Analysis
-
max time kernel
15s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
23-11-2024 07:29
Static task
static1
Behavioral task
behavioral1
Sample
d2a6d0b8446dda0e0e9c059d11ca1266233f10efe842987176bbdf7d4aaafccb.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
d2a6d0b8446dda0e0e9c059d11ca1266233f10efe842987176bbdf7d4aaafccb.exe
Resource
win10v2004-20241007-en
General
-
Target
d2a6d0b8446dda0e0e9c059d11ca1266233f10efe842987176bbdf7d4aaafccb.exe
-
Size
64KB
-
MD5
354358d715558e5a67c46b7c13265810
-
SHA1
e34ec8f7aa33c3517915a88ec0938c266b833b90
-
SHA256
d2a6d0b8446dda0e0e9c059d11ca1266233f10efe842987176bbdf7d4aaafccb
-
SHA512
be316db3ec26bdcc1419dbb2da0b33b2e2a65670f50854eaa33a840b7368d0b4ec78a8d3479ed7d2bee9085f360c03c64a6edaf15bc55eb136a588bcfa00221f
-
SSDEEP
1536:0bK06c+OZWvyC3Y4uUbhwmxrVBhmCOsDYL2LJl2+lWu:0JLQw4h9wEVTmCOsDHn2+r
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Jimbkh32.exeJolghndm.exeKddomchg.exeLnjcomcf.exeAccqnc32.exeDjdgic32.exeLoqmba32.exeNbflno32.exeOaghki32.exeOjomdoof.exePgfjhcge.exePghfnc32.exeBkjdndjo.exeCgaaah32.exeLqipkhbj.exePcljmdmj.exeQdlggg32.exeQndkpmkm.exeAaimopli.exeAchjibcl.exeMmbmeifk.exeQeppdo32.exeBqeqqk32.exeCileqlmg.exeHidcef32.exeKkeecogo.exeNhjjgd32.exeOlpilg32.exeAqbdkk32.exeBoogmgkl.exeKdbbgdjj.exeOnfoin32.exeOdedge32.exeOmnipjni.exeAkabgebj.exeJhbold32.exeLlbqfe32.exeNnafnopi.exeIhbcmaje.exeKjahej32.exeLboiol32.exeNnoiio32.exeOfadnq32.exeAkcomepg.exeJhdlad32.exeKgnbnpkp.exePmmeon32.exePpnnai32.exeBkegah32.exeHqfaldbo.exeJlkngc32.exeJajcdjca.exeAlqnah32.exeBbbpenco.exeMnmpdlac.exePhqmgg32.exePplaki32.exeAfdiondb.exeBkhhhd32.exeHjlioj32.exeIjnbcmkk.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jimbkh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jolghndm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kddomchg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnjcomcf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Accqnc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djdgic32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Loqmba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbflno32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oaghki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojomdoof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgfjhcge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pghfnc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkjdndjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgaaah32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqipkhbj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcljmdmj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qdlggg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qndkpmkm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaimopli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Achjibcl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmbmeifk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qeppdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bqeqqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cileqlmg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hidcef32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkeecogo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhjjgd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olpilg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aqbdkk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boogmgkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdbbgdjj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onfoin32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odedge32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omnipjni.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akabgebj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhbold32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llbqfe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnafnopi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihbcmaje.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjahej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lboiol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnoiio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofadnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akcomepg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhdlad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgnbnpkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmmeon32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppnnai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkegah32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hqfaldbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlkngc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jajcdjca.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofadnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omnipjni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alqnah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbbpenco.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jimbkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnmpdlac.