Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
23-11-2024 05:02
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
eeffcc3691cf599c8bd61aaa87a443a1656856e5aa0e579942a2ae4777274ef2.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
eeffcc3691cf599c8bd61aaa87a443a1656856e5aa0e579942a2ae4777274ef2.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
eeffcc3691cf599c8bd61aaa87a443a1656856e5aa0e579942a2ae4777274ef2.exe
-
Size
63KB
-
MD5
9576aad244ccdcaeb11e4f7d741d21c2
-
SHA1
8d2a674758c41032ee03a4d9c6f982d5184b1c17
-
SHA256
eeffcc3691cf599c8bd61aaa87a443a1656856e5aa0e579942a2ae4777274ef2
-
SHA512
e5133a7ca23e3d15838d3f5878a622d71f2a29d29a7a69118ebea946134e3db1f318a0708be52a4c673a500a5fd981bdac529bfd2fdd0139bc97c102a9b9df9b
-
SSDEEP
768:oR9EtUCOx4Kl3ZTua3iZYqGImaLhgSmTk7mZ/1H5xXdnhg20a0kXdnhAPAPDXdn/:oR9EGCg3ZTcYqGOLhkoEBH1juIZok
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Iepaaico.exeKfpcoefj.exeNahgoe32.exeFefedmil.exeIipfmggc.exeQfkqjmdg.exeCocjiehd.exeIphioh32.exeAknifq32.exeAdkgje32.exeKpmdfonj.exeDlghoa32.exeGkkgpc32.exeQoelkp32.exeEfjimhnh.exeIpoheakj.exeFbelcblk.exeOcaebc32.exePiphgq32.exeDeqcbpld.exeDheibpje.exeEmphocjj.exeMcqjon32.exeNlfnaicd.exeOmcjep32.exeDokgdkeh.exeDkndie32.exeIgqkqiai.exeBopocbcq.exeKgninn32.exeJcdjbk32.exeMokmdh32.exeBobabg32.exeLalnmiia.exeGmggfp32.exeKnchpiom.exeKnooej32.exeLjhefhha.exeBdickcpo.exeCofnik32.exeKcidmkpq.exeLnbklm32.exeOlbdhn32.exeHbhijepa.exeAogbfi32.exeAdkqoohc.exeDjqblj32.exeGbfldf32.exeCbfgkffn.exeMfqlfb32.exeNfjola32.exeLkabjbih.exeLjkifn32.exeMniallpq.exeAaenbd32.exeKjblje32.exePagbaglh.exePkenjh32.exeKgipcogp.exeAoalgn32.exeEeelnp32.exedescription ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iepaaico.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfpcoefj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nahgoe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fefedmil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iipfmggc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfkqjmdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cocjiehd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iphioh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aknifq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adkgje32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpmdfonj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlghoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkkgpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qoelkp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efjimhnh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipoheakj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbelcblk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipoheakj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocaebc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piphgq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aknifq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deqcbpld.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dheibpje.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emphocjj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcqjon32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlfnaicd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omcjep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dokgdkeh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkndie32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igqkqiai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bopocbcq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgninn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dokgdkeh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcdjbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mokmdh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bobabg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lalnmiia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmggfp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knchpiom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knooej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljhefhha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdickcpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cofnik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcidmkpq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnbklm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olbdhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbhijepa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aogbfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adkqoohc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djqblj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbfldf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbfgkffn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfqlfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfjola32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkabjbih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljkifn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mniallpq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaenbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjblje32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pagbaglh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkenjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgipcogp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aoalgn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eeelnp32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Gddbcp32.exeGknkpjfb.exeGnlgleef.exeGdfoio32.exeHgelek32.exeHajpbckl.exeHhdhon32.exeHjedffig.exeHammhcij.exeHhfedm32.exeHjhalefe.exeHpbiip32.exeHhiajmod.exeHnfjbdmk.exeHpdfnolo.exeHgnoki32.exeHnhghcki.exeHpfcdojl.exeIgqkqiai.exeIafonaao.exeIddljmpc.exeIgchfiof.exeInmpcc32.exeIjcahd32.exeIqmidndd.exeIkcmbfcj.exeIqpfjnba.exeIgjngh32.exeIndfca32.exeJhijqj32.exeJnfcia32.exeJhlgfj32.exeJnhpoamf.exeJhndljll.exeJbfheo32.exeJkomneim.exeJbiejoaj.exeJnpfop32.exeKiejmi32.exeKnbbep32.exeKelkaj32.exeKgjgne32.exeKjhcjq32.exeKqbkfkal.exeKjkpoq32.exeKeqdmihc.exeKkjlic32.exeKniieo32.exeKgamnded.exeKjpijpdg.exeLajagj32.exeLgcjdd32.exeLjbfpo32.exeLalnmiia.exeLgffic32.exeLkabjbih.exeLbkkgl32.exeLieccf32.exeLnbklm32.exeLaqhhi32.exeLlflea32.exeLbpdblmo.exeLhmmjbkf.exeLjkifn32.exepid Process 3920 Gddbcp32.exe 2208 Gknkpjfb.exe 4308 Gnlgleef.exe 3144 Gdfoio32.exe 4940 Hgelek32.exe 4076 Hajpbckl.exe 1196 Hhdhon32.exe 2320 Hjedffig.exe 3948 Hammhcij.exe 4432 Hhfedm32.exe 4928 Hjhalefe.exe 2284 Hpbiip32.exe 1056 Hhiajmod.exe 960 Hnfjbdmk.exe 1780 Hpdfnolo.exe 4484 Hgnoki32.exe 4716 Hnhghcki.exe 4016 Hpfcdojl.exe 1892 Igqkqiai.exe 3264 Iafonaao.exe 2992 Iddljmpc.exe 4536 Igchfiof.exe 4588 Inmpcc32.exe 4336 Ijcahd32.exe 3640 Iqmidndd.exe 2312 Ikcmbfcj.exe 3184 Iqpfjnba.exe 1536 Igjngh32.exe 3120 Indfca32.exe 556 Jhijqj32.exe 2424 Jnfcia32.exe 3516 Jhlgfj32.exe 3052 Jnhpoamf.exe 3552 Jhndljll.exe 3188 Jbfheo32.exe 2536 Jkomneim.exe 3448 Jbiejoaj.exe 4360 Jnpfop32.exe 2052 Kiejmi32.exe 3496 Knbbep32.exe 3396 Kelkaj32.exe 1160 Kgjgne32.exe 4300 Kjhcjq32.exe 3876 Kqbkfkal.exe 2784 Kjkpoq32.exe 3180 Keqdmihc.exe 4436 Kkjlic32.exe 1384 Kniieo32.exe 4184 Kgamnded.exe 4732 Kjpijpdg.exe 3468 Lajagj32.exe 2836 Lgcjdd32.exe 2668 Ljbfpo32.exe 1080 Lalnmiia.exe 4832 Lgffic32.exe 3988 Lkabjbih.exe 3328 Lbkkgl32.exe 1316 Lieccf32.exe 440 Lnbklm32.exe 2740 Laqhhi32.exe 1472 Llflea32.exe 4404 Lbpdblmo.exe 3100 Lhmmjbkf.exe 1608 Ljkifn32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Mkadfj32.exeCbphdn32.exeJgeghp32.exeDmohno32.exeNiakfbpa.exeOafcqcea.exeJgbjbp32.exeNagpeo32.exeKgamnded.exeQoelkp32.exePnifekmd.exeApjkcadp.exeIqpfjnba.exeAhjgjj32.exeNeclenfo.exeOdmbaj32.exeNenbjo32.exeHfcnpn32.exeJcanll32.exePlpqil32.exePiijno32.exeGdaociml.exeJphkkpbp.exeCfcjfk32.exeCbfgkffn.exeIciaqc32.exeQofcff32.exeGlcaambb.exeIdkkpf32.exeLklbdm32.exeNeoieenp.exeQmeigg32.exeAdhdjpjf.exeMalgcg32.exeGfokoelp.exeIgpdfb32.exeGpelhd32.exeAajhndkb.exeGpqjglii.exeIphioh32.exeLkchelci.exeLlodgnja.exePpahmb32.exeBahdob32.exeNihipdhl.exeBopocbcq.exeCjliajmo.exeDmfeidbe.exePllgnl32.exeHpabni32.exeJjafok32.exeAknifq32.exeLcgpni32.exeOjdgnn32.exeBkibgh32.exeManmoq32.exeDbnmke32.exeKcidmkpq.exeQdphngfl.exeOaajed32.exedescription ioc Process File created C:\Windows\SysWOW64\Efcagd32.dll Mkadfj32.exe File created C:\Windows\SysWOW64\Cijpahho.exe Cbphdn32.exe File created C:\Windows\SysWOW64\Knooej32.exe Jgeghp32.exe File created C:\Windows\SysWOW64\Dnpdegjp.exe Dmohno32.exe File opened for modification C:\Windows\SysWOW64\Okchnk32.exe Niakfbpa.exe File created C:\Windows\SysWOW64\Pllgnl32.exe Oafcqcea.exe File created C:\Windows\SysWOW64\Jjafok32.exe Jgbjbp32.exe File opened for modification C:\Windows\SysWOW64\Neclenfo.exe Nagpeo32.exe File created C:\Windows\SysWOW64\Hijeeipc.dll Kgamnded.exe File opened for modification C:\Windows\SysWOW64\Qmhlgmmm.exe Qoelkp32.exe File opened for modification C:\Windows\SysWOW64\Pagbaglh.exe Pnifekmd.exe File created C:\Windows\SysWOW64\Ahaceo32.exe Apjkcadp.exe File created C:\Windows\SysWOW64\Jpkbko32.dll Iqpfjnba.exe File created C:\Windows\SysWOW64\Achnlqjp.dll Ahjgjj32.exe File created C:\Windows\SysWOW64\Miongake.dll Neclenfo.exe File opened for modification C:\Windows\SysWOW64\Oldjcg32.exe Odmbaj32.exe File created C:\Windows\SysWOW64\Nhmofj32.exe Nenbjo32.exe File opened for modification C:\Windows\SysWOW64\Hmmfmhll.exe Hfcnpn32.exe File created C:\Windows\SysWOW64\Dnbjkgmg.dll Jcanll32.exe File opened for modification C:\Windows\SysWOW64\Pllgnl32.exe Oafcqcea.exe File opened for modification C:\Windows\SysWOW64\Poomegpf.exe Plpqil32.exe File created C:\Windows\SysWOW64\Qlggjk32.exe Piijno32.exe File created C:\Windows\SysWOW64\Cjelhg32.dll Gdaociml.exe File