Analysis
-
max time kernel
97s -
max time network
99s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
23-11-2024 05:38
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3bbea78950a648b9bd750a383fa86642bc727c9762a2d2c573acc5a604a107deN.exe
Resource
win7-20241010-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
3bbea78950a648b9bd750a383fa86642bc727c9762a2d2c573acc5a604a107deN.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
3bbea78950a648b9bd750a383fa86642bc727c9762a2d2c573acc5a604a107deN.exe
-
Size
832KB
-
MD5
db7246f0d843742ece0eff639cf3b920
-
SHA1
78b00dfd9831322dff2b852b2e6b3a8e7cab20ce
-
SHA256
3bbea78950a648b9bd750a383fa86642bc727c9762a2d2c573acc5a604a107de
-
SHA512
15971b1b0f6ba7c00a040d8145c64047933cb3e9dfd335ae13424740a34fd19c8b59d58e331419c2e0b9d7edacf7221a0a83c05ed8e3fd602a80698ee1fb8024
-
SSDEEP
6144:42DKlxuDPQ///NR5fKr2n0MO3LPlkUCmVs5bPQ///NR5frdQt383PQ///NR5fKry:wxb/Ng1/Nmr/Ng1/Nblt01PB
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Blhpqhlh.exeOjfcdnjc.exeDhbebj32.exeHjjnae32.exeLbpdblmo.exeFinnef32.exeBhnikc32.exeHolfoqcm.exeOmalpc32.exeMiaboe32.exeNeccpd32.exeFbjmhh32.exeCofnik32.exeAaenbd32.exeHdokdg32.exeGfodeohd.exeOclkgccf.exeCcdihbgg.exeJjopcb32.exeCkkiccep.exeCmjemflb.exeQpbnhl32.exeCocacl32.exeBkibgh32.exePcegclgp.exeDjhimica.exeGingkqkd.exeMgobel32.exePmkofa32.exeCigkdmel.exeCkidcpjl.exeAjbmdn32.exeOejbfmpg.exePdhkcb32.exeIpflihfq.exeKdpmbc32.exeGfjkjo32.exeMlhqcgnk.exeMjlalkmd.exeKdinljnk.exeNhkikq32.exeEblpgjha.exeCibain32.exeMecjif32.exeOnmfimga.exeGaqhjggp.exeLklbdm32.exeBlqllqqa.exeIkejgf32.exeJbfheo32.exeJklinohd.exeNognnj32.exeKlekfinp.exeDglkoeio.exeEoepebho.exeDqpfmlce.exeFofilp32.exeHaoimcgg.exeQlgpod32.exeBoeebnhp.exeJjpode32.exeJbagbebm.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blhpqhlh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojfcdnjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhbebj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjjnae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbpdblmo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Finnef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhnikc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Holfoqcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omalpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Miaboe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Neccpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbjmhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cofnik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aaenbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdokdg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfodeohd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oclkgccf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccdihbgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjopcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckkiccep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmjemflb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpbnhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cocacl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkibgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcegclgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djhimica.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gingkqkd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgobel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmkofa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cigkdmel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckidcpjl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajbmdn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oejbfmpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdhkcb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipflihfq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdpmbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfjkjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlhqcgnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjlalkmd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdinljnk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhkikq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eblpgjha.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cibain32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mecjif32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onmfimga.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaqhjggp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lklbdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blqllqqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikejgf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbfheo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jklinohd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nognnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klekfinp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dglkoeio.