Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
23-11-2024 02:53
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b992ebadd1be4e83cb0c6cc974f3d63f41a66d7cf335db5131185845f55df1d4.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
b992ebadd1be4e83cb0c6cc974f3d63f41a66d7cf335db5131185845f55df1d4.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
b992ebadd1be4e83cb0c6cc974f3d63f41a66d7cf335db5131185845f55df1d4.exe
-
Size
2.7MB
-
MD5
bb3322a66227ac00e9b89cd3f90400c7
-
SHA1
b304c20436e81c695c3f8a558898e69bb6b1b349
-
SHA256
b992ebadd1be4e83cb0c6cc974f3d63f41a66d7cf335db5131185845f55df1d4
-
SHA512
ad7071239c7ba3be8b9c4496d1c2e15070e0c63cfb8ad8e68cbf9a1eb8e7f788df8a05d6974105372fbd703d15c3147cd8ca1e2a4bdc442356d5b2d14f786527
-
SSDEEP
12288:7joyXpqvQqpCtRwKA5p8Wgx+gWVBmLnWrOxNuxC7:v35hqEfAL8WJm8MoC7
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Gnhnaf32.exeLalnmiia.exeDlkbjqgm.exeDflfac32.exeHifcgion.exeOgcnmc32.exeNobdbkhf.exeOkedcjcm.exeCimmggfl.exeCkebcg32.exeDoccpcja.exeAkhcfe32.exeIgdnabjh.exeJgkdbacp.exeNghekkmn.exeAednci32.exeFngcmcfe.exeOjdgnn32.exeLhenai32.exeMniallpq.exeLjfhqh32.exeFeoodn32.exeGehbjm32.exeAmcehdod.exeOoejohhq.exeNmdgikhi.exeOmjpeo32.exeJeapcq32.exeJbepme32.exeMhanngbl.exeJbaojpgb.exeLbngllob.exeJgnqgqan.exeLnohlgep.exeDheibpje.exeEkaapi32.exeAhdpjn32.exeEkajec32.exeLakfeodm.exeLmdnbn32.exeNfohgqlg.exeMapppn32.exePlagcbdn.exeDmfeidbe.exeIliinc32.exeFgoakc32.exeMhckcgpj.exeHkeaqi32.exeGjfnedho.exeHgdejd32.exeIgfclkdj.exeLcdciiec.exeAphnnafb.exeKibeoo32.exeCjnffjkl.exeOabhfg32.exeNemmoe32.exeOafcqcea.exeEgaejeej.exeJbccge32.exeGpcmga32.exeMbbagk32.exeEjalcgkg.exeLobjni32.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnhnaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lalnmiia.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlkbjqgm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dflfac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hifcgion.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogcnmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nobdbkhf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okedcjcm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cimmggfl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckebcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Doccpcja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akhcfe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igdnabjh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgkdbacp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nghekkmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aednci32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fngcmcfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojdgnn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhenai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mniallpq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljfhqh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feoodn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gehbjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amcehdod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ooejohhq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmdgikhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omjpeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jeapcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbepme32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhanngbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbaojpgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbngllob.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgnqgqan.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnohlgep.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dheibpje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekaapi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahdpjn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekajec32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lakfeodm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmdnbn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfohgqlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mapppn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plagcbdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmfeidbe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iliinc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgoakc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhckcgpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkeaqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjfnedho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgdejd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igfclkdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcdciiec.