Analysis
max time kernel: 120s
max time network: 125s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 23-11-2024 04:59

Static task: static1

Behavioral task: behavioral1
Sample: ee0bf050e447de47372ec45556774ceb585d9677706f098f1755ba59dd0c3faa.exe
Resource: win7-20241010-en

Behavioral task: behavioral2
Sample: ee0bf050e447de47372ec45556774ceb585d9677706f098f1755ba59dd0c3faa.exe
Resource: win10v2004-20241007-en

General
Target: ee0bf050e447de47372ec45556774ceb585d9677706f098f1755ba59dd0c3faa.exe
Size: 1.9MB
MD5: 4de66eebbdcbb113e78123519ed0d183
SHA1: 5a7c984de7684f3e27334f6b794dda19852c4fd7
SHA256: ee0bf050e447de47372ec45556774ceb585d9677706f098f1755ba59dd0c3faa
SHA512: a27cedb21d8b8d942f5aaca3b3ddbecea0301b04def9033c02789b4da0991508d95e18fb2d9c625a55fdc298e0634951c5c6256052da26ed83a25406175e13d7
SSDEEP: 24576:s63NIVyeNIVy2jUKaNIVyeNIVy2jUtc9uO2NIVyeNIVy2jUKaNIVyeNIVy2jUK:s3yj1yj3uOpyj1yj9
Malware Config
Extracted: berbew
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Berbew family
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
Process: WerFault.exe, pid 2564, pid_target 944, procid_target 356
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpaeljha.dll" Ojndpqpq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jalnli32.dll" Almihjlj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dilddl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faconabh.dll" Hkhbkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jcodcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kclmbm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eagbnh32.exe -
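The registry IoCs above all concern one CLSID, {79FEACFF-FFCE-815E-A900-316290B5B738}, whose InProcServer32 default value is re-pointed to a different freshly dropped SysWow64 DLL by one dropped executable after another. The Python below is an added example, not part of the sandbox report or of any tool it names: it parses lines in the report's own format into operation, key, value name, data and writing process, and flags any CLSID whose in-process server was rewritten to several DLLs by several different processes, which is the shape a single-installer COM registration never has. The eight sample lines are copied from this report; the thresholds in flag_hijacks are this example's own choice.

```python
"""Parse Triage-style registry IoC lines and flag a CLSID whose InProcServer32
is re-pointed to many DLLs by many processes (added example, not report code)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: eight lines copied from this report, in its own format.
SAMPLE_IOCS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anijicnf.dll" Ckilmfke.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eapcjo32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kfccmini.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlamnm32.dll" Egndgdai.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edlmlclc.dll" Dgjfbllj.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfccmini.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ekghcq32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffdiiopj.dll" Ekghcq32.exe
"""

LINE_RE = re.compile(
    r"^(?P<op>Set value \(\w+\)|Key created)\s+"
    r"(?P<path>\\REGISTRY\\\S*?)"            # registry path; these keys contain no spaces
    r'(?:\s*=\s*"(?P<value>[^"]*)")?'         # quoted data, present only for Set value
    r"\s+(?P<proc>\S+)$"                      # process that performed the operation
)
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass(frozen=True)
class RegEvent:
    op: str
    key: str                 # key path without the value name
    name: Optional[str]      # value name, "(Default)" for the key's default, None for Key created
    data: Optional[str]
    proc: str

    @property
    def clsid(self) -> Optional[str]:
        m = CLSID_RE.search(self.key)
        return m.group(0).upper() if m else None


def parse_line(line: str) -> Optional[RegEvent]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    op, path, data, proc = m.group("op", "path", "value", "proc")
    if op == "Key created":
        key, name = path, None
    elif path.endswith("\\"):                  # "...\InProcServer32\ = ..." sets the default value
        key, name = path[:-1], "(Default)"
    else:
        key, _, name = path.rpartition("\\")
    if data is not None:
        data = data.replace("\\\\", "\\")      # the report escapes backslashes inside data
    return RegEvent(op, key, name, data, proc)


def parse(text: str) -> List[RegEvent]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def inproc_hijack_summary(events: List[RegEvent]) -> Dict[str, dict]:
    """Per CLSID: distinct DLLs written to InProcServer32's default value, and
    distinct processes that touched anything under that InProcServer32 key."""
    out: Dict[str, dict] = defaultdict(lambda: {"dlls": set(), "writers": set()})
    for e in events:
        if e.clsid is None or "\\InProcServer32" not in e.key:
            continue
        out[e.clsid]["writers"].add(e.proc)
        if e.name == "(Default)" and e.data and e.data.lower().endswith(".dll"):
            out[e.clsid]["dlls"].add(e.data)
    return dict(out)


def flag_hijacks(events: List[RegEvent], min_dlls: int = 2, min_writers: int = 2) -> List[str]:
    """CLSIDs whose in-process server was re-pointed repeatedly.  One installer
    writing one DLL once is normal; many dropped binaries each re-pointing the
    same CLSID is the pattern in this report.  Thresholds are an assumption."""
    s = inproc_hijack_summary(events)
    return sorted(c for c, v in s.items()
                  if len(v["dlls"]) >= min_dlls and len(v["writers"]) >= min_writers)


if __name__ == "__main__":
    evs = parse(SAMPLE_IOCS)
    for clsid, v in inproc_hijack_summary(evs).items():
        print(clsid, len(v["dlls"]), "DLLs,", len(v["writers"]), "writers")
    print("flagged:", flag_hijacks(evs))
```

Run against the full IoC list the same parser yields one CLSID, dozens of writer processes and a distinct DLL per default-value write; on a live host the equivalent check is to read the same key under HKLM\SOFTWARE\Classes\Wow6432Node\CLSID and compare the DLL it names against what is actually on disk.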
Suspicious use of WriteProcessMemory 64 IoCs
Each writer is the parent of the target it wrote into (compare the process tree below). The report logs every parent/child pair four times, so the 64 IoCs reduce to the 16 pairs listed once here with their repeat count; columns are the report's description, pid, Process and procid_target.

description  pid  Process  procid_target  logged
PID 2884 wrote to memory of 2796  2884  ee0bf050e447de47372ec45556774ceb585d9677706f098f1755ba59dd0c3faa.exe  30  x4
PID 2796 wrote to memory of 2784  2796  Dkgldm32.exe  31  x4
PID 2784 wrote to memory of 2832  2784  Ekghcq32.exe  32  x4
PID 2832 wrote to memory of 2308  2832  Fmddgg32.exe  33  x4
PID 2308 wrote to memory of 1212  2308  Hpicbe32.exe  34  x4
PID 1212 wrote to memory of 1132  1212  Jghqia32.exe  35  x4
PID 1132 wrote to memory of 2480  1132  Jfmnkn32.exe  36  x4
PID 2480 wrote to memory of 2132  2480  Kglfcd32.exe  37  x4
PID 2132 wrote to memory of 2456  2132  Mokdja32.exe  38  x4
PID 2456 wrote to memory of 2260  2456  Momapqgn.exe  39  x4
PID 2260 wrote to memory of 1544  2260  Mkdbea32.exe  40  x4
PID 1544 wrote to memory of 2080  1544  Mkfojakp.exe  41  x4
PID 2080 wrote to memory of 2384  2080  Nohddd32.exe  42  x4
PID 2384 wrote to memory of 2504  2384  Nphpng32.exe  43  x4
PID 2504 wrote to memory of 2752  2504  Nommodjj.exe  44  x4
PID 2752 wrote to memory of 2552  2752  Nkdndeon.exe  45  x4
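The WriteProcessMemory IoCs above describe sixteen parent-to-child pairs, each logged four times. The Python below is an added example, not part of the report: it parses rows in the report's format, collapses the repeats, walks the parent-to-child chain from the submitted sample's PID and checks each child's name against the naming shape every dropped binary in this report shares (an eight-character stem of one capital letter followed by either seven lowercase letters or five lowercase letters and "32"). That pattern is an observation about this report only, not a published family signature, and the minimum chain length is this example's choice. The sample rows are copied from above, keeping the first pair's four repeats to show the de-duplication.

```python
"""Rebuild the spawn chain from Triage-style WriteProcessMemory rows and check
the children's names (added example, not report code)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: rows copied from this report.  The first pair keeps its
# four repeats as logged; the other fifteen pairs are listed once each.
SAMPLE_ROWS = """
PID 2884 wrote to memory of 2796 2884 ee0bf050e447de47372ec45556774ceb585d9677706f098f1755ba59dd0c3faa.exe 30
PID 2884 wrote to memory of 2796 2884 ee0bf050e447de47372ec45556774ceb585d9677706f098f1755ba59dd0c3faa.exe 30
PID 2884 wrote to memory of 2796 2884 ee0bf050e447de47372ec45556774ceb585d9677706f098f1755ba59dd0c3faa.exe 30
PID 2884 wrote to memory of 2796 2884 ee0bf050e447de47372ec45556774ceb585d9677706f098f1755ba59dd0c3faa.exe 30
PID 2796 wrote to memory of 2784 2796 Dkgldm32.exe 31
PID 2784 wrote to memory of 2832 2784 Ekghcq32.exe 32
PID 2832 wrote to memory of 2308 2832 Fmddgg32.exe 33
PID 2308 wrote to memory of 1212 2308 Hpicbe32.exe 34
PID 1212 wrote to memory of 1132 1212 Jghqia32.exe 35
PID 1132 wrote to memory of 2480 1132 Jfmnkn32.exe 36
PID 2480 wrote to memory of 2132 2480 Kglfcd32.exe 37
PID 2132 wrote to memory of 2456 2132 Mokdja32.exe 38
PID 2456 wrote to memory of 2260 2456 Momapqgn.exe 39
PID 2260 wrote to memory of 1544 2260 Mkdbea32.exe 40
PID 1544 wrote to memory of 2080 1544 Mkfojakp.exe 41
PID 2080 wrote to memory of 2384 2080 Nohddd32.exe 42
PID 2384 wrote to memory of 2504 2384 Nphpng32.exe 43
PID 2504 wrote to memory of 2752 2504 Nommodjj.exe 44
PID 2752 wrote to memory of 2552 2752 Nkdndeon.exe 45
"""

ROW_RE = re.compile(
    r"^PID (?P<writer>\d+) wrote to memory of (?P<target>\d+) "
    r"(?P<pid>\d+) (?P<proc>\S+) (?P<procid_target>\d+)$"
)

# Assumption drawn from this report's names only: eight-character stem, one
# capital then seven lowercase letters, or five lowercase letters and "32".
DROPPED_NAME_RE = re.compile(r"^[A-Z](?:[a-z]{7}|[a-z]{5}32)\.(?:exe|dll)$")


def parse_rows(text: str) -> List[Tuple[int, int, str]]:
    """(writer pid, target pid, writer image name) per row; duplicates are kept."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((int(m["writer"]), int(m["target"]), m["proc"]))
    return rows


def spawn_chain(rows: List[Tuple[int, int, str]], root_pid: int) -> List[Tuple[int, Optional[str]]]:
    """Walk writer -> target from root_pid.  Names come from the writer column,
    so the final child (never a writer itself) has no name in this data.  A
    writer with several targets keeps only its first; this report is a chain."""
    child_of: Dict[int, int] = {}
    name_of: Dict[int, str] = {}
    for writer, target, proc in rows:          # repeats collapse in the dicts
        child_of.setdefault(writer, target)
        name_of[writer] = proc
    chain: List[Tuple[int, Optional[str]]] = []
    pid: Optional[int] = root_pid
    seen = set()
    while pid is not None and pid not in seen:  # guard against a cycle in bad data
        seen.add(pid)
        chain.append((pid, name_of.get(pid)))
        pid = child_of.get(pid)
    return chain


def looks_dropped(name: Optional[str]) -> bool:
    return bool(name) and DROPPED_NAME_RE.match(name) is not None


def flag_chain(rows: List[Tuple[int, int, str]], root_pid: int, min_children: int = 3) -> bool:
    """True when root_pid heads a chain of at least min_children processes and
    every named child fits the dropped-binary naming shape."""
    children = spawn_chain(rows, root_pid)[1:]
    named = [n for _, n in children if n is not None]
    return len(children) >= min_children and bool(named) and all(looks_dropped(n) for n in named)


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    for depth, (pid, name) in enumerate(spawn_chain(rows, 2884), start=1):
        print(f"{depth:3d}  {pid:5d}  {name or '(name not in WPM rows)'}")
    print("flagged:", flag_chain(rows, 2884))
```

The name check is deliberately narrow to this report; a detection meant for production would key on the behaviour the chain shows (each SysWOW64 child both dropping and executing the next binary) rather than on the naming.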
Processes
-
Each numbered entry is the child of the entry before it, one chain 122 processes deep. For every entry after the first, the image on disk is C:\Windows\SysWOW64\<name> and the logged command line is C:\Windows\system32\<name>; for a 32-bit process these are the same directory after WoW64 file-system redirection, so only the name, the PID and the behaviours attributed to that process are listed.

  1  C:\Users\Admin\AppData\Local\Temp\ee0bf050e447de47372ec45556774ceb585d9677706f098f1755ba59dd0c3faa.exe  PID 2884  Loads dropped DLL; Suspicious use of WriteProcessMemory
     command line: "C:\Users\Admin\AppData\Local\Temp\ee0bf050e447de47372ec45556774ceb585d9677706f098f1755ba59dd0c3faa.exe"
  2  Dkgldm32.exe  PID 2796  Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  3  Ekghcq32.exe  PID 2784  Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
  4  Fmddgg32.exe  PID 2832  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
  5  Hpicbe32.exe  PID 2308  Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
  6  Jghqia32.exe  PID 1212  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
  7  Jfmnkn32.exe  PID 1132  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
  8  Kglfcd32.exe  PID 2480  Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
  9  Mokdja32.exe  PID 2132  Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
 10  Momapqgn.exe  PID 2456  Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
 11  Mkdbea32.exe  PID 2260  Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
 12  Mkfojakp.exe  PID 1544  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
 13  Nohddd32.exe  PID 2080  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
 14  Nphpng32.exe  PID 2384  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
 15  Nommodjj.exe  PID 2504  Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
 16  Nkdndeon.exe  PID 2752  Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
 17  Odnobj32.exe  PID 2552  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
 18  Ojndpqpq.exe  PID 1756  Executes dropped EXE; Loads dropped DLL; Modifies registry class
 19  Oomjng32.exe  PID 1264  Executes dropped EXE; Loads dropped DLL
 20  Oqlfhjch.exe  PID 2332  Executes dropped EXE; Loads dropped DLL
 21  Pkfghh32.exe  PID 1388  Executes dropped EXE; Loads dropped DLL
 22  Pnfpjc32.exe  PID 108  Executes dropped EXE; Loads dropped DLL
 23  Pbdipa32.exe  PID 680  Executes dropped EXE; Loads dropped DLL
 24  Pbgefa32.exe  PID 1036  Executes dropped EXE; Loads dropped DLL
 25  Qcjoci32.exe  PID 2068  Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Modifies registry class
 26  Qanolm32.exe  PID 2776  Executes dropped EXE; Loads dropped DLL; Modifies registry class
 27  Qijdqp32.exe  PID 2800  Executes dropped EXE; Loads dropped DLL
 28  Afndjdpe.exe  PID 2104  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
 29  Almihjlj.exe  PID 1984  Executes dropped EXE; Loads dropped DLL; Modifies registry class
 30  Apkbnibq.exe  PID 2520  Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Modifies registry class
 31  Abkkpd32.exe  PID 1952  Executes dropped EXE; Loads dropped DLL
 32  Bodhjdcc.exe  PID 2536  Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Modifies registry class
 33  Bmjekahk.exe  PID 2844  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Modifies registry class
 34  Bgdfjfmi.exe  PID 2400  Executes dropped EXE
 35  Cobhdhha.exe  PID 2632  Executes dropped EXE; Drops file in System32 directory
 36  Cenmfbml.exe  PID 1512  Executes dropped EXE; Modifies registry class
 37  Cnlnpd32.exe  PID 2592  Executes dropped EXE
 38  Dckcnj32.exe  PID 888  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; Modifies registry class
 39  Dgkiih32.exe  PID 1860  Executes dropped EXE
 40  Doijcjde.exe  PID 1912  Executes dropped EXE; System Location Discovery: System Language Discovery
 41  Elmkmo32.exe  PID 1016  Executes dropped EXE
 42  Fjnkpf32.exe  PID 2416  Executes dropped EXE; System Location Discovery: System Language Discovery
 43  Fladmn32.exe  PID 2820  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Modifies registry class
 44  Fnbmoi32.exe  PID 2696  Executes dropped EXE
 45  Glkgcmbg.exe  PID 2724  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
 46  Gamifcmi.exe  PID 2152  Executes dropped EXE
 47  Gpafgp32.exe  PID 2704  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Modifies registry class
 48  Hogcil32.exe  PID 1508  Executes dropped EXE
 49  Hahljg32.exe  PID 2980  Executes dropped EXE
 50  Hdhdlbpk.exe  PID 856  Executes dropped EXE
 51  Iopeoknn.exe  PID 808  Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery
 52  Ipdolbbj.exe  PID 2272  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
 53  Icdhnn32.exe  PID 600  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
 54  Ilmlfcel.exe  PID 1828  Executes dropped EXE
 55  Ihdmld32.exe  PID 2944  Executes dropped EXE
 56  Jfhmehji.exe  PID 2700  Executes dropped EXE; Drops file in System32 directory
 57  Jclnnmic.exe  PID 2208  Executes dropped EXE
 58  Jkgbcofn.exe  PID 1652  Executes dropped EXE
 59  Joekimld.exe  PID 2392  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; Modifies registry class
 60  Jkllnn32.exe  PID 1540  Executes dropped EXE; Drops file in System32 directory
 61  Jknicnpf.exe  PID 1744  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; Modifies registry class
 62  Kfgjdlme.exe  PID 2648  Executes dropped EXE
 63  Kfjfik32.exe  PID 1360  Executes dropped EXE
 64  Kflcok32.exe  PID 1636  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
 65  Kbcddlnd.exe  PID 884  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
 66  Kfaljjdj.exe  PID 3004
 67  Lbhmok32.exe  PID 2140
 68  Lnnndl32.exe  PID 2664  Adds autorun key to be loaded by Explorer.exe on startup
 69  Lggbmbfc.exe  PID 2712
 70  Lekcffem.exe  PID 2352  Drops file in System32 directory
 71  Lpddgd32.exe  PID 952
 72  Lmhdph32.exe  PID 2452  Drops file in System32 directory; Modifies registry class
 73  Mioeeifi.exe  PID 2008  System Location Discovery: System Language Discovery
 74  Miaaki32.exe  PID 2640
 75  Mhfoleio.exe  PID 1280  System Location Discovery: System Language Discovery
 76  Mhikae32.exe  PID 2808  Adds autorun key to be loaded by Explorer.exe on startup; System Location Discovery: System Language Discovery
 77  Mdplfflp.exe  PID 2908
 78  Neohqicc.exe  PID 2172
 79  Nafiej32.exe  PID 1584  System Location Discovery: System Language Discovery
 80  Nahfkigd.exe  PID 2180  Drops file in System32 directory; System Location Discovery: System Language Discovery
 81  Npnclf32.exe  PID 1256
 82  Nmacej32.exe  PID 1780  System Location Discovery: System Language Discovery
 83  Oemhjlha.exe  PID 2340
 84  Oaciom32.exe  PID 1736  Drops file in System32 directory
 85  Oafedmlb.exe  PID 2364
 86  Onmfin32.exe  PID 2356  Drops file in System32 directory
 87  Oolbcaij.exe  PID 3080  System Location Discovery: System Language Discovery
 88  Pipjpj32.exe  PID 3152  Drops file in System32 directory
 89  Pfcjiodd.exe  PID 3208  Adds autorun key to be loaded by Explorer.exe on startup
 90  Pbjkop32.exe  PID 3268  System Location Discovery: System Language Discovery
 91  Qonlhd32.exe  PID 3324  Drops file in System32 directory; Modifies registry class
 92  Qgiplffm.exe  PID 3380  Adds autorun key to be loaded by Explorer.exe on startup
 93  Aiimfi32.exe  PID 3436  Adds autorun key to be loaded by Explorer.exe on startup; System Location Discovery: System Language Discovery
 94  Aepnkjcd.exe  PID 3504  Drops file in System32 directory
 95  Aebjaj32.exe  PID 3556  Drops file in System32 directory
 96  Acggbffj.exe  PID 3616  Adds autorun key to be loaded by Explorer.exe on startup
 97  Acjdgf32.exe  PID 3676  System Location Discovery: System Language Discovery
 98  Bclqme32.exe  PID 3732  Adds autorun key to be loaded by Explorer.exe on startup
 99  Bneancnc.exe  PID 3800
100  Bafkookd.exe  PID 3872
101  Bbfgiabg.exe  PID 3932  Adds autorun key to be loaded by Explorer.exe on startup
102  Bmohjooe.exe  PID 4000  Adds autorun key to be loaded by Explorer.exe on startup
103  Cmaeoo32.exe  PID 4060  System Location Discovery: System Language Discovery
104  Cmdaeo32.exe  PID 2016
105  Cmfnjnin.exe  PID 2280
106  Cimooo32.exe  PID 1088
107  Cedpdpdf.exe  PID 2028
108  Dakpiajj.exe  PID 2940
109  Dkcebg32.exe  PID 2588  Drops file in System32 directory; System Location Discovery: System Language Discovery
110  Dhgelk32.exe  PID 2672  System Location Discovery: System Language Discovery; Modifies registry class
111  Cppjadhk.exe  PID 3400  System Location Discovery: System Language Discovery
112  Caqfiloi.exe  PID 3444
113  Ckndmaad.exe  PID 3536
114  Dgiomabc.exe  PID 3564
115  Dpdpkfga.exe  PID 3656
116  Dilddl32.exe  PID 3712  Modifies registry class
117  Eonfgbhc.exe  PID 3780  Drops file in System32 directory; System Location Discovery: System Language Discovery
118  Egndgdai.exe  PID 3476  Modifies registry class
119  Ffcahq32.exe  PID 332
120  Fokfqflb.exe  PID 3972
121  Fmacpj32.exe  PID 4044  Drops file in System32 directory
122  Ffjghppi.exe  PID 1644  System Location Discovery: System Language Discovery