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eoepebho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdinljnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dqpfmlce.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dglkoeio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fofilp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Haoimcgg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qlgpod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Boeebnhp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjpode32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbagbebm.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Haoimcgg.exeHglaej32.exeHjjnae32.exeIkndgg32.exeInomhbeq.exeIbmeoq32.exeIkejgf32.exeIndfca32.exeIqbbpm32.exeJdnoplhh.exeJjjghcfp.exeJnfcia32.exeJqdoem32.exeJdpkflfe.exeJgogbgei.exeJkjcbe32.exeJnhpoamf.exeJbdlop32.exeJqglkmlj.exeJhndljll.exeJgadgf32.exeJjopcb32.exeJbfheo32.exeJqiipljg.exeJhpqaiji.exeJgcamf32.exeJjamia32.exeJbiejoaj.exeJqlefl32.exeJibmgi32.exeJgenbfoa.exeJjdjoane.exeJbkbpoog.exeKdinljnk.exeKiejmi32.exeKkcfid32.exeKnbbep32.exeKbmoen32.exeKelkaj32.exeKgjgne32.exeKkfcndce.exeKndojobi.exeKqbkfkal.exeKenggi32.exeKgmcce32.exeKjkpoq32.exeKbbhqn32.exeKaehljpj.exeKilpmh32.exeKkjlic32.exeKjmmepfj.exeKbddfmgl.exeKecabifp.exeKinmcg32.exeKkmioc32.exeKjpijpdg.exeLbgalmej.exeLeenhhdn.exeLgcjdd32.exeLkofdbkj.exeLbinam32.exeLalnmiia.exeLicfngjd.exeLkabjbih.exepid Process 4032 Haoimcgg.exe 4656 Hglaej32.exe 1732 Hjjnae32.exe 4240 Ikndgg32.exe 2484 Inomhbeq.exe 3256 Ibmeoq32.exe 2304 Ikejgf32.exe 1880 Indfca32.exe 3592 Iqbbpm32.exe 2164 Jdnoplhh.exe 4500 Jjjghcfp.exe 3996 Jnfcia32.exe 2068 Jqdoem32.exe 4856 Jdpkflfe.exe 4368 Jgogbgei.exe 4528 Jkjcbe32.exe 2516 Jnhpoamf.exe 220 Jbdlop32.exe 2012 Jqglkmlj.exe 3312 Jhndljll.exe 2760 Jgadgf32.exe 2856 Jjopcb32.exe 1352 Jbfheo32.exe 3384 Jqiipljg.exe 4940 Jhpqaiji.exe 4872 Jgcamf32.exe 1308 Jjamia32.exe 3656 Jbiejoaj.exe 4568 Jqlefl32.exe 1852 Jibmgi32.exe 4984 Jgenbfoa.exe 2976 Jjdjoane.exe 2616 Jbkbpoog.exe 724 Kdinljnk.exe 4836 Kiejmi32.exe 2736 Kkcfid32.exe 4080 Knbbep32.exe 3432 Kbmoen32.exe 5044 Kelkaj32.exe 1596 Kgjgne32.exe 1396 Kkfcndce.exe 4004 Kndojobi.exe 4304 Kqbkfkal.exe 4748 Kenggi32.exe 5040 Kgmcce32.exe 4356 Kjkpoq32.exe 4108 Kbbhqn32.exe 4140 Kaehljpj.exe 548 Kilpmh32.exe 2848 Kkjlic32.exe 5084 Kjmmepfj.exe 4388 Kbddfmgl.exe 2292 Kecabifp.exe 3076 Kinmcg32.exe 2356 Kkmioc32.exe 1856 Kjpijpdg.exe 2952 Lbgalmej.exe 5104 Leenhhdn.exe 4396 Lgcjdd32.exe 784 Lkofdbkj.exe 2676 Lbinam32.exe 4112 Lalnmiia.exe 4676 Licfngjd.exe 4072 Lkabjbih.exe -
Drops file in System32 directory 64 IoCs
Processes:
Plpjoe32.exeGiecfejd.exeNoppeaed.exeMqimikfj.exeMfenglqf.exeOadfkdgd.exeKkfcndce.exeLjgpkonp.exePojcjh32.exeFmndpq32.exeLeenhhdn.exeBopocbcq.exeFmikeaap.exeKjepjkhf.exeAafemk32.exeMcpcdg32.exeGbkkik32.exeHglaej32.exeKjmmepfj.exeNbnpcj32.exeIdfaefkd.exeKdbjhbbd.exePhajna32.exeDnonkq32.exeKbbhqn32.exeKbddfmgl.exeMblcnj32.exeOalipoiq.exeDmcain32.exeEnpmld32.exeGmafajfi.exeDoagjc32.exeKedlip32.exeBcahmb32.exeLbinam32.exeCodhnb32.exeEidlnd32.exeHnibokbd.exeMldhfpib.exeAcmobchj.exeHipmfjee.exeCkgohf32.exeGlfmgp32.exeMeamcg32.exeEcbjkngo.exeNmlddqem.exePmkofa32.exeBgdemb32.exeMiaboe32.exeAjdjin32.exeIgfclkdj.exeModpib32.exeMfbaalbi.exeMngegmbc.exeOocmii32.exeHkicaahi.exeMcecjmkl.exeMpeiie32.exeKecabifp.exeEblpgjha.exeIcdheded.exedescription ioc Process File created C:\Windows\SysWOW64\Phfjcf32.exe Plpjoe32.exe File created C:\Windows\SysWOW64\Fmbdpnaj.dll Giecfejd.exe File created C:\Windows\SysWOW64\Nmcpoedn.exe Noppeaed.exe File opened for modification C:\Windows\SysWOW64\Mgbefe32.exe Mqimikfj.exe File created C:\Windows\SysWOW64\Mqjbddpl.exe Mfenglqf.exe File opened for modification C:\Windows\SysWOW64\Oeoblb32.exe Oadfkdgd.exe File created C:\Windows\SysWOW64\Amjmfo32.dll Kkfcndce.exe File opened for modification C:\Windows\SysWOW64\Lndham32.exe Ljgpkonp.exe File created C:\Windows\SysWOW64\Pcepkfld.exe Pojcjh32.exe File created C:\Windows\SysWOW64\Fplpll32.exe Fmndpq32.exe File created C:\Windows\SysWOW64\Nogiifoh.dll Leenhhdn.exe File opened for modification C:\Windows\SysWOW64\Bbnkonbd.exe Bopocbcq.exe File opened for modification C:\Windows\SysWOW64\Fpggamqc.exe Fmikeaap.exe File created C:\Windows\SysWOW64\Inmabofh.dll Kjepjkhf.exe File created C:\Windows\SysWOW64\Enhodk32.dll Aafemk32.exe File created C:\Windows\SysWOW64\Mfqlfb32.exe Mcpcdg32.exe File created C:\Windows\SysWOW64\Giecfejd.exe Gbkkik32.exe File created C:\Windows\SysWOW64\Facdchai.dll Hglaej32.exe File opened for modification C:\Windows\SysWOW64\Kbddfmgl.exe Kjmmepfj.exe File opened for modification C:\Windows\SysWOW64\Naaqofgj.exe Nbnpcj32.exe File created C:\Windows\SysWOW64\Inqbclob.exe