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aphnnafb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kibeoo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjnffjkl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oabhfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nemmoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oafcqcea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egaejeej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbccge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpcmga32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbbagk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejalcgkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lobjni32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Mfaqhp32.exeMpieqeko.exeMekgdl32.exeNiipjj32.exeNbadcpbh.exeNhnlkfpp.exeOigllh32.exeOljaccjf.exePgdokkfg.exePlagcbdn.exePleaoa32.exeAokcklid.exeAfelhf32.exeAfnnnd32.exeBqfoamfj.exeBjodjb32.exeBifmqo32.exeBppfmigl.exeCgjjdf32.exeCcqkigkp.exeCjmpkqqj.exeDfjgaq32.exeEmlenj32.exeEdhjqc32.exeEjflhm32.exeFmgejhgn.exeFkpool32.exeFielph32.exeGpcmga32.exeGnhnaf32.exeGddbcp32.exeHnaqgd32.exeHdkidohn.exeHkeaqi32.exeIqipio32.exeIhbdplfi.exeIakiia32.exeIkcmbfcj.exeIhgnkkbd.exeIqbbpm32.exeJbaojpgb.exeJgogbgei.exeJgadgf32.exeJgcamf32.exeJdgafjpn.exeKiejmi32.exeKnbbep32.exeKgjgne32.exeKijchhbo.exeKnflpoqf.exeKeqdmihc.exeKinmcg32.exeKjpijpdg.exeLeenhhdn.exeLkofdbkj.exeLalnmiia.exeLgffic32.exeLankbigo.exeLldopb32.exeLbngllob.exeLelchgne.exeLjilqnlm.exeLeopnglc.exeMbbagk32.exepid Process 4560 Mfaqhp32.exe 916 Mpieqeko.exe 1524 Mekgdl32.exe 3048 Niipjj32.exe 4420 Nbadcpbh.exe 4664 Nhnlkfpp.exe 1492 Oigllh32.exe 1512 Oljaccjf.exe 2324 Pgdokkfg.exe 3244 Plagcbdn.exe 3100 Pleaoa32.exe 2504 Aokcklid.exe 2620 Afelhf32.exe 1792 Afnnnd32.exe 3260 Bqfoamfj.exe 776 Bjodjb32.exe 3528 Bifmqo32.exe 4504 Bppfmigl.exe 2012 Cgjjdf32.exe 1508 Ccqkigkp.exe 964 Cjmpkqqj.exe 3588 Dfjgaq32.exe 2072 Emlenj32.exe 404 Edhjqc32.exe 1840 Ejflhm32.exe 4972 Fmgejhgn.exe 2276 Fkpool32.exe 3136 Fielph32.exe 4084 Gpcmga32.exe 1664 Gnhnaf32.exe 1688 Gddbcp32.exe 1624 Hnaqgd32.exe 60 Hdkidohn.exe 4480 Hkeaqi32.exe 1000 Iqipio32.exe 2832 Ihbdplfi.exe 748 Iakiia32.exe 2288 Ikcmbfcj.exe 3052 Ihgnkkbd.exe 4956 Iqbbpm32.exe 32 Jbaojpgb.exe 3752 Jgogbgei.exe 1860 Jgadgf32.exe 3248 Jgcamf32.exe 2436 Jdgafjpn.exe 3004 Kiejmi32.exe 2728 Knbbep32.exe 2908 Kgjgne32.exe 3660 Kijchhbo.exe 4424 Knflpoqf.exe 4444 Keqdmihc.exe 4808 Kinmcg32.exe 412 Kjpijpdg.exe 1748 Leenhhdn.exe 1948 Lkofdbkj.exe 2844 Lalnmiia.exe 528 Lgffic32.exe 4952 Lankbigo.exe 2724 Lldopb32.exe 1244 Lbngllob.exe 3280 Lelchgne.exe 4748 Ljilqnlm.exe 4796 Leopnglc.exe 952 Mbbagk32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Igpdfb32.exeLklbdm32.exeMchppmij.exeCdpjlb32.exeFlmqlg32.exeJpcapp32.exeLeenhhdn.exeDfoiaj32.exeJbepme32.exeNoblkqca.exeChnlgjlb.exeDnajppda.exeEppjfgcp.exeFpgpgfmh.exeKlhnfo32.exeOkgaijaj.exeFdqfll32.exePkenjh32.exeEiobceef.exeJlobkg32.exeLcggio32.exeNopfpgip.exeHnphoj32.exeOigllh32.exeEmlenj32.exeIepaaico.exeFkmjaa32.exeNbbeml32.exeHdkidohn.exeJjafok32.exeBpdnjple.exeHioflcbj.exeHajkqfoe.exeLmdemd32.exeLgdidgjg.exeEnpfan32.exeBkdcbd32.exeOjomcopk.exeNpgmpf32.exeEgaejeej.exeBadanigc.exeBheplb32.exeJpaleglc.exeMcjmel32.exeDfnbgc32.exeEbgpad32.exeDpiplm32.exePbhgoh32.exeBqfoamfj.exeAcmobchj.exeKpanan32.exeOabhfg32.exeHlblcn32.exeIafkld32.exeNobdbkhf.exeKckqbj32.exeOjdgnn32.exePpahmb32.exeOcdnln32.exeOflmnh32.exePakdbp32.exedescription ioc Process File created C:\Windows\SysWOW64\Ilmmni32.exe Igpdfb32.exe File opened for modification C:\Windows\SysWOW64\Lqikmc32.exe Lklbdm32.exe File created C:\Windows\SysWOW64\Bfkegm32.dll Mchppmij.exe File opened for modification C:\Windows\SysWOW64\Ckmonl32.exe Cdpjlb32.exe File created C:\Windows\SysWOW64\Fbgihaji.exe Flmqlg32.exe File created C:\Windows\SysWOW64\Jilfifme.exe Jpcapp32.exe File created C:\Windows\SysWOW64\Lkofdbkj.exe Leenhhdn.exe File created C:\Windows\SysWOW64\Dlkbjqgm.exe Dfoiaj32.exe File opened for modification C:\Windows\SysWOW64\Khbiello.exe Jbepme32.exe File created C:\Windows\SysWOW64\Njgqhicg.exe Noblkqca.exe File opened for modification C:\Windows\SysWOW64\Cklhcfle.exe Chnlgjlb.exe File created C:\Windows\SysWOW64\Lacaea32.dll Dnajppda.exe File opened for modification C:\Windows\SysWOW64\Efjbcakl.exe Eppjfgcp.exe File created C:\Windows\SysWOW64\Ldklgegb.dll Fpgpgfmh.exe File created C:\Windows\SysWOW64\Eeccjdie.dll Klhnfo32.exe File opened for modification C:\Windows\SysWOW64\Ooejohhq.exe Okgaijaj.exe File created C:\Windows\SysWOW64\Gajaoo32.dll Fdqfll32.exe File opened for modification C:\Windows\SysWOW64\Phincl32.exe Pkenjh32.exe File opened for modification C:\Windows\SysWOW64\Epikpo32.exe Eiobceef.exe File created C:\Windows\SysWOW64\Ememkjeq.dll Jlobkg32.exe File created C:\Windows\SysWOW64\Ahiiai32.dll Lcggio32.exe File created C:\Windows\SysWOW64\Nmdgikhi.exe Nopfpgip.exe File created C:\Windows\SysWOW64\Oefgjq32.dll Hnphoj32.exe File