created C:\Windows\SysWOW64\Hhaljido.dll Jphkkpbp.exe File created C:\Windows\SysWOW64\Cjnffjkl.exe Cfcjfk32.exe File created C:\Windows\SysWOW64\Bgfeip32.dll Cbfgkffn.exe File opened for modification C:\Windows\SysWOW64\Iggjga32.exe Iciaqc32.exe File created C:\Windows\SysWOW64\Qepkbpak.exe Qofcff32.exe File created C:\Windows\SysWOW64\Gbmingjo.exe Glcaambb.exe File created C:\Windows\SysWOW64\Ikdcmpnl.exe Idkkpf32.exe File opened for modification C:\Windows\SysWOW64\Lmmolepp.exe Lklbdm32.exe File opened for modification C:\Windows\SysWOW64\Nhmeapmd.exe Neoieenp.exe File created C:\Windows\SysWOW64\Dmlijb32.dll Piijno32.exe File created C:\Windows\SysWOW64\Okddnh32.dll Qmeigg32.exe File created C:\Windows\SysWOW64\Dapgni32.dll Adhdjpjf.exe File created C:\Windows\SysWOW64\Egdeookg.dll Malgcg32.exe File created C:\Windows\SysWOW64\Gkkgpc32.exe Gfokoelp.exe File created C:\Windows\SysWOW64\Aobbbd32.dll Igpdfb32.exe File opened for modification C:\Windows\SysWOW64\Gfodeohd.exe Gpelhd32.exe File created C:\Windows\SysWOW64\Kajimagp.dll Aajhndkb.exe File opened for modification C:\Windows\SysWOW64\Gfkbde32.exe Gpqjglii.exe File created C:\Windows\SysWOW64\Jfkafocc.dll Iphioh32.exe File opened for modification C:\Windows\SysWOW64\Ljfhqh32.exe Lkchelci.exe File created C:\Windows\SysWOW64\Neclenfo.exe Nagpeo32.exe File created C:\Windows\SysWOW64\Lcimdh32.exe Llodgnja.exe File opened for modification C:\Windows\SysWOW64\Qfkqjmdg.exe Ppahmb32.exe File created C:\Windows\SysWOW64\Bdfpkm32.exe Bahdob32.exe File created C:\Windows\SysWOW64\Njiegl32.exe Nihipdhl.exe File created C:\Windows\SysWOW64\Fnpeoe32.dll Bopocbcq.exe File opened for modification C:\Windows\SysWOW64\Cioilg32.exe Cjliajmo.exe File opened for modification C:\Windows\SysWOW64\Dbcmakpl.exe Dmfeidbe.exe File created C:\Windows\SysWOW64\Knhebpni.dll Pllgnl32.exe File opened for modification C:\Windows\SysWOW64\Hgkkkcbc.exe Hpabni32.exe File opened for modification C:\Windows\SysWOW64\Jlobkg32.exe Jjafok32.exe File opened for modification C:\Windows\SysWOW64\Anmfbl32.exe Aknifq32.exe File created C:\Windows\SysWOW64\Idefqiag.dll Lcgpni32.exe File created C:\Windows\SysWOW64\Ombcji32.exe Ojdgnn32.exe File created C:\Windows\SysWOW64\Bpfkpp32.exe Bkibgh32.exe File created C:\Windows\SysWOW64\Dmmcnn32.dll Lklbdm32.exe File opened for modification C:\Windows\SysWOW64\Nclikl32.exe Manmoq32.exe File created C:\Windows\SysWOW64\Ddligq32.exe Dbnmke32.exe File opened for modification C:\Windows\SysWOW64\Kjblje32.exe Kcidmkpq.exe File opened for modification C:\Windows\SysWOW64\Qoelkp32.exe Qdphngfl.exe File created C:\Windows\SysWOW64\Kloeol32.dll Oaajed32.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target Process procid_target 14088 13676 WerFault.exe 730 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Jnhpoamf.exeHckeoeno.exeNjkkbehl.exeLlodgnja.exeHpfcdojl.exeIciaqc32.exeNaecop32.exeBkaobnio.exeGmdcfidg.exeKpoalo32.exeAoalgn32.exeDkokcl32.exeHekgfj32.exeEjalcgkg.exeNhokljge.exeEokqkh32.exeIpgbdbqb.exeAfpjel32.exeCpfcfmlp.exeOhiemobf.exeBmabggdm.exeHkdjfb32.exeJlobkg32.exeNcnofeof.exeNgqagcag.exeKjpijpdg.exeFbhpch32.exeKggcnoic.exeAhaceo32.exeEicedn32.exeMaodigil.exeNhmeapmd.exeOkjnnj32.exeFbajbi32.exeKdbjhbbd.exeMnkggfkb.exeQmhlgmmm.exeFefedmil.exeHoobdp32.exeKpjgaoqm.exeCnhgjaml.exeBkphhgfc.exeKqbkfkal.exeKniieo32.exeMniallpq.exeHoeieolb.exeKfpcoefj.exeOgekbb32.exeAaenbd32.exeMldhfpib.exeCioilg32.exeIloidijb.exeOldjcg32.exeEfpomccg.exeMfqlfb32.exeHienlpel.exeMcqjon32.exeNmgjia32.exeFelbnn32.exeKjgeedch.exeKlhnfo32.exeIinqbn32.exeAkglloai.exeBadanigc.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnhpoamf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hckeoeno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njkkbehl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llodgnja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpfcdojl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iciaqc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Naecop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkaobnio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmdcfidg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpoalo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoalgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkokcl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hekgfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejalcgkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhokljge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eokqkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipgbdbqb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afpjel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpfcfmlp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohiemobf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmabggdm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkdjfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlobkg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncnofeof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngqagcag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjpijpdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbhpch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kggcnoic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahaceo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eicedn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Maodigil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhmeapmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okjnnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbajbi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdbjhbbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnkggfkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmhlgmmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fefedmil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoobdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpjgaoqm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnhgjaml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkphhgfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kqbkfkal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kniieo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mniallpq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoeieolb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfpcoefj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogekbb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaenbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mldhfpib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cioilg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iloidijb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oldjcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efpomccg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfqlfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hienlpel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcqjon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmgjia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Felbnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjgeedch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klhnfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iinqbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akglloai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Badanigc.exe -
Modifies registry class 64 IoCs
Processes:
Fflohaij.exeLlmhaold.exeLcnfohmi.exeOgekbb32.exeApjkcadp.exeHjhalefe.exeNpepkf32.exeBknlbhhe.exeCbbnpg32.exeHammhcij.exeAhjgjj32.exeIggjga32.exeOdalmibl.exeGojiiafp.exePpahmb32.exeBpfkpp32.exeeeffcc3691cf599c8bd61aaa87a443a1656856e5aa0e579942a2ae4777274ef2.exeQdphngfl.exeClchbqoo.exeIgpdfb32.exeDafppp32.exePekbga32.exeMejpje32.exeGfokoelp.exeJljbeali.exeLljklo32.exeMalgcg32.exeCjliajmo.exeDpgnjo32.exeManmoq32.exePlmmif32.exeCkmonl32.exeHpfcdojl.exeNhpbfpka.exeKgninn32.exeFbbpmb32.exeKgjgne32.exeOlanmgig.exeAoalgn32.exeMonjjgkb.exeCpbjkn32.exeBffcpg32.exeJphkkpbp.exeMfchlbfd.exeDdligq32.exeGifkpknp.exeCdkifmjq.exeMaiccajf.exeElnoopdj.exeBljlfh32.exeEiokinbk.exeJmbhoeid.exeKgamnded.exeBbiado32.exeKjjiej32.exeJedccfqg.exeKcpjnjii.exeHhdhon32.exeKlhnfo32.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fflohaij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Llmhaold.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lcnfohmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opcefi32.dll" Ogekbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdmlfj.dll" Apjkcadp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnneheln.dll" Hjhalefe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enjgeopm.dll" Npepkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Domdocba.dll" Bknlbhhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Heeeiopa.dll" Cbbnpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hammhcij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Achnlqjp.dll" Ahjgjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egacbb32.dll" Iggjga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odalmibl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gojiiafp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhblffgn.dll" Ppahmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecpfpo32.dll" Bpfkpp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID eeffcc3691cf599c8bd61aaa87a443a1656856e5aa0e579942a2ae4777274ef2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qdphngfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhglpo32.dll" Clchbqoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aobbbd32.dll" Igpdfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dafppp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgieglah.dll" Pekbga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mejpje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcelk32.dll" Gfokoelp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jljbeali.