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phqmgg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pplaki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afdiondb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkhhhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjlioj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijnbcmkk.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Gneijien.exeGepafc32.exeGgnmbn32.exeHjlioj32.exeHqfaldbo.exeHcdnhoac.exeHfcjdkpg.exeHmmbqegc.exeHcgjmo32.exeHfegij32.exeHidcef32.exeHpnkbpdd.exeHcigco32.exeHldlga32.exeHcldhnkk.exeHemqpf32.exeHmdhad32.exeHpbdmo32.exeHbaaik32.exeIeomef32.exeIhniaa32.exeIpeaco32.exeIbcnojnp.exeIimfld32.exeIhpfgalh.exeIjnbcmkk.exeIhbcmaje.exeIlnomp32.exeInlkik32.exeIakgefqe.exeIjclol32.exeIoohokoo.exeIhglhp32.exeIfjlcmmj.exeJaoqqflp.exeJdnmma32.exeJkhejkcq.exeJpdnbbah.exeJbcjnnpl.exeJeafjiop.exeJimbkh32.exeJlkngc32.exeJbefcm32.exeJedcpi32.exeJhbold32.exeJpigma32.exeJolghndm.exeJajcdjca.exeJhdlad32.exeJlphbbbg.exeJkchmo32.exeJondnnbk.exeJbjpom32.exeJbjpom32.exeJehlkhig.exeKdklfe32.exeKhghgchk.exeKlbdgb32.exeKkeecogo.exeKoaqcn32.exeKaompi32.exeKekiphge.exeKhielcfh.exeKglehp32.exepid process 2924 Gneijien.exe 304 Gepafc32.exe 3004 Ggnmbn32.exe 2740 Hjlioj32.exe 2676 Hqfaldbo.exe 2820 Hcdnhoac.exe 2776 Hfcjdkpg.exe 2600 Hmmbqegc.exe 2316 Hcgjmo32.exe 1448 Hfegij32.exe 1680 Hidcef32.exe 1864 Hpnkbpdd.exe 1976 Hcigco32.exe 668 Hldlga32.exe 1044 Hcldhnkk.exe 2248 Hemqpf32.exe 1108 Hmdhad32.exe 1176 Hpbdmo32.exe 1556 Hbaaik32.exe 1440 Ieomef32.exe 1964 Ihniaa32.exe 1212 Ipeaco32.exe 2236 Ibcnojnp.exe 2036 Iimfld32.exe 3036 Ihpfgalh.exe 704 Ijnbcmkk.exe 2672 Ihbcmaje.exe 2768 Ilnomp32.exe 2824 Inlkik32.exe 2960 Iakgefqe.exe 2560 Ijclol32.exe 2588 Ioohokoo.exe 2108 Ihglhp32.exe 2328 Ifjlcmmj.exe 2288 Jaoqqflp.exe 1632 Jdnmma32.exe 1880 Jkhejkcq.exe 1856 Jpdnbbah.exe 1888 Jbcjnnpl.exe 2844 Jeafjiop.exe 1728 Jimbkh32.exe 2884 Jlkngc32.exe 3040 Jbefcm32.exe 1788 Jedcpi32.exe 2064 Jhbold32.exe 280 Jpigma32.exe 2004 Jolghndm.exe 2012 Jajcdjca.exe 2980 Jhdlad32.exe 2852 Jlphbbbg.exe 380 Jkchmo32.exe 2652 Jondnnbk.exe 2592 Jbjpom32.exe 2664 Jbjpom32.exe 1020 Jehlkhig.exe 1416 Kdklfe32.exe 1940 Khghgchk.exe 1532 Klbdgb32.exe 572 Kkeecogo.exe 1848 Koaqcn32.exe 1924 Kaompi32.exe 1512 Kekiphge.exe 1192 Khielcfh.exe 2384 Kglehp32.exe -
Loads dropped DLL 64 IoCs
Processes:
d2a6d0b8446dda0e0e9c059d11ca1266233f10efe842987176bbdf7d4aaafccb.exeGneijien.exeGepafc32.exeGgnmbn32.exeHjlioj32.exeHqfaldbo.exeHcdnhoac.exeHfcjdkpg.exeHmmbqegc.exeHcgjmo32.exeHfegij32.exeHidcef32.exeHpnkbpdd.exeHcigco32.exeHldlga32.exeHcldhnkk.exeHemqpf32.exeHmdhad32.exeHpbdmo32.exeHbaaik32.exeIeomef32.exeIhniaa32.exeIpeaco32.exeIbcnojnp.exeIimfld32.exeIhpfgalh.exeIjnbcmkk.exeIhbcmaje.exeIlnomp32.exeInlkik32.exeIakgefqe.exeIjclol32.exepid process 2204 d2a6d0b8446dda0e0e9c059d11ca1266233f10efe842987176bbdf7d4aaafccb.exe 2204 d2a6d0b8446dda0e0e9c059d11ca1266233f10efe842987176bbdf7d4aaafccb.exe 2924 Gneijien.exe 2924 Gneijien.exe 304 Gepafc32.exe 304 Gepafc32.exe 3004 Ggnmbn32.exe 3004 Ggnmbn32.exe 2740 Hjlioj32.exe 2740 Hjlioj32.exe 2676 Hqfaldbo.exe 2676 Hqfaldbo.exe 2820 Hcdnhoac.exe 2820 Hcdnhoac.exe 2776 Hfcjdkpg.exe 2776 Hfcjdkpg.exe 2600 Hmmbqegc.exe 2600 Hmmbqegc.exe 2316 Hcgjmo32.exe 2316 Hcgjmo32.exe 1448 Hfegij32.exe 1448 Hfegij32.exe 1680 Hidcef32.exe 1680 Hidcef32.exe 1864 Hpnkbpdd.exe 1864 Hpnkbpdd.exe 1976 Hcigco32.exe 1976 Hcigco32.exe 668 Hldlga32.exe 668 Hldlga32.exe 1044 Hcldhnkk.exe 1044 Hcldhnkk.exe 2248 Hemqpf32.exe 2248 Hemqpf32.exe 1108 Hmdhad32.exe 1108 Hmdhad32.exe 1176 Hpbdmo32.exe 1176 Hpbdmo32.exe 1556 Hbaaik32.exe 1556 Hbaaik32.exe 1440 Ieomef32.exe 1440 Ieomef32.exe 1964 Ihniaa32.exe 1964 Ihniaa32.exe 1212 Ipeaco32.exe 1212 Ipeaco32.exe 2236 Ibcnojnp.exe 2236 Ibcnojnp.exe 2036 Iimfld32.exe 2036 Iimfld32.exe 3036 Ihpfgalh.exe 3036 Ihpfgalh.exe 704 Ijnbcmkk.exe 704 Ijnbcmkk.exe 2672 Ihbcmaje.exe 2672 Ihbcmaje.exe 2768 Ilnomp32.exe 2768 Ilnomp32.exe 2824 Inlkik32.exe 2824 Inlkik32.exe 2960 Iakgefqe.exe 2960 Iakgefqe.exe 2560 Ijclol32.exe 2560 Ijclol32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Jajcdjca.exeAjmijmnn.exeAdifpk32.exeHcldhnkk.exeOdchbe32.exeAlnalh32.exeBfioia32.exeIjclol32.exeLbafdlod.exeNbflno32.exePaiaplin.exeKnmdeioh.exeOlebgfao.exeAqbdkk32.exeNlefhcnc.exePaknelgk.exePnbojmmp.exeAficjnpm.exeDpapaj32.exeKglehp32.exeLkgngb32.exeNedhjj32.exeKpgffe32.exeLboiol32.exeOdchbe32.exeObjaha32.exeBkjdndjo.exeJdnmma32.exeKpdjaecc.exeKjmnjkjd.exeLjfapjbi.exeOlpilg32.exeOhncbdbd.exeOiffkkbk.exeHidcef32.exeKnhjjj32.exeLjddjj32.exePljlbf32.exeAgolnbok.exeOippjl32.exeQjklenpa.exeQnghel32.exeBbbpenco.exeHfegij32.exeNbmaon32.exeOaghki32.exeHfcjdkpg.exeIhniaa32.exeOfadnq32.exeAomnhd32.exeGepafc32.exeJlkngc32.exeNcnngfna.exed2a6d0b8446dda0e0e9c059d11ca1266233f10efe842987176bbdf7d4aaafccb.exePkmlmbcd.exeAojabdlf.exePdjjag32.exeHmmbqegc.exeHldlga32.exeLfmbek32.exedescription ioc process File created C:\Windows\SysWOW64\Neghkn32.dll Jajcdjca.exe File created C:\Windows\SysWOW64\Nmlfpfpl.dll Ajmijmnn.exe File opened for modification C:\Windows\SysWOW64\Ahebaiac.exe Adifpk32.exe File opened for modification C:\Windows\SysWOW64\Hemqpf32.exe Hcldhnkk.exe File created C:\Windows\SysWOW64\Odchbe32.exe Odchbe32.exe File created C:\Windows\SysWOW64\Akabgebj.exe