created C:\Windows\SysWOW64\Oljaccjf.exe Oigllh32.exe File created C:\Windows\SysWOW64\Lkhimi32.dll Emlenj32.exe File created C:\Windows\SysWOW64\Gmophg32.dll Iepaaico.exe File created C:\Windows\SysWOW64\Dnbjkgmg.dll Jpcapp32.exe File opened for modification C:\Windows\SysWOW64\Fbgbnkfm.exe Fkmjaa32.exe File created C:\Windows\SysWOW64\Khbiello.exe Jbepme32.exe File created C:\Windows\SysWOW64\Nimmifgo.exe Nbbeml32.exe File opened for modification C:\Windows\SysWOW64\Hkeaqi32.exe Hdkidohn.exe File created C:\Windows\SysWOW64\Jlobkg32.exe Jjafok32.exe File created C:\Windows\SysWOW64\Bhkfkmmg.exe Bpdnjple.exe File opened for modification C:\Windows\SysWOW64\Hpioin32.exe Hioflcbj.exe File opened for modification C:\Windows\SysWOW64\Hhdcmp32.exe Hajkqfoe.exe File created C:\Windows\SysWOW64\Lcnmin32.exe Lmdemd32.exe File created C:\Windows\SysWOW64\Lggejg32.exe Lgdidgjg.exe File opened for modification C:\Windows\SysWOW64\Edionhpn.exe Enpfan32.exe File created C:\Windows\SysWOW64\Cmcolgbj.exe Bkdcbd32.exe File created C:\Windows\SysWOW64\Jhpicj32.dll Ojomcopk.exe File created C:\Windows\SysWOW64\Ckkpjkai.dll Npgmpf32.exe File created C:\Windows\SysWOW64\Enkmfolf.exe Egaejeej.exe File created C:\Windows\SysWOW64\Blielbfi.exe Badanigc.exe File opened for modification C:\Windows\SysWOW64\Camddhoi.exe Bheplb32.exe File created C:\Windows\SysWOW64\Jgkdbacp.exe Jpaleglc.exe File created C:\Windows\SysWOW64\Bafehe32.dll Mcjmel32.exe File created C:\Windows\SysWOW64\Bcbbjj32.dll Dfnbgc32.exe File created C:\Windows\SysWOW64\Kfbdfl32.dll Ebgpad32.exe File created C:\Windows\SysWOW64\Ekppjn32.dll Dpiplm32.exe File created C:\Windows\SysWOW64\Pcgdhkem.exe Pbhgoh32.exe File created C:\Windows\SysWOW64\Bjodjb32.exe Bqfoamfj.exe File created C:\Windows\SysWOW64\Negcig32.dll Acmobchj.exe File created C:\Windows\SysWOW64\Klhnfo32.exe Kpanan32.exe File created C:\Windows\SysWOW64\Ocaebc32.exe Oabhfg32.exe File opened for modification C:\Windows\SysWOW64\Hnphoj32.exe Hlblcn32.exe File opened for modification C:\Windows\SysWOW64\Iimcma32.exe Iafkld32.exe File opened for modification C:\Windows\SysWOW64\Nemmoe32.exe Nobdbkhf.exe File opened for modification C:\Windows\SysWOW64\Fdccbl32.exe Fdqfll32.exe File created C:\Windows\SysWOW64\Kdmpmdpj.dll Kckqbj32.exe File opened for modification C:\Windows\SysWOW64\Ofkgcobj.exe Ojdgnn32.exe File opened for modification C:\Windows\SysWOW64\Qobhkjdi.exe Ppahmb32.exe File created C:\Windows\SysWOW64\Cjkhnd32.dll Ocdnln32.exe File opened for modification C:\Windows\SysWOW64\Omfekbdh.exe Oflmnh32.exe File created C:\Windows\SysWOW64\Mpiedk32.dll Pakdbp32.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target Process procid_target 4936 1748 WerFault.exe 629 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Bifmqo32.exeGpcmga32.exeHmmfmhll.exeNiipjj32.exeEbhglj32.exeEbgpad32.exeLpochfji.exeMcfbkpab.exeMbbagk32.exeKcmfnd32.exeAlnmjjdb.exeBcfahbpo.exeCioilg32.exeJoqafgni.exeOhcegi32.exeJokkgl32.exeBhhiemoj.exeEblimcdf.exeEfjbcakl.exeHbohpn32.exeFmgejhgn.exeOiknlagg.exeAhqddk32.exeGdlfhj32.exeDfnbgc32.exeAhaceo32.exePjjfdfbb.exeEjflhm32.exeLelchgne.exeHifcgion.exeKidben32.exePcjiff32.exeKdbjhbbd.exeChnlgjlb.exeBkgeainn.exeDfjgaq32.exeAkhcfe32.exeEiobceef.exeKglmio32.exeLobjni32.exeAokkahlo.exeNbbeml32.exeGddbcp32.exeCfkmkf32.exeGgkqgaol.exeHnaqgd32.exeIbcaknbi.exeFdnhih32.exeOjigdcll.exeQklmpalf.exeHhdcmp32.exeOiagde32.exeKlahfp32.exePjmjdm32.exeOfkgcobj.exeNqmojd32.exeIqipio32.exeLldopb32.exeDkekjdck.exeGgfglb32.exeGejhef32.exeAchegd32.exeNjinmf32.exeLfeljd32.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bifmqo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpcmga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmmfmhll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Niipjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebhglj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebgpad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpochfji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcfbkpab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbbagk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcmfnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alnmjjdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcfahbpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cioilg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joqafgni.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohcegi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jokkgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhhiemoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eblimcdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efjbcakl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbohpn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmgejhgn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oiknlagg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahqddk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdlfhj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfnbgc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahaceo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjjfdfbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejflhm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lelchgne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hifcgion.