakl.exe, Fclbgj32.exe, Aokdga32.exe, Mgmdapml.exe, Bhonjg32.exe, Igceej32.exe, Ncgcdi32.exe, Gngfjicn.exe, Ilceog32.exe, Nbgakd32.exe, Ehgmiq32.exe, Adlcfjgh.exe, Annpaq32.exe, Mhbflj32.exe, Kjmoeo32.exe, Pnfpjc32.exe, Fmodaadg.exe, Hhopgkin.exe, Ddkbqfcp.exe, Ilnqhddd.exe, Ejpipf32.exe, Fcichb32.exe, Hbkqdepm.exe, Fkhbgbkc.exe, Hkmaed32.exe, Obnbpb32.exe, Ijelgemi.exe, Didgig32.exe, Aokfpjai.exe, Cinafkkd.exe, Jpjifjdg.exe, Kocpbfei.exe, Emggflfc.exe, Ioheci32.exe, Bocckoom.exe, Ipomlm32.exe, Jkcmjpma.exe, Fijnabef.exe, Bebfpm32.exe, Ggdfff32.exe, Plaoim32.exe, Jialfgcc.exe, Nqmnjd32.exe, Afqhjj32.exe, Hibidc32.exe, Hggeeo32.exe
description | ioc | Process
File created | C:\Windows\SysWOW64\Jpjifjdg.exe | Jipaip32.exe
File created | C:\Windows\SysWOW64\Ogomoj32.dll | Bplijcle.exe
File created | C:\Windows\SysWOW64\Ncgcdi32.exe | Ngpcohbm.exe
File opened for modification | C:\Windows\SysWOW64\Ieelnkpd.exe | Iecohl32.exe
File created | C:\Windows\SysWOW64\Kanfgofa.exe | Kkdnke32.exe
File opened for modification | C:\Windows\SysWOW64\Copljmpo.exe | Cfghagio.exe
File created | C:\Windows\SysWOW64\Nmjkbjpm.dll | Nndhpqma.exe
File created | C:\Windows\SysWOW64\Bkjdndjo.exe | Bgllgedi.exe
File created | C:\Windows\SysWOW64\Fcmdnfad.exe | Fpjofl32.exe
File created | C:\Windows\SysWOW64\Lfdpjp32.exe | Kaggbihl.exe
File opened for modification | C:\Windows\SysWOW64\Jqhdfe32.exe | Jdogldmo.exe
File created | C:\Windows\SysWOW64\Eonfgbhc.exe | Dijgnm32.exe
File created | C:\Windows\SysWOW64\Jbpfpd32.exe | Ieelnkpd.exe
File created | C:\Windows\SysWOW64\Dinneo32.exe | Ddaemh32.exe
File opened for modification | C:\Windows\SysWOW64\Pllkpn32.exe | Phobjp32.exe
File created | C:\Windows\SysWOW64\Pbjifgcd.exe | Pcpbik32.exe
File created | C:\Windows\SysWOW64\Akfbdoha.dll | Honiikpa.exe
File created | C:\Windows\SysWOW64\Onocon32.exe | Oojfnakl.exe
File created | C:\Windows\SysWOW64\Fqpbpo32.exe | Fclbgj32.exe
File created | C:\Windows\SysWOW64\Bemfjgdg.exe | Aokdga32.exe
File created | C:\Windows\SysWOW64\Blfmgmin.dll | Cfghagio.exe
File opened for modification | C:\Windows\SysWOW64\Modlbmmn.exe | Mgmdapml.exe
File created | C:\Windows\SysWOW64\Bkbdabog.exe | Bhonjg32.exe
File created | C:\Windows\SysWOW64\Ekhnnojb.dll | Igceej32.exe
File created | C:\Windows\SysWOW64\Adjgmhgl.dll | Ncgcdi32.exe
File opened for modification | C:\Windows\SysWOW64\Gamifcmi.exe | Gngfjicn.exe
File created | C:\Windows\SysWOW64\Knngob32.dll | Ilceog32.exe
File created | C:\Windows\SysWOW64\Canbdfch.dll | Nbgakd32.exe
File opened for modification | C:\Windows\SysWOW64\Egljjmkp.exe | Ehgmiq32.exe
File created | C:\Windows\SysWOW64\Bgllgedi.exe | Adlcfjgh.exe
File created | C:\Windows\SysWOW64\Apllml32.exe | Annpaq32.exe
File opened for modification | C:\Windows\SysWOW64\Nndhpqma.exe | Mhbflj32.exe
File opened for modification | C:\Windows\SysWOW64\Kaggbihl.exe | Kjmoeo32.exe
File created | C:\Windows\SysWOW64\Peqhgmdd.exe | Pnfpjc32.exe
File created | C:\Windows\SysWOW64\Mgmhmkfc.dll | Fmodaadg.exe
File created | C:\Windows\SysWOW64\Hibidc32.exe | Hhopgkin.exe
File created | C:\Windows\SysWOW64\Pficpanm.dll | Ddkbqfcp.exe
File created | C:\Windows\SysWOW64\Pgihlk32.dll | Ilnqhddd.exe
File created | C:\Windows\SysWOW64\Apeoom32.dll | Ejpipf32.exe
File created | C:\Windows\SysWOW64\Najnhfnn.dll | Fcichb32.exe
File opened for modification | C:\Windows\SysWOW64\Iaegpaao.exe | Hbkqdepm.exe
File opened for modification | C:\Windows\SysWOW64\Gmhkin32.exe | Fkhbgbkc.exe
File created | C:\Windows\SysWOW64\Hecebm32.exe | Hkmaed32.exe
File created | C:\Windows\SysWOW64\Egikbd32.dll | Obnbpb32.exe
File opened for modification | C:\Windows\SysWOW64\Imchcplm.exe | Ijelgemi.exe
File created | C:\Windows\SysWOW64\Dkfcqo32.exe | Didgig32.exe
File opened for modification | C:\Windows\SysWOW64\Bgkeol32.exe | Aokfpjai.exe
File opened for modification | C:\Windows\SysWOW64\Cbffoabe.exe | Cinafkkd.exe
File created | C:\Windows\SysWOW64\Agioom32.dll | Jpjifjdg.exe
File created | C:\Windows\SysWOW64\Kmfpmc32.exe | Kocpbfei.exe