Alnalh32.exe File created C:\Windows\SysWOW64\Bigkel32.exe Bfioia32.exe File created C:\Windows\SysWOW64\Ioohokoo.exe Ijclol32.exe File opened for modification C:\Windows\SysWOW64\Lfmbek32.exe Lbafdlod.exe File created C:\Windows\SysWOW64\Nfahomfd.exe Nbflno32.exe File created C:\Windows\SysWOW64\Fkdhkd32.dll Paiaplin.exe File opened for modification C:\Windows\SysWOW64\Kpkpadnl.exe Knmdeioh.exe File created C:\Windows\SysWOW64\Dkodahqi.dll Olebgfao.exe File opened for modification C:\Windows\SysWOW64\Adnpkjde.exe Aqbdkk32.exe File opened for modification C:\Windows\SysWOW64\Njhfcp32.exe Nlefhcnc.exe File opened for modification C:\Windows\SysWOW64\Ppnnai32.exe Paknelgk.exe File created C:\Windows\SysWOW64\Nlbjim32.dll Pnbojmmp.exe File opened for modification C:\Windows\SysWOW64\Adlcfjgh.exe Aficjnpm.exe File created C:\Windows\SysWOW64\ÿs.e¢e Dpapaj32.exe File created C:\Windows\SysWOW64\Kkgahoel.exe Kglehp32.exe File created C:\Windows\SysWOW64\Lcofio32.exe Lkgngb32.exe File created C:\Windows\SysWOW64\Nmkplgnq.exe Nedhjj32.exe File opened for modification C:\Windows\SysWOW64\Kdbbgdjj.exe Kpgffe32.exe File opened for modification C:\Windows\SysWOW64\Ljfapjbi.exe Lboiol32.exe File opened for modification C:\Windows\SysWOW64\Ohncbdbd.exe Odchbe32.exe File created C:\Windows\SysWOW64\Offmipej.exe Objaha32.exe File opened for modification C:\Windows\SysWOW64\Bjmeiq32.exe Bkjdndjo.exe File created C:\Windows\SysWOW64\Jkhejkcq.exe Jdnmma32.exe File opened for modification C:\Windows\SysWOW64\Kdpfadlm.exe Kpdjaecc.exe File created C:\Windows\SysWOW64\Knhjjj32.exe Kjmnjkjd.exe File created C:\Windows\SysWOW64\Llechb32.dll Ljfapjbi.exe File opened for modification C:\Windows\SysWOW64\Oplelf32.exe Olpilg32.exe File created C:\Windows\SysWOW64\Opqoge32.exe Olebgfao.exe File opened for modification C:\Windows\SysWOW64\Ofadnq32.exe Ohncbdbd.exe File created C:\Windows\SysWOW64\Ghfcobil.dll Oiffkkbk.exe File created C:\Windows\SysWOW64\Hpnkbpdd.exe Hidcef32.exe File opened for modification C:\Windows\SysWOW64\Kadfkhkf.exe Knhjjj32.exe File opened for modification C:\Windows\SysWOW64\Lhfefgkg.exe Ljddjj32.exe File created C:\Windows\SysWOW64\Nfdgghho.dll Pljlbf32.exe File created C:\Windows\SysWOW64\Aebmjo32.exe Agolnbok.exe File created C:\Windows\SysWOW64\Bjlkhpje.dll Ljddjj32.exe File created C:\Windows\SysWOW64\Ljfapjbi.exe Lboiol32.exe File created C:\Windows\SysWOW64\Oippjl32.exe Oippjl32.exe File opened for modification C:\Windows\SysWOW64\Qnghel32.exe Qjklenpa.exe File created C:\Windows\SysWOW64\Dicdjqhf.dll Qnghel32.exe File opened for modification C:\Windows\SysWOW64\Bqeqqk32.exe Bbbpenco.exe File opened for modification C:\Windows\SysWOW64\Hidcef32.exe Hfegij32.exe File created C:\Windows\SysWOW64\Blangfdh.dll Nbmaon32.exe File created C:\Windows\SysWOW64\Oaghki32.exe Oaghki32.exe File created C:\Windows\SysWOW64\Bleoal32.dll Hfcjdkpg.exe File created C:\Windows\SysWOW64\Ipeaco32.exe Ihniaa32.exe File created C:\Windows\SysWOW64\Nlboaceh.dll Ofadnq32.exe File created C:\Windows\SysWOW64\Oplelf32.exe Olpilg32.exe File opened for modification C:\Windows\SysWOW64\Achjibcl.exe Aomnhd32.exe File created C:\Windows\SysWOW64\Mhiaka32.dll Gepafc32.exe File created C:\Windows\SysWOW64\Jbefcm32.exe Jlkngc32.exe File opened for modification C:\Windows\SysWOW64\Nhjjgd32.exe Ncnngfna.exe File created C:\Windows\SysWOW64\Gneijien.exe d2a6d0b8446dda0e0e9c059d11ca1266233f10efe842987176bbdf7d4aaafccb.exe File created C:\Windows\SysWOW64\Mlbakl32.dll Pkmlmbcd.exe File created C:\Windows\SysWOW64\Acfmcc32.exe Aojabdlf.exe File created C:\Windows\SysWOW64\Pcljmdmj.exe Pdjjag32.exe File opened for modification C:\Windows\SysWOW64\Hcgjmo32.exe Hmmbqegc.exe File created C:\Windows\SysWOW64\Hcldhnkk.exe Hldlga32.exe File created C:\Windows\SysWOW64\Lhknaf32.exe Lfmbek32.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 4776 4700 WerFault.exe Dpapaj32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Obhdcanc.exeObjaha32.exePhlclgfc.exeAlnalh32.exeLqipkhbj.exeMbcoio32.exePmpbdm32.exeAcfmcc32.exeBffbdadk.exeAkcomepg.exeAndgop32.exeCileqlmg.exeHmdhad32.exeKkeecogo.exeLboiol32.exeOiffkkbk.exeQcogbdkg.exeNlefhcnc.exePgcmbcih.exeAlihaioe.exed2a6d0b8446dda0e0e9c059d11ca1266233f10efe842987176bbdf7d4aaafccb.exeHfcjdkpg.exeIhpfgalh.exeLhnkffeo.exeNplimbka.exeIpeaco32.exeOidiekdn.exePplaki32.exeIeomef32.exeKdpfadlm.exeMclebc32.exeAhbekjcf.exeBqlfaj32.exePifbjn32.exeAgjobffl.exeDjdgic32.exeJhbold32.exeJbjpom32.exeMcnbhb32.exeMpgobc32.exePaknelgk.exeJkchmo32.exeMjcaimgg.exeNhgnaehm.exeCbppnbhm.exeOmpefj32.exePepcelel.exePafdjmkq.exePleofj32.exeBqeqqk32.exeJeafjiop.exeLlgjaeoj.exeOlbfagca.exeAakjdo32.exeAjpepm32.exeCkhdggom.exeIhniaa32.exeKnkgpi32.exeNapbjjom.exePidfdofi.exePpnnai32.exeNcnngfna.exeAbmgjo32.exeNibqqh32.