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kidben32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcjiff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdbjhbbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chnlgjlb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkgeainn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfjgaq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akhcfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiobceef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kglmio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lobjni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aokkahlo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbbeml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gddbcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfkmkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggkqgaol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnaqgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibcaknbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdnhih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojigdcll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qklmpalf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhdcmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oiagde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klahfp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjmjdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofkgcobj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqmojd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iqipio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lldopb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkekjdck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggfglb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gejhef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Achegd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njinmf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfeljd32.exe -
Modifies registry class 64 IoCs
Processes:
Iggjga32.exeIliinc32.exeBhkfkmmg.exeCkebcg32.exeEhlhih32.exeCbbdjm32.exeIloidijb.exeLjfhqh32.exeAojefobm.exeJhkbdmbg.exeMhckcgpj.exeMfchlbfd.exeEnkmfolf.exeLpochfji.exeGnhnaf32.exeAeddnp32.exeNjmhhefi.exeDflfac32.exeDfnbgc32.exeDdkbmj32.exeIojkeh32.exeAlnmjjdb.exeDfoiaj32.exeLnohlgep.exeOhhnbhok.exeMcaipa32.exeNfohgqlg.exeEgaejeej.exeLjpaqmgb.exeLakfeodm.exePibdmp32.exeBadanigc.exeHmdlmg32.exeJebfng32.exeNoblkqca.exeOmjpeo32.exeAhfmpnql.exeBhblllfo.exeGejhef32.exeNbadcpbh.exeIakiia32.exeDbjkkl32.exeJjafok32.exeOflmnh32.exeMpieqeko.exeLbngllob.exeMalgcg32.exeCleegp32.exeKnflpoqf.exeQklmpalf.exeBkjiao32.exeBomkcm32.exeJpaekqhh.exeLgdidgjg.exePjmjdm32.exeEjflhm32.exeBjpjel32.exeDjcoai32.exeIafkld32.exeNbbeml32.exeFpgpgfmh.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iggjga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iliinc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhkfkmmg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckebcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ehlhih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anfjipgp.dll" Cbbdjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iloidijb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljfhqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aojefobm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jhkbdmbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqobhgmh.dll" Mhckcgpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdbeojmh.dll" Mfchlbfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Enkmfolf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpochfji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhbhlgio.dll" Gnhnaf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aeddnp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njmhhefi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cboeai32.dll" Dflfac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcbbjj32.dll" Dfnbgc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhkfkmmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpjbdk32.dll" Ddkbmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iojkeh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Alnmjjdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfoiaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfglbe32.dll" Lnohlgep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohhnbhok.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcaipa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nfohgqlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekellcop.dll" Egaejeej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elckbhbj.dll" Ljpaqmgb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lakfeodm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pibdmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Badanigc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmdlmg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jebfng32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Noblkqca.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omjpeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iohmnmmb.dll" Ahfmpnql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lahoec32.dll" Bhblllfo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gejhef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmlgah32.dll" Nbadcpbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lndigcej.dll" Iakiia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbjkkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjafok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gejhef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaidib32.dll" Oflmnh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpieqeko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lbngllob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddhmmpnk.dll" Malgcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cleegp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knflpoqf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qklmpalf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkjiao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbbmemif.dll" Bomkcm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpaekqhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgdidgjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjmjdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejflhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kljibbol.dll" Bjpjel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djcoai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omjpeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcgckb32.dll" Iafkld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nbbeml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldklgegb.dll" Fpgpgfmh.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
b992ebadd1be4e83cb0c6cc974f3d63f41a66d7cf335db5131185845f55df1d4.exeMfaqhp32.exeMpieqeko.exeMekgdl32.exeNiipjj32.exeNbadcpbh.exeNhnlkfpp.exeOigllh32.exeOljaccjf.exePgdokkfg.exePlagcbdn.exePleaoa32.exeAokcklid.exeAfelhf32.exeAfnnnd32.exeBqfoamfj.exeBjodjb32.exeBifmqo32.exeBppfmigl.exeCgjjdf32.exeCcqkigkp.exeCjmpkqqj.exedescription pid Process procid_target PID 4368 wrote to memory of 4560 4368 b992ebadd1be4e83cb0c6cc974f3d63f41a66d7cf335db5131185845f55df1d4.exe 82 PID 4368 wrote to memory of 4560 4368 b992ebadd1be4e83cb0c6cc974f3d63f41a66d7cf335db5131185845f55df1d4.exe 82 PID 4368 wrote to memory of 4560 4368 b992ebadd1be4e83cb0c6cc974f3d63f41a66d7cf335db5131185845f55df1d4.exe 82 PID 4560 wrote to memory of 916 4560 Mfaqhp32.exe 83 PID 4560 wrote to memory of 916 4560 Mfaqhp32.exe 83 PID 4560 wrote to memory of 916 4560 Mfaqhp32.exe 83 PID 916 wrote to memory of 1524 916 Mpieqeko.exe 84 PID 916 wrote to memory of 1524 916 Mpieqeko.exe 84 PID 916 wrote to memory of 1524 916 Mpieqeko.exe 84 PID 1524 wrote to memory of 3048 1524 Mekgdl32.exe 85 PID 1524 wrote to memory of 3048 1524 Mekgdl32.exe 85 PID 1524 wrote to memory of 3048 1524 Mekgdl32.exe 85 PID 3048 wrote to memory of 4420 3048 Niipjj32.exe 86 PID 3048 wrote to memory of 4420 3048 Niipjj32.exe 86 PID 3048 wrote to memory of 4420 3048 Niipjj32.exe 86 PID 4420 wrote to memory of 4664 4420 Nbadcpbh.exe 87 PID 4420 wrote to memory of 4664 4420 Nbadcpbh.exe 87 PID 4420 wrote to memory of 4664 4420 Nbadcpbh.exe 87 PID 4664 wrote to memory of 1492 4664 Nhnlkfpp.exe 88 PID 4664 wrote to memory of 1492 4664 Nhnlkfpp.exe 88 PID 4664 wrote to memory of 1492 4664 Nhnlkfpp.exe 88 PID 1492 wrote to memory of 1512 1492 Oigllh32.exe 89 PID 1492 wrote to memory of 1512 1492 Oigllh32.exe 89 PID 1492 wrote to memory of 1512 1492 Oigllh32.exe 89 PID 1512 wrote to memory of 2324 1512 Oljaccjf.exe 90 PID 1512 wrote to memory of 2324 1512 Oljaccjf.exe 90 PID 1512 wrote to memory of 2324 1512 Oljaccjf.exe 90 PID 2324 wrote to memory of 3244 2324 Pgdokkfg.exe 91 PID 2324 wrote to memory of 3244 2324 Pgdokkfg.exe 91 PID 2324 wrote to memory of 3244 2324 Pgdokkfg.exe 91 PID 3244 wrote to memory of 3100 3244 Plagcbdn.exe 92 PID 3244 wrote to memory of 3100 3244 Plagcbdn.exe 92 PID 3244 wrote to memory of 3100 3244 Plagcbdn.exe 92 PID 3100 wrote to memory of 2504 3100 