File created | C:\Windows\SysWOW64\Elnoff32.dll | Emggflfc.exe
File opened for modification | C:\Windows\SysWOW64\Iagaod32.exe | Ioheci32.exe
File opened for modification | C:\Windows\SysWOW64\Baiingae.exe | Bocckoom.exe
File created | C:\Windows\SysWOW64\Fmihbe32.dll | Ipomlm32.exe
File opened for modification | C:\Windows\SysWOW64\Jinfli32.exe | Jkcmjpma.exe
File created | C:\Windows\SysWOW64\Gngfjicn.exe | Fijnabef.exe
File created | C:\Windows\SysWOW64\Bhpclica.exe | Bebfpm32.exe
File created | C:\Windows\SysWOW64\Gmaoomld.exe | Ggdfff32.exe
File created | C:\Windows\SysWOW64\Ichlpm32.dll | Plaoim32.exe
File created | C:\Windows\SysWOW64\Doempm32.dll | Jialfgcc.exe
File opened for modification | C:\Windows\SysWOW64\Obgnhkkh.exe | Nqmnjd32.exe
File opened for modification | C:\Windows\SysWOW64\Aaflgb32.exe | Afqhjj32.exe
File opened for modification | C:\Windows\SysWOW64\Heijidbn.exe | Hibidc32.exe
File created | C:\Windows\SysWOW64\Omnmmc32.dll | Hggeeo32.exe
Program crash (1 IoC)
Processes: WerFault.exe
pid | pid_target | Process | procid_target
2516 | 1680 | WerFault.exe | 577
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: Ddaemh32.exe, Mcfemmna.exe, Nfmahkhh.exe, Iimenapo.exe, Lfedlb32.exe, Jblbpnhk.exe, Empomd32.exe, Mflgih32.exe, Bpbmqe32.exe, Ciagojda.exe, Fcingdbh.exe, Jialfgcc.exe, Afqhjj32.exe, Ddkbqfcp.exe, Dmopge32.exe, Eonfgbhc.exe, Hbkqdepm.exe, Odmckcmq.exe, Oqkpmaif.exe, Odnobj32.exe, Hlmphp32.exe, Jopbnn32.exe, Kckjmpko.exe, Eppcmncq.exe, Hcepqh32.exe, Dilchhgg.exe, Ehjbaooe.exe, Hnheohcl.exe, Ajhddk32.exe, Kocpbfei.exe, Flabdecn.exe, Cpohhk32.exe, Ihilqi32.exe, Ehgmiq32.exe, Mjkgjl32.exe, Dinneo32.exe, Jjpdmi32.exe, Gamifcmi.exe, Akjfhdka.exe, Obamebfc.exe, Oikapk32.exe, Gqlhkofn.exe, Jnagmc32.exe, Gpogiglp.exe, Ioheci32.exe, Aegkfpah.exe, Annpaq32.exe, Hhopgkin.exe, Bmhkojab.exe, Cbffoabe.exe, Ioefdpne.exe, Fijnabef.exe, Plffkc32.exe, Aokfpjai.exe, Nbaafocg.exe, Dbabho32.exe, Qpamoa32.exe, Bdaojbjf.exe, Qoqhncgp.exe, Mfkebkjk.exe, Ficehj32.exe, Gbkdgn32.exe, Jepoao32.exe, Mjbiac32.exe
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ddaemh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mcfemmna.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nfmahkhh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iimenapo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lfedlb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jblbpnhk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Empomd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mflgih32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bpbmqe32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ciagojda.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fcingdbh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jialfgcc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Afqhjj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ddkbqfcp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dmopge32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eonfgbhc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hbkqdepm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Odmckcmq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oqkpmaif.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Odnobj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hlmphp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jopbnn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kckjmpko.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eppcmncq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hcepqh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dilchhgg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ehjbaooe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hnheohcl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ajhddk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kocpbfei.