Idfaefkd.exe File created C:\Windows\SysWOW64\Lklbdm32.exe Kdbjhbbd.exe File created C:\Windows\SysWOW64\Pnkbkk32.exe Phajna32.exe File created C:\Windows\SysWOW64\Bfcjjj32.dll Dnonkq32.exe File opened for modification C:\Windows\SysWOW64\Kaehljpj.exe Kbbhqn32.exe File created C:\Windows\SysWOW64\Ecmomj32.dll Kbddfmgl.exe File opened for modification C:\Windows\SysWOW64\Mejpje32.exe Mblcnj32.exe File created C:\Windows\SysWOW64\Bmnogj32.dll Oalipoiq.exe File created C:\Windows\SysWOW64\Dodjjimm.exe Dmcain32.exe File opened for modification C:\Windows\SysWOW64\Emanjldl.exe Enpmld32.exe File created C:\Windows\SysWOW64\Fbpcnkaj.dll Gmafajfi.exe File opened for modification C:\Windows\SysWOW64\Dglkoeio.exe Doagjc32.exe File created C:\Windows\SysWOW64\Kpiqfima.exe Kedlip32.exe File opened for modification C:\Windows\SysWOW64\Hjjnae32.exe Hglaej32.exe File created C:\Windows\SysWOW64\Qfcnkn32.dll Bcahmb32.exe File created C:\Windows\SysWOW64\Lalnmiia.exe Lbinam32.exe File created C:\Windows\SysWOW64\Kadcjkfm.dll Codhnb32.exe File created C:\Windows\SysWOW64\Elbhjp32.exe Eidlnd32.exe File created C:\Windows\SysWOW64\Hahokfag.exe Hnibokbd.exe File created C:\Windows\SysWOW64\Njghbl32.exe Mldhfpib.exe File created C:\Windows\SysWOW64\Abponp32.exe Acmobchj.exe File created C:\Windows\SysWOW64\Ldldehjm.dll Hipmfjee.exe File created C:\Windows\SysWOW64\Cpfoag32.dll Ckgohf32.exe File created C:\Windows\SysWOW64\Coffgmig.dll Glfmgp32.exe File created C:\Windows\SysWOW64\Bepjbf32.dll Noppeaed.exe File opened for modification C:\Windows\SysWOW64\Milidebi.exe Meamcg32.exe File created C:\Windows\SysWOW64\Ejlbhh32.exe Ecbjkngo.exe File created C:\Windows\SysWOW64\Qofmkc32.dll Nmlddqem.exe File opened for modification C:\Windows\SysWOW64\Pcegclgp.exe Pmkofa32.exe File created C:\Windows\SysWOW64\Anbgamkp.dll Bgdemb32.exe File created C:\Windows\SysWOW64\Bfbghcbm.dll Miaboe32.exe File created C:\Windows\SysWOW64\Akffafgg.exe Ajdjin32.exe File created C:\Windows\SysWOW64\Cjjlkk32.exe Codhnb32.exe File created C:\Windows\SysWOW64\Jekqmhia.exe Igfclkdj.exe File created C:\Windows\SysWOW64\Mablfnne.exe Modpib32.exe File created C:\Windows\SysWOW64\Mlljnf32.exe Mfbaalbi.exe File opened for modification C:\Windows\SysWOW64\Mbbagk32.exe Mngegmbc.exe File created C:\Windows\SysWOW64\Oboijgbl.exe Oocmii32.exe File created C:\Windows\SysWOW64\Bbaffgag.dll Hkicaahi.exe File created C:\Windows\SysWOW64\Mjokgg32.exe Mcecjmkl.exe File opened for modification C:\Windows\SysWOW64\Mfbaalbi.exe Mpeiie32.exe File created C:\Windows\SysWOW64\Kinmcg32.exe Kecabifp.exe File created C:\Windows\SysWOW64\Eifhdd32.exe Eblpgjha.exe File created C:\Windows\SysWOW64\Aobbbd32.dll Icdheded.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target Process procid_target 2788 5728 WerFault.exe 742 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Mlkepaam.exeDmcain32.exeFcniglmb.exeFmikeaap.exeAhfmpnql.exeAmcehdod.exeOflmnh32.exeDphiaffa.exeOlgncmim.exeElgaeolp.exeHihibbjo.exeMalpia32.exeKgiiiidd.exeMmkdcm32.exeHnibokbd.exeOkedcjcm.exePllgnl32.exeAjbmdn32.exeCkpbnb32.exeOaqbkn32.exeJjjghcfp.exeNklbmllg.exeMicoed32.exeGaqhjggp.exeJlbejloe.exeAplaoj32.exeJgadgf32.exeMalgcg32.exeKjhloj32.exeOgjdmbil.exeBdojjo32.exeConanfli.exeJqglkmlj.exeKecabifp.exeFfmfchle.exeHdokdg32.exeJgogbgei.exeKkfcndce.exeNoeahkfc.exeBkafmd32.exeDodjjimm.exeFflohaij.exeQclmck32.exeHglaej32.exeJqdoem32.exeBfngdn32.exeIdcepgmg.exeDkokcl32.exeOcjoadei.exeCgfbbb32.exeCpacqg32.exeJkjcbe32.exeJgcamf32.exeAaldccip.exeOqhoeb32.exeBkobmnka.exeEmjgim32.exeCofnik32.exeIgfclkdj.exeHhfpbpdo.exeKeifdpif.exeObgohklm.exeGmggfp32.exeJjlmclqa.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlkepaam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmcain32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcniglmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmikeaap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahfmpnql.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amcehdod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oflmnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dphiaffa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olgncmim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elgaeolp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hihibbjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Malpia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgiiiidd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmkdcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnibokbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okedcjcm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pllgnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajbmdn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckpbnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaqbkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjjghcfp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nklbmllg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Micoed32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaqhjggp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlbejloe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aplaoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgadgf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Malgcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjhloj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogjdmbil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdojjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Conanfli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqglkmlj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kecabifp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffmfchle.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdokdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgogbgei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkfcndce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Noeahkfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkafmd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dodjjimm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fflohaij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qclmck32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hglaej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqdoem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfngdn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idcepgmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkokcl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocjoadei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgfbbb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpacqg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkjcbe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgcamf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaldccip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqhoeb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkobmnka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emjgim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cofnik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igfclkdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhfpbpdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keifdpif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obgohklm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmggfp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjlmclqa.exe -
Modifies registry class 64 IoCs
Processes:
Jilfifme.exeBhpofl32.exePemomqcn.exeCgfbbb32.exeBmjkic32.exeJdnoplhh.exeGlbjggof.exeAaenbd32.exeKkfcndce.exeKdpmbc32.exeBdojjo32.exeQclmck32.exeAcmobchj.exeAjbmdn32.exeGoglcahb.exeAmcehdod.exeKnbbep32.exeLindkm32.exeLjnlecmp.exePllgnl32.exeEfepbi32.exeFpggamqc.exeGkaclqkk.exeJgadgf32.exeHlnjbedi.exeDqpfmlce.exeIogopi32.exeApjdikqd.exeGjdaodja.exeEnpmld32.exeEdeeci32.exeGbpedjnb.exeIhmfco32.exePbekii32.exeQcaofebg.exePcobaedj.exeMjokgg32.exeKdinljnk.exeGmafajfi.exeJjlmclqa.exeJbiejoaj.exeMbenmk32.exeJqglkmlj.exeKkcfid32.exeGhojbq32.exeNkqkhk32.exePcepkfld.exeHdokdg32.exePmcclm32.exeJhndljll.exeCpljehpo.exeOklkdi32.exeDihlbf32.exeDodjjimm.exeGimqajgh.exeAiplmq32.exeMbighjdd.exeBedgjgkg.exeAaldccip.exeJlgoek32.exeBgdemb32.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jilfifme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkmmde32.dll" Bhpofl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmlijb32.dll" Pemomqcn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgfbbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmjkic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnknamej.dll" Jdnoplhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Glbjggof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aaenbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjmfo32.dll" Kkfcndce.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdpmbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdojjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qclmck32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Acmobchj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajbmdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emcnmpcj.dll" Goglcahb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amcehdod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kibeebbj.dll" Knbbep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lindkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljnlecmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnnpaa32.dll" Pllgnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efepbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpggamqc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkaclqkk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgadgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fenhjedb.dll" Hlnjbedi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipaooi32.dll" Dqpfmlce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iogopi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpeipb32.dll" Apjdikqd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gjdaodja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Enpmld32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Edeeci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pncepolj.dll" Gbpedjnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ihmfco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oajgdm32.dll" Pbekii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkjmbk32.dll" Qcaofebg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pcobaedj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbobmnod.dll" Mjokgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Logooemi.dll" Kdinljnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbpcnkaj.dll" Gmafajfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Edeeci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjlmclqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mapmipen.dll" Jbiejoaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mbenmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fckjejfe.dll" Gkaclqkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpajnp32.dll" Jqglkmlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ophpeg32.dll" Kkcfid32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghojbq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdinljnk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nkqkhk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pcepkfld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdokdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockkandf.dll" Pmcclm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jhndljll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcidlo32.dll" Cpljehpo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oklkdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Injmlc32.dll" Dihlbf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dodjjimm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gimqajgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iblbgn32.dll" Aiplmq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mbighjdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bedgjgkg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aaldccip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jlgoek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgdemb32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
3bbea78950a648b9bd750a383fa86642bc727c9762a2d2c573acc5a604a107deN.exeHaoimcgg.exeHglaej32.exeHjjnae32.exeIkndgg32.exeInomhbeq.exeIbmeoq32.exeIkejgf32.exeIndfca32.exeIqbbpm32.exeJdnoplhh.exeJjjghcfp.exeJnfcia32.exeJqdoem32.exeJdpkflfe.exeJgogbgei.exeJkjcbe32.exeJnhpoamf.exeJbdlop32.exeJqglkmlj.exeJhndljll.exeJgadgf32.exedescription pid Process procid_target PID 4712 wrote to memory of 4032 4712 3bbea78950a648b9bd750a383fa86642bc727c9762a2d2c573acc5a604a107deN.exe 83 PID 4712 wrote to memory of 4032 4712 3bbea78950a648b9bd750a383fa86642bc727c9762a2d2c573acc5a604a107deN.exe 83 PID 4712 wrote to memory of 4032 4712 3bbea78950a648b9bd750a383fa86642bc727c9762a2d2c573acc5a604a107deN.exe 83 PID 4032 wrote to memory of 4656 4032 Haoimcgg.exe 84 PID 4032 wrote to memory of 4656 4032 Haoimcgg.exe 84 PID 4032 wrote to memory of 4656 4032 Haoimcgg.exe 84 PID 4656 wrote to memory of 1732 4656 Hglaej32.exe 85 PID 4656 wrote to memory of 1732 4656 Hglaej32.exe 85 PID 4656 wrote to memory of 1732 4656 Hglaej32.exe 85 PID 1732 wrote to memory of 4240 1732 Hjjnae32.exe 86 PID 1732 wrote to memory of 4240 1732 Hjjnae32.exe 86 PID 1732 wrote to memory of 4240 1732 Hjjnae32.exe 86 PID 4240 wrote to memory of 2484 4240 Ikndgg32.exe 87 PID 4240 wrote to memory of 2484 4240 Ikndgg32.exe 87 PID 4240 wrote to memory of 2484 4240 Ikndgg32.exe 87 PID 2484 wrote to memory of 3256 2484 Inomhbeq.exe 88 PID 2484 wrote to memory of 3256 2484 Inomhbeq.exe 88 PID 2484 wrote to memory of 3256 2484 Inomhbeq.exe 88 PID 3256 wrote to memory of 2304 3256 Ibmeoq32.exe 89 PID 3256 wrote to memory of 2304 3256 Ibmeoq32.exe 89 PID 3256 wrote to memory of 2304 3256 Ibmeoq32.exe 89 PID 2304 wrote to memory of 1880 2304 Ikejgf32.exe 90 PID 2304 wrote to memory of 1880 2304 Ikejgf32.exe 90 PID 2304 wrote to memory of 1880 2304 Ikejgf32.exe 90 PID 1880 wrote to memory of 3592 1880 Indfca32.exe 91 PID 1880 wrote to memory of 3592 1880 Indfca32.exe 91 PID 1880 wrote to memory of 3592 1880 Indfca32.exe 91 PID 3592 wrote to memory of 2164 3592 Iqbbpm32.exe 92 PID 3592 wrote to memory of 2164 3592 Iqbbpm32.exe 