Pleaoa32.exe 95 PID 3100 wrote to memory of 2504 3100 Pleaoa32.exe 95 PID 3100 wrote to memory of 2504 3100 Pleaoa32.exe 95 PID 2504 wrote to memory of 2620 2504 Aokcklid.exe 96 PID 2504 wrote to memory of 2620 2504 Aokcklid.exe 96 PID 2504 wrote to memory of 2620 2504 Aokcklid.exe 96 PID 2620 wrote to memory of 1792 2620 Afelhf32.exe 97 PID 2620 wrote to memory of 1792 2620 Afelhf32.exe 97 PID 2620 wrote to memory of 1792 2620 Afelhf32.exe 97 PID 1792 wrote to memory of 3260 1792 Afnnnd32.exe 98 PID 1792 wrote to memory of 3260 1792 Afnnnd32.exe 98 PID 1792 wrote to memory of 3260 1792 Afnnnd32.exe 98 PID 3260 wrote to memory of 776 3260 Bqfoamfj.exe 99 PID 3260 wrote to memory of 776 3260 Bqfoamfj.exe 99 PID 3260 wrote to memory of 776 3260 Bqfoamfj.exe 99 PID 776 wrote to memory of 3528 776 Bjodjb32.exe 100 PID 776 wrote to memory of 3528 776 Bjodjb32.exe 100 PID 776 wrote to memory of 3528 776 Bjodjb32.exe 100 PID 3528 wrote to memory of 4504 3528 Bifmqo32.exe 102 PID 3528 wrote to memory of 4504 3528 Bifmqo32.exe 102 PID 3528 wrote to memory of 4504 3528 Bifmqo32.exe 102 PID 4504 wrote to memory of 2012 4504 Bppfmigl.exe 103 PID 4504 wrote to memory of 2012 4504 Bppfmigl.exe 103 PID 4504 wrote to memory of 2012 4504 Bppfmigl.exe 103 PID 2012 wrote to memory of 1508 2012 Cgjjdf32.exe 105 PID 2012 wrote to memory of 1508 2012 Cgjjdf32.exe 105 PID 2012 wrote to memory of 1508 2012 Cgjjdf32.exe 105 PID 1508 wrote to memory of 964 1508 Ccqkigkp.exe 106 PID 1508 wrote to memory of 964 1508 Ccqkigkp.exe 106 PID 1508 wrote to memory of 964 1508 Ccqkigkp.exe 106 PID 964 wrote to memory of 3588 964 Cjmpkqqj.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\b992ebadd1be4e83cb0c6cc974f3d63f41a66d7cf335db5131185845f55df1d4.exe"C:\Users\Admin\AppData\Local\Temp\b992ebadd1be4e83cb0c6cc974f3d63f41a66d7cf335db5131185845f55df1d4.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4368 -
C:\Windows\SysWOW64\Mfaqhp32.exeC:\Windows\system32\Mfaqhp32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4560 -
C:\Windows\SysWOW64\Mpieqeko.exeC:\Windows\system32\Mpieqeko.exe3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:916 -
C:\Windows\SysWOW64\Mekgdl32.exeC:\Windows\system32\Mekgdl32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1524 -
C:\Windows\SysWOW64\Niipjj32.exeC:\Windows\system32\Niipjj32.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Windows\SysWOW64\Nbadcpbh.exeC:\Windows\system32\Nbadcpbh.exe6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4420 -
C:\Windows\SysWOW64\Nhnlkfpp.exeC:\Windows\system32\Nhnlkfpp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4664 -
C:\Windows\SysWOW64\Oigllh32.exeC:\Windows\system32\Oigllh32.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1492 -
C:\Windows\SysWOW64\Oljaccjf.exeC:\Windows\system32\Oljaccjf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1512 -
C:\Windows\SysWOW64\Pgdokkfg.exeC:\Windows\system32\Pgdokkfg.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\SysWOW64\Plagcbdn.exeC:\Windows\system32\Plagcbdn.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3244 -
C:\Windows\SysWOW64\Pleaoa32.exeC:\Windows\system32\Pleaoa32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3100 -
C:\Windows\SysWOW64\Aokcklid.exeC:\Windows\system32\Aokcklid.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\SysWOW64\Afelhf32.exeC:\Windows\system32\Afelhf32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Afnnnd32.exeC:\Windows\system32\Afnnnd32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1792 -
C:\Windows\SysWOW64\Bqfoamfj.exeC:\Windows\system32\Bqfoamfj.exe16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3260 -
C:\Windows\SysWOW64\Bjodjb32.exeC:\Windows\system32\Bjodjb32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:776 -
C:\Windows\SysWOW64\Bifmqo32.exeC:\Windows\system32\Bifmqo32.exe18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3528 -
C:\Windows\SysWOW64\Bppfmigl.exeC:\Windows\system32\Bppfmigl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4504 -
C:\Windows\SysWOW64\Cgjjdf32.exeC:\Windows\system32\Cgjjdf32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\SysWOW64\Ccqkigkp.exeC:\Windows\system32\Ccqkigkp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1508 -
C:\Windows\SysWOW64\Cjmpkqqj.exeC:\Windows\system32\Cjmpkqqj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:964 -
C:\Windows\SysWOW64\Dfjgaq32.exeC:\Windows\system32\Dfjgaq32.exe23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3588 -
C:\Windows\SysWOW64\Emlenj32.exeC:\Windows\system32\Emlenj32.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2072 -
C:\Windows\SysWOW64\Edhjqc32.exeC:\Windows\system32\Edhjqc32.exe25⤵
- Executes dropped EXE
PID:404 -
C:\Windows\SysWOW64\Ejflhm32.exeC:\Windows\system32\Ejflhm32.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1840 -
