Analysis
max time kernel: 118s
max time network: 16s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 23-11-2024 02:56
Static task: static1
Behavioral task: behavioral1
  Sample: 39429f63ead563ceca1b28a3abb39e1c94437678382d7d9fdb7cadf8c65a934c.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 39429f63ead563ceca1b28a3abb39e1c94437678382d7d9fdb7cadf8c65a934c.exe
  Resource: win10v2004-20241007-en
The behavioural data on this page comes from the Windows 7 run (platform windows7_x64, resource win7-20240903-en, see the Analysis header); the Windows 10 task is listed but its results are not shown here.
General
Target: 39429f63ead563ceca1b28a3abb39e1c94437678382d7d9fdb7cadf8c65a934c.exe
Size: 1.1MB
MD5: 47cb5cc4779da45f9dfee7f60cfaaa41
SHA1: b0070475d05574f2692025c9d4608a9fb3112d89
SHA256: 39429f63ead563ceca1b28a3abb39e1c94437678382d7d9fdb7cadf8c65a934c
SHA512: a6638326f0edc71826582f90be38b6179f136a9a05aad977c9a6de4716a80622a15f380398b765dfc9cd5471542bd9d82d38631741167f2bb6ffc086fa550766
SSDEEP: 24576:cPPh2kkkkK4kXkkkkkkkkhLX3a20R0v50+YNpsKv2EvZHM:+bazR0vKLXZM
Malware Config
Extracted family: berbew
Extracted URLs:
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Explorer.exe instantiates every CLSID listed under ShellServiceObjectDelayLoad (SSODL) when the shell starts, so the value written here, together with the InProcServer32 registration of the same CLSID recorded under "Modifies registry class" below, loads the dropped DLL into Explorer at every logon without touching the ordinary Run keys.
Two kinds of row appear. "Key created" is the key
\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
and "Set value (str)" writes
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
Rows whose process column is empty in the report are marked "(no process name)".
description | process
Key created | Jlfnangf.exe
Key created | Abhlak32.exe
Key created | Eekdmk32.exe
Key created | Faonqiod.exe
Key created | Aobnniji.exe
Set value (str) | Pbblkaea.exe
Key created | Acbnggjo.exe
Set value (str) | Ggnqfgce.exe
Key created | Gjbpne32.exe
Key created | Gqaafn32.exe
Key created | Njjfli32.exe
Key created | Oolelj32.exe
Key created | (no process name)
Set value (str) | Ompefj32.exe
Key created | Bkqiek32.exe
Set value (str) | Iamdkfnc.exe
Set value (str) | Bmjekahk.exe
Set value (str) | Aafnpkii.exe
Key created | Eklqcl32.exe
Key created | Cbpbgk32.exe
Key created | Cjlheehe.exe
Set value (str) | Demofaol.exe
Key created | Lgpdglhn.exe
Set value (str) | Oajndh32.exe
Set value (str) | Plbmom32.exe
Set value (str) | Mqdbjp32.exe
Key created | Gmloigln.exe
Key created | Cpiqmlfm.exe
Key created | Pmmeon32.exe
Set value (str) | Kbmome32.exe
Key created | Ablbjj32.exe
Key created | Llbnnq32.exe
Set value (str) | Bcpiombe.exe
Set value (str) | Kfenjq32.exe
Key created | Eemnnn32.exe
Set value (str) | Njlcah32.exe
Set value (str) | Lolbjahp.exe
Key created | Eclbcj32.exe
Set value (str) | Ammmlcgi.exe
Key created | Dkpabqoa.exe
Set value (str) | Jlbjcd32.exe
Set value (str) | (no process name)
Set value (str) | Pdgmlhha.exe
Set value (str) | Fkqlgc32.exe
Set value (str) | Jnagmc32.exe
Key created | Blqmid32.exe
Set value (str) | Lbagpp32.exe
Set value (str) | Mjcaimgg.exe
Set value (str) | Bnlgbnbp.exe
Set value (str) | Mkcplien.exe
Key created | Nbhkmg32.exe
Set value (str) | Cpiaipmh.exe
Key created | Kfjfik32.exe
Set value (str) | Llbnnq32.exe
Set value (str) | Piabdiep.exe
Set value (str) | Dcghkf32.exe
Key created | (no process name)
Key created | Hnpbjnpo.exe
Key created | Ppcbgkka.exe
Set value (str) | Igmepdbc.exe
Set value (str) | Mmafmo32.exe
Key created | Pbkgegad.exe
Set value (str) | Koddccaa.exe
Key created | Nqeapo32.exe
Berbew family
Executes dropped EXE (64 IoCs)
pid | process (in report order)
2684 | Lmfhil32.exe
2896 | Lfolaang.exe
2656 | Lklejh32.exe
2612 | Naopaa32.exe
1896 | Odebolpe.exe
1836 | Oihqgbhd.exe
2140 | Pkacpihj.exe
2852 | Qglmpi32.exe
1892 | Aollokco.exe
1380 | Aidphq32.exe
2040 | Blchcpko.exe
1940 | Bpqain32.exe
264 | Cifelgmd.exe
2388 | Diibag32.exe
668 | Egmojnlf.exe
572 | Edqocbkp.exe
1236 | Fbdlkj32.exe
236 | Gjpqpl32.exe
352 | Gqlebf32.exe
2008 | Ggfnopfg.exe
2272 | Gmecmg32.exe
1336 | Gpcoib32.exe
2884 | Hllmcc32.exe
2936 | Hhcmhdke.exe
888 | Hnpbjnpo.exe
2660 | Heikgh32.exe
2680 | Iabhah32.exe
2768 | Ihmpobck.exe
2580 | Idfnicfl.exe
2572 | Iegjqk32.exe
2980 | Ibmgpoia.exe
1840 | Jlelhe32.exe
2440 | Jepmgj32.exe
1844 | Jnkakl32.exe
1544 | Kfkpknkq.exe
2788 | Koddccaa.exe
1960 | Kohnoc32.exe
2372 | Kfbfkmeh.exe
532 | Lhelbh32.exe
2148 | Lkdhoc32.exe
1044 | Lqqpgj32.exe
3056 | Ldoimh32.exe
964 | Liqoflfh.exe
1752 | Lqhfhigj.exe
540 | Mbkpeake.exe
2488 | Mejlalji.exe
2636 | Mgjebg32.exe
2304 | Mndmoaog.exe
2464 | Maefamlh.exe
2800 | Nmlgfnal.exe
2564 | Ncfoch32.exe
2844 | Nmnclmoj.exe
2556 | Nbniid32.exe
932 | Nfidjbdg.exe
2196 | Nbpeoc32.exe
1020 | Noffdd32.exe
828 | Neqnqofm.exe
872 | Obdojcef.exe
2000 | Ohagbj32.exe
772 | Odjdmjgo.exe
2920 | Ogiaif32.exe
2748 | Omefkplm.exe
948 | Ppcbgkka.exe
824 | Pilfpqaa.exe
Loads dropped DLL (64 IoCs)
pid | process (each pid/process pair is listed twice in the report's 64 rows)
2648 | 39429f63ead563ceca1b28a3abb39e1c94437678382d7d9fdb7cadf8c65a934c.exe
2684 | Lmfhil32.exe
2896 | Lfolaang.exe
2656 | Lklejh32.exe
2612 | Naopaa32.exe
1896 | Odebolpe.exe
1836 | Oihqgbhd.exe
2140 | Pkacpihj.exe
2852 | Qglmpi32.exe
1892 | Aollokco.exe
1380 | Aidphq32.exe
2040 | Blchcpko.exe
1940 | Bpqain32.exe
264 | Cifelgmd.exe
2388 | Diibag32.exe
668 | Egmojnlf.exe
572 | Edqocbkp.exe
1236 | Fbdlkj32.exe
236 | Gjpqpl32.exe
352 | Gqlebf32.exe
2008 | Ggfnopfg.exe
2272 | Gmecmg32.exe
1336 | Gpcoib32.exe
2884 | Hllmcc32.exe
2936 | Hhcmhdke.exe
888 | Hnpbjnpo.exe
2660 | Heikgh32.exe
2680 | Iabhah32.exe
2768 | Ihmpobck.exe
2580 | Idfnicfl.exe
2572 | Iegjqk32.exe
2980 | Ibmgpoia.exe
Drops file in System32 directory (64 IoCs)
The sample is 32-bit, so on this x64 image its writes to the system directory land in C:\Windows\SysWOW64 under WOW64 file-system redirection, which is why the paths below read SysWOW64 although the signature says System32. The .exe files are the next worm stage (compare the pid order under "Executes dropped EXE": each dropper is followed by the file it created), and the .dll files are COM servers of the kind registered under "Modifies registry class", whose InProcServer32 paths use the same eight-letter naming scheme. Rows whose process column is empty in the report are marked "(no process name)".
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\Oihqgbhd.exe | Odebolpe.exe
File opened for modification | C:\Windows\SysWOW64\Gmecmg32.exe | Ggfnopfg.exe
File opened for modification | C:\Windows\SysWOW64\Fqfemqod.exe | Fjjpjgjj.exe
File opened for modification | C:\Windows\SysWOW64\Gdmdacnn.exe | Gkephn32.exe
File created | C:\Windows\SysWOW64\Djepmm32.dll | Eaebeoan.exe
File created | C:\Windows\SysWOW64\Dlfqea32.dll | Pmhejhao.exe
File created | C:\Windows\SysWOW64\Jabponba.exe | Jnagmc32.exe
File created | C:\Windows\SysWOW64\Inalmqgb.dll | Plbmom32.exe
File created | C:\Windows\SysWOW64\Okfmbm32.exe | Nhcgkbja.exe
File opened for modification | C:\Windows\SysWOW64\Ollcee32.exe | Ogpjmn32.exe
File created | C:\Windows\SysWOW64\Kaadjh32.dll | Hfnmbbnp.exe
File opened for modification | C:\Windows\SysWOW64\Ijghmd32.exe | Ijelgemi.exe
File opened for modification | C:\Windows\SysWOW64\Mjpmkdpp.exe | Mnilfc32.exe
File opened for modification | C:\Windows\SysWOW64\Ppogok32.exe | Pbkgegad.exe
File created | C:\Windows\SysWOW64\Fmqgqj32.dll | Ibmgpoia.exe
File created | C:\Windows\SysWOW64\Deollamj.exe | Demofaol.exe
File created | C:\Windows\SysWOW64\Kmkbjj32.dll | Hbkqdepm.exe
File opened for modification | C:\Windows\SysWOW64\Kmiolk32.exe | Kabngjla.exe
File created | C:\Windows\SysWOW64\Lnfbic32.dll | Pjbjjc32.exe
File created | C:\Windows\SysWOW64\Fgfien32.dll | Ckkenikc.exe
File created | C:\Windows\SysWOW64\Jkfapl32.dll | Cjboeenh.exe
File created | C:\Windows\SysWOW64\Ljecbkfm.dll | Iilceh32.exe
File opened for modification | C:\Windows\SysWOW64\Abpjjeim.exe | Aobnniji.exe
File opened for modification | C:\Windows\SysWOW64\Lemdncoa.exe | Lpqlemaj.exe
File opened for modification | C:\Windows\SysWOW64\Qigebglj.exe | Pfhhflmg.exe
File created | C:\Windows\SysWOW64\Gfogneop.exe | Ffmkhe32.exe
File opened for modification | C:\Windows\SysWOW64\Jafmngde.exe | Jcaqmkpn.exe
File created | C:\Windows\SysWOW64\Cicggcke.exe | Bfcnfh32.exe
File opened for modification | C:\Windows\SysWOW64\Hemqpf32.exe | Hcldhnkk.exe
File created | C:\Windows\SysWOW64\Pohhna32.exe | Phnpagdp.exe
File opened for modification | C:\Windows\SysWOW64\Fiepea32.exe | Fckhhgcf.exe
File created | C:\Windows\SysWOW64\Jqnodo32.dll | Jkbaci32.exe
File opened for modification | C:\Windows\SysWOW64\Eacghhkd.exe | Ehkcpc32.exe
File opened for modification | C:\Windows\SysWOW64\Odflmp32.exe | Oiokholk.exe
File opened for modification | C:\Windows\SysWOW64\Amjpgdik.exe | Amhcad32.exe
File created | C:\Windows\SysWOW64\Epcddopf.exe | Embkbdce.exe
File created | C:\Windows\SysWOW64\Cdonlp32.dll | Fpkchm32.exe
File created | C:\Windows\SysWOW64\Mflnei32.dll | Gcikfhed.exe
File created | C:\Windows\SysWOW64\Lijfkjba.dll | Faonqiod.exe
File created | C:\Windows\SysWOW64\Hndnokni.dll | (no process name)
File created | C:\Windows\SysWOW64\Ncpkpiaj.dll | Mpimbcnf.exe
File opened for modification | C:\Windows\SysWOW64\Aqanke32.exe | Qjeihl32.exe
File opened for modification | C:\Windows\SysWOW64\Dpjfjalp.exe | Dlnjjc32.exe
File opened for modification | C:\Windows\SysWOW64\Homfboco.exe | (no process name)
File created | C:\Windows\SysWOW64\Gblakg32.dll | Hegpjaac.exe
File created | C:\Windows\SysWOW64\Fmbgageq.exe | Fheoiqgi.exe
File created | C:\Windows\SysWOW64\Ipaklm32.exe | Hpoofm32.exe
File created | C:\Windows\SysWOW64\Ggknde32.dll | Ajaagi32.exe
File created | C:\Windows\SysWOW64\Eahkag32.exe | Eojoelcm.exe
File created | C:\Windows\SysWOW64\Dfmcfjpo.dll | Agbpnh32.exe
File opened for modification | C:\Windows\SysWOW64\Ckkenikc.exe | Cdamao32.exe
File opened for modification | C:\Windows\SysWOW64\Jfjjkhhg.exe | Iciaim32.exe
File created | C:\Windows\SysWOW64\Kioiffcn.exe | Kfaljjdj.exe
File opened for modification | C:\Windows\SysWOW64\Hggeeo32.exe | Gcimop32.exe
File created | C:\Windows\SysWOW64\Qaejidpg.dll | Afpogk32.exe
File created | C:\Windows\SysWOW64\Hoicpqbb.dll | Edcqjc32.exe
File created | C:\Windows\SysWOW64\Ocqhcqgk.exe | Nifgekbm.exe
File created | C:\Windows\SysWOW64\Amkmognm.dll | Jffhec32.exe
File created | C:\Windows\SysWOW64\Caaggpdh.exe | Bnqned32.exe
File opened for modification | C:\Windows\SysWOW64\Epcddopf.exe | Embkbdce.exe
File created | C:\Windows\SysWOW64\Moccnoni.exe | Mkggnp32.exe
File created | C:\Windows\SysWOW64\Kfbfkmeh.exe | Kohnoc32.exe
File created | C:\Windows\SysWOW64\Pojhbfni.dll | Jijokbfp.exe
File created | C:\Windows\SysWOW64\Lccmhojk.dll | Llbnnq32.exe
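A sweep for files like the ones in the rows above, added here as an example; it is not part of the sandbox report and not code from the sample or from the sandbox. It lists every .exe and .dll in SysWOW64 whose base name fits the eight-letter scheme seen in the drops, filters on creation time, and reports Authenticode status and SHA256 so a hit can be compared with the hashes in the General section. Assumed: PowerShell 4.0 or later (for Get-FileHash, -File and -in), an elevated session on the host being checked, and a seven-day look-back window that is only a default parameter.

```powershell
# Added example, not part of the sandbox report: sweep the 32-bit system directory
# for stage files that fit the naming scheme in the "Drops file" rows (eight letters,
# the executables usually ending in "32") and report creation time, Authenticode
# status and SHA256 for comparison with the hashes in the General section.
# Assumptions: PowerShell 4.0 or later, run as an administrator; the look-back
# window and directory are parameters, not values from the report.

# SHA256 of the submitted sample, copied from the General section of the report.
$KnownBadSha256 = '39429f63ead563ceca1b28a3abb39e1c94437678382d7d9fdb7cadf8c65a934c'

function Find-BerbewStyleDrops {
    param(
        # SysWOW64 is where the report shows the drops (WOW64 redirection of a 32-bit
        # writer on x64); on a 32-bit host run the same pass over System32 instead.
        [string]$Directory = (Join-Path $env:SystemRoot 'SysWOW64'),
        [datetime]$Since = (Get-Date).AddDays(-7)
    )

    Get-ChildItem -LiteralPath $Directory -File |
        Where-Object {
            ($_.Extension -in @('.exe', '.dll')) -and
            ($_.BaseName -match '^[A-Za-z]{6}(32|[A-Za-z]{2})$') -and   # e.g. Lmfhil32, Jlfnangf
            ($_.CreationTimeUtc -ge $Since.ToUniversalTime())
        } |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash.ToLower()
            [pscustomobject]@{
                File          = $_.FullName
                CreatedUtc    = $_.CreationTimeUtc
                SizeBytes     = $_.Length
                Signature     = $sig.Status          # 'Valid' for signed OS binaries
                SHA256        = $hash
                MatchesSample = ($hash -eq $KnownBadSha256)
            }
        }
}

# Newest files first: an unsigned file created inside the window, or a hash that
# matches the sample, is what to pull for analysis.
Find-BerbewStyleDrops | Sort-Object CreatedUtc -Descending | Format-Table -AutoSize
```

The name pattern alone is noisy (kernel32.dll and advapi32.dll both fit it), so the creation time and the signature status do the real filtering. Catalog-signed OS files report Valid on Windows 8 and later; on Windows 7 they can come back NotSigned, so there the creation time and hash carry more weight than the signature column.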
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
On its own this is a weak indicator: the key below is also read by benign code during process start-up, so in a sandbox nearly every process trips it. It is the worm chain above, not this read, that warrants attention.
All 64 rows are "Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"; the processes, in report order (rows whose process column is empty in the report are marked "(no process name)"):
Qhkkim32.exe, Cdfief32.exe, Lmfjcajl.exe, Fkkfgi32.exe, Ccgklc32.exe, Neblqoel.exe, Iainddpg.exe, Dlifcqfl.exe, Kmegjdad.exe, Qigebglj.exe, Difqji32.exe, Eikfdl32.exe, Padccpal.exe, Qjeihl32.exe, Lbjlnd32.exe, Lkjjma32.exe, Dbiocd32.exe, Bcfmfc32.exe, Cbfeam32.exe, (no process name), Lmfhil32.exe, Kjhfjpdd.exe, Ppcbgkka.exe, Ecbhfeip.exe, Mqfooonp.exe, (no process name), Mndmoaog.exe, Nfidjbdg.exe, Jijokbfp.exe, Bqmpdioa.exe, Cdfgmnpa.exe, Iciaim32.exe, (no process name), Ggfnopfg.exe, Pdmnam32.exe, Eemnnn32.exe, Lamkllea.exe, (no process name), Lfolaang.exe, Bkbaii32.exe, Bknfeege.exe, Bbgplq32.exe, Fhbnbpjc.exe, Ndfpnl32.exe, Ijclol32.exe, Gfabkl32.exe, Opkndldc.exe, Qamjmh32.exe, (no process name), Eafkhn32.exe, Hghdjn32.exe, Ekipgb32.exe, (no process name), Bnknoogp.exe, Feachqgb.exe, Lpbhmiji.exe, Ajdego32.exe, Ohbmppia.exe, Gdjpcj32.exe, (no process name), Ieibdnnp.exe, Oojhfj32.exe, Lpanne32.exe, Cikdbhhi.exe
Modifies registry class (64 IoCs)
This is the other half of the SSODL persistence recorded under "Adds autorun key to be loaded by Explorer.exe on startup": the CLSID that the "Web Event Logger" value names is given an InProcServer32 whose (default) value is the path Explorer will load when it instantiates the object, and each stage points it at a DLL it dropped into SysWOW64 (see "Drops file in System32 directory"). ThreadingModel = "Apartment" is the ordinary setting for an in-process shell component and is what makes the registration look routine.
Processes: Gckfpc32.exe, Hdbbnd32.exe, Iocioq32.exe, Hmdkjmip.exe, Gfabkl32.exe, Maldfbjn.exe, Ojbnkp32.exe, Ecjibgdh.exe, Cmbghgdg.exe, Kpeonkig.exe, Kdbbgdjj.exe, Inhdgdmk.exe, Chjmmnnb.exe, Efkbdbai.exe, Jjneoeeh.exe, Peiaij32.exe, Ecbhfeip.exe, Fmacpj32.exe, Pfnmmn32.exe, Qiiahgjh.exe, Fbniohpl.exe, Dammoahg.exe, Dpjfjalp.exe, Ieiegf32.exe, Aollokco.exe, Ieajkfmd.exe, Komjmk32.exe, Lbmpnjai.exe, Kjchmclb.exe, Abmgjo32.exe, Cogfqe32.exe, Lhlqjone.exe, Chlgid32.exe, Hkogpn32.exe, Jlghpa32.exe, Cmedlk32.exe, Goqnae32.exe, Igmepdbc.exe, Gfcopl32.exe, Oknjmb32.exe, Bemmenhb.exe, Iiaoip32.exe, Jkjaaglp.exe, Panaeb32.exe, Llbconkd.exe, Piemih32.exe, Jndjmifj.exe, Hdhbci32.exe, Eikimeff.exe, Dfegjknm.exe, Ciaefa32.exe, Iahkpg32.exe, Ijclol32.exe, Acnlgajg.exe, Dhleaq32.exe, Olioeoeo.exe, Pihlhagn.exe, Deonff32.exe
All rows are under
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
Three kinds of row appear: "Key created" (the InProcServer32 subkey itself), "Set value (str)" of the (default) value to a DLL path (quoted with doubled backslashes exactly as the report prints it), and "Set value (str)" of ThreadingModel. Rows whose process column is empty in the report are marked "(no process name)". The report is cut off partway through the last row.
description | process
Key created | Gckfpc32.exe
(default) = "C:\\Windows\\SysWow64\\Jemffb32.dll" | Hdbbnd32.exe
(default) = "C:\\Windows\\SysWow64\\Ajbdocdh.dll" | Iocioq32.exe
(default) = "C:\\Windows\\SysWow64\\Okgdkphm.dll" | (no process name)
(default) = "C:\\Windows\\SysWow64\\Ncbdnb32.dll" | Hmdkjmip.exe
ThreadingModel = "Apartment" | Gfabkl32.exe
Key created | Maldfbjn.exe
ThreadingModel = "Apartment" | Ojbnkp32.exe
Key created | Ecjibgdh.exe
ThreadingModel = "Apartment" | Cmbghgdg.exe
(default) = "C:\\Windows\\SysWow64\\Ajcmqj32.dll" | Kpeonkig.exe
ThreadingModel = "Apartment" | (no process name)
(default) = "C:\\Windows\\SysWow64\\Ghmhnp32.dll" | Kdbbgdjj.exe
ThreadingModel = "Apartment" | Inhdgdmk.exe
ThreadingModel = "Apartment" | Chjmmnnb.exe
Key created | Efkbdbai.exe
ThreadingModel = "Apartment" | Jjneoeeh.exe
ThreadingModel = "Apartment" | Peiaij32.exe
(default) = "C:\\Windows\\SysWow64\\Idopmjih.dll" | Ecbhfeip.exe
Key created | Fmacpj32.exe
ThreadingModel = "Apartment" | Pfnmmn32.exe
ThreadingModel = "Apartment" | Iocioq32.exe
ThreadingModel = "Apartment" | Qiiahgjh.exe
(default) = "C:\\Windows\\SysWow64\\Hilkhl32.dll" | Fbniohpl.exe
(default) = "C:\\Windows\\SysWow64\\Fefbnnpg.dll" | Dammoahg.exe
(default) = "C:\\Windows\\SysWow64\\Lclqho32.dll" | Dpjfjalp.exe
(default) = "C:\\Windows\\SysWow64\\Hjmcibej.dll" | Ieiegf32.exe
(default) = "C:\\Windows\\SysWow64\\Kghonhno.dll" | (no process name)
Key created | Aollokco.exe
ThreadingModel = "Apartment" | Ieajkfmd.exe
(default) = "C:\\Windows\\SysWow64\\Emldia32.dll" | Efkbdbai.exe
(default) = "C:\\Windows\\SysWow64\\Aqghocek.dll" | Komjmk32.exe
Key created | Lbmpnjai.exe
(default) = "C:\\Windows\\SysWow64\\Kejpdk32.dll" | Kjchmclb.exe
Key created | Abmgjo32.exe
Key created | Cogfqe32.exe
Key created | Lhlqjone.exe
Key created | Chlgid32.exe
ThreadingModel = "Apartment" | Hkogpn32.exe
ThreadingModel = "Apartment" | Jlghpa32.exe
(default) = "C:\\Windows\\SysWow64\\Deflhh32.dll" | (no process name)
(default) = "C:\\Windows\\SysWow64\\Gdgqdaoh.dll" | Cmedlk32.exe
Key created | Goqnae32.exe
(default) = "C:\\Windows\\SysWow64\\Jifaeqgo.dll" | Igmepdbc.exe
(default) = "C:\\Windows\\SysWow64\\Kaokbi32.dll" | Gfcopl32.exe
ThreadingModel = "Apartment" | Oknjmb32.exe
(default) = "C:\\Windows\\SysWow64\\Jjmdaidg.dll" | Bemmenhb.exe
(default) = "C:\\Windows\\SysWow64\\Jbldej32.dll" | Iiaoip32.exe
Key created | Jkjaaglp.exe
(default) = "C:\\Windows\\SysWow64\\Ghcicglo.dll" | Panaeb32.exe
ThreadingModel = "Apartment" | Llbconkd.exe
(default) = "C:\\Windows\\SysWow64\\Mmkcpmmb.dll" | Piemih32.exe
ThreadingModel = "Apartment" | Jndjmifj.exe
Key created | Hdhbci32.exe
ThreadingModel = "Apartment" | Eikimeff.exe
ThreadingModel = "Apartment" | Dfegjknm.exe
Key created | Ciaefa32.exe
Set value (str)
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iahkpg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijclol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnehm32.dll" Acnlgajg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhleaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Olioeoeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikbfmc32.dll" Pihlhagn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Deonff32.exe -
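Every registry event above touches the InProcServer32 subkey of a single CLSID under HKLM\Software\Classes\Wow6432Node, the machine-wide 32-bit COM class registration. The default value of InProcServer32 is the path of the DLL COM loads in-process when that class is instantiated, so what the list records is one CLSID being re-pointed by successive stages to a different freshly dropped SysWOW64 DLL, each time with ThreadingModel set to Apartment. The parser below is an added example and not part of the sandbox report: it reads lines in the report's "description ioc Process" layout (the process column may be absent), undoes the doubled backslashes in the rendered paths, and reports per CLSID which DLLs the server was pointed at, which processes wrote them and which created the key. The sample lines are copied from the list above; the function names and the two-distinct-DLLs threshold in flag_churn are my choices.

```python
import re
from collections import defaultdict

# Sample lines copied from the "Modifies registry class" events above, in the
# report's "description ioc Process" layout. The fourth line has no process column.
SAMPLE_EVENTS = [
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ecjibgdh.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cmbghgdg.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajcmqj32.dll" Kpeonkig.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghmhnp32.dll" Kdbbgdjj.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idopmjih.dll" Ecbhfeip.exe',
]

PROC_RE = re.compile(r' (\S+\.exe)$', re.IGNORECASE)          # optional trailing process column
SET_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*)"$')   # type, key path, quoted value
CLSID_RE = re.compile(r'\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}')


def parse_event(line):
    """Split one report line into action, key, value name, value and writing process."""
    line = line.strip()
    proc = None
    m = PROC_RE.search(line)
    if m:
        proc, line = m.group(1), line[:m.start()]
    if line.startswith('Key created '):
        return {'action': 'Key created', 'key': line[len('Key created '):],
                'name': None, 'value': None, 'proc': proc}
    m = SET_RE.match(line)
    if not m:
        raise ValueError(f'unrecognised event line: {line!r}')
    key, _, name = m.group(2).rpartition('\\')      # the default value has an empty name
    value = m.group(3).replace('\\\\', '\\')         # the report renders paths with escaped backslashes
    return {'action': 'Set value', 'type': m.group(1), 'key': key,
            'name': name, 'value': value, 'proc': proc}


def summarize(lines):
    """Per CLSID: DLLs its InProcServer32 default was pointed at, and who wrote them."""
    out = defaultdict(lambda: {'servers': [], 'server_writers': [],
                               'threading': set(), 'key_creators': []})
    for line in lines:
        ev = parse_event(line)
        m = CLSID_RE.search(ev['key'])
        if not m or not ev['key'].lower().endswith('\\inprocserver32'):
            continue
        entry = out[m.group(0)]
        if ev['action'] == 'Key created':
            entry['key_creators'].append(ev['proc'])
        elif ev['name'] == '':                          # default value = in-process COM server DLL
            entry['servers'].append(ev['value'])
            entry['server_writers'].append(ev['proc'])
        elif ev['name'].lower() == 'threadingmodel':
            entry['threading'].add(ev['value'])
    return dict(out)


def flag_churn(summary, min_distinct=2):
    """CLSIDs whose in-process server was re-pointed to several different DLLs in one run."""
    return [clsid for clsid, e in summary.items()
            if len(set(e['servers'])) >= min_distinct]


if __name__ == '__main__':
    summary = summarize(SAMPLE_EVENTS)
    for clsid in flag_churn(summary):
        e = summary[clsid]
        print(clsid, 'InProcServer32 re-pointed', len(set(e['servers'])), 'times')
        for dll, proc in zip(e['servers'], e['server_writers']):
            print('   ', proc or '(no process recorded)', '->', dll)
```

Run against the full list above, the same CLSID comes out with more than twenty distinct SysWOW64 DLLs, which is the signal worth carrying into a hunt: one class whose in-process server keeps changing within a single execution.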
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
39429f63ead563ceca1b28a3abb39e1c94437678382d7d9fdb7cadf8c65a934c.exe Lmfhil32.exe Lfolaang.exe Lklejh32.exe Naopaa32.exe Odebolpe.exe Oihqgbhd.exe Pkacpihj.exe Qglmpi32.exe Aollokco.exe Aidphq32.exe Blchcpko.exe Bpqain32.exe Cifelgmd.exe Diibag32.exe Egmojnlf.exe
description pid Process procid_target
PID 2648 wrote to memory of 2684 2648 39429f63ead563ceca1b28a3abb39e1c94437678382d7d9fdb7cadf8c65a934c.exe 30
PID 2648 wrote to memory of 2684 2648 39429f63ead563ceca1b28a3abb39e1c94437678382d7d9fdb7cadf8c65a934c.exe 30
PID 2648 wrote to memory of 2684 2648 39429f63ead563ceca1b28a3abb39e1c94437678382d7d9fdb7cadf8c65a934c.exe 30
PID 2648 wrote to memory of 2684 2648 39429f63ead563ceca1b28a3abb39e1c94437678382d7d9fdb7cadf8c65a934c.exe 30
PID 2684 wrote to memory of 2896 2684 Lmfhil32.exe 31
PID 2684 wrote to memory of 2896 2684 Lmfhil32.exe 31
PID 2684 wrote to memory of 2896 2684 Lmfhil32.exe 31
PID 2684 wrote to memory of 2896 2684 Lmfhil32.exe 31
PID 2896 wrote to memory of 2656 2896 Lfolaang.exe 32
PID 2896 wrote to memory of 2656 2896 Lfolaang.exe 32
PID 2896 wrote to memory of 2656 2896 Lfolaang.exe 32
PID 2896 wrote to memory of 2656 2896 Lfolaang.exe 32
PID 2656 wrote to memory of 2612 2656 Lklejh32.exe 33
PID 2656 wrote to memory of 2612 2656 Lklejh32.exe 33
PID 2656 wrote to memory of 2612 2656 Lklejh32.exe 33
PID 2656 wrote to memory of 2612 2656 Lklejh32.exe 33
PID 2612 wrote to memory of 1896 2612 Naopaa32.exe 34
PID 2612 wrote to memory of 1896 2612 Naopaa32.exe 34
PID 2612 wrote to memory of 1896 2612 Naopaa32.exe 34
PID 2612 wrote to memory of 1896 2612 Naopaa32.exe 34
PID 1896 wrote to memory of 1836 1896 Odebolpe.exe 35
PID 1896 wrote to memory of 1836 1896 Odebolpe.exe 35
PID 1896 wrote to memory of 1836 1896 Odebolpe.exe 35
PID 1896 wrote to memory of 1836 1896 Odebolpe.exe 35
PID 1836 wrote to memory of 2140 1836 Oihqgbhd.exe 36
PID 1836 wrote to memory of 2140 1836 Oihqgbhd.exe 36
PID 1836 wrote to memory of 2140 1836 Oihqgbhd.exe 36
PID 1836 wrote to memory of 2140 1836 Oihqgbhd.exe 36
PID 2140 wrote to memory of 2852 2140 Pkacpihj.exe 37
PID 2140 wrote to memory of 2852 2140 Pkacpihj.exe 37
PID 2140 wrote to memory of 2852 2140 Pkacpihj.exe 37
PID 2140 wrote to memory of 2852 2140 Pkacpihj.exe 37
PID 2852 wrote to memory of 1892 2852 Qglmpi32.exe 38
PID 2852 wrote to memory of 1892 2852 Qglmpi32.exe 38
PID 2852 wrote to memory of 1892 2852 Qglmpi32.exe 38
PID 2852 wrote to memory of 1892 2852 Qglmpi32.exe 38
PID 1892 wrote to memory of 1380 1892 Aollokco.exe 39
PID 1892 wrote to memory of 1380 1892 Aollokco.exe 39
PID 1892 wrote to memory of 1380 1892 Aollokco.exe 39
PID 1892 wrote to memory of 1380 1892 Aollokco.exe 39
PID 1380 wrote to memory of 2040 1380 Aidphq32.exe 40
PID 1380 wrote to memory of 2040 1380 Aidphq32.exe 40
PID 1380 wrote to memory of 2040 1380 Aidphq32.exe 40
PID 1380 wrote to memory of 2040 1380 Aidphq32.exe 40
PID 2040 wrote to memory of 1940 2040 Blchcpko.exe 41
PID 2040 wrote to memory of 1940 2040 Blchcpko.exe 41
PID 2040 wrote to memory of 1940 2040 Blchcpko.exe 41
PID 2040 wrote to memory of 1940 2040 Blchcpko.exe 41
PID 1940 wrote to memory of 264 1940 Bpqain32.exe 42
PID 1940 wrote to memory of 264 1940 Bpqain32.exe 42
PID 1940 wrote to memory of 264 1940 Bpqain32.exe 42
PID 1940 wrote to memory of 264 1940 Bpqain32.exe 42
PID 264 wrote to memory of 2388 264 Cifelgmd.exe 43
PID 264 wrote to memory of 2388 264 Cifelgmd.exe 43
PID 264 wrote to memory of 2388 264 Cifelgmd.exe 43
PID 264 wrote to memory of 2388 264 Cifelgmd.exe 43
PID 2388 wrote to memory of 668 2388 Diibag32.exe 44
PID 2388 wrote to memory of 668 2388 Diibag32.exe 44
PID 2388 wrote to memory of 668 2388 Diibag32.exe 44
PID 2388 wrote to memory of 668 2388 Diibag32.exe 44
PID 668 wrote to memory of 572 668 Egmojnlf.exe 45
PID 668 wrote to memory of 572 668 Egmojnlf.exe 45
PID 668 wrote to memory of 572 668 Egmojnlf.exe 45
PID 668 wrote to memory of 572 668 Egmojnlf.exe 45
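Read in order, the WriteProcessMemory rows show the sample binary writing into the first dropped executable it spawned, that executable writing into the next one, and so on down the line, four calls recorded per hand-off. The script below is an added example and not part of the report: it parses rows in the report's "description pid Process procid_target" layout, counts the calls per writer/target pair, and walks from the one writer that is never itself a target to rebuild the hand-off chain, stopping where a parent writes into more than one child and refusing a graph that loops. The sample rows are the first three hand-offs copied from the table above; the function names are my choices, and the last process in the chain is reported by PID only because these rows name the writer, never the target.

```python
import re
from collections import Counter, defaultdict

# Rows copied from the WriteProcessMemory table above (first three hand-offs).
# Layout: "PID <src> wrote to memory of <dst> <pid> <Process> <procid_target>".
SAMPLE_ROWS = (
    ['PID 2648 wrote to memory of 2684 2648 '
     '39429f63ead563ceca1b28a3abb39e1c94437678382d7d9fdb7cadf8c65a934c.exe 30'] * 4
    + ['PID 2684 wrote to memory of 2896 2684 Lmfhil32.exe 31'] * 4
    + ['PID 2896 wrote to memory of 2656 2896 Lfolaang.exe 32'] * 4
)

ROW_RE = re.compile(r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) '
                    r'(?P<pid>\d+) (?P<proc>\S+) (?P<target>\d+)$')


def parse_writes(rows):
    """Count WriteProcessMemory calls per (writer pid, target pid); map writer pid to image name."""
    calls = Counter()
    names = {}
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m or m['pid'] != m['src']:       # pid column must repeat the writer in the description
            continue
        src, dst = int(m['src']), int(m['dst'])
        calls[(src, dst)] += 1
        names[src] = m['proc']
    return calls, names


def reconstruct_chain(calls):
    """Follow writer -> target edges from the single root writer; stop at fan-out, fail on a cycle."""
    children = defaultdict(list)
    targets = set()
    for src, dst in calls:
        children[src].append(dst)
        targets.add(dst)
    roots = [p for p in children if p not in targets]
    if len(roots) != 1:
        raise ValueError(f'expected exactly one root writer, found {sorted(roots)}')
    chain, seen = [roots[0]], {roots[0]}
    while len(children.get(chain[-1], [])) == 1:   # a simple hand-off has exactly one child
        nxt = children[chain[-1]][0]
        if nxt in seen:
            raise ValueError(f'cycle: {nxt} is written to by its own descendant')
        seen.add(nxt)
        chain.append(nxt)
    return chain


def describe(rows):
    """Return [(pid, image or '?')] along the chain plus the per-edge call counts."""
    calls, names = parse_writes(rows)
    chain = reconstruct_chain(calls)
    return [(pid, names.get(pid, '?')) for pid in chain], calls


if __name__ == '__main__':
    chain, calls = describe(SAMPLE_ROWS)
    for (pid, image), (nxt, _) in zip(chain, chain[1:]):
        print(f'{image} ({pid}) -> {nxt}: {calls[(pid, nxt)]} WriteProcessMemory call(s)')
```

Keeping the per-edge count rather than deduplicating lets a hand-off with an unusual number of writes stand out; on the full table every edge has four, which is consistent with the parent writing into a child it has just created rather than into an unrelated process.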
Processes
-
C:\Users\Admin\AppData\Local\Temp\39429f63ead563ceca1b28a3abb39e1c94437678382d7d9fdb7cadf8c65a934c.exe"C:\Users\Admin\AppData\Local\Temp\39429f63ead563ceca1b28a3abb39e1c94437678382d7d9fdb7cadf8c65a934c.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Lmfhil32.exeC:\Windows\system32\Lmfhil32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Lfolaang.exeC:\Windows\system32\Lfolaang.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\Lklejh32.exeC:\Windows\system32\Lklejh32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Naopaa32.exeC:\Windows\system32\Naopaa32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Odebolpe.exeC:\Windows\system32\Odebolpe.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1896 -
C:\Windows\SysWOW64\Oihqgbhd.exeC:\Windows\system32\Oihqgbhd.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1836 -
C:\Windows\SysWOW64\Pkacpihj.exeC:\Windows\system32\Pkacpihj.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Windows\SysWOW64\Qglmpi32.exeC:\Windows\system32\Qglmpi32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\Aollokco.exeC:\Windows\system32\Aollokco.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1892 -
C:\Windows\SysWOW64\Aidphq32.exeC:\Windows\system32\Aidphq32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1380 -
C:\Windows\SysWOW64\Blchcpko.exeC:\Windows\system32\Blchcpko.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Windows\SysWOW64\Bpqain32.exeC:\Windows\system32\Bpqain32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1940 -
C:\Windows\SysWOW64\Cifelgmd.exeC:\Windows\system32\Cifelgmd.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:264 -
C:\Windows\SysWOW64\Diibag32.exeC:\Windows\system32\Diibag32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\SysWOW64\Egmojnlf.exeC:\Windows\system32\Egmojnlf.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:668 -
C:\Windows\SysWOW64\Edqocbkp.exeC:\Windows\system32\Edqocbkp.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:572 -
C:\Windows\SysWOW64\Fbdlkj32.exeC:\Windows\system32\Fbdlkj32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1236 -
C:\Windows\SysWOW64\Gjpqpl32.exeC:\Windows\system32\Gjpqpl32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:236 -
C:\Windows\SysWOW64\Gqlebf32.exeC:\Windows\system32\Gqlebf32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:352 -
C:\Windows\SysWOW64\Ggfnopfg.exeC:\Windows\system32\Ggfnopfg.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2008 -
C:\Windows\SysWOW64\Gmecmg32.exeC:\Windows\system32\Gmecmg32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2272 -
C:\Windows\SysWOW64\Gpcoib32.exeC:\Windows\system32\Gpcoib32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1336 -
C:\Windows\SysWOW64\Hllmcc32.exeC:\Windows\system32\Hllmcc32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2884 -
C:\Windows\SysWOW64\Hhcmhdke.exeC:\Windows\system32\Hhcmhdke.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2936 -
C:\Windows\SysWOW64\Hnpbjnpo.exeC:\Windows\system32\Hnpbjnpo.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:888 -
C:\Windows\SysWOW64\Heikgh32.exeC:\Windows\system32\Heikgh32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2660 -
C:\Windows\SysWOW64\Iabhah32.exeC:\Windows\system32\Iabhah32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2680 -
C:\Windows\SysWOW64\Ihmpobck.exeC:\Windows\system32\Ihmpobck.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2768 -
C:\Windows\SysWOW64\Idfnicfl.exeC:\Windows\system32\Idfnicfl.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2580 -
C:\Windows\SysWOW64\Iegjqk32.exeC:\Windows\system32\Iegjqk32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2572 -
C:\Windows\SysWOW64\Ibmgpoia.exeC:\Windows\system32\Ibmgpoia.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2980 -
C:\Windows\SysWOW64\Jlelhe32.exeC:\Windows\system32\Jlelhe32.exe33⤵
- Executes dropped EXE
PID:1840 -
C:\Windows\SysWOW64\Jepmgj32.exeC:\Windows\system32\Jepmgj32.exe34⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Jnkakl32.exeC:\Windows\system32\Jnkakl32.exe35⤵
- Executes dropped EXE
PID:1844 -
C:\Windows\SysWOW64\Kfkpknkq.exeC:\Windows\system32\Kfkpknkq.exe36⤵
- Executes dropped EXE
PID:1544 -
C:\Windows\SysWOW64\Koddccaa.exeC:\Windows\system32\Koddccaa.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Kohnoc32.exeC:\Windows\system32\Kohnoc32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1960 -
C:\Windows\SysWOW64\Kfbfkmeh.exeC:\Windows\system32\Kfbfkmeh.exe39⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Lhelbh32.exeC:\Windows\system32\Lhelbh32.exe40⤵
- Executes dropped EXE
PID:532 -
C:\Windows\SysWOW64\Lkdhoc32.exeC:\Windows\system32\Lkdhoc32.exe41⤵
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Lqqpgj32.exeC:\Windows\system32\Lqqpgj32.exe42⤵
- Executes dropped EXE
PID:1044 -
C:\Windows\SysWOW64\Ldoimh32.exeC:\Windows\system32\Ldoimh32.exe43⤵
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Liqoflfh.exeC:\Windows\system32\Liqoflfh.exe44⤵
- Executes dropped EXE
PID:964 -
C:\Windows\SysWOW64\Lqhfhigj.exeC:\Windows\system32\Lqhfhigj.exe45⤵
- Executes dropped EXE
PID:1752 -
C:\Windows\SysWOW64\Mbkpeake.exeC:\Windows\system32\Mbkpeake.exe46⤵
- Executes dropped EXE
PID:540 -
C:\Windows\SysWOW64\Mejlalji.exeC:\Windows\system32\Mejlalji.exe47⤵
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\Mgjebg32.exeC:\Windows\system32\Mgjebg32.exe48⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Mndmoaog.exeC:\Windows\system32\Mndmoaog.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2304 -
C:\Windows\SysWOW64\Maefamlh.exeC:\Windows\system32\Maefamlh.exe50⤵
- Executes dropped EXE
PID:2464 -
C:\Windows\SysWOW64\Mhonngce.exeC:\Windows\system32\Mhonngce.exe51⤵PID:1588
-
C:\Windows\SysWOW64\Nmlgfnal.exeC:\Windows\system32\Nmlgfnal.exe52⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Ncfoch32.exeC:\Windows\system32\Ncfoch32.exe53⤵
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Nmnclmoj.exeC:\Windows\system32\Nmnclmoj.exe54⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Nbniid32.exeC:\Windows\system32\Nbniid32.exe55⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Nfidjbdg.exeC:\Windows\system32\Nfidjbdg.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:932 -
C:\Windows\SysWOW64\Nbpeoc32.exeC:\Windows\system32\Nbpeoc32.exe57⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Noffdd32.exeC:\Windows\system32\Noffdd32.exe58⤵
- Executes dropped EXE
PID:1020 -
C:\Windows\SysWOW64\Neqnqofm.exeC:\Windows\system32\Neqnqofm.exe59⤵
- Executes dropped EXE
PID:828 -
C:\Windows\SysWOW64\Obdojcef.exeC:\Windows\system32\Obdojcef.exe60⤵
- Executes dropped EXE
PID:872 -
C:\Windows\SysWOW64\Ohagbj32.exeC:\Windows\system32\Ohagbj32.exe61⤵
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Odjdmjgo.exeC:\Windows\system32\Odjdmjgo.exe62⤵
- Executes dropped EXE
PID:772 -
C:\Windows\SysWOW64\Ogiaif32.exeC:\Windows\system32\Ogiaif32.exe63⤵
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Omefkplm.exeC:\Windows\system32\Omefkplm.exe64⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Ppcbgkka.exeC:\Windows\system32\Ppcbgkka.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:948 -
C:\Windows\SysWOW64\Pilfpqaa.exeC:\Windows\system32\Pilfpqaa.exe66⤵
- Executes dropped EXE
PID:824 -
C:\Windows\SysWOW64\Pecgea32.exeC:\Windows\system32\Pecgea32.exe67⤵PID:1680
-
C:\Windows\SysWOW64\Ppkhhjei.exeC:\Windows\system32\Ppkhhjei.exe68⤵PID:1312
-
C:\Windows\SysWOW64\Pciddedl.exeC:\Windows\system32\Pciddedl.exe69⤵PID:2332
-
C:\Windows\SysWOW64\Panaeb32.exeC:\Windows\system32\Panaeb32.exe70⤵
- Modifies registry class
PID:1736 -
C:\Windows\SysWOW64\Pdmnam32.exeC:\Windows\system32\Pdmnam32.exe71⤵
- System Location Discovery: System Language Discovery
PID:2664 -
C:\Windows\SysWOW64\Qkibcg32.exeC:\Windows\system32\Qkibcg32.exe72⤵PID:2204
-
C:\Windows\SysWOW64\Qngopb32.exeC:\Windows\system32\Qngopb32.exe73⤵PID:2604
-
C:\Windows\SysWOW64\Adcdbl32.exeC:\Windows\system32\Adcdbl32.exe74⤵PID:2552
-
C:\Windows\SysWOW64\Agbpnh32.exeC:\Windows\system32\Agbpnh32.exe75⤵
- Drops file in System32 directory
PID:2172 -
C:\Windows\SysWOW64\Ajcipc32.exeC:\Windows\system32\Ajcipc32.exe76⤵PID:1792
-
C:\Windows\SysWOW64\Ackmih32.exeC:\Windows\system32\Ackmih32.exe77⤵PID:2400
-
C:\Windows\SysWOW64\Aobnniji.exeC:\Windows\system32\Aobnniji.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2528 -
C:\Windows\SysWOW64\Abpjjeim.exeC:\Windows\system32\Abpjjeim.exe79⤵PID:2244
-
C:\Windows\SysWOW64\Beackp32.exeC:\Windows\system32\Beackp32.exe80⤵PID:1976
-
C:\Windows\SysWOW64\Bmhkmm32.exeC:\Windows\system32\Bmhkmm32.exe81⤵PID:2732
-
C:\Windows\SysWOW64\Boidnh32.exeC:\Windows\system32\Boidnh32.exe82⤵PID:1036
-
C:\Windows\SysWOW64\Biaign32.exeC:\Windows\system32\Biaign32.exe83⤵PID:2940
-
C:\Windows\SysWOW64\Bkbaii32.exeC:\Windows\system32\Bkbaii32.exe84⤵
- System Location Discovery: System Language Discovery
PID:1328 -
C:\Windows\SysWOW64\Bnqned32.exeC:\Windows\system32\Bnqned32.exe85⤵
- Drops file in System32 directory
PID:2132 -
C:\Windows\SysWOW64\Caaggpdh.exeC:\Windows\system32\Caaggpdh.exe86⤵PID:2996
-
C:\Windows\SysWOW64\Cgkocj32.exeC:\Windows\system32\Cgkocj32.exe87⤵PID:1264
-
C:\Windows\SysWOW64\Cjlheehe.exeC:\Windows\system32\Cjlheehe.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2708 -
C:\Windows\SysWOW64\Cpiqmlfm.exeC:\Windows\system32\Cpiqmlfm.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2816 -
C:\Windows\SysWOW64\Ciaefa32.exeC:\Windows\system32\Ciaefa32.exe90⤵
- Modifies registry class
PID:2764 -
C:\Windows\SysWOW64\Cehfkb32.exeC:\Windows\system32\Cehfkb32.exe91⤵PID:1476
-
C:\Windows\SysWOW64\Dobgihgp.exeC:\Windows\system32\Dobgihgp.exe92⤵PID:1596
-
C:\Windows\SysWOW64\Demofaol.exeC:\Windows\system32\Demofaol.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1728 -
C:\Windows\SysWOW64\Deollamj.exeC:\Windows\system32\Deollamj.exe94⤵PID:2444
-
C:\Windows\SysWOW64\Dmjqpdje.exeC:\Windows\system32\Dmjqpdje.exe95⤵PID:3064
-
C:\Windows\SysWOW64\Dknajh32.exeC:\Windows\system32\Dknajh32.exe96⤵PID:2208
-
C:\Windows\SysWOW64\Dbifnj32.exeC:\Windows\system32\Dbifnj32.exe97⤵PID:2108
-
C:\Windows\SysWOW64\Eclbcj32.exeC:\Windows\system32\Eclbcj32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1180 -
C:\Windows\SysWOW64\Eiekpd32.exeC:\Windows\system32\Eiekpd32.exe99⤵PID:912
-
C:\Windows\SysWOW64\Eihgfd32.exeC:\Windows\system32\Eihgfd32.exe100⤵PID:996
-
C:\Windows\SysWOW64\Elfcbo32.exeC:\Windows\system32\Elfcbo32.exe101⤵PID:1252
-
C:\Windows\SysWOW64\Eklqcl32.exeC:\Windows\system32\Eklqcl32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:580 -
C:\Windows\SysWOW64\Ecbhdi32.exeC:\Windows\system32\Ecbhdi32.exe103⤵PID:2808
-
C:\Windows\SysWOW64\Eaheeecg.exeC:\Windows\system32\Eaheeecg.exe104⤵PID:2820
-
C:\Windows\SysWOW64\Fhbnbpjc.exeC:\Windows\system32\Fhbnbpjc.exe105⤵
- System Location Discovery: System Language Discovery
PID:2192 -
C:\Windows\SysWOW64\Fnacpffh.exeC:\Windows\system32\Fnacpffh.exe106⤵PID:2848
-
C:\Windows\SysWOW64\Fgigil32.exeC:\Windows\system32\Fgigil32.exe107⤵PID:1664
-
C:\Windows\SysWOW64\Flfpabkp.exeC:\Windows\system32\Flfpabkp.exe108⤵PID:2424
-
C:\Windows\SysWOW64\Fjjpjgjj.exeC:\Windows\system32\Fjjpjgjj.exe109⤵
- Drops file in System32 directory
PID:2472 -
C:\Windows\SysWOW64\Fqfemqod.exeC:\Windows\system32\Fqfemqod.exe110⤵PID:1096
-
C:\Windows\SysWOW64\Gbhbdi32.exeC:\Windows\system32\Gbhbdi32.exe111⤵PID:1848
-
C:\Windows\SysWOW64\Gdhkfd32.exeC:\Windows\system32\Gdhkfd32.exe112⤵PID:1748
-
C:\Windows\SysWOW64\Gkbcbn32.exeC:\Windows\system32\Gkbcbn32.exe113⤵PID:2328
-
C:\Windows\SysWOW64\Gkephn32.exeC:\Windows\system32\Gkephn32.exe114⤵
- Drops file in System32 directory
PID:2784 -
C:\Windows\SysWOW64\Gdmdacnn.exeC:\Windows\system32\Gdmdacnn.exe115⤵PID:2628
-
C:\Windows\SysWOW64\Giipab32.exeC:\Windows\system32\Giipab32.exe116⤵PID:2404
-
C:\Windows\SysWOW64\Hgpjhn32.exeC:\Windows\system32\Hgpjhn32.exe117⤵PID:2448
-
C:\Windows\SysWOW64\Hfegij32.exeC:\Windows\system32\Hfegij32.exe118⤵PID:2772
-
C:\Windows\SysWOW64\Hidcef32.exeC:\Windows\system32\Hidcef32.exe119⤵PID:2092
-
C:\Windows\SysWOW64\Hcldhnkk.exeC:\Windows\system32\Hcldhnkk.exe120⤵
- Drops file in System32 directory
PID:1908 -
C:\Windows\SysWOW64\Hemqpf32.exeC:\Windows\system32\Hemqpf32.exe121⤵PID:1772
-
C:\Windows\SysWOW64\Inhanl32.exeC:\Windows\system32\Inhanl32.exe122⤵PID:2016