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lljklo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egdeookg.dll" Malgcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjliajmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcgeilmb.dll" Dpgnjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Manmoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Plmmif32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckmonl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpfcdojl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhpbfpka.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjliajmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmeoam32.dll" Kgninn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fimhbfpl.dll" Fbbpmb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgjgne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjpefo32.dll" Olanmgig.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aoalgn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Monjjgkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmlmhc32.dll" Cpbjkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghmpjalb.dll" Hammhcij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciggeb32.dll" Bffcpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jphkkpbp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mfchlbfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddligq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bknlbhhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gifkpknp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdkifmjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Maiccajf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlljlela.dll" Elnoopdj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bljlfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpmhce32.dll" Eiokinbk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gifkpknp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Polalahi.dll" Jmbhoeid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hijeeipc.dll" Kgamnded.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbiado32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjjiej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdgmickl.dll" Plmmif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jedccfqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bohgljdl.dll" Kcpjnjii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhdhon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Klhnfo32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
eeffcc3691cf599c8bd61aaa87a443a1656856e5aa0e579942a2ae4777274ef2.exeGddbcp32.exeGknkpjfb.exeGnlgleef.exeGdfoio32.exeHgelek32.exeHajpbckl.exeHhdhon32.exeHjedffig.exeHammhcij.exeHhfedm32.exeHjhalefe.exeHpbiip32.exeHhiajmod.exeHnfjbdmk.exeHpdfnolo.exeHgnoki32.exeHnhghcki.exeHpfcdojl.exeIgqkqiai.exeIafonaao.exeIddljmpc.exedescription pid Process procid_target PID 4460 wrote to memory of 3920 4460 eeffcc3691cf599c8bd61aaa87a443a1656856e5aa0e579942a2ae4777274ef2.exe 83 PID 4460 wrote to memory of 3920 4460 eeffcc3691cf599c8bd61aaa87a443a1656856e5aa0e579942a2ae4777274ef2.exe 83 PID 4460 wrote to memory of 3920 4460 eeffcc3691cf599c8bd61aaa87a443a1656856e5aa0e579942a2ae4777274ef2.exe 83 PID 3920 wrote to memory of 2208 3920 Gddbcp32.exe 84 PID 3920 wrote to memory of 2208 3920 Gddbcp32.exe 84 PID 3920 wrote to memory of 2208 3920 Gddbcp32.exe 84 PID 2208 wrote to memory of 4308 2208 Gknkpjfb.exe 85 PID 2208 wrote to memory of 4308 2208 Gknkpjfb.exe 85 PID 2208 wrote to memory of 4308 2208 Gknkpjfb.exe 85 PID 4308 wrote to memory of 3144 4308 Gnlgleef.exe 86 PID 4308 wrote to memory of 3144 4308 Gnlgleef.exe 86 PID 4308 wrote to memory of 3144 4308 Gnlgleef.exe 86 PID 3144 wrote to memory of 4940 3144 Gdfoio32.exe 87 PID 3144 wrote to memory of 4940 3144 Gdfoio32.exe 87 PID 3144 wrote to memory of 4940 3144 Gdfoio32.exe 87 PID 4940 wrote to memory of 4076 4940 Hgelek32.exe 88 PID 4940 wrote to memory of 4076 4940 Hgelek32.exe 88 PID 4940 wrote to memory of 4076 4940 Hgelek32.exe 88 PID 4076 wrote to memory of 1196 4076 Hajpbckl.exe 89 PID 4076 wrote to memory of 1196 4076 Hajpbckl.exe 89 PID 4076 wrote to memory of 1196 4076 Hajpbckl.exe 89 PID 1196 wrote to memory of 2320 1196 Hhdhon32.exe 90 PID 1196 wrote to memory of 2320 1196 Hhdhon32.exe 90 PID 1196 wrote to memory of 2320 1196 Hhdhon32.exe 90 PID 2320 wrote to memory of 3948 2320 Hjedffig.exe 91 PID 2320 wrote to memory of 3948 2320 Hjedffig.exe 91 PID 2320 wrote to memory of 3948 2320 Hjedffig.exe 91 PID 3948 wrote to memory of 4432 3948 Hammhcij.exe 92 PID 3948 wrote to memory of 4432 3948 Hammhcij.exe 92 PID 3948 