92 PID 3592 wrote to memory of 2164 3592 Iqbbpm32.exe 92 PID 2164 wrote to memory of 4500 2164 Jdnoplhh.exe 93 PID 2164 wrote to memory of 4500 2164 Jdnoplhh.exe 93 PID 2164 wrote to memory of 4500 2164 Jdnoplhh.exe 93 PID 4500 wrote to memory of 3996 4500 Jjjghcfp.exe 94 PID 4500 wrote to memory of 3996 4500 Jjjghcfp.exe 94 PID 4500 wrote to memory of 3996 4500 Jjjghcfp.exe 94 PID 3996 wrote to memory of 2068 3996 Jnfcia32.exe 95 PID 3996 wrote to memory of 2068 3996 Jnfcia32.exe 95 PID 3996 wrote to memory of 2068 3996 Jnfcia32.exe 95 PID 2068 wrote to memory of 4856 2068 Jqdoem32.exe 96 PID 2068 wrote to memory of 4856 2068 Jqdoem32.exe 96 PID 2068 wrote to memory of 4856 2068 Jqdoem32.exe 96 PID 4856 wrote to memory of 4368 4856 Jdpkflfe.exe 97 PID 4856 wrote to memory of 4368 4856 Jdpkflfe.exe 97 PID 4856 wrote to memory of 4368 4856 Jdpkflfe.exe 97 PID 4368 wrote to memory of 4528 4368 Jgogbgei.exe 98 PID 4368 wrote to memory of 4528 4368 Jgogbgei.exe 98 PID 4368 wrote to memory of 4528 4368 Jgogbgei.exe 98 PID 4528 wrote to memory of 2516 4528 Jkjcbe32.exe 99 PID 4528 wrote to memory of 2516 4528 Jkjcbe32.exe 99 PID 4528 wrote to memory of 2516 4528 Jkjcbe32.exe 99 PID 2516 wrote to memory of 220 2516 Jnhpoamf.exe 100 PID 2516 wrote to memory of 220 2516 Jnhpoamf.exe 100 PID 2516 wrote to memory of 220 2516 Jnhpoamf.exe 100 PID 220 wrote to memory of 2012 220 Jbdlop32.exe 101 PID 220 wrote to memory of 2012 220 Jbdlop32.exe 101 PID 220 wrote to memory of 2012 220 Jbdlop32.exe 101 PID 2012 wrote to memory of 3312 2012 Jqglkmlj.exe 102 PID 2012 wrote to memory of 3312 2012 Jqglkmlj.exe 102 PID 2012 wrote to memory of 3312 2012 Jqglkmlj.exe 102 PID 3312 wrote to memory of 2760 3312 Jhndljll.exe 103 PID 3312 wrote to memory of 2760 3312 Jhndljll.exe 103 PID 3312 wrote to memory of 2760 3312 Jhndljll.exe 103 PID 2760 wrote to memory of 2856 2760 Jgadgf32.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\3bbea78950a648b9bd750a383fa86642bc727c9762a2d2c573acc5a604a107deN.exe"C:\Users\Admin\AppData\Local\Temp\3bbea78950a648b9bd750a383fa86642bc727c9762a2d2c573acc5a604a107deN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4712 -
C:\Windows\SysWOW64\Haoimcgg.exeC:\Windows\system32\Haoimcgg.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4032 -
C:\Windows\SysWOW64\Hglaej32.exeC:\Windows\system32\Hglaej32.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4656 -
C:\Windows\SysWOW64\Hjjnae32.exeC:\Windows\system32\Hjjnae32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Windows\SysWOW64\Ikndgg32.exeC:\Windows\system32\Ikndgg32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4240 -
C:\Windows\SysWOW64\Inomhbeq.exeC:\Windows\system32\Inomhbeq.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Windows\SysWOW64\Ibmeoq32.exeC:\Windows\system32\Ibmeoq32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3256 -
C:\Windows\SysWOW64\Ikejgf32.exeC:\Windows\system32\Ikejgf32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2304 -
C:\Windows\SysWOW64\Indfca32.exeC:\Windows\system32\Indfca32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1880 -
C:\Windows\SysWOW64\Iqbbpm32.exeC:\Windows\system32\Iqbbpm32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3592 -
C:\Windows\SysWOW64\Jdnoplhh.exeC:\Windows\system32\Jdnoplhh.exe11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SysWOW64\Jjjghcfp.exeC:\Windows\system32\Jjjghcfp.exe12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4500 -
C:\Windows\SysWOW64\Jnfcia32.exeC:\Windows\system32\Jnfcia32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3996 -
C:\Windows\SysWOW64\Jqdoem32.exeC:\Windows\system32\Jqdoem32.exe14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Windows\SysWOW64\Jdpkflfe.exeC:\Windows\system32\Jdpkflfe.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4856 -
C:\Windows\SysWOW64\Jgogbgei.exeC:\Windows\system32\Jgogbgei.exe16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4368 -
C:\Windows\SysWOW64\Jkjcbe32.exeC:\Windows\system32\Jkjcbe32.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4528 -
C:\Windows\SysWOW64\Jnhpoamf.exeC:\Windows\system32\Jnhpoamf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\SysWOW64\Jbdlop32.exeC:\Windows\system32\Jbdlop32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:220 -
C:\Windows\SysWOW64\Jqglkmlj.exeC:\Windows\system32\Jqglkmlj.exe20⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\SysWOW64\Jhndljll.exeC:\Windows\system32\Jhndljll.exe21⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3312 -
C:\Windows\SysWOW64\Jgadgf32.exeC:\Windows\system32\Jgadgf32.exe22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Jjopcb32.exeC:\Windows\system32\Jjopcb32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Jbfheo32.exeC:\Windows\system32\Jbfheo32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1352 -