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obhdcanc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Objaha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phlclgfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alnalh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqipkhbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbcoio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmpbdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acfmcc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bffbdadk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akcomepg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Andgop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cileqlmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmdhad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkeecogo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lboiol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oiffkkbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcogbdkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlefhcnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgcmbcih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alihaioe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d2a6d0b8446dda0e0e9c059d11ca1266233f10efe842987176bbdf7d4aaafccb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfcjdkpg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihpfgalh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhnkffeo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nplimbka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipeaco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oidiekdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pplaki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieomef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdpfadlm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mclebc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahbekjcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqlfaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pifbjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agjobffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djdgic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhbold32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbjpom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcnbhb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpgobc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paknelgk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkchmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjcaimgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhgnaehm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbppnbhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ompefj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pepcelel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pafdjmkq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pleofj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqeqqk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jeafjiop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llgjaeoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olbfagca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aakjdo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajpepm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckhdggom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihniaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knkgpi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Napbjjom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pidfdofi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppnnai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncnngfna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abmgjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nibqqh32.exe -
Modifies registry class 64 IoCs
Processes:
Mkndhabp.exeNcnngfna.exeKnmdeioh.exeLcjlnpmo.exeLjfapjbi.exeLhiakf32.exeOippjl32.exeOfcqcp32.exeAgjobffl.exeBdqlajbb.exeHcigco32.exeAbmgjo32.exeOeindm32.exePebpkk32.exePkoicb32.exeKgnbnpkp.exeAbpcooea.exeCagienkb.exeAfdiondb.exeMkqqnq32.exeOaghki32.exeCgaaah32.exeIjnbcmkk.exeIlnomp32.exeKekiphge.exeKgclio32.exeLclicpkm.exePadhdm32.exeQjklenpa.exeHcdnhoac.exeJbjpom32.exeKnhjjj32.exeOdedge32.exePmmeon32.exeIakgefqe.exeOdchbe32.exeQkfocaki.exeHmmbqegc.exeLhnkffeo.exePgfjhcge.exeAebmjo32.exeAgjobffl.exeDjdgic32.exeLhknaf32.exeBniajoic.exeBbbpenco.exeKklkcn32.exeMcjhmcok.exeQiioon32.exeKaompi32.exeOfadnq32.exeQpbglhjq.exeAqbdkk32.exeBkhhhd32.exeMmbmeifk.exeMjaddn32.exeMmgfqh32.exeAakjdo32.exeOnfoin32.exePplaki32.exeKpgffe32.exePnbojmmp.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkndhabp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ncnngfna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knmdeioh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcjlnpmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llechb32.dll" Ljfapjbi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhiakf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oippjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldcinhie.dll" Ofcqcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Agjobffl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdqlajbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hcigco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aebfidim.dll" Abmgjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oeindm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pebpkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkoicb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgnbnpkp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abpcooea.