wrote to memory of 4432 3948 Hammhcij.exe 92 PID 4432 wrote to memory of 4928 4432 Hhfedm32.exe 93 PID 4432 wrote to memory of 4928 4432 Hhfedm32.exe 93 PID 4432 wrote to memory of 4928 4432 Hhfedm32.exe 93 PID 4928 wrote to memory of 2284 4928 Hjhalefe.exe 94 PID 4928 wrote to memory of 2284 4928 Hjhalefe.exe 94 PID 4928 wrote to memory of 2284 4928 Hjhalefe.exe 94 PID 2284 wrote to memory of 1056 2284 Hpbiip32.exe 95 PID 2284 wrote to memory of 1056 2284 Hpbiip32.exe 95 PID 2284 wrote to memory of 1056 2284 Hpbiip32.exe 95 PID 1056 wrote to memory of 960 1056 Hhiajmod.exe 96 PID 1056 wrote to memory of 960 1056 Hhiajmod.exe 96 PID 1056 wrote to memory of 960 1056 Hhiajmod.exe 96 PID 960 wrote to memory of 1780 960 Hnfjbdmk.exe 97 PID 960 wrote to memory of 1780 960 Hnfjbdmk.exe 97 PID 960 wrote to memory of 1780 960 Hnfjbdmk.exe 97 PID 1780 wrote to memory of 4484 1780 Hpdfnolo.exe 98 PID 1780 wrote to memory of 4484 1780 Hpdfnolo.exe 98 PID 1780 wrote to memory of 4484 1780 Hpdfnolo.exe 98 PID 4484 wrote to memory of 4716 4484 Hgnoki32.exe 99 PID 4484 wrote to memory of 4716 4484 Hgnoki32.exe 99 PID 4484 wrote to memory of 4716 4484 Hgnoki32.exe 99 PID 4716 wrote to memory of 4016 4716 Hnhghcki.exe 100 PID 4716 wrote to memory of 4016 4716 Hnhghcki.exe 100 PID 4716 wrote to memory of 4016 4716 Hnhghcki.exe 100 PID 4016 wrote to memory of 1892 4016 Hpfcdojl.exe 101 PID 4016 wrote to memory of 1892 4016 Hpfcdojl.exe 101 PID 4016 wrote to memory of 1892 4016 Hpfcdojl.exe 101 PID 1892 wrote to memory of 3264 1892 Igqkqiai.exe 102 PID 1892 wrote to memory of 3264 1892 Igqkqiai.exe 102 PID 1892 wrote to memory of 3264 1892 Igqkqiai.exe 102 PID 3264 wrote to memory of 2992 3264 Iafonaao.exe 103 PID 3264 wrote to memory of 2992 3264 Iafonaao.exe 103 PID 3264 wrote to memory of 2992 3264 Iafonaao.exe 103 PID 2992 wrote to memory of 4536 2992 Iddljmpc.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\eeffcc3691cf599c8bd61aaa87a443a1656856e5aa0e579942a2ae4777274ef2.exe"C:\Users\Admin\AppData\Local\Temp\eeffcc3691cf599c8bd61aaa87a443a1656856e5aa0e579942a2ae4777274ef2.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4460 -
C:\Windows\SysWOW64\Gddbcp32.exeC:\Windows\system32\Gddbcp32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3920 -
C:\Windows\SysWOW64\Gknkpjfb.exeC:\Windows\system32\Gknkpjfb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\SysWOW64\Gnlgleef.exeC:\Windows\system32\Gnlgleef.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4308 -
C:\Windows\SysWOW64\Gdfoio32.exeC:\Windows\system32\Gdfoio32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3144 -
C:\Windows\SysWOW64\Hgelek32.exeC:\Windows\system32\Hgelek32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4940 -
C:\Windows\SysWOW64\Hajpbckl.exeC:\Windows\system32\Hajpbckl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4076 -
C:\Windows\SysWOW64\Hhdhon32.exeC:\Windows\system32\Hhdhon32.exe8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1196 -
C:\Windows\SysWOW64\Hjedffig.exeC:\Windows\system32\Hjedffig.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Windows\SysWOW64\Hammhcij.exeC:\Windows\system32\Hammhcij.exe10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3948 -
C:\Windows\SysWOW64\Hhfedm32.exeC:\Windows\system32\Hhfedm32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4432 -
C:\Windows\SysWOW64\Hjhalefe.exeC:\Windows\system32\Hjhalefe.exe12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4928 -
C:\Windows\SysWOW64\Hpbiip32.exeC:\Windows\system32\Hpbiip32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Windows\SysWOW64\Hhiajmod.exeC:\Windows\system32\Hhiajmod.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1056 -
C:\Windows\SysWOW64\Hnfjbdmk.exeC:\Windows\system32\Hnfjbdmk.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:960 -
C:\Windows\SysWOW64\Hpdfnolo.exeC:\Windows\system32\Hpdfnolo.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1780 -
C:\Windows\SysWOW64\Hgnoki32.exeC:\Windows\system32\Hgnoki32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4484 -
C:\Windows\SysWOW64\Hnhghcki.exeC:\Windows\system32\Hnhghcki.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4716 -
C:\Windows\SysWOW64\Hpfcdojl.exeC:\Windows\system32\Hpfcdojl.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4016 -
C:\Windows\SysWOW64\Igqkqiai.exeC:\Windows\system32\Igqkqiai.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1892 -
C:\Windows\SysWOW64\Iafonaao.exeC:\Windows\system32\Iafonaao.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3264 -
C:\Windows\SysWOW64\Iddljmpc.exeC:\Windows\system32\Iddljmpc.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\SysWOW64\Igchfiof.exeC:\Windows\system32\Igchfiof.exe23⤵
- Executes dropped EXE
PID:4536 -
C:\Windows\SysWOW64\Inmpcc32.exeC:\Windows\system32\Inmpcc32.exe24⤵
- Executes dropped EXE
PID:4588 -