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Flabdecn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cpohhk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ihilqi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ehgmiq32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mjkgjl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dinneo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jjpdmi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gamifcmi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Akjfhdka.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Obamebfc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oikapk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gqlhkofn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jnagmc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gpogiglp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ioheci32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aegkfpah.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Annpaq32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hhopgkin.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bmhkojab.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cbffoabe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ioefdpne.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fijnabef.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Plffkc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aokfpjai.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nbaafocg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dbabho32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qpamoa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bdaojbjf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qoqhncgp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mfkebkjk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ficehj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gbkdgn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jepoao32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mjbiac32.exe
Modifies registry class (64 IoCs)
Processes: Higiih32.exe, Ieelnkpd.exe, Lnlmmo32.exe, Pmehdh32.exe, Aognbnkm.exe, Eclfhgaf.exe, Fakglf32.exe, Glpgibbn.exe, Difplf32.exe, Lkoidcaj.exe, Mpmcielb.exe, Cbffoabe.exe, Bmhkojab.exe, Gmobin32.exe, Hbengc32.exe, Epmahmcm.exe, Nnafnopi.exe, Hecebm32.exe, Manljd32.exe, Ficilgai.exe, Ncgcdi32.exe, Amglgn32.exe, Pqgbah32.exe, Hbgjmcba.exe, Cinahhff.exe, Njaoeq32.exe, Kindeddf.exe, Mbginomj.exe, Mbopon32.exe, Hpicbe32.exe, Nkaane32.exe, Ddkbqfcp.exe, Plfhdlfb.exe, Pepcelel.exe, Elcpbigl.exe, Efffpjmk.exe, Gbffjmmp.exe, Ijelgemi.exe, Hjplao32.exe, Nbgakd32.exe, Qamleagn.exe, Gmhkin32.exe, Baneak32.exe, Ibejfffo.exe, Plaoim32.exe, Nndhpqma.exe, Mejmmqpd.exe, Dpjfjalp.exe, Fkdlaplh.exe, Mqjehngm.exe, Emifeqid.exe, Fpjofl32.exe, Nbpqmfmd.exe, Aagfffbo.exe, Klbfbg32.exe, Pebbeq32.exe, Mganfp32.exe, Ljnqdhga.exe, Lepclldc.exe, Ohjkcile.exe
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kegenopb.dll" | Higiih32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ieelnkpd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndagjbio.dll" | Lnlmmo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlfik32.dll" | Pmehdh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Aognbnkm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Eclfhgaf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fakglf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljppckof.dll" | Glpgibbn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmpgcd32.dll" | Difplf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lkoidcaj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mpmcielb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cbffoabe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecdbje32.dll" | Aognbnkm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bmhkojab.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gmobin32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbdplmai.dll" | Hbengc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Epmahmcm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nnafnopi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faeihnam.dll" | Hecebm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Manljd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ficilgai.