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cagienkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdaehcom.dll" Afdiondb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mkqqnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oaghki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpajfg32.dll" Cgaaah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijnbcmkk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ilnomp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kekiphge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgclio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lclicpkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Padhdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cceell32.dll" Qjklenpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpqhdl32.dll" Hcdnhoac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enmkijgm.dll" Jbjpom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knhjjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odedge32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmmeon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iakgefqe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odchbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qkfocaki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fohlogok.dll" Hmmbqegc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhnkffeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgfjhcge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aebmjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Agjobffl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll" Djdgic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhknaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bniajoic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbbpenco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kklkcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcjhmcok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfqgfg32.dll" Qiioon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dljdnm32.dll" Kaompi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofadnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qpbglhjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmhnlgkg.dll" Aqbdkk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkhhhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjibgc32.dll" Mmbmeifk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjaddn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmgfqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aakjdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bifbbocj.dll" Bdqlajbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mkndhabp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onfoin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pplaki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpgffe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnbojmmp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
d2a6d0b8446dda0e0e9c059d11ca1266233f10efe842987176bbdf7d4aaafccb.exeGneijien.exeGepafc32.exeGgnmbn32.exeHjlioj32.exeHqfaldbo.exeHcdnhoac.exeHfcjdkpg.exeHmmbqegc.exeHcgjmo32.exeHfegij32.exeHidcef32.exeHpnkbpdd.exeHcigco32.exeHldlga32.exeHcldhnkk.exedescription pid process target process PID 2204 wrote to memory of 2924 2204 d2a6d0b8446dda0e0e9c059d11ca1266233f10efe842987176bbdf7d4aaafccb.exe Gneijien.exe PID 2204 wrote to memory of 2924 2204 d2a6d0b8446dda0e0e9c059d11ca1266233f10efe842987176bbdf7d4aaafccb.exe Gneijien.exe PID 2204 wrote to memory of 2924 2204 d2a6d0b8446dda0e0e9c059d11ca1266233f10efe842987176bbdf7d4aaafccb.exe Gneijien.exe PID 2204 wrote to memory of 2924 2204 d2a6d0b8446dda0e0e9c059d11ca1266233f10efe842987176bbdf7d4aaafccb.exe Gneijien.exe PID 2924 wrote to memory of 304 2924 Gneijien.exe Gepafc32.exe PID 2924 wrote to memory of 304 2924 Gneijien.exe Gepafc32.exe PID 2924 wrote to memory of 304 2924 Gneijien.exe Gepafc32.exe PID 2924 wrote to memory of 304 2924 Gneijien.exe Gepafc32.exe PID 304 wrote to memory of 3004 304 Gepafc32.exe Ggnmbn32.exe PID 304 wrote to memory of 3004 304 Gepafc32.exe Ggnmbn32.exe PID 304 wrote to memory of 3004 304 Gepafc32.exe Ggnmbn32.exe PID 304 wrote to memory of 3004 304 Gepafc32.exe Ggnmbn32.exe PID 3004 wrote to memory of 2740 3004 Ggnmbn32.exe Hjlioj32.exe PID 3004 wrote to memory of 2740 3004 Ggnmbn32.exe Hjlioj32.exe PID 3004 wrote to memory of 2740 3004 Ggnmbn32.exe Hjlioj32.exe PID 3004 wrote to memory of 2740 3004 Ggnmbn32.exe Hjlioj32.exe PID 2740 wrote to memory of 2676 2740 Hjlioj32.exe Hqfaldbo.exe PID 2740 wrote to memory of 2676 2740 Hjlioj32.exe Hqfaldbo.exe PID 2740 wrote to memory of 2676 2740 Hjlioj32.exe Hqfaldbo.exe PID 2740 wrote to memory of 2676 2740 Hjlioj32.exe Hqfaldbo.exe PID 2676 wrote to memory of 2820 2676 Hqfaldbo.exe Hcdnhoac.exe PID 2676 wrote to memory of 2820 2676 Hqfaldbo.exe Hcdnhoac.exe PID 2676 wrote to memory of 2820 2676 Hqfaldbo.exe Hcdnhoac.exe PID 2676 wrote to memory of 2820 2676 Hqfaldbo.exe Hcdnhoac.exe PID 2820 wrote to memory of 2776 2820 Hcdnhoac.exe Hfcjdkpg.exe PID 2820 wrote to memory of 2776 2820 Hcdnhoac.exe