C:\Windows\SysWOW64\Jqiipljg.exeC:\Windows\system32\Jqiipljg.exe25⤵
- Executes dropped EXE
PID:3384 -
C:\Windows\SysWOW64\Jhpqaiji.exeC:\Windows\system32\Jhpqaiji.exe26⤵
- Executes dropped EXE
PID:4940 -
C:\Windows\SysWOW64\Jgcamf32.exeC:\Windows\system32\Jgcamf32.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4872 -
C:\Windows\SysWOW64\Jjamia32.exeC:\Windows\system32\Jjamia32.exe28⤵
- Executes dropped EXE
PID:1308 -
C:\Windows\SysWOW64\Jbiejoaj.exeC:\Windows\system32\Jbiejoaj.exe29⤵
- Executes dropped EXE
- Modifies registry class
PID:3656 -
C:\Windows\SysWOW64\Jqlefl32.exeC:\Windows\system32\Jqlefl32.exe30⤵
- Executes dropped EXE
PID:4568 -
C:\Windows\SysWOW64\Jibmgi32.exeC:\Windows\system32\Jibmgi32.exe31⤵
- Executes dropped EXE
PID:1852 -
C:\Windows\SysWOW64\Jgenbfoa.exeC:\Windows\system32\Jgenbfoa.exe32⤵
- Executes dropped EXE
PID:4984 -
C:\Windows\SysWOW64\Jjdjoane.exeC:\Windows\system32\Jjdjoane.exe33⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Jbkbpoog.exeC:\Windows\system32\Jbkbpoog.exe34⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Kdinljnk.exeC:\Windows\system32\Kdinljnk.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:724 -
C:\Windows\SysWOW64\Kiejmi32.exeC:\Windows\system32\Kiejmi32.exe36⤵
- Executes dropped EXE
PID:4836 -
C:\Windows\SysWOW64\Kkcfid32.exeC:\Windows\system32\Kkcfid32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:2736 -
C:\Windows\SysWOW64\Knbbep32.exeC:\Windows\system32\Knbbep32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:4080 -
C:\Windows\SysWOW64\Kbmoen32.exeC:\Windows\system32\Kbmoen32.exe39⤵
- Executes dropped EXE
PID:3432 -
C:\Windows\SysWOW64\Kelkaj32.exeC:\Windows\system32\Kelkaj32.exe40⤵
- Executes dropped EXE
PID:5044 -
C:\Windows\SysWOW64\Kgjgne32.exeC:\Windows\system32\Kgjgne32.exe41⤵
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Kkfcndce.exeC:\Windows\system32\Kkfcndce.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1396 -
C:\Windows\SysWOW64\Kndojobi.exeC:\Windows\system32\Kndojobi.exe43⤵
- Executes dropped EXE
PID:4004 -
C:\Windows\SysWOW64\Kqbkfkal.exeC:\Windows\system32\Kqbkfkal.exe44⤵
- Executes dropped EXE
PID:4304 -
C:\Windows\SysWOW64\Kenggi32.exeC:\Windows\system32\Kenggi32.exe45⤵
- Executes dropped EXE
PID:4748 -
C:\Windows\SysWOW64\Kgmcce32.exeC:\Windows\system32\Kgmcce32.exe46⤵
- Executes dropped EXE
PID:5040 -
C:\Windows\SysWOW64\Kjkpoq32.exeC:\Windows\system32\Kjkpoq32.exe47⤵
- Executes dropped EXE
PID:4356 -
C:\Windows\SysWOW64\Kbbhqn32.exeC:\Windows\system32\Kbbhqn32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4108 -
C:\Windows\SysWOW64\Kaehljpj.exeC:\Windows\system32\Kaehljpj.exe49⤵
- Executes dropped EXE
PID:4140 -
C:\Windows\SysWOW64\Kilpmh32.exeC:\Windows\system32\Kilpmh32.exe50⤵
- Executes dropped EXE
PID:548 -
C:\Windows\SysWOW64\Kkjlic32.exeC:\Windows\system32\Kkjlic32.exe51⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Kjmmepfj.exeC:\Windows\system32\Kjmmepfj.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5084 -
C:\Windows\SysWOW64\Kbddfmgl.exeC:\Windows\system32\Kbddfmgl.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4388 -
C:\Windows\SysWOW64\Kecabifp.exeC:\Windows\system32\Kecabifp.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2292 -
C:\Windows\SysWOW64\Kinmcg32.exeC:\Windows\system32\Kinmcg32.exe55⤵
- Executes dropped EXE
PID:3076 -
C:\Windows\SysWOW64\Kkmioc32.exeC:\Windows\system32\Kkmioc32.exe56⤵
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Kjpijpdg.exeC:\Windows\system32\Kjpijpdg.exe57⤵
- Executes dropped EXE
PID:1856 -
C:\Windows\SysWOW64\Lbgalmej.exeC:\Windows\system32\Lbgalmej.exe58⤵
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Leenhhdn.exeC:\Windows\system32\Leenhhdn.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5104 -
C:\Windows\SysWOW64\Lgcjdd32.exeC:\Windows\system32\Lgcjdd32.exe60⤵
- Executes dropped EXE
PID:4396 -
C:\Windows\SysWOW64\Lkofdbkj.exeC:\Windows\system32\Lkofdbkj.exe61⤵
- Executes dropped EXE
PID:784 -
C:\Windows\SysWOW64\Lbinam32.exeC:\Windows\system32\Lbinam32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2676 -
C:\Windows\SysWOW64\Lalnmiia.exeC:\Windows\system32\Lalnmiia.exe63⤵
- Executes dropped EXE
PID:4112 -
C:\Windows\SysWOW64\Licfngjd.exeC:\Windows\system32\Licfngjd.exe64⤵
- Executes dropped EXE
PID:4676 -
C:\Windows\SysWOW64\Lkabjbih.exeC:\Windows\system32\Lkabjbih.exe65⤵
- Executes dropped EXE
PID:4072 -
C:\Windows\SysWOW64\Ljdceo32.exeC:\Windows\system32\Ljdceo32.exe66⤵PID:3348
-
C:\Windows\SysWOW64\Lbkkgl32.exeC:\Windows\system32\Lbkkgl32.exe67⤵PID:2380
-
C:\Windows\SysWOW64\Lankbigo.exeC:\Windows\system32\Lankbigo.exe68⤵PID:3360
-
C:\Windows\SysWOW64\Lieccf32.exeC:\Windows\system32\Lieccf32.exe69⤵PID:4008
-
C:\Windows\SysWOW64\Lldopb32.exeC:\Windows\system32\Lldopb32.exe70⤵PID:2912
-