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ncgcdi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Amglgn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kopnjkfp.dll" | Pqgbah32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hbengc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hbgjmcba.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cinahhff.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Njaoeq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kindeddf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mbginomj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mbopon32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hpicbe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nkaane32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ddkbqfcp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgbbec32.dll" | Plfhdlfb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pepcelel.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Elcpbigl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Efffpjmk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gbffjmmp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilnqhd32.dll" | Ijelgemi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hjplao32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nbgakd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnpicg32.dll" | Qamleagn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pmehdh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gmhkin32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nckpfbjj.dll" | Baneak32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ibejfffo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ichlpm32.dll" | Plaoim32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nndhpqma.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlijkoid.dll" | Mejmmqpd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjaaedaj.dll" | Mbginomj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dpjfjalp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fkdlaplh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enfbchek.dll" | Mqjehngm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfpeln32.dll" | Emifeqid.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fpjofl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbnach32.dll" | Nbpqmfmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbginggd.dll" | Aagfffbo.exe
Set value (str)
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Klbfbg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pebbeq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mganfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljnqdhga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lepclldc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igjeji32.dll" Ohjkcile.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
b992ebadd1be4e83cb0c6cc974f3d63f41a66d7cf335db5131185845f55df1d4.exe, Hllmcc32.exe, Hbfepmmn.exe, Hipmmg32.exe, Lnpgeopa.exe, Mpmcielb.exe, Npaich32.exe, Pljcllqe.exe, Peedka32.exe, Bjbeofpp.exe, Bjebdfnn.exe, Eppcmncq.exe, Egikjh32.exe, Hnheohcl.exe, Hnjbeh32.exe, Jialfgcc.exe
description | pid | Process | procid_target
PID 2136 wrote to memory of 2276 | 2136 | b992ebadd1be4e83cb0c6cc974f3d63f41a66d7cf335db5131185845f55df1d4.exe | 28
PID 2136 wrote to memory of 2276 | 2136 | b992ebadd1be4e83cb0c6cc974f3d63f41a66d7cf335db5131185845f55df1d4.exe | 28
PID 2136 wrote to memory of 2276 | 2136 | b992ebadd1be4e83cb0c6cc974f3d63f41a66d7cf335db5131185845f55df1d4.exe | 28
PID 2136 wrote to memory of 2276 | 2136 | b992ebadd1be4e83cb0c6cc974f3d63f41a66d7cf335db5131185845f55df1d4.exe | 28
PID 2276 wrote to memory of 2288 | 2276 | Hllmcc32.exe | 29
PID 2276 wrote to memory of 2288 | 2276 | Hllmcc32.exe | 29
PID 2276 wrote to memory of 2288 | 2276 | Hllmcc32.exe | 29
PID 2276 wrote to memory of 2288 | 2276 | Hllmcc32.exe | 29
PID 2288 wrote to memory of 3016 | 2288 | Hbfepmmn.exe | 30
