Analysis
-
max time kernel
93s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
28-11-2024 15:04
Behavioral task
behavioral1
Sample
7f70f584f4a3f62167dc235f2a6fd5bb762b4fd42c107c55c04b1143c693fb4dN.exe
Resource
win7-20240903-en
windows7-x64
11 signatures
120 seconds
General
-
Target
7f70f584f4a3f62167dc235f2a6fd5bb762b4fd42c107c55c04b1143c693fb4dN.exe
-
Size
93KB
-
MD5
fa3016a30cbcd78e6cc1bce03aea79f0
-
SHA1
97f0e8046a918fc90e1c1cbcc4497590f00dc0b6
-
SHA256
7f70f584f4a3f62167dc235f2a6fd5bb762b4fd42c107c55c04b1143c693fb4d
-
SHA512
733da338150851758d7c725f12ee16600ac8f4394841ecf9043fb30ff25875c4505e421baf8cb5bb691ce655e7d611e42732ea2abefe6138205785665a453033
-
SSDEEP
1536:FhHTlYhy08glD8N+S0iYdLMgMWJerR3z3bK1bXNxDunEcW1DaYfMZRWuLsV+1j:y9DoN+S0iawdic3z3bK1bXNxghWgYfcL
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Bombmcec.exeDcigeooj.exeDpphjp32.exeLmgabcge.exeCkeimm32.exeFbelcblk.exeOaajed32.exeOadfkdgd.exePmlfqh32.exeMcbpjg32.exeOmdppiif.exeBkibgh32.exeLbgalmej.exeNlfelogp.exeAogiap32.exeCdmfllhn.exeBbdhiojo.exeDfoiaj32.exeIbobdqid.exeKnqepc32.exeLomqcjie.exeDhhfedil.exeGaamlecg.exeCnindhpg.exePpjbmc32.exeFpjjac32.exeMcqjon32.exeLicfngjd.exeHmdlmg32.exeNcnofeof.exeDfoplpla.exeDjklmo32.exeJllokajf.exeKomhll32.exeCdimqm32.exePchlpfjb.exeGimqajgh.exeEpikpo32.exeGjfnedho.exeKkjeomld.exeMkmkkjko.exeNnfgcd32.exePddhbipj.exeFknbil32.exeAjbmdn32.exeEifaim32.exeBknlbhhe.exeBacjdbch.exeDpiplm32.exeAoabad32.exeNcqlkemc.exeEmphocjj.exeGgahedjn.exeMmbanbmg.exePlkpcfal.exeBkobmnka.exeIinjhh32.exeBkoigdom.exeCjjlkk32.exeMgphpe32.exeOmbcji32.exeDpbdopck.exeBpkdjofm.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bombmcec.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcigeooj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpphjp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmgabcge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckeimm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbelcblk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oaajed32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oadfkdgd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmlfqh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcbpjg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omdppiif.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkibgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbgalmej.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlfelogp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aogiap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdmfllhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbdhiojo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfoiaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibobdqid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knqepc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lomqcjie.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhhfedil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gaamlecg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnindhpg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knqepc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppjbmc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpjjac32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcqjon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Licfngjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmdlmg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncnofeof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfoplpla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djklmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jllokajf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Komhll32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdimqm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pchlpfjb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gimqajgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epikpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjfnedho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkjeomld.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkmkkjko.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnfgcd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pddhbipj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fknbil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajbmdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eifaim32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bknlbhhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bacjdbch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpiplm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aoabad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncqlkemc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emphocjj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggahedjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmbanbmg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plkpcfal.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkobmnka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iinjhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkoigdom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjjlkk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgphpe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ombcji32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpbdopck.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpkdjofm.exe -
Berbew family
-
Njrat family
-
Executes dropped EXE 64 IoCs
Processes:
Cmipblaq.exeCgndoeag.exeCippgm32.exeCgqqdeod.exeCmniml32.exeCcgajfeh.exeCidjbmcp.exeDpnbog32.exeDjdflp32.exeDpqodfij.exeDhhfedil.exeDmdonkgc.exeDapkni32.exeDikpbl32.exeDabhdinj.exeDfoplpla.exeDjklmo32.exeDhomfc32.exeEpjajeqo.exeEjpfhnpe.exeEplnpeol.exeEhcfaboo.exeEmpoiimf.exeEhfcfb32.exeEigonjcj.exeEpagkd32.exeEfkphnbd.exeEjflhm32.exeEpcdqd32.exeEhjlaaig.exeFmgejhgn.exeFacqkg32.exeFineoi32.exeFaenpf32.exeFknbil32.exeFpjjac32.exeFhabbp32.exeFpmggb32.exeFggocmhf.exeFielph32.exeGigheh32.exeGaopfe32.exeGkgeoklj.exeGaamlecg.exeGhkeio32.exeGpfjma32.exeGklnjj32.exeGddbcp32.exeGahcmd32.exeHhbkinel.exeHajpbckl.exeHdilnojp.exeHkbdki32.exeHammhcij.exeHhfedm32.exeHgiepjga.exeHncmmd32.exeHpdfnolo.exeHjlkge32.exeHacbhb32.exeIhnkel32.exeIgqkqiai.exeIjogmdqm.exeIddljmpc.exepid Process 2480 Cmipblaq.exe 2028 Cgndoeag.exe 644 Cippgm32.exe 3456 Cgqqdeod.exe 4780 Cmniml32.exe 2696 Ccgajfeh.exe 2432 Cidjbmcp.exe 2492 Dpnbog32.exe 3060 Djdflp32.exe 2188 Dpqodfij.exe 3824 Dhhfedil.exe 2948 Dmdonkgc.exe 1172 Dapkni32.exe 3948 Dikpbl32.exe 1220 Dabhdinj.exe 3328 Dfoplpla.exe 4412 Djklmo32.exe 4540 Dhomfc32.exe 2476 Epjajeqo.exe 2840 Ejpfhnpe.exe 812 Eplnpeol.exe 4616 Ehcfaboo.exe 536 Empoiimf.exe 3800 Ehfcfb32.exe 5116 Eigonjcj.exe 3024 Epagkd32.exe 1720 Efkphnbd.exe 2916 Ejflhm32.exe 2004 Epcdqd32.exe 1592 Ehjlaaig.exe 2744 Fmgejhgn.exe 3696 Facqkg32.exe 3368 Fineoi32.exe 1476 Faenpf32.exe 2988 Fknbil32.exe 4772 Fpjjac32.exe 3124 Fhabbp32.exe 1792 Fpmggb32.exe 1716 Fggocmhf.exe 3772 Fielph32.exe 4724 Gigheh32.exe 4220 Gaopfe32.exe 672 Gkgeoklj.exe 1860 Gaamlecg.exe 4556 Ghkeio32.exe 4344 Gpfjma32.exe 2912 Gklnjj32.exe 3956 Gddbcp32.exe 1208 Gahcmd32.exe 5092 Hhbkinel.exe 3580 Hajpbckl.exe 720 Hdilnojp.exe 2572 Hkbdki32.exe 2564 Hammhcij.exe 1484 Hhfedm32.exe 4296 Hgiepjga.exe 4424 Hncmmd32.exe 3016 Hpdfnolo.exe 1080 Hjlkge32.exe 1620 Hacbhb32.exe 2440 Ihnkel32.exe 2104 Igqkqiai.exe 3660 Ijogmdqm.exe 2904 Iddljmpc.exe -
Drops file in System32 directory 64 IoCs
Processes:
Cbeapmll.exeEidlnd32.exeLomqcjie.exeBfbaonae.exeEigonjcj.exeDmdonkgc.exeFpbflg32.exeOmbcji32.exeCncnob32.exeIjegcm32.exeHcpojd32.exeMkhapk32.exeGlgcbf32.exeIikmbh32.exePpjbmc32.exeChkobkod.exeQadoba32.exeCpbjkn32.exePibdmp32.exeJjafok32.exeLjobpiql.exeLkeekk32.exeChlflabp.exeKjlopc32.exeDfoplpla.exeIjogmdqm.exeDbcmakpl.exeJkimho32.exeJcgnbaeo.exeLqkgbcff.exeBemqih32.exeCklhcfle.exeHdilnojp.exeOampjeml.exeFfmfchle.exeCammjakm.exeNacmdf32.exeEmjgim32.exeKgdpni32.exeBkphhgfc.exeCdnmfclj.exePefabkej.exeGlipgf32.exeKglmio32.exeEokqkh32.exeGjfnedho.exeLckiihok.exeEjchhgid.exePlndcl32.exePlbfdekd.exeInmpcc32.exeIpjoja32.exeAojefobm.exeKncaec32.exePdhbmh32.exeQfkqjmdg.exeCippgm32.exeFlinkojm.exeIpoopgnf.exeCocacl32.exeBjpjel32.exeLajagj32.exeDimenegi.exedescription ioc Process File opened for modification C:\Windows\SysWOW64\Ccdnjp32.exe Cbeapmll.exe File opened for modification C:\Windows\SysWOW64\Emphocjj.exe Eidlnd32.exe File opened for modification C:\Windows\SysWOW64\Lfgipd32.exe