Hfcjdkpg.exe PID 2820 wrote to memory of 2776 2820 Hcdnhoac.exe Hfcjdkpg.exe PID 2820 wrote to memory of 2776 2820 Hcdnhoac.exe Hfcjdkpg.exe PID 2776 wrote to memory of 2600 2776 Hfcjdkpg.exe Hmmbqegc.exe PID 2776 wrote to memory of 2600 2776 Hfcjdkpg.exe Hmmbqegc.exe PID 2776 wrote to memory of 2600 2776 Hfcjdkpg.exe Hmmbqegc.exe PID 2776 wrote to memory of 2600 2776 Hfcjdkpg.exe Hmmbqegc.exe PID 2600 wrote to memory of 2316 2600 Hmmbqegc.exe Hcgjmo32.exe PID 2600 wrote to memory of 2316 2600 Hmmbqegc.exe Hcgjmo32.exe PID 2600 wrote to memory of 2316 2600 Hmmbqegc.exe Hcgjmo32.exe PID 2600 wrote to memory of 2316 2600 Hmmbqegc.exe Hcgjmo32.exe PID 2316 wrote to memory of 1448 2316 Hcgjmo32.exe Hfegij32.exe PID 2316 wrote to memory of 1448 2316 Hcgjmo32.exe Hfegij32.exe PID 2316 wrote to memory of 1448 2316 Hcgjmo32.exe Hfegij32.exe PID 2316 wrote to memory of 1448 2316 Hcgjmo32.exe Hfegij32.exe PID 1448 wrote to memory of 1680 1448 Hfegij32.exe Hidcef32.exe PID 1448 wrote to memory of 1680 1448 Hfegij32.exe Hidcef32.exe PID 1448 wrote to memory of 1680 1448 Hfegij32.exe Hidcef32.exe PID 1448 wrote to memory of 1680 1448 Hfegij32.exe Hidcef32.exe PID 1680 wrote to memory of 1864 1680 Hidcef32.exe Hpnkbpdd.exe PID 1680 wrote to memory of 1864 1680 Hidcef32.exe Hpnkbpdd.exe PID 1680 wrote to memory of 1864 1680 Hidcef32.exe Hpnkbpdd.exe PID 1680 wrote to memory of 1864 1680 Hidcef32.exe Hpnkbpdd.exe PID 1864 wrote to memory of 1976 1864 Hpnkbpdd.exe Hcigco32.exe PID 1864 wrote to memory of 1976 1864 Hpnkbpdd.exe Hcigco32.exe PID 1864 wrote to memory of 1976 1864 Hpnkbpdd.exe Hcigco32.exe PID 1864 wrote to memory of 1976 1864 Hpnkbpdd.exe Hcigco32.exe PID 1976 wrote to memory of 668 1976 Hcigco32.exe Hldlga32.exe PID 1976 wrote to memory of 668 1976 Hcigco32.exe Hldlga32.exe PID 1976 wrote to memory of 668 1976 Hcigco32.exe Hldlga32.exe PID 1976 wrote to memory of 668 1976 Hcigco32.exe Hldlga32.exe PID 668 wrote to memory of 1044 668 Hldlga32.exe Hcldhnkk.exe PID 668 wrote to memory of 1044 668 Hldlga32.exe Hcldhnkk.exe PID 668 wrote to memory of 1044 668 Hldlga32.exe Hcldhnkk.exe PID 668 wrote to memory of 1044 668 Hldlga32.exe Hcldhnkk.exe PID 1044 wrote to memory of 2248 1044 Hcldhnkk.exe Hemqpf32.exe PID 1044 wrote to memory of 2248 1044 Hcldhnkk.exe Hemqpf32.exe PID 1044 wrote to memory of 2248 1044 Hcldhnkk.exe Hemqpf32.exe PID 1044 wrote to memory of 2248 1044 Hcldhnkk.exe Hemqpf32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\d2a6d0b8446dda0e0e9c059d11ca1266233f10efe842987176bbdf7d4aaafccb.exe"C:\Users\Admin\AppData\Local\Temp\d2a6d0b8446dda0e0e9c059d11ca1266233f10efe842987176bbdf7d4aaafccb.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\SysWOW64\Gneijien.exeC:\Windows\system32\Gneijien.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\SysWOW64\Gepafc32.exeC:\Windows\system32\Gepafc32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:304 -
C:\Windows\SysWOW64\Ggnmbn32.exeC:\Windows\system32\Ggnmbn32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\SysWOW64\Hjlioj32.exeC:\Windows\system32\Hjlioj32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\Hqfaldbo.exeC:\Windows\system32\Hqfaldbo.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Hcdnhoac.exeC:\Windows\system32\Hcdnhoac.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\Hfcjdkpg.exeC:\Windows\system32\Hfcjdkpg.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\Hmmbqegc.exeC:\Windows\system32\Hmmbqegc.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Hcgjmo32.exeC:\Windows\system32\Hcgjmo32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\SysWOW64\Hfegij32.exeC:\Windows\system32\Hfegij32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1448 -
C:\Windows\SysWOW64\Hidcef32.exeC:\Windows\system32\Hidcef32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Windows\SysWOW64\Hpnkbpdd.exeC:\Windows\system32\Hpnkbpdd.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1864 -
C:\Windows\SysWOW64\Hcigco32.exeC:\Windows\system32\Hcigco32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\SysWOW64\Hldlga32.exeC:\Windows\system32\Hldlga32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:668 -
C:\Windows\SysWOW64\Hcldhnkk.exeC:\Windows\system32\Hcldhnkk.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1044 -
C:\Windows\SysWOW64\Hemqpf32.exeC:\Windows\system32\Hemqpf32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2248 -
C:\Windows\SysWOW64\Hmdhad32.exeC:\Windows\system32\Hmdhad32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1108 -
C:\Windows\SysWOW64\Hpbdmo32.exeC:\Windows\system32\Hpbdmo32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1176 -
C:\Windows\SysWOW64\Hbaaik32.exeC:\Windows\system32\Hbaaik32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1556 -
C:\Windows\SysWOW64\Ieomef32.exeC:\Windows\system32\Ieomef32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1440 -
C:\Windows\SysWOW64\Ihniaa32.exeC:\Windows\system32\Ihniaa32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1964 -
C:\Windows\SysWOW64\Ipeaco32.exeC:\Windows\system32\Ipeaco32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1212 -
C:\Windows\SysWOW64\Ibcnojnp.exeC:\Windows\system32\Ibcnojnp.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2236 -