C:\Windows\SysWOW64\Ijcahd32.exeC:\Windows\system32\Ijcahd32.exe25⤵
- Executes dropped EXE
PID:4336 -
C:\Windows\SysWOW64\Iqmidndd.exeC:\Windows\system32\Iqmidndd.exe26⤵
- Executes dropped EXE
PID:3640 -
C:\Windows\SysWOW64\Ikcmbfcj.exeC:\Windows\system32\Ikcmbfcj.exe27⤵
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Iqpfjnba.exeC:\Windows\system32\Iqpfjnba.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3184 -
C:\Windows\SysWOW64\Igjngh32.exeC:\Windows\system32\Igjngh32.exe29⤵
- Executes dropped EXE
PID:1536 -
C:\Windows\SysWOW64\Indfca32.exeC:\Windows\system32\Indfca32.exe30⤵
- Executes dropped EXE
PID:3120 -
C:\Windows\SysWOW64\Jhijqj32.exeC:\Windows\system32\Jhijqj32.exe31⤵
- Executes dropped EXE
PID:556 -
C:\Windows\SysWOW64\Jnfcia32.exeC:\Windows\system32\Jnfcia32.exe32⤵
- Executes dropped EXE
PID:2424 -
C:\Windows\SysWOW64\Jhlgfj32.exeC:\Windows\system32\Jhlgfj32.exe33⤵
- Executes dropped EXE
PID:3516 -
C:\Windows\SysWOW64\Jnhpoamf.exeC:\Windows\system32\Jnhpoamf.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3052 -
C:\Windows\SysWOW64\Jhndljll.exeC:\Windows\system32\Jhndljll.exe35⤵
- Executes dropped EXE
PID:3552 -
C:\Windows\SysWOW64\Jbfheo32.exeC:\Windows\system32\Jbfheo32.exe36⤵
- Executes dropped EXE
PID:3188 -
C:\Windows\SysWOW64\Jkomneim.exeC:\Windows\system32\Jkomneim.exe37⤵
- Executes dropped EXE
PID:2536 -
C:\Windows\SysWOW64\Jbiejoaj.exeC:\Windows\system32\Jbiejoaj.exe38⤵
- Executes dropped EXE
PID:3448 -
C:\Windows\SysWOW64\Jnpfop32.exeC:\Windows\system32\Jnpfop32.exe39⤵
- Executes dropped EXE
PID:4360 -
C:\Windows\SysWOW64\Kiejmi32.exeC:\Windows\system32\Kiejmi32.exe40⤵
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\Knbbep32.exeC:\Windows\system32\Knbbep32.exe41⤵
- Executes dropped EXE
PID:3496 -
C:\Windows\SysWOW64\Kelkaj32.exeC:\Windows\system32\Kelkaj32.exe42⤵
- Executes dropped EXE
PID:3396 -
C:\Windows\SysWOW64\Kgjgne32.exeC:\Windows\system32\Kgjgne32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:1160 -
C:\Windows\SysWOW64\Kjhcjq32.exeC:\Windows\system32\Kjhcjq32.exe44⤵
- Executes dropped EXE
PID:4300 -
C:\Windows\SysWOW64\Kqbkfkal.exeC:\Windows\system32\Kqbkfkal.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3876 -
C:\Windows\SysWOW64\Kjkpoq32.exeC:\Windows\system32\Kjkpoq32.exe46⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Keqdmihc.exeC:\Windows\system32\Keqdmihc.exe47⤵
- Executes dropped EXE
PID:3180 -
C:\Windows\SysWOW64\Kkjlic32.exeC:\Windows\system32\Kkjlic32.exe48⤵
- Executes dropped EXE
PID:4436 -
C:\Windows\SysWOW64\Kniieo32.exeC:\Windows\system32\Kniieo32.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1384 -
C:\Windows\SysWOW64\Kgamnded.exeC:\Windows\system32\Kgamnded.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4184 -
C:\Windows\SysWOW64\Kjpijpdg.exeC:\Windows\system32\Kjpijpdg.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4732 -
C:\Windows\SysWOW64\Lajagj32.exeC:\Windows\system32\Lajagj32.exe52⤵
- Executes dropped EXE
PID:3468 -
C:\Windows\SysWOW64\Lgcjdd32.exeC:\Windows\system32\Lgcjdd32.exe53⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Ljbfpo32.exeC:\Windows\system32\Ljbfpo32.exe54⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Lalnmiia.exeC:\Windows\system32\Lalnmiia.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1080 -
C:\Windows\SysWOW64\Lgffic32.exeC:\Windows\system32\Lgffic32.exe56⤵
- Executes dropped EXE
PID:4832 -
C:\Windows\SysWOW64\Lkabjbih.exeC:\Windows\system32\Lkabjbih.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3988 -
C:\Windows\SysWOW64\Lbkkgl32.exeC:\Windows\system32\Lbkkgl32.exe58⤵
- Executes dropped EXE
PID:3328 -
C:\Windows\SysWOW64\Lieccf32.exeC:\Windows\system32\Lieccf32.exe59⤵
- Executes dropped EXE
PID:1316 -
C:\Windows\SysWOW64\Lnbklm32.exeC:\Windows\system32\Lnbklm32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:440 -
C:\Windows\SysWOW64\Laqhhi32.exeC:\Windows\system32\Laqhhi32.exe61⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Llflea32.exeC:\Windows\system32\Llflea32.exe62⤵
- Executes dropped EXE
PID:1472 -
C:\Windows\SysWOW64\Lbpdblmo.exeC:\Windows\system32\Lbpdblmo.exe63⤵
- Executes dropped EXE
PID:4404 -
C:\Windows\SysWOW64\Lhmmjbkf.exeC:\Windows\system32\Lhmmjbkf.exe64⤵
- Executes dropped EXE
PID:3100 -
C:\Windows\SysWOW64\Ljkifn32.exeC:\Windows\system32\Ljkifn32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Meamcg32.exeC:\Windows\system32\Meamcg32.exe66⤵PID:844
-
C:\Windows\SysWOW64\Mniallpq.exeC:\Windows\system32\Mniallpq.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:3156 -
C:\Windows\SysWOW64\Mahnhhod.exeC:\Windows\system32\Mahnhhod.exe68⤵PID:452
-
C:\Windows\SysWOW64\Mlmbfqoj.exeC:\Windows\system32\Mlmbfqoj.exe69⤵PID:804
-
C:\Windows\SysWOW64\Mnlnbl32.exeC:\Windows\system32\Mnlnbl32.exe70⤵PID:3992
-
C:\Windows\SysWOW64\Mhdckaeo.exeC:\Windows\system32\Mhdckaeo.exe71⤵PID:3904
-