Lomqcjie.exe File created C:\Windows\SysWOW64\Epmfkk32.dll Bfbaonae.exe File opened for modification C:\Windows\SysWOW64\Epagkd32.exe Eigonjcj.exe File created C:\Windows\SysWOW64\Dmdnjdgj.dll Dmdonkgc.exe File opened for modification C:\Windows\SysWOW64\Fflohaij.exe Fpbflg32.exe File created C:\Windows\SysWOW64\Opqofe32.exe Ombcji32.exe File opened for modification C:\Windows\SysWOW64\Cpbjkn32.exe Cncnob32.exe File opened for modification C:\Windows\SysWOW64\Ipoopgnf.exe Ijegcm32.exe File created C:\Windows\SysWOW64\Occgpjdk.dll Hcpojd32.exe File opened for modification C:\Windows\SysWOW64\Mnfnlf32.exe Mkhapk32.exe File created C:\Windows\SysWOW64\Geohklaa.exe Glgcbf32.exe File opened for modification C:\Windows\SysWOW64\Iohejo32.exe Iikmbh32.exe File created C:\Windows\SysWOW64\Pfdjinjo.exe Ppjbmc32.exe File created C:\Windows\SysWOW64\Aamebb32.dll Chkobkod.exe File created C:\Windows\SysWOW64\Qikgco32.exe Qadoba32.exe File created C:\Windows\SysWOW64\Mgnddp32.dll Cpbjkn32.exe File created C:\Windows\SysWOW64\Ilkibdpe.dll Pibdmp32.exe File created C:\Windows\SysWOW64\Jdfjld32.exe Jjafok32.exe File created C:\Windows\SysWOW64\Lmmolepp.exe Ljobpiql.exe File created C:\Windows\SysWOW64\Joicekop.dll Lkeekk32.exe File opened for modification C:\Windows\SysWOW64\Cnindhpg.exe Chlflabp.exe File created C:\Windows\SysWOW64\Jkjpda32.dll Kjlopc32.exe File created C:\Windows\SysWOW64\Bjbalpnl.dll Dfoplpla.exe File opened for modification C:\Windows\SysWOW64\Iddljmpc.exe Ijogmdqm.exe File opened for modification C:\Windows\SysWOW64\Dfoiaj32.exe Dbcmakpl.exe File created C:\Windows\SysWOW64\Lccahg32.dll Jkimho32.exe File created C:\Windows\SysWOW64\Jjafok32.exe Jcgnbaeo.exe File opened for modification C:\Windows\SysWOW64\Lgepom32.exe Lqkgbcff.exe File created C:\Windows\SysWOW64\Dnjfibml.dll Bemqih32.exe File created C:\Windows\SysWOW64\Dpiplm32.exe Cklhcfle.exe File opened for modification C:\Windows\SysWOW64\Hkbdki32.exe Hdilnojp.exe File opened for modification C:\Windows\SysWOW64\Olbdhn32.exe Oampjeml.exe File opened for modification C:\Windows\SysWOW64\Flinkojm.exe Ffmfchle.exe File opened for modification C:\Windows\SysWOW64\Cdkifmjq.exe Cammjakm.exe File created C:\Windows\SysWOW64\Clnedaem.dll Nacmdf32.exe File opened for modification C:\Windows\SysWOW64\Eeelnp32.exe Emjgim32.exe File created C:\Windows\SysWOW64\Klahfp32.exe Kgdpni32.exe File opened for modification C:\Windows\SysWOW64\Bnoddcef.exe Bkphhgfc.exe File created C:\Windows\SysWOW64\Cghane32.dll Cdnmfclj.exe File created C:\Windows\SysWOW64\Cqichhmn.dll Pefabkej.exe File created C:\Windows\SysWOW64\Ghcjeh32.dll Emjgim32.exe File opened for modification C:\Windows\SysWOW64\Gbchdp32.exe Glipgf32.exe File opened for modification C:\Windows\SysWOW64\Kmieae32.exe Kglmio32.exe File opened for modification C:\Windows\SysWOW64\Emoadlfo.exe Eokqkh32.exe File created C:\Windows\SysWOW64\Gmdjapgb.exe Gjfnedho.exe File created C:\Windows\SysWOW64\Ngidlo32.dll Lckiihok.exe File opened for modification C:\Windows\SysWOW64\Eleepoob.exe Ejchhgid.exe File created C:\Windows\SysWOW64\Hejkiial.dll Plndcl32.exe File created C:\Windows\SysWOW64\Hffpdd32.dll Plbfdekd.exe File opened for modification C:\Windows\SysWOW64\Iqklon32.exe Inmpcc32.exe File opened for modification C:\Windows\SysWOW64\Igdgglfl.exe Ipjoja32.exe File created C:\Windows\SysWOW64\Hkpnbd32.dll Aojefobm.exe File created C:\Windows\SysWOW64\Bppgif32.dll Kncaec32.exe File opened for modification C:\Windows\SysWOW64\Ponfka32.exe Pdhbmh32.exe File created C:\Windows\SysWOW64\Qmeigg32.exe Qfkqjmdg.exe File created C:\Windows\SysWOW64\Cgqqdeod.exe Cippgm32.exe File created C:\Windows\SysWOW64\Fdqfll32.exe Flinkojm.exe File created C:\Windows\SysWOW64\Icnklbmj.exe Ipoopgnf.exe File created C:\Windows\SysWOW64\Cfnjpfcl.exe Cocacl32.exe File opened for modification C:\Windows\SysWOW64\Bmofagfp.exe Bjpjel32.exe File opened for modification C:\Windows\SysWOW64\Liqihglg.exe Lajagj32.exe File opened for modification C:\Windows\SysWOW64\Dlkbjqgm.exe Dimenegi.