PID 2288 wrote to memory of 3016 | 2288 | Hbfepmmn.exe | 30
PID 2288 wrote to memory of 3016 | 2288 | Hbfepmmn.exe | 30
PID 2288 wrote to memory of 3016 | 2288 | Hbfepmmn.exe | 30
PID 3016 wrote to memory of 2464 | 3016 | Hipmmg32.exe | 31
PID 3016 wrote to memory of 2464 | 3016 | Hipmmg32.exe | 31
PID 3016 wrote to memory of 2464 | 3016 | Hipmmg32.exe | 31
PID 3016 wrote to memory of 2464 | 3016 | Hipmmg32.exe | 31
PID 2464 wrote to memory of 1236 | 2464 | Lnpgeopa.exe | 32
PID 2464 wrote to memory of 1236 | 2464 | Lnpgeopa.exe | 32
PID 2464 wrote to memory of 1236 | 2464 | Lnpgeopa.exe | 32
PID 2464 wrote to memory of 1236 | 2464 | Lnpgeopa.exe | 32
PID 1236 wrote to memory of 2788 | 1236 | Mpmcielb.exe | 33
PID 1236 wrote to memory of 2788 | 1236 | Mpmcielb.exe | 33
PID 1236 wrote to memory of 2788 | 1236 | Mpmcielb.exe | 33
PID 1236 wrote to memory of 2788 | 1236 | Mpmcielb.exe | 33
PID 2788 wrote to memory of 2808 | 2788 | Npaich32.exe | 34
PID 2788 wrote to memory of 2808 | 2788 | Npaich32.exe | 34
PID 2788 wrote to memory of 2808 | 2788 | Npaich32.exe | 34
PID 2788 wrote to memory of 2808 | 2788 | Npaich32.exe | 34
PID 2808 wrote to memory of 2660 | 2808 | Pljcllqe.exe | 35
PID 2808 wrote to memory of 2660 | 2808 | Pljcllqe.exe | 35
PID 2808 wrote to memory of 2660 | 2808 | Pljcllqe.exe | 35
PID 2808 wrote to memory of 2660 | 2808 | Pljcllqe.exe | 35
PID 2660 wrote to memory of 2540 | 2660 | Peedka32.exe | 36
PID 2660 wrote to memory of 2540 | 2660 | Peedka32.exe | 36
PID 2660 wrote to memory of 2540 | 2660 | Peedka32.exe | 36
PID 2660 wrote to memory of 2540 | 2660 | Peedka32.exe | 36
PID 2540 wrote to memory of 1648 | 2540 | Bjbeofpp.exe | 37
PID 2540 wrote to memory of 1648 | 2540 | Bjbeofpp.exe | 37
PID 2540 wrote to memory of 1648 | 2540 | Bjbeofpp.exe | 37
PID 2540 wrote to memory of 1648 | 2540 | Bjbeofpp.exe | 37
PID 1648 wrote to memory of 1224 | 1648 | Bjebdfnn.exe | 38
PID 1648 wrote to memory of 1224 | 1648 | Bjebdfnn.exe | 38
PID 1648 wrote to memory of 1224 | 1648 | Bjebdfnn.exe | 38
PID 1648 wrote to memory of 1224 | 1648 | Bjebdfnn.exe | 38
PID 1224 wrote to memory of 1076 | 1224 | Eppcmncq.exe | 39
PID 1224 wrote to memory of 1076 | 1224 | Eppcmncq.exe | 39
PID 1224 wrote to memory of 1076 | 1224 | Eppcmncq.exe | 39
PID 1224 wrote to memory of 1076 | 1224 | Eppcmncq.exe | 39
PID 1076 wrote to memory of 1676 | 1076 | Egikjh32.exe | 40
PID 1076 wrote to memory of 1676 | 1076 | Egikjh32.exe | 40
PID 1076 wrote to memory of 1676 | 1076 | Egikjh32.exe | 40
PID 1076 wrote to memory of 1676 | 1076 | Egikjh32.exe | 40
PID 1676 wrote to memory of 2016 | 1676 | Hnheohcl.exe | 41
PID 1676 wrote to memory of 2016 | 1676 | Hnheohcl.exe | 41
PID 1676 wrote to memory of 2016 | 1676 | Hnheohcl.exe | 41
PID 1676 wrote to memory of 2016 | 1676 | Hnheohcl.exe | 41
PID 2016 wrote to memory of 2764 | 2016 | Hnjbeh32.exe | 42
PID 2016 wrote to memory of 2764 | 2016 | Hnjbeh32.exe | 42
PID 2016 wrote to memory of 2764 | 2016 | Hnjbeh32.exe | 42
PID 2016 wrote to memory of 2764 | 2016 | Hnjbeh32.exe | 42
PID 2764 wrote to memory of 816 | 2764 | Jialfgcc.exe | 43
PID 2764 wrote to memory of 816 | 2764 | Jialfgcc.exe | 43
PID 2764 wrote to memory of 816 | 2764 | Jialfgcc.exe | 43
PID 2764 wrote to memory of 816 | 2764 | Jialfgcc.exe | 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\b992ebadd1be4e83cb0c6cc974f3d63f41a66d7cf335db5131185845f55df1d4.exe"C:\Users\Admin\AppData\Local\Temp\b992ebadd1be4e83cb0c6cc974f3d63f41a66d7cf335db5131185845f55df1d4.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\SysWOW64\Hllmcc32.exeC:\Windows\system32\Hllmcc32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\SysWOW64\Hbfepmmn.exeC:\Windows\system32\Hbfepmmn.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\Hipmmg32.exeC:\Windows\system32\Hipmmg32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\SysWOW64\Lnpgeopa.exeC:\Windows\system32\Lnpgeopa.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2464 -