C:\Windows\SysWOW64\Ljgpkonp.exeC:\Windows\system32\Ljgpkonp.exe71⤵
- Drops file in System32 directory
PID:1796 -
C:\Windows\SysWOW64\Lndham32.exeC:\Windows\system32\Lndham32.exe72⤵PID:4496
-
C:\Windows\SysWOW64\Lbpdblmo.exeC:\Windows\system32\Lbpdblmo.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4300 -
C:\Windows\SysWOW64\Leopnglc.exeC:\Windows\system32\Leopnglc.exe74⤵PID:3968
-
C:\Windows\SysWOW64\Lijlof32.exeC:\Windows\system32\Lijlof32.exe75⤵PID:492
-
C:\Windows\SysWOW64\Llhikacp.exeC:\Windows\system32\Llhikacp.exe76⤵PID:2372
-
C:\Windows\SysWOW64\Mngegmbc.exeC:\Windows\system32\Mngegmbc.exe77⤵
- Drops file in System32 directory
PID:2004 -
C:\Windows\SysWOW64\Mbbagk32.exeC:\Windows\system32\Mbbagk32.exe78⤵PID:1332
-
C:\Windows\SysWOW64\Meamcg32.exeC:\Windows\system32\Meamcg32.exe79⤵
- Drops file in System32 directory
PID:3500 -
C:\Windows\SysWOW64\Milidebi.exeC:\Windows\system32\Milidebi.exe80⤵PID:2644
-
C:\Windows\SysWOW64\Mlkepaam.exeC:\Windows\system32\Mlkepaam.exe81⤵
- System Location Discovery: System Language Discovery
PID:4000 -
C:\Windows\SysWOW64\Mniallpq.exeC:\Windows\system32\Mniallpq.exe82⤵PID:4952
-
C:\Windows\SysWOW64\Mbenmk32.exeC:\Windows\system32\Mbenmk32.exe83⤵
- Modifies registry class
PID:3588 -
C:\Windows\SysWOW64\Mecjif32.exeC:\Windows\system32\Mecjif32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1020 -
C:\Windows\SysWOW64\Miofjepg.exeC:\Windows\system32\Miofjepg.exe85⤵PID:4436
-
C:\Windows\SysWOW64\Mlmbfqoj.exeC:\Windows\system32\Mlmbfqoj.exe86⤵PID:1788
-
C:\Windows\SysWOW64\Mjpbam32.exeC:\Windows\system32\Mjpbam32.exe87⤵PID:4408
-
C:\Windows\SysWOW64\Mnlnbl32.exeC:\Windows\system32\Mnlnbl32.exe88⤵PID:5132
-
C:\Windows\SysWOW64\Majjng32.exeC:\Windows\system32\Majjng32.exe89⤵PID:5164
-
C:\Windows\SysWOW64\Miaboe32.exeC:\Windows\system32\Miaboe32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5200 -
C:\Windows\SysWOW64\Mlpokp32.exeC:\Windows\system32\Mlpokp32.exe91⤵PID:5236
-
C:\Windows\SysWOW64\Mjbogmdb.exeC:\Windows\system32\Mjbogmdb.exe92⤵PID:5272
-
C:\Windows\SysWOW64\Mbighjdd.exeC:\Windows\system32\Mbighjdd.exe93⤵
- Modifies registry class
PID:5308 -
C:\Windows\SysWOW64\Malgcg32.exeC:\Windows\system32\Malgcg32.exe94⤵
- System Location Discovery: System Language Discovery
PID:5344 -
C:\Windows\SysWOW64\Micoed32.exeC:\Windows\system32\Micoed32.exe95⤵
- System Location Discovery: System Language Discovery
PID:5380 -
C:\Windows\SysWOW64\Mlbkap32.exeC:\Windows\system32\Mlbkap32.exe96⤵PID:5416
-
C:\Windows\SysWOW64\Mjellmbp.exeC:\Windows\system32\Mjellmbp.exe97⤵PID:5452
-
C:\Windows\SysWOW64\Mblcnj32.exeC:\Windows\system32\Mblcnj32.exe98⤵
- Drops file in System32 directory
PID:5488 -
C:\Windows\SysWOW64\Mejpje32.exeC:\Windows\system32\Mejpje32.exe99⤵PID:5524
-
C:\Windows\SysWOW64\Mifljdjo.exeC:\Windows\system32\Mifljdjo.exe100⤵PID:5560
-
C:\Windows\SysWOW64\Mldhfpib.exeC:\Windows\system32\Mldhfpib.exe101⤵
- Drops file in System32 directory
PID:5596 -
C:\Windows\SysWOW64\Njghbl32.exeC:\Windows\system32\Njghbl32.exe102⤵PID:5632
-
C:\Windows\SysWOW64\Nbnpcj32.exeC:\Windows\system32\Nbnpcj32.exe103⤵
- Drops file in System32 directory
PID:5668 -
C:\Windows\SysWOW64\Naaqofgj.exeC:\Windows\system32\Naaqofgj.exe104⤵PID:5704
-
C:\Windows\SysWOW64\Nihipdhl.exeC:\Windows\system32\Nihipdhl.exe105⤵PID:5740
-
C:\Windows\SysWOW64\Nhkikq32.exeC:\Windows\system32\Nhkikq32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5776 -
C:\Windows\SysWOW64\Njiegl32.exeC:\Windows\system32\Njiegl32.exe107⤵PID:5812
-
C:\Windows\SysWOW64\Noeahkfc.exeC:\Windows\system32\Noeahkfc.exe108⤵
- System Location Discovery: System Language Discovery
PID:5848 -
C:\Windows\SysWOW64\Nacmdf32.exeC:\Windows\system32\Nacmdf32.exe109⤵PID:5884
-
C:\Windows\SysWOW64\Neoieenp.exeC:\Windows\system32\Neoieenp.exe110⤵PID:5920
-
C:\Windows\SysWOW64\Nhmeapmd.exeC:\Windows\system32\Nhmeapmd.exe111⤵PID:5956
-
C:\Windows\SysWOW64\Nklbmllg.exeC:\Windows\system32\Nklbmllg.exe112⤵
- System Location Discovery: System Language Discovery
PID:5992 -
C:\Windows\SysWOW64\Nognnj32.exeC:\Windows\system32\Nognnj32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6028 -
C:\Windows\SysWOW64\Nafjjf32.exeC:\Windows\system32\Nafjjf32.exe114⤵PID:6064
-
C:\Windows\SysWOW64\Neafjdkn.exeC:\Windows\system32\Neafjdkn.exe115⤵PID:6100
-
C:\Windows\SysWOW64\Nhpbfpka.exeC:\Windows\system32\Nhpbfpka.exe116⤵PID:6136
-
C:\Windows\SysWOW64\Nknobkje.exeC:\Windows\system32\Nknobkje.exe117⤵PID:4796
-
C:\Windows\SysWOW64\Nojjcj32.exeC:\Windows\system32\Nojjcj32.exe118⤵PID:2884
-
C:\Windows\SysWOW64\Nahgoe32.exeC:\Windows\system32\Nahgoe32.exe119⤵PID:3396
-
C:\Windows\SysWOW64\Neccpd32.exeC:\Windows\system32\Neccpd32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4504 -
C:\Windows\SysWOW64\Nhbolp32.exeC:\Windows\system32\Nhbolp32.exe121⤵PID:4652
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-