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target Process procid_target 2160 14192 WerFault.exe 720 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Ejpfhnpe.exeIinjhh32.exeAoioli32.exeDkndie32.exeGlgcbf32.exeCggimh32.exeLjbfpo32.exePocfpf32.exeIpoopgnf.exeAlkijdci.exeBlhpqhlh.exeDmdhcddh.exeLmmolepp.exeQachgk32.exeAafemk32.exeGklnjj32.exeKelkaj32.exeOampjeml.exeIgpdfb32.exeDdgplado.exeEifaim32.exeMfqlfb32.exeOjfcdnjc.exePlndcl32.exeHckeoeno.exeLkeekk32.exeQdphngfl.exeKdmqmc32.exeFelbnn32.exeJgkmgk32.exeNcchae32.exeBckkca32.exeDifpmfna.exeOaifpi32.exeBdojjo32.exeBpkdjofm.exeHhfedm32.exeAjdjin32.exeEjchhgid.exeEkodjiol.exeHcpojd32.exeAkepfpcl.exeAaenbd32.exeMhafeb32.exeDpbdopck.exeEbommi32.exeFdqfll32.exeEkkkoj32.exeHoobdp32.exeKpcjgnhb.exeCpdgqmnb.exeEbejfk32.exeOeokal32.exeBkaobnio.exeCnahdi32.exeInomhbeq.exeCfipef32.exeNqpcjj32.exeElpkep32.exeMgclpkac.exeJghpbk32.exeLoighj32.exeGigheh32.exeHajpbckl.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejpfhnpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iinjhh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoioli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkndie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glgcbf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cggimh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljbfpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pocfpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipoopgnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alkijdci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blhpqhlh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmdhcddh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmmolepp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qachgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aafemk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gklnjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kelkaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oampjeml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igpdfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddgplado.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eifaim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfqlfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojfcdnjc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plndcl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hckeoeno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkeekk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdphngfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdmqmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Felbnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgkmgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncchae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bckkca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Difpmfna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaifpi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdojjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpkdjofm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhfedm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajdjin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejchhgid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekodjiol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcpojd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akepfpcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaenbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhafeb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpbdopck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebommi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdqfll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekkkoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoobdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpcjgnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpdgqmnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebejfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oeokal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkaobnio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnahdi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inomhbeq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfipef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqpcjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elpkep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgclpkac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jghpbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Loighj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gigheh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hajpbckl.exe -