C:\Windows\SysWOW64\Iimfld32.exeC:\Windows\system32\Iimfld32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2036 -
C:\Windows\SysWOW64\Ihpfgalh.exeC:\Windows\system32\Ihpfgalh.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3036 -
C:\Windows\SysWOW64\Ijnbcmkk.exeC:\Windows\system32\Ijnbcmkk.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:704 -
C:\Windows\SysWOW64\Ihbcmaje.exeC:\Windows\system32\Ihbcmaje.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2672 -
C:\Windows\SysWOW64\Ilnomp32.exeC:\Windows\system32\Ilnomp32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2768 -
C:\Windows\SysWOW64\Inlkik32.exeC:\Windows\system32\Inlkik32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2824 -
C:\Windows\SysWOW64\Iakgefqe.exeC:\Windows\system32\Iakgefqe.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2960 -
C:\Windows\SysWOW64\Ijclol32.exeC:\Windows\system32\Ijclol32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2560 -
C:\Windows\SysWOW64\Ioohokoo.exeC:\Windows\system32\Ioohokoo.exe33⤵
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Ihglhp32.exeC:\Windows\system32\Ihglhp32.exe34⤵
- Executes dropped EXE
PID:2108 -
C:\Windows\SysWOW64\Ifjlcmmj.exeC:\Windows\system32\Ifjlcmmj.exe35⤵
- Executes dropped EXE
PID:2328 -
C:\Windows\SysWOW64\Jaoqqflp.exeC:\Windows\system32\Jaoqqflp.exe36⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Jdnmma32.exeC:\Windows\system32\Jdnmma32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1632 -
C:\Windows\SysWOW64\Jkhejkcq.exeC:\Windows\system32\Jkhejkcq.exe38⤵
- Executes dropped EXE
PID:1880 -
C:\Windows\SysWOW64\Jpdnbbah.exeC:\Windows\system32\Jpdnbbah.exe39⤵
- Executes dropped EXE
PID:1856 -
C:\Windows\SysWOW64\Jbcjnnpl.exeC:\Windows\system32\Jbcjnnpl.exe40⤵
- Executes dropped EXE
PID:1888 -
C:\Windows\SysWOW64\Jeafjiop.exeC:\Windows\system32\Jeafjiop.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2844 -
C:\Windows\SysWOW64\Jimbkh32.exeC:\Windows\system32\Jimbkh32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1728 -
C:\Windows\SysWOW64\Jlkngc32.exeC:\Windows\system32\Jlkngc32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2884 -
C:\Windows\SysWOW64\Jbefcm32.exeC:\Windows\system32\Jbefcm32.exe44⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Jedcpi32.exeC:\Windows\system32\Jedcpi32.exe45⤵
- Executes dropped EXE
PID:1788 -
C:\Windows\SysWOW64\Jhbold32.exeC:\Windows\system32\Jhbold32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2064 -
C:\Windows\SysWOW64\Jpigma32.exeC:\Windows\system32\Jpigma32.exe47⤵
- Executes dropped EXE
PID:280 -
C:\Windows\SysWOW64\Jolghndm.exeC:\Windows\system32\Jolghndm.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Jajcdjca.exeC:\Windows\system32\Jajcdjca.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2012 -
C:\Windows\SysWOW64\Jhdlad32.exeC:\Windows\system32\Jhdlad32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Jlphbbbg.exeC:\Windows\system32\Jlphbbbg.exe51⤵
- Executes dropped EXE
PID:2852 -
C:\Windows\SysWOW64\Jkchmo32.exeC:\Windows\system32\Jkchmo32.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:380 -
C:\Windows\SysWOW64\Jondnnbk.exeC:\Windows\system32\Jondnnbk.exe53⤵
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Jbjpom32.exeC:\Windows\system32\Jbjpom32.exe54⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Jbjpom32.exeC:\Windows\system32\Jbjpom32.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2664 -
C:\Windows\SysWOW64\Jehlkhig.exeC:\Windows\system32\Jehlkhig.exe56⤵
- Executes dropped EXE
PID:1020 -
C:\Windows\SysWOW64\Kdklfe32.exeC:\Windows\system32\Kdklfe32.exe57⤵
- Executes dropped EXE
PID:1416 -
C:\Windows\SysWOW64\Khghgchk.exeC:\Windows\system32\Khghgchk.exe58⤵
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Klbdgb32.exeC:\Windows\system32\Klbdgb32.exe59⤵
- Executes dropped EXE
PID:1532 -
C:\Windows\SysWOW64\Kkeecogo.exeC:\Windows\system32\Kkeecogo.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:572 -
C:\Windows\SysWOW64\Koaqcn32.exeC:\Windows\system32\Koaqcn32.exe61⤵
- Executes dropped EXE
PID:1848 -
C:\Windows\SysWOW64\Kaompi32.exeC:\Windows\system32\Kaompi32.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:1924 -
C:\Windows\SysWOW64\Kekiphge.exeC:\Windows\system32\Kekiphge.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:1512 -
C:\Windows\SysWOW64\Khielcfh.exeC:\Windows\system32\Khielcfh.exe64⤵
- Executes dropped EXE
PID:1192 -
C:\Windows\SysWOW64\Kglehp32.exeC:\Windows\system32\Kglehp32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2384 -
C:\Windows\SysWOW64\Kkgahoel.exeC:\Windows\system32\Kkgahoel.exe66⤵PID:2848
-
C:\Windows\SysWOW64\Kocmim32.exeC:\Windows\system32\Kocmim32.exe67⤵PID:2688
-
C:\Windows\SysWOW64\Knfndjdp.exeC:\Windows\system32\Knfndjdp.exe68⤵PID:596
-
C:\Windows\SysWOW64\Kaajei32.exeC:\Windows\system32\Kaajei32.exe69⤵PID:2860
-
C:\Windows\SysWOW64\Kpdjaecc.exeC:\Windows\system32\Kpdjaecc.exe70⤵
- Drops file in System32 directory
PID:2816 -
C:\Windows\SysWOW64\Kdpfadlm.exeC:\Windows\system32\Kdpfadlm.exe71⤵
- System Location Discovery: System Language Discovery
PID:1780 -
C:\Windows\SysWOW64\Khkbbc32.exeC:\Windows\system32\Khkbbc32.exe72⤵PID:2312