C:\Windows\SysWOW64\Mbighjdd.exeC:\Windows\system32\Mbighjdd.exe72⤵PID:2396
-
C:\Windows\SysWOW64\Malgcg32.exeC:\Windows\system32\Malgcg32.exe73⤵
- Drops file in System32 directory
- Modifies registry class
PID:2480 -
C:\Windows\SysWOW64\Mlbkap32.exeC:\Windows\system32\Mlbkap32.exe74⤵PID:2956
-
C:\Windows\SysWOW64\Maodigil.exeC:\Windows\system32\Maodigil.exe75⤵
- System Location Discovery: System Language Discovery
PID:2876 -
C:\Windows\SysWOW64\Mejpje32.exeC:\Windows\system32\Mejpje32.exe76⤵
- Modifies registry class
PID:1188 -
C:\Windows\SysWOW64\Mldhfpib.exeC:\Windows\system32\Mldhfpib.exe77⤵
- System Location Discovery: System Language Discovery
PID:1560 -
C:\Windows\SysWOW64\Nobdbkhf.exeC:\Windows\system32\Nobdbkhf.exe78⤵PID:3528
-
C:\Windows\SysWOW64\Nihipdhl.exeC:\Windows\system32\Nihipdhl.exe79⤵
- Drops file in System32 directory
PID:2764 -
C:\Windows\SysWOW64\Njiegl32.exeC:\Windows\system32\Njiegl32.exe80⤵PID:2080
-
C:\Windows\SysWOW64\Nacmdf32.exeC:\Windows\system32\Nacmdf32.exe81⤵PID:4028
-
C:\Windows\SysWOW64\Neoieenp.exeC:\Windows\system32\Neoieenp.exe82⤵
- Drops file in System32 directory
PID:5112 -
C:\Windows\SysWOW64\Nhmeapmd.exeC:\Windows\system32\Nhmeapmd.exe83⤵
- System Location Discovery: System Language Discovery
PID:1676 -
C:\Windows\SysWOW64\Nbcjnilj.exeC:\Windows\system32\Nbcjnilj.exe84⤵PID:32
-
C:\Windows\SysWOW64\Nhpbfpka.exeC:\Windows\system32\Nhpbfpka.exe85⤵
- Modifies registry class
PID:2020 -
C:\Windows\SysWOW64\Nojjcj32.exeC:\Windows\system32\Nojjcj32.exe86⤵PID:1456
-
C:\Windows\SysWOW64\Nahgoe32.exeC:\Windows\system32\Nahgoe32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:232 -
C:\Windows\SysWOW64\Nolgijpk.exeC:\Windows\system32\Nolgijpk.exe88⤵PID:1684
-
C:\Windows\SysWOW64\Niakfbpa.exeC:\Windows\system32\Niakfbpa.exe89⤵
- Drops file in System32 directory
PID:3740 -
C:\Windows\SysWOW64\Okchnk32.exeC:\Windows\system32\Okchnk32.exe90⤵PID:4188
-
C:\Windows\SysWOW64\Objpoh32.exeC:\Windows\system32\Objpoh32.exe91⤵PID:2768
-
C:\Windows\SysWOW64\Oidhlb32.exeC:\Windows\system32\Oidhlb32.exe92⤵PID:1444
-
C:\Windows\SysWOW64\Olbdhn32.exeC:\Windows\system32\Olbdhn32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3652 -
C:\Windows\SysWOW64\Ooqqdi32.exeC:\Windows\system32\Ooqqdi32.exe94⤵PID:4544
-
C:\Windows\SysWOW64\Oekiqccc.exeC:\Windows\system32\Oekiqccc.exe95⤵PID:2924
-
C:\Windows\SysWOW64\Ohiemobf.exeC:\Windows\system32\Ohiemobf.exe96⤵
- System Location Discovery: System Language Discovery
PID:828 -
C:\Windows\SysWOW64\Oldamm32.exeC:\Windows\system32\Oldamm32.exe97⤵PID:4508
-
C:\Windows\SysWOW64\Oboijgbl.exeC:\Windows\system32\Oboijgbl.exe98⤵PID:3116
-
C:\Windows\SysWOW64\Oaajed32.exeC:\Windows\system32\Oaajed32.exe99⤵
- Drops file in System32 directory
PID:5144 -
C:\Windows\SysWOW64\Oihagaji.exeC:\Windows\system32\Oihagaji.exe100⤵PID:5192
-
C:\Windows\SysWOW64\Okjnnj32.exeC:\Windows\system32\Okjnnj32.exe101⤵
- System Location Discovery: System Language Discovery
PID:5236 -
C:\Windows\SysWOW64\Obafpg32.exeC:\Windows\system32\Obafpg32.exe102⤵PID:5280
-
C:\Windows\SysWOW64\Oeoblb32.exeC:\Windows\system32\Oeoblb32.exe103⤵PID:5320
-
C:\Windows\SysWOW64\Olijhmgj.exeC:\Windows\system32\Olijhmgj.exe104⤵PID:5364
-
C:\Windows\SysWOW64\Oohgdhfn.exeC:\Windows\system32\Oohgdhfn.exe105⤵PID:5408
-
C:\Windows\SysWOW64\Oafcqcea.exeC:\Windows\system32\Oafcqcea.exe106⤵
- Drops file in System32 directory
PID:5452 -
C:\Windows\SysWOW64\Pllgnl32.exeC:\Windows\system32\Pllgnl32.exe107⤵
- Drops file in System32 directory
PID:5500 -
C:\Windows\SysWOW64\Piphgq32.exeC:\Windows\system32\Piphgq32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5544 -
C:\Windows\SysWOW64\Pibdmp32.exeC:\Windows\system32\Pibdmp32.exe109⤵PID:5588
-
C:\Windows\SysWOW64\Plpqil32.exeC:\Windows\system32\Plpqil32.exe110⤵
- Drops file in System32 directory
PID:5632 -
C:\Windows\SysWOW64\Poomegpf.exeC:\Windows\system32\Poomegpf.exe111⤵PID:5668
-
C:\Windows\SysWOW64\Pcjiff32.exeC:\Windows\system32\Pcjiff32.exe112⤵PID:5720
-
C:\Windows\SysWOW64\Phganm32.exeC:\Windows\system32\Phganm32.exe113⤵PID:5764
-
C:\Windows\SysWOW64\Pkenjh32.exeC:\Windows\system32\Pkenjh32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5808 -
C:\Windows\SysWOW64\Pekbga32.exeC:\Windows\system32\Pekbga32.exe115⤵
- Modifies registry class
PID:5856 -
C:\Windows\SysWOW64\Plejdkmm.exeC:\Windows\system32\Plejdkmm.exe116⤵PID:5900
-
C:\Windows\SysWOW64\Pocfpf32.exeC:\Windows\system32\Pocfpf32.exe117⤵PID:5944
-
C:\Windows\SysWOW64\Piijno32.exeC:\Windows\system32\Piijno32.exe118⤵
- Drops file in System32 directory
PID:5992 -
C:\Windows\SysWOW64\Qlggjk32.exeC:\Windows\system32\Qlggjk32.exe119⤵PID:6036
-
C:\Windows\SysWOW64\Qofcff32.exeC:\Windows\system32\Qofcff32.exe120⤵
- Drops file in System32 directory
PID:6084 -
C:\Windows\SysWOW64\Qepkbpak.exeC:\Windows\system32\Qepkbpak.exe121⤵PID:6132
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-