Modifies registry class 64 IoCs
Processes:
Ebhglj32.exeLnmkfh32.exeAoabad32.exeJlhljhbg.exeCjjlkk32.exeAdkgje32.exeIpjoja32.exeDabhdinj.exeOlbdhn32.exeKnqepc32.exeMfeeabda.exeLnadagbm.exeAogiap32.exeBnhenj32.exeLncjlq32.exeAanbhp32.exeDpphjp32.exeChdialdl.exeFbjmhh32.exeLkeekk32.exeHoobdp32.exeBgkiaj32.exeFineoi32.exeNjpdnedf.exeLnoaaaad.exeIpflihfq.exeKcpjnjii.exePnfiplog.exeOanfen32.exeMmhgmmbf.exeOcaebc32.exeHjlkge32.exeAjdjin32.exeJgkmgk32.exePdhbmh32.exeMicoed32.exeNacmdf32.exeFdqfll32.exeCnaaib32.exeCmniml32.exeJnmijq32.exeIdieem32.exeIggaah32.exeGgahedjn.exeEkodjiol.exeKfnfjehl.exeDikpbl32.exeGbdoof32.exeAojefobm.exeDjdflp32.exeDlkbjqgm.exeNjmhhefi.exeJcdjbk32.exeJncoikmp.exeOeokal32.exeCdkifmjq.exeCgndoeag.exeKecabifp.exeCacckp32.exeJdmgfedl.exeCocacl32.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebhglj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lnmkfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aoabad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inngdb32.dll" Jlhljhbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngqpijkf.dll" Cjjlkk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adkgje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipjoja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laniklje.dll" Dabhdinj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olbdhn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knqepc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leilnmkp.dll" Mfeeabda.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lnadagbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Danihi32.dll" Aogiap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jomnmjjb.dll" Bnhenj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lncjlq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aanbhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpphjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlobem32.dll" Chdialdl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbjmhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkeekk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aijqqd32.dll" Hoobdp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgkiaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fineoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfbiemdb.dll" Njpdnedf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lnoaaaad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkbado32.dll" Ipflihfq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kcpjnjii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eopjfnlo.dll" Pnfiplog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oanfen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmpjlk32.dll" Mmhgmmbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ocaebc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hjlkge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajdjin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnhenj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgkmgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbnffffp.dll" Oanfen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdhbmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mieced32.dll" Micoed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nacmdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbjnik32.dll" Fdqfll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnaaib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cmniml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jnmijq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Idieem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbkank32.dll" Iggaah32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ggahedjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfbdfl32.dll" Ekodjiol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Almoijfo.dll" Kfnfjehl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dikpbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcgpgh32.dll" Fineoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbdoof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkpnbd32.dll" Aojefobm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djdflp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dlkbjqgm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njmhhefi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jcdjbk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jncoikmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klbbcjfp.dll" Oeokal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlkidpke.dll" Cdkifmjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgndoeag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kecabifp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cacckp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jdmgfedl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cocacl32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
7f70f584f4a3f62167dc235f2a6fd5bb762b4fd42c107c55c04b1143c693fb4dN.exeCmipblaq.exeCgndoeag.exeCippgm32.exeCgqqdeod.exeCmniml32.exeCcgajfeh.exeCidjbmcp.exeDpnbog32.exeDjdflp32.exeDpqodfij.exeDhhfedil.exeDmdonkgc.exeDapkni32.exeDikpbl32.exeDabhdinj.exeDfoplpla.exeDjklmo32.exeDhomfc32.exeEpjajeqo.exeEjpfhnpe.exeEplnpeol.exedescription pid Process procid_target PID 1360 wrote to memory of 2480 1360 7f70f584f4a3f62167dc235f2a6fd5bb762b4fd42c107c55c04b1143c693fb4dN.exe 83 PID 1360 wrote to memory of 2480 1360 7f70f584f4a3f62167dc235f2a6fd5bb762b4fd42c107c55c04b1143c693fb4dN.exe 83 PID 1360 wrote to memory of 2480 1360 7f70f584f4a3f62167dc235f2a6fd5bb762b4fd42c107c55c04b1143c693fb4dN.exe 83 PID 2480 wrote to memory of 2028 2480 Cmipblaq.exe 84 PID 2480 wrote to memory of 2028 2480 Cmipblaq.exe 84 PID 2480 wrote to memory of 2028 2480 Cmipblaq.exe 84 PID 2028 wrote to memory of 644 2028 Cgndoeag.exe 85 PID 2028 wrote to memory of 644 2028 Cgndoeag.exe 85 PID 2028 wrote to memory of 644 2028 Cgndoeag.exe 85 PID 644 wrote to memory of 3456 644 Cippgm32.exe 86 PID 644 wrote to memory of 3456 644 Cippgm32.exe 86 PID 644 wrote to memory of 3456 644 Cippgm32.exe 86 PID 3456 wrote to memory of 4780 3456 Cgqqdeod.exe 87 PID 3456 wrote to memory of 4780 3456 Cgqqdeod.exe 87 PID 3456 wrote to memory of 4780 3456 Cgqqdeod.exe 87 PID 4780 wrote to memory of 2696 4780 Cmniml32.exe 88 PID 4780 wrote to memory of 2696 4780 Cmniml32.exe 88 PID 4780 wrote to memory of 2696 4780 Cmniml32.exe 88 PID 2696 wrote to memory of 2432 2696 Ccgajfeh.exe 89 PID 2696 wrote to memory of 2432 2696 Ccgajfeh.exe 89 PID 2696 wrote to memory of 2432 2696 Ccgajfeh.exe 89 PID 2432 wrote to memory of 2492 2432 Cidjbmcp.exe 90 PID 2432 wrote to memory of 2492 2432 Cidjbmcp.exe 90 PID 2432 wrote to memory of 2492 2432 Cidjbmcp.exe 90 PID 2492 wrote to memory of 3060 2492 Dpnbog32.exe 91 PID 2492 wrote to memory of 3060 2492 Dpnbog32.exe 91 PID 2492 wrote to memory of 3060 2492 Dpnbog32.exe 91 PID 3060 wrote to memory of 2188 3060 Djdflp32.exe 92 PID 3060 wrote to memory of 2188 3060 Djdflp32.exe 92 PID 3060 wrote to memory of 2188 3060 Djdflp32.exe 92 PID 2188 wrote to memory of 3824 2188 Dpqodfij.exe 93 PID 2188 wrote to memory of 3824 2188 Dpqodfij.exe 93 PID 2188 wrote to memory of 3824 2188 Dpqodfij.exe 93 PID 3824 wrote to memory of 2948 3824 Dhhfedil.exe 94 PID 3824 wrote to memory of 2948 3824 Dhhfedil.exe 94 PID 3824 wrote to memory of 2948 3824 Dhhfedil.exe 94 PID 2948 wrote to memory of 1172 2948 Dmdonkgc.exe 95 PID 2948 wrote to memory of 1172 2948 Dmdonkgc.exe 95 PID 2948 wrote to memory of 1172 2948 Dmdonkgc.exe 95 PID 1172 wrote to memory of 3948 1172 Dapkni32.exe 96 PID 1172 wrote to memory of 3948 1172 Dapkni32.exe 96 PID 1172 wrote to memory of 3948 1172 Dapkni32.exe 96 PID 3948 wrote to memory of 1220 3948 Dikpbl32.exe 97 PID 3948 wrote to memory of 1220 3948 Dikpbl32.exe 97 PID 3948 wrote to memory of 1220 3948 Dikpbl32.exe 97 PID 1220 wrote to memory of 3328 1220 Dabhdinj.exe 98 PID 1220 wrote to memory of 3328 1220 Dabhdinj.exe 98 PID 1220 wrote to memory of 3328 1220 Dabhdinj.exe 98 PID 3328 wrote to memory of 4412 3328 Dfoplpla.exe 99 PID 3328 wrote to memory of 4412 3328 Dfoplpla.exe 99 PID 