-
C:\Windows\SysWOW64\Kgnbnpkp.exeC:\Windows\system32\Kgnbnpkp.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1148 -
C:\Windows\SysWOW64\Kjmnjkjd.exeC:\Windows\system32\Kjmnjkjd.exe74⤵
- Drops file in System32 directory
PID:2008 -
C:\Windows\SysWOW64\Knhjjj32.exeC:\Windows\system32\Knhjjj32.exe75⤵
- Modifies registry class
PID:1968 -
C:\Windows\SysWOW64\Knhjjj32.exeC:\Windows\system32\Knhjjj32.exe76⤵
- Drops file in System32 directory
PID:1936 -
C:\Windows\SysWOW64\Kadfkhkf.exeC:\Windows\system32\Kadfkhkf.exe77⤵PID:1196
-
C:\Windows\SysWOW64\Kpgffe32.exeC:\Windows\system32\Kpgffe32.exe78⤵
- Drops file in System32 directory
- Modifies registry class
PID:604 -
C:\Windows\SysWOW64\Kdbbgdjj.exeC:\Windows\system32\Kdbbgdjj.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:832 -
C:\Windows\SysWOW64\Kcecbq32.exeC:\Windows\system32\Kcecbq32.exe80⤵PID:1644
-
C:\Windows\SysWOW64\Kgqocoin.exeC:\Windows\system32\Kgqocoin.exe81⤵PID:1716
-
C:\Windows\SysWOW64\Kklkcn32.exeC:\Windows\system32\Kklkcn32.exe82⤵
- Modifies registry class
PID:820 -
C:\Windows\SysWOW64\Kjokokha.exeC:\Windows\system32\Kjokokha.exe83⤵PID:2624
-
C:\Windows\SysWOW64\Knkgpi32.exeC:\Windows\system32\Knkgpi32.exe84⤵
- System Location Discovery: System Language Discovery
PID:964 -
C:\Windows\SysWOW64\Klngkfge.exeC:\Windows\system32\Klngkfge.exe85⤵PID:2240
-
C:\Windows\SysWOW64\Kpicle32.exeC:\Windows\system32\Kpicle32.exe86⤵PID:2340
-
C:\Windows\SysWOW64\Kddomchg.exeC:\Windows\system32\Kddomchg.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2308 -
C:\Windows\SysWOW64\Kcgphp32.exeC:\Windows\system32\Kcgphp32.exe88⤵PID:1264
-
C:\Windows\SysWOW64\Kgclio32.exeC:\Windows\system32\Kgclio32.exe89⤵
- Modifies registry class
PID:2532 -
C:\Windows\SysWOW64\Kjahej32.exeC:\Windows\system32\Kjahej32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2400 -
C:\Windows\SysWOW64\Knmdeioh.exeC:\Windows\system32\Knmdeioh.exe91⤵
- Drops file in System32 directory
- Modifies registry class
PID:1288 -
C:\Windows\SysWOW64\Kpkpadnl.exeC:\Windows\system32\Kpkpadnl.exe92⤵PID:1684
-
C:\Windows\SysWOW64\Lonpma32.exeC:\Windows\system32\Lonpma32.exe93⤵PID:2504
-
C:\Windows\SysWOW64\Lcjlnpmo.exeC:\Windows\system32\Lcjlnpmo.exe94⤵
- Modifies registry class
PID:1980 -
C:\Windows\SysWOW64\Lfhhjklc.exeC:\Windows\system32\Lfhhjklc.exe95⤵PID:1572
-
C:\Windows\SysWOW64\Ljddjj32.exeC:\Windows\system32\Ljddjj32.exe96⤵
- Drops file in System32 directory
PID:2580 -
C:\Windows\SysWOW64\Lhfefgkg.exeC:\Windows\system32\Lhfefgkg.exe97⤵PID:2568
-
C:\Windows\SysWOW64\Llbqfe32.exeC:\Windows\system32\Llbqfe32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1636 -
C:\Windows\SysWOW64\Loqmba32.exeC:\Windows\system32\Loqmba32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2704 -
C:\Windows\SysWOW64\Lclicpkm.exeC:\Windows\system32\Lclicpkm.exe100⤵
- Modifies registry class
PID:1744 -
C:\Windows\SysWOW64\Lboiol32.exeC:\Windows\system32\Lboiol32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2792 -
C:\Windows\SysWOW64\Ljfapjbi.exeC:\Windows\system32\Ljfapjbi.exe102⤵
- Drops file in System32 directory
- Modifies registry class
PID:2260 -
C:\Windows\SysWOW64\Lhiakf32.exeC:\Windows\system32\Lhiakf32.exe103⤵
- Modifies registry class
PID:1408 -
C:\Windows\SysWOW64\Lldmleam.exeC:\Windows\system32\Lldmleam.exe104⤵PID:2356
-
C:\Windows\SysWOW64\Lkgngb32.exeC:\Windows\system32\Lkgngb32.exe105⤵
- Drops file in System32 directory
PID:2984 -
C:\Windows\SysWOW64\Lcofio32.exeC:\Windows\system32\Lcofio32.exe106⤵PID:2936
-
C:\Windows\SysWOW64\Lbafdlod.exeC:\Windows\system32\Lbafdlod.exe107⤵
- Drops file in System32 directory
PID:2752 -
C:\Windows\SysWOW64\Lfmbek32.exeC:\Windows\system32\Lfmbek32.exe108⤵
- Drops file in System32 directory
PID:2548 -
C:\Windows\SysWOW64\Lhknaf32.exeC:\Windows\system32\Lhknaf32.exe109⤵
- Modifies registry class
PID:2856 -
C:\Windows\SysWOW64\Llgjaeoj.exeC:\Windows\system32\Llgjaeoj.exe110⤵
- System Location Discovery: System Language Discovery
PID:2032 -
C:\Windows\SysWOW64\Loefnpnn.exeC:\Windows\system32\Loefnpnn.exe111⤵PID:1884
-
C:\Windows\SysWOW64\Lbcbjlmb.exeC:\Windows\system32\Lbcbjlmb.exe112⤵PID:2556
-
C:\Windows\SysWOW64\Lfoojj32.exeC:\Windows\system32\Lfoojj32.exe113⤵PID:2320
-
C:\Windows\SysWOW64\Lhnkffeo.exeC:\Windows\system32\Lhnkffeo.exe114⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2968 -
C:\Windows\SysWOW64\Lgqkbb32.exeC:\Windows\system32\Lgqkbb32.exe115⤵PID:1128
-
C:\Windows\SysWOW64\Lohccp32.exeC:\Windows\system32\Lohccp32.exe116⤵PID:2764
-
C:\Windows\SysWOW64\Lnjcomcf.exeC:\Windows\system32\Lnjcomcf.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2940 -
C:\Windows\SysWOW64\Lqipkhbj.exeC:\Windows\system32\Lqipkhbj.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:468 -
C:\Windows\SysWOW64\Lhpglecl.exeC:\Windows\system32\Lhpglecl.exe119⤵PID:1420
-
C:\Windows\SysWOW64\Mkndhabp.exeC:\Windows\system32\Mkndhabp.exe120⤵
- Modifies registry class
PID:980 -
C:\Windows\SysWOW64\Mjaddn32.exeC:\Windows\system32\Mjaddn32.exe121⤵
- Modifies registry class
PID:1708 -
C:\Windows\SysWOW64\Mnmpdlac.exeC:\Windows\system32\Mnmpdlac.exe122⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2836
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-