C:\Windows\SysWOW64\Mpmcielb.exeC:\Windows\system32\Mpmcielb.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1236 -
C:\Windows\SysWOW64\Npaich32.exeC:\Windows\system32\Npaich32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\Pljcllqe.exeC:\Windows\system32\Pljcllqe.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Peedka32.exeC:\Windows\system32\Peedka32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Bjbeofpp.exeC:\Windows\system32\Bjbeofpp.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\SysWOW64\Bjebdfnn.exeC:\Windows\system32\Bjebdfnn.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1648 -
C:\Windows\SysWOW64\Eppcmncq.exeC:\Windows\system32\Eppcmncq.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1224 -
C:\Windows\SysWOW64\Egikjh32.exeC:\Windows\system32\Egikjh32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1076 -
C:\Windows\SysWOW64\Hnheohcl.exeC:\Windows\system32\Hnheohcl.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Windows\SysWOW64\Hnjbeh32.exeC:\Windows\system32\Hnjbeh32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\SysWOW64\Jialfgcc.exeC:\Windows\system32\Jialfgcc.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Koaqcn32.exeC:\Windows\system32\Koaqcn32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:816 -
C:\Windows\SysWOW64\Mcnbhb32.exeC:\Windows\system32\Mcnbhb32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2760 -
C:\Windows\SysWOW64\Mjkgjl32.exeC:\Windows\system32\Mjkgjl32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2132 -
C:\Windows\SysWOW64\Nidmfh32.exeC:\Windows\system32\Nidmfh32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:936 -
C:\Windows\SysWOW64\Nnafnopi.exeC:\Windows\system32\Nnafnopi.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:856 -
C:\Windows\SysWOW64\Opglafab.exeC:\Windows\system32\Opglafab.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2928 -
C:\Windows\SysWOW64\Ojomdoof.exeC:\Windows\system32\Ojomdoof.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2196 -
C:\Windows\SysWOW64\Piicpk32.exeC:\Windows\system32\Piicpk32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1792 -
C:\Windows\SysWOW64\Pepcelel.exeC:\Windows\system32\Pepcelel.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2108 -
C:\Windows\SysWOW64\Pmpbdm32.exeC:\Windows\system32\Pmpbdm32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2480 -
C:\Windows\SysWOW64\Pdjjag32.exeC:\Windows\system32\Pdjjag32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1184 -
C:\Windows\SysWOW64\Pkcbnanl.exeC:\Windows\system32\Pkcbnanl.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2312 -
C:\Windows\SysWOW64\Accqnc32.exeC:\Windows\system32\Accqnc32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1828 -
C:\Windows\SysWOW64\Anbkipok.exeC:\Windows\system32\Anbkipok.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2412 -
C:\Windows\SysWOW64\Adlcfjgh.exeC:\Windows\system32\Adlcfjgh.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2680 -
C:\Windows\SysWOW64\Bgllgedi.exeC:\Windows\system32\Bgllgedi.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2688 -
C:\Windows\SysWOW64\Bkjdndjo.exeC:\Windows\system32\Bkjdndjo.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Bffbdadk.exeC:\Windows\system32\Bffbdadk.exe34⤵
- Executes dropped EXE
PID:2804 -
C:\Windows\SysWOW64\Cinafkkd.exeC:\Windows\system32\Cinafkkd.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2732 -
C:\Windows\SysWOW64\Cbffoabe.exeC:\Windows\system32\Cbffoabe.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2724 -
C:\Windows\SysWOW64\Cgcnghpl.exeC:\Windows\system32\Cgcnghpl.exe37⤵
- Executes dropped EXE
PID:2424 -
C:\Windows\SysWOW64\Ddaemh32.exeC:\Windows\system32\Ddaemh32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2492 -
C:\Windows\SysWOW64\Dinneo32.exeC:\Windows\system32\Dinneo32.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1252 -
C:\Windows\SysWOW64\Elcpbigl.exeC:\Windows\system32\Elcpbigl.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:1308 -
C:\Windows\SysWOW64\Eaphjp32.exeC:\Windows\system32\Eaphjp32.exe41⤵
- Executes dropped EXE
PID:308 -