3328 wrote to memory of 4412 3328 Dfoplpla.exe 99 PID 4412 wrote to memory of 4540 4412 Djklmo32.exe 100 PID 4412 wrote to memory of 4540 4412 Djklmo32.exe 100 PID 4412 wrote to memory of 4540 4412 Djklmo32.exe 100 PID 4540 wrote to memory of 2476 4540 Dhomfc32.exe 101 PID 4540 wrote to memory of 2476 4540 Dhomfc32.exe 101 PID 4540 wrote to memory of 2476 4540 Dhomfc32.exe 101 PID 2476 wrote to memory of 2840 2476 Epjajeqo.exe 102 PID 2476 wrote to memory of 2840 2476 Epjajeqo.exe 102 PID 2476 wrote to memory of 2840 2476 Epjajeqo.exe 102 PID 2840 wrote to memory of 812 2840 Ejpfhnpe.exe 103 PID 2840 wrote to memory of 812 2840 Ejpfhnpe.exe 103 PID 2840 wrote to memory of 812 2840 Ejpfhnpe.exe 103 PID 812 wrote to memory of 4616 812 Eplnpeol.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\7f70f584f4a3f62167dc235f2a6fd5bb762b4fd42c107c55c04b1143c693fb4dN.exe"C:\Users\Admin\AppData\Local\Temp\7f70f584f4a3f62167dc235f2a6fd5bb762b4fd42c107c55c04b1143c693fb4dN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1360 -
C:\Windows\SysWOW64\Cmipblaq.exeC:\Windows\system32\Cmipblaq.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\Cgndoeag.exeC:\Windows\system32\Cgndoeag.exe3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\SysWOW64\Cippgm32.exeC:\Windows\system32\Cippgm32.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:644 -
C:\Windows\SysWOW64\Cgqqdeod.exeC:\Windows\system32\Cgqqdeod.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3456 -
C:\Windows\SysWOW64\Cmniml32.exeC:\Windows\system32\Cmniml32.exe6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4780 -
C:\Windows\SysWOW64\Ccgajfeh.exeC:\Windows\system32\Ccgajfeh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\SysWOW64\Cidjbmcp.exeC:\Windows\system32\Cidjbmcp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\SysWOW64\Dpnbog32.exeC:\Windows\system32\Dpnbog32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\Windows\SysWOW64\Djdflp32.exeC:\Windows\system32\Djdflp32.exe10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Windows\SysWOW64\Dpqodfij.exeC:\Windows\system32\Dpqodfij.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\Dhhfedil.exeC:\Windows\system32\Dhhfedil.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3824 -
C:\Windows\SysWOW64\Dmdonkgc.exeC:\Windows\system32\Dmdonkgc.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\SysWOW64\Dapkni32.exeC:\Windows\system32\Dapkni32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1172 -
C:\Windows\SysWOW64\Dikpbl32.exeC:\Windows\system32\Dikpbl32.exe15⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3948 -
C:\Windows\SysWOW64\Dabhdinj.exeC:\Windows\system32\Dabhdinj.exe16⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1220 -
C:\Windows\SysWOW64\Dfoplpla.exeC:\Windows\system32\Dfoplpla.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3328 -
C:\Windows\SysWOW64\Djklmo32.exeC:\Windows\system32\Djklmo32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4412 -
C:\Windows\SysWOW64\Dhomfc32.exeC:\Windows\system32\Dhomfc32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4540 -
C:\Windows\SysWOW64\Epjajeqo.exeC:\Windows\system32\Epjajeqo.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Windows\SysWOW64\Ejpfhnpe.exeC:\Windows\system32\Ejpfhnpe.exe21⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Eplnpeol.exeC:\Windows\system32\Eplnpeol.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:812 -
C:\Windows\SysWOW64\Ehcfaboo.exeC:\Windows\system32\Ehcfaboo.exe23⤵
- Executes dropped EXE
PID:4616 -
C:\Windows\SysWOW64\Empoiimf.exeC:\Windows\system32\Empoiimf.exe24⤵
- Executes dropped EXE
PID:536 -
C:\Windows\SysWOW64\Ehfcfb32.exeC:\Windows\system32\Ehfcfb32.exe25⤵
- Executes dropped EXE
PID:3800 -
C:\Windows\SysWOW64\Eigonjcj.exeC:\Windows\system32\Eigonjcj.exe26⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5116 -
C:\Windows\SysWOW64\Epagkd32.exeC:\Windows\system32\Epagkd32.exe27⤵