C:\Windows\SysWOW64\Fmgejhgn.exeC:\Windows\system32\Fmgejhgn.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4972 -
C:\Windows\SysWOW64\Fkpool32.exeC:\Windows\system32\Fkpool32.exe28⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Fielph32.exeC:\Windows\system32\Fielph32.exe29⤵
- Executes dropped EXE
PID:3136 -
C:\Windows\SysWOW64\Gpcmga32.exeC:\Windows\system32\Gpcmga32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4084 -
C:\Windows\SysWOW64\Gnhnaf32.exeC:\Windows\system32\Gnhnaf32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1664 -
C:\Windows\SysWOW64\Gddbcp32.exeC:\Windows\system32\Gddbcp32.exe32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1688 -
C:\Windows\SysWOW64\Hnaqgd32.exeC:\Windows\system32\Hnaqgd32.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1624 -
C:\Windows\SysWOW64\Hdkidohn.exeC:\Windows\system32\Hdkidohn.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:60 -
C:\Windows\SysWOW64\Hkeaqi32.exeC:\Windows\system32\Hkeaqi32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4480 -
C:\Windows\SysWOW64\Iqipio32.exeC:\Windows\system32\Iqipio32.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1000 -
C:\Windows\SysWOW64\Ihbdplfi.exeC:\Windows\system32\Ihbdplfi.exe37⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Iakiia32.exeC:\Windows\system32\Iakiia32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:748 -
C:\Windows\SysWOW64\Ikcmbfcj.exeC:\Windows\system32\Ikcmbfcj.exe39⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Ihgnkkbd.exeC:\Windows\system32\Ihgnkkbd.exe40⤵
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\Iqbbpm32.exeC:\Windows\system32\Iqbbpm32.exe41⤵
- Executes dropped EXE
PID:4956 -
C:\Windows\SysWOW64\Jbaojpgb.exeC:\Windows\system32\Jbaojpgb.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:32 -
C:\Windows\SysWOW64\Jgogbgei.exeC:\Windows\system32\Jgogbgei.exe43⤵
- Executes dropped EXE
PID:3752 -
C:\Windows\SysWOW64\Jgadgf32.exeC:\Windows\system32\Jgadgf32.exe44⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Jgcamf32.exeC:\Windows\system32\Jgcamf32.exe45⤵
- Executes dropped EXE
PID:3248 -
C:\Windows\SysWOW64\Jdgafjpn.exeC:\Windows\system32\Jdgafjpn.exe46⤵
- Executes dropped EXE
PID:2436 -
C:\Windows\SysWOW64\Kiejmi32.exeC:\Windows\system32\Kiejmi32.exe47⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Knbbep32.exeC:\Windows\system32\Knbbep32.exe48⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Kgjgne32.exeC:\Windows\system32\Kgjgne32.exe49⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Kijchhbo.exeC:\Windows\system32\Kijchhbo.exe50⤵
- Executes dropped EXE
PID:3660 -
C:\Windows\SysWOW64\Knflpoqf.exeC:\Windows\system32\Knflpoqf.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:4424 -
C:\Windows\SysWOW64\Keqdmihc.exeC:\Windows\system32\Keqdmihc.exe52⤵
- Executes dropped EXE
PID:4444 -
C:\Windows\SysWOW64\Kinmcg32.exeC:\Windows\system32\Kinmcg32.exe53⤵
- Executes dropped EXE
PID:4808 -
C:\Windows\SysWOW64\Kjpijpdg.exeC:\Windows\system32\Kjpijpdg.exe54⤵
- Executes dropped EXE
PID:412 -
C:\Windows\SysWOW64\Leenhhdn.exeC:\Windows\system32\Leenhhdn.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1748 -
C:\Windows\SysWOW64\Lkofdbkj.exeC:\Windows\system32\Lkofdbkj.exe56⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Lalnmiia.exeC:\Windows\system32\Lalnmiia.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Lgffic32.exeC:\Windows\system32\Lgffic32.exe58⤵
- Executes dropped EXE
PID:528 -
C:\Windows\SysWOW64\Lankbigo.exeC:\Windows\system32\Lankbigo.exe59⤵
- Executes dropped EXE
PID:4952 -
C:\Windows\SysWOW64\Lldopb32.exeC:\Windows\system32\Lldopb32.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2724 -
C:\Windows\SysWOW64\Lbngllob.exeC:\Windows\system32\Lbngllob.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1244 -
C:\Windows\SysWOW64\Lelchgne.exeC:\Windows\system32\Lelchgne.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3280 -
C:\Windows\SysWOW64\Ljilqnlm.exeC:\Windows\system32\Ljilqnlm.exe63⤵
- Executes dropped EXE
PID:4748 -
C:\Windows\SysWOW64\Leopnglc.exeC:\Windows\system32\Leopnglc.exe64⤵
- Executes dropped EXE
PID:4796 -
C:\Windows\SysWOW64\Mbbagk32.exeC:\Windows\system32\Mbbagk32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:952 -
C:\Windows\SysWOW64\Milidebi.exeC:\Windows\system32\Milidebi.exe66⤵PID:2596
-
C:\Windows\SysWOW64\Mniallpq.exeC:\Windows\system32\Mniallpq.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2520 -
C:\Windows\SysWOW64\Mhafeb32.exeC:\Windows\system32\Mhafeb32.exe68⤵PID:4744
-
C:\Windows\SysWOW64\Meefofek.exeC:\Windows\system32\Meefofek.exe69⤵PID:1008
-
C:\Windows\SysWOW64\Mjbogmdb.exeC:\Windows\system32\Mjbogmdb.exe70⤵PID:1124
-
C:\Windows\SysWOW64\Malgcg32.exeC:\Windows\system32\Malgcg32.exe71⤵
- Modifies registry class
PID:2632 -
C:\Windows\SysWOW64\Mblcnj32.exeC:\Windows\system32\Mblcnj32.exe72⤵PID:2172
-