C:\Windows\SysWOW64\Emifeqid.exeC:\Windows\system32\Emifeqid.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:2012 -
C:\Windows\SysWOW64\Fpjofl32.exeC:\Windows\system32\Fpjofl32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2868 -
C:\Windows\SysWOW64\Fcmdnfad.exeC:\Windows\system32\Fcmdnfad.exe44⤵
- Executes dropped EXE
PID:612 -
C:\Windows\SysWOW64\Felajbpg.exeC:\Windows\system32\Felajbpg.exe45⤵
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Gqlhkofn.exeC:\Windows\system32\Gqlhkofn.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:960 -
C:\Windows\SysWOW64\Gqodqodl.exeC:\Windows\system32\Gqodqodl.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1516 -
C:\Windows\SysWOW64\Godaakic.exeC:\Windows\system32\Godaakic.exe48⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Gfnjne32.exeC:\Windows\system32\Gfnjne32.exe49⤵
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Hiclkp32.exeC:\Windows\system32\Hiclkp32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\Hbkqdepm.exeC:\Windows\system32\Hbkqdepm.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2284 -
C:\Windows\SysWOW64\Iaegpaao.exeC:\Windows\system32\Iaegpaao.exe52⤵
- Executes dropped EXE
PID:2472 -
C:\Windows\SysWOW64\Iahceq32.exeC:\Windows\system32\Iahceq32.exe53⤵
- Executes dropped EXE
PID:1816 -
C:\Windows\SysWOW64\Ipomlm32.exeC:\Windows\system32\Ipomlm32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2200 -
C:\Windows\SysWOW64\Jlfnangf.exeC:\Windows\system32\Jlfnangf.exe55⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Jdflqo32.exeC:\Windows\system32\Jdflqo32.exe56⤵
- Executes dropped EXE
PID:2656 -
C:\Windows\SysWOW64\Jjpdmi32.exeC:\Windows\system32\Jjpdmi32.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2908 -
C:\Windows\SysWOW64\Kpafapbk.exeC:\Windows\system32\Kpafapbk.exe58⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Kenoifpb.exeC:\Windows\system32\Kenoifpb.exe59⤵
- Executes dropped EXE
PID:304 -
C:\Windows\SysWOW64\Kindeddf.exeC:\Windows\system32\Kindeddf.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1952 -
C:\Windows\SysWOW64\Klmqapci.exeC:\Windows\system32\Klmqapci.exe61⤵
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\Lgingm32.exeC:\Windows\system32\Lgingm32.exe62⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Lnecigcp.exeC:\Windows\system32\Lnecigcp.exe63⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Ljnqdhga.exeC:\Windows\system32\Ljnqdhga.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:2536 -
C:\Windows\SysWOW64\Mcfemmna.exeC:\Windows\system32\Mcfemmna.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2348 -
C:\Windows\SysWOW64\Mflgih32.exeC:\Windows\system32\Mflgih32.exe66⤵
- System Location Discovery: System Language Discovery
PID:1756 -
C:\Windows\SysWOW64\Mgmdapml.exeC:\Windows\system32\Mgmdapml.exe67⤵
- Drops file in System32 directory
PID:2776 -
C:\Windows\SysWOW64\Modlbmmn.exeC:\Windows\system32\Modlbmmn.exe68⤵PID:320
-
C:\Windows\SysWOW64\Ndfnecgp.exeC:\Windows\system32\Ndfnecgp.exe69⤵PID:2216
-
C:\Windows\SysWOW64\Ngdjaofc.exeC:\Windows\system32\Ngdjaofc.exe70⤵PID:2292
-
C:\Windows\SysWOW64\Nqmnjd32.exeC:\Windows\system32\Nqmnjd32.exe71⤵
- Drops file in System32 directory
PID:2912 -
C:\Windows\SysWOW64\Obgnhkkh.exeC:\Windows\system32\Obgnhkkh.exe72⤵PID:3020
-
C:\Windows\SysWOW64\Ohdfqbio.exeC:\Windows\system32\Ohdfqbio.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2644 -
C:\Windows\SysWOW64\Odmckcmq.exeC:\Windows\system32\Odmckcmq.exe74⤵
- System Location Discovery: System Language Discovery
PID:2364 -
C:\Windows\SysWOW64\Pmehdh32.exeC:\Windows\system32\Pmehdh32.exe75⤵
- Modifies registry class
PID:2968 -
C:\Windows\SysWOW64\Pdppqbkn.exeC:\Windows\system32\Pdppqbkn.exe76⤵PID:2524
-
C:\Windows\SysWOW64\Piliii32.exeC:\Windows\system32\Piliii32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:852 -
C:\Windows\SysWOW64\Pdbmfb32.exeC:\Windows\system32\Pdbmfb32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1296 -
C:\Windows\SysWOW64\Qmhahkdj.exeC:\Windows\system32\Qmhahkdj.exe79⤵PID:2044
-