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\Efkphnbd.exeC:\Windows\system32\Efkphnbd.exe28⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Ejflhm32.exeC:\Windows\system32\Ejflhm32.exe29⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Epcdqd32.exeC:\Windows\system32\Epcdqd32.exe30⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Ehjlaaig.exeC:\Windows\system32\Ehjlaaig.exe31⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Fmgejhgn.exeC:\Windows\system32\Fmgejhgn.exe32⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Facqkg32.exeC:\Windows\system32\Facqkg32.exe33⤵
- Executes dropped EXE
PID:3696 -
C:\Windows\SysWOW64\Fineoi32.exeC:\Windows\system32\Fineoi32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:3368 -
C:\Windows\SysWOW64\Faenpf32.exeC:\Windows\system32\Faenpf32.exe35⤵
- Executes dropped EXE
PID:1476 -
C:\Windows\SysWOW64\Fknbil32.exeC:\Windows\system32\Fknbil32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Fpjjac32.exeC:\Windows\system32\Fpjjac32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4772 -
C:\Windows\SysWOW64\Fhabbp32.exeC:\Windows\system32\Fhabbp32.exe38⤵
- Executes dropped EXE
PID:3124 -
C:\Windows\SysWOW64\Fpmggb32.exeC:\Windows\system32\Fpmggb32.exe39⤵
- Executes dropped EXE
PID:1792 -
C:\Windows\SysWOW64\Fggocmhf.exeC:\Windows\system32\Fggocmhf.exe40⤵
- Executes dropped EXE
PID:1716 -
C:\Windows\SysWOW64\Fielph32.exeC:\Windows\system32\Fielph32.exe41⤵
- Executes dropped EXE
PID:3772 -
C:\Windows\SysWOW64\Gigheh32.exeC:\Windows\system32\Gigheh32.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4724 -
C:\Windows\SysWOW64\Gaopfe32.exeC:\Windows\system32\Gaopfe32.exe43⤵
- Executes dropped EXE
PID:4220 -
C:\Windows\SysWOW64\Gkgeoklj.exeC:\Windows\system32\Gkgeoklj.exe44⤵
- Executes dropped EXE
PID:672 -
C:\Windows\SysWOW64\Gaamlecg.exeC:\Windows\system32\Gaamlecg.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Ghkeio32.exeC:\Windows\system32\Ghkeio32.exe46⤵
- Executes dropped EXE
PID:4556 -
C:\Windows\SysWOW64\Gpfjma32.exeC:\Windows\system32\Gpfjma32.exe47⤵
- Executes dropped EXE
PID:4344 -
C:\Windows\SysWOW64\Gklnjj32.exeC:\Windows\system32\Gklnjj32.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2912 -
C:\Windows\SysWOW64\Gddbcp32.exeC:\Windows\system32\Gddbcp32.exe49⤵
- Executes dropped EXE
PID:3956 -
C:\Windows\SysWOW64\Gahcmd32.exeC:\Windows\system32\Gahcmd32.exe50⤵
- Executes dropped EXE
PID:1208 -
C:\Windows\SysWOW64\Hhbkinel.exeC:\Windows\system32\Hhbkinel.exe51⤵
- Executes dropped EXE
PID:5092 -
C:\Windows\SysWOW64\Hajpbckl.exeC:\Windows\system32\Hajpbckl.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3580 -
C:\Windows\SysWOW64\Hdilnojp.exeC:\Windows\system32\Hdilnojp.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:720 -
C:\Windows\SysWOW64\Hkbdki32.exeC:\Windows\system32\Hkbdki32.exe54⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Hammhcij.exeC:\Windows\system32\Hammhcij.exe55⤵
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Hhfedm32.exeC:\Windows\system32\Hhfedm32.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1484 -
C:\Windows\SysWOW64\Hgiepjga.exeC:\Windows\system32\Hgiepjga.exe57⤵
- Executes dropped EXE
PID:4296 -
C:\Windows\SysWOW64\Hncmmd32.exeC:\Windows\system32\Hncmmd32.exe58⤵
- Executes dropped EXE
PID:4424 -
C:\Windows\SysWOW64\Hpdfnolo.exeC:\Windows\system32\Hpdfnolo.exe59⤵
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Hjlkge32.exeC:\Windows\system32\Hjlkge32.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:1080 -
C:\Windows\SysWOW64\Hacbhb32.exeC:\Windows\system32\Hacbhb32.exe61⤵
- Executes dropped EXE
PID:1620 -
C:\Windows\SysWOW64\Ihnkel32.exeC:\Windows\system32\Ihnkel32.exe62⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Igqkqiai.exeC:\Windows\system32\Igqkqiai.exe63⤵
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\Ijogmdqm.exeC:\Windows\system32\Ijogmdqm.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3660 -
C:\Windows\SysWOW64\Iddljmpc.exeC:\Windows\system32\Iddljmpc.exe65⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Inmpcc32.exeC:\Windows\system32\Inmpcc32.exe66⤵
- Drops file in System32 directory
PID:4120 -
C:\Windows\SysWOW64\Iqklon32.exeC:\Windows\system32\Iqklon32.exe67⤵PID:3104
-
C:\Windows\SysWOW64\Inomhbeq.exeC:\Windows\system32\Inomhbeq.exe68⤵
- System Location Discovery: System Language Discovery
PID:1584 -
C:\Windows\SysWOW64\Idieem32.exeC:\Windows\system32\Idieem32.exe69⤵
- Modifies registry class
PID:4816 -
C:\Windows\SysWOW64\Iggaah32.exeC:\Windows\