C:\Windows\SysWOW64\Nobdbkhf.exeC:\Windows\system32\Nobdbkhf.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1968 -
C:\Windows\SysWOW64\Nemmoe32.exeC:\Windows\system32\Nemmoe32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3092 -
C:\Windows\SysWOW64\Nklbmllg.exeC:\Windows\system32\Nklbmllg.exe75⤵PID:1012
-
C:\Windows\SysWOW64\Nafjjf32.exeC:\Windows\system32\Nafjjf32.exe76⤵PID:4348
-
C:\Windows\SysWOW64\Niooqcad.exeC:\Windows\system32\Niooqcad.exe77⤵PID:5028
-
C:\Windows\SysWOW64\Nolgijpk.exeC:\Windows\system32\Nolgijpk.exe78⤵PID:4032
-
C:\Windows\SysWOW64\Nhdlao32.exeC:\Windows\system32\Nhdlao32.exe79⤵PID:3088
-
C:\Windows\SysWOW64\Oehlkc32.exeC:\Windows\system32\Oehlkc32.exe80⤵PID:1764
-
C:\Windows\SysWOW64\Okedcjcm.exeC:\Windows\system32\Okedcjcm.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3300 -
C:\Windows\SysWOW64\Oifeab32.exeC:\Windows\system32\Oifeab32.exe82⤵PID:4884
-
C:\Windows\SysWOW64\Okgaijaj.exeC:\Windows\system32\Okgaijaj.exe83⤵
- Drops file in System32 directory
PID:4412 -
C:\Windows\SysWOW64\Ooejohhq.exeC:\Windows\system32\Ooejohhq.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4468 -
C:\Windows\SysWOW64\Oiknlagg.exeC:\Windows\system32\Oiknlagg.exe85⤵
- System Location Discovery: System Language Discovery
PID:1452 -
C:\Windows\SysWOW64\Oohgdhfn.exeC:\Windows\system32\Oohgdhfn.exe86⤵PID:1896
-
C:\Windows\SysWOW64\Oafcqcea.exeC:\Windows\system32\Oafcqcea.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4716 -
C:\Windows\SysWOW64\Pllgnl32.exeC:\Windows\system32\Pllgnl32.exe88⤵PID:1728
-
C:\Windows\SysWOW64\Pojcjh32.exeC:\Windows\system32\Pojcjh32.exe89⤵PID:1308
-
C:\Windows\SysWOW64\Pkadoiip.exeC:\Windows\system32\Pkadoiip.exe90⤵PID:2808
-
C:\Windows\SysWOW64\Pibdmp32.exeC:\Windows\system32\Pibdmp32.exe91⤵
- Modifies registry class
PID:3376 -
C:\Windows\SysWOW64\Pcjiff32.exeC:\Windows\system32\Pcjiff32.exe92⤵
- System Location Discovery: System Language Discovery
PID:984 -
C:\Windows\SysWOW64\Pkenjh32.exeC:\Windows\system32\Pkenjh32.exe93⤵
- Drops file in System32 directory
PID:1564 -
C:\Windows\SysWOW64\Phincl32.exeC:\Windows\system32\Phincl32.exe94⤵PID:5144
-
C:\Windows\SysWOW64\Pcobaedj.exeC:\Windows\system32\Pcobaedj.exe95⤵PID:5192
-
C:\Windows\SysWOW64\Qhlkilba.exeC:\Windows\system32\Qhlkilba.exe96⤵PID:5244
-
C:\Windows\SysWOW64\Qebhhp32.exeC:\Windows\system32\Qebhhp32.exe97⤵PID:5288
-
C:\Windows\SysWOW64\Ahqddk32.exeC:\Windows\system32\Ahqddk32.exe98⤵
- System Location Discovery: System Language Discovery
PID:5336 -
C:\Windows\SysWOW64\Aeddnp32.exeC:\Windows\system32\Aeddnp32.exe99⤵
- Modifies registry class
PID:5380 -
C:\Windows\SysWOW64\Alnmjjdb.exeC:\Windows\system32\Alnmjjdb.exe100⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5428 -
C:\Windows\SysWOW64\Achegd32.exeC:\Windows\system32\Achegd32.exe101⤵
- System Location Discovery: System Language Discovery
PID:5472 -
C:\Windows\SysWOW64\Akcjkfij.exeC:\Windows\system32\Akcjkfij.exe102⤵PID:5516
-
C:\Windows\SysWOW64\Afinioip.exeC:\Windows\system32\Afinioip.exe103⤵PID:5560
-
C:\Windows\SysWOW64\Alcfei32.exeC:\Windows\system32\Alcfei32.exe104⤵PID:5612
-
C:\Windows\SysWOW64\Acmobchj.exeC:\Windows\system32\Acmobchj.exe105⤵
- Drops file in System32 directory
PID:5660 -
C:\Windows\SysWOW64\Akhcfe32.exeC:\Windows\system32\Akhcfe32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5704 -
C:\Windows\SysWOW64\Bbdhiojo.exeC:\Windows\system32\Bbdhiojo.exe107⤵PID:5756
-
C:\Windows\SysWOW64\Bcddcbab.exeC:\Windows\system32\Bcddcbab.exe108⤵PID:5812
-
C:\Windows\SysWOW64\Bfbaonae.exeC:\Windows\system32\Bfbaonae.exe109⤵PID:5856
-
C:\Windows\SysWOW64\Bkoigdom.exeC:\Windows\system32\Bkoigdom.exe110⤵PID:5900
-
C:\Windows\SysWOW64\Bcfahbpo.exeC:\Windows\system32\Bcfahbpo.exe111⤵
- System Location Discovery: System Language Discovery
PID:5948 -
C:\Windows\SysWOW64\Bjpjel32.exeC:\Windows\system32\Bjpjel32.exe112⤵
- Modifies registry class
PID:5992 -
C:\Windows\SysWOW64\Bkafmd32.exeC:\Windows\system32\Bkafmd32.exe113⤵PID:6036
-
C:\Windows\SysWOW64\Bkdcbd32.exeC:\Windows\system32\Bkdcbd32.exe114⤵
- Drops file in System32 directory
PID:6084 -
C:\Windows\SysWOW64\Cmcolgbj.exeC:\Windows\system32\Cmcolgbj.exe115⤵PID:6132
-
C:\Windows\SysWOW64\Cbphdn32.exeC:\Windows\system32\Cbphdn32.exe116⤵PID:5180
-
C:\Windows\SysWOW64\Cbbdjm32.exeC:\Windows\system32\Cbbdjm32.exe117⤵
- Modifies registry class
PID:5236 -
C:\Windows\SysWOW64\Cimmggfl.exeC:\Windows\system32\Cimmggfl.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5300 -
C:\Windows\SysWOW64\Ccbadp32.exeC:\Windows\system32\Ccbadp32.exe119⤵PID:5372
-
C:\Windows\SysWOW64\Cioilg32.exeC:\Windows\system32\Cioilg32.exe120⤵
- System Location Discovery: System Language Discovery
PID:5440 -
C:\Windows\SysWOW64\Cjnffjkl.exeC:\Windows\system32\Cjnffjkl.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5512
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-