C:\Windows\SysWOW64\Aognbnkm.exeC:\Windows\system32\Aognbnkm.exe80⤵
- Modifies registry class
PID:2672 -
C:\Windows\SysWOW64\Aknngo32.exeC:\Windows\system32\Aknngo32.exe81⤵PID:2036
-
C:\Windows\SysWOW64\Aclpaali.exeC:\Windows\system32\Aclpaali.exe82⤵PID:2088
-
C:\Windows\SysWOW64\Ajhddk32.exeC:\Windows\system32\Ajhddk32.exe83⤵
- System Location Discovery: System Language Discovery
PID:2160 -
C:\Windows\SysWOW64\Bpbmqe32.exeC:\Windows\system32\Bpbmqe32.exe84⤵
- System Location Discovery: System Language Discovery
PID:916 -
C:\Windows\SysWOW64\Bhonjg32.exeC:\Windows\system32\Bhonjg32.exe85⤵
- Drops file in System32 directory
PID:1672 -
C:\Windows\SysWOW64\Bkbdabog.exeC:\Windows\system32\Bkbdabog.exe86⤵PID:892
-
C:\Windows\SysWOW64\Cqaiph32.exeC:\Windows\system32\Cqaiph32.exe87⤵PID:1968
-
C:\Windows\SysWOW64\Ciagojda.exeC:\Windows\system32\Ciagojda.exe88⤵
- System Location Discovery: System Language Discovery
PID:2676 -
C:\Windows\SysWOW64\Cbjlhpkb.exeC:\Windows\system32\Cbjlhpkb.exe89⤵PID:1748
-
C:\Windows\SysWOW64\Dbabho32.exeC:\Windows\system32\Dbabho32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2604 -
C:\Windows\SysWOW64\Dgnjqe32.exeC:\Windows\system32\Dgnjqe32.exe91⤵PID:2996
-
C:\Windows\SysWOW64\Efhqmadd.exeC:\Windows\system32\Efhqmadd.exe92⤵PID:2508
-
C:\Windows\SysWOW64\Ebnabb32.exeC:\Windows\system32\Ebnabb32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1764 -
C:\Windows\SysWOW64\Elkofg32.exeC:\Windows\system32\Elkofg32.exe94⤵PID:2320
-
C:\Windows\SysWOW64\Fbegbacp.exeC:\Windows\system32\Fbegbacp.exe95⤵PID:2520
-
C:\Windows\SysWOW64\Fdgdji32.exeC:\Windows\system32\Fdgdji32.exe96⤵PID:2780
-
C:\Windows\SysWOW64\Fhgifgnb.exeC:\Windows\system32\Fhgifgnb.exe97⤵PID:2744
-
C:\Windows\SysWOW64\Fkhbgbkc.exeC:\Windows\system32\Fkhbgbkc.exe98⤵
- Drops file in System32 directory
PID:2156 -
C:\Windows\SysWOW64\Gmhkin32.exeC:\Windows\system32\Gmhkin32.exe99⤵
- Modifies registry class
PID:1524 -
C:\Windows\SysWOW64\Gcedad32.exeC:\Windows\system32\Gcedad32.exe100⤵PID:908
-
C:\Windows\SysWOW64\Glbaei32.exeC:\Windows\system32\Glbaei32.exe101⤵PID:1556
-
C:\Windows\SysWOW64\Hkjkle32.exeC:\Windows\system32\Hkjkle32.exe102⤵PID:1980
-
C:\Windows\SysWOW64\Hcepqh32.exeC:\Windows\system32\Hcepqh32.exe103⤵
- System Location Discovery: System Language Discovery
PID:2736 -
C:\Windows\SysWOW64\Hqnjek32.exeC:\Windows\system32\Hqnjek32.exe104⤵PID:3032
-
C:\Windows\SysWOW64\Hbofmcij.exeC:\Windows\system32\Hbofmcij.exe105⤵PID:2504
-
C:\Windows\SysWOW64\Inhdgdmk.exeC:\Windows\system32\Inhdgdmk.exe106⤵PID:2528
-
C:\Windows\SysWOW64\Ibfmmb32.exeC:\Windows\system32\Ibfmmb32.exe107⤵PID:1316
-
C:\Windows\SysWOW64\Igceej32.exeC:\Windows\system32\Igceej32.exe108⤵
- Drops file in System32 directory
PID:2512 -
C:\Windows\SysWOW64\Jnagmc32.exeC:\Windows\system32\Jnagmc32.exe109⤵
- System Location Discovery: System Language Discovery
PID:1616 -
C:\Windows\SysWOW64\Jipaip32.exeC:\Windows\system32\Jipaip32.exe110⤵
- Drops file in System32 directory
PID:1568 -
C:\Windows\SysWOW64\Jpjifjdg.exeC:\Windows\system32\Jpjifjdg.exe111⤵
- Drops file in System32 directory
PID:2396 -
C:\Windows\SysWOW64\Kekkiq32.exeC:\Windows\system32\Kekkiq32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2832 -
C:\Windows\SysWOW64\Kocpbfei.exeC:\Windows\system32\Kocpbfei.exe113⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1888 -
C:\Windows\SysWOW64\Kmfpmc32.exeC:\Windows\system32\Kmfpmc32.exe114⤵PID:2220
-
C:\Windows\SysWOW64\Lmmfnb32.exeC:\Windows\system32\Lmmfnb32.exe115⤵PID:1652
-
C:\Windows\SysWOW64\Laahme32.exeC:\Windows\system32\Laahme32.exe116⤵PID:2136
-
C:\Windows\SysWOW64\Lhnmoo32.exeC:\Windows\system32\Lhnmoo32.exe117⤵PID:2624
-
C:\Windows\SysWOW64\Mgcjpkak.exeC:\Windows\system32\Mgcjpkak.exe118⤵PID:2692
-
C:\Windows\SysWOW64\Mdigoo32.exeC:\Windows\system32\Mdigoo32.exe119⤵PID:2720
-
C:\Windows\SysWOW64\Mjilmejf.exeC:\Windows\system32\Mjilmejf.exe120⤵PID:1760
-
C:\Windows\SysWOW64\Mqbejp32.exeC:\Windows\system32\Mqbejp32.exe121⤵PID:1436
-
C:\Windows\SysWOW64\Nkaoemjm.exeC:\Windows\system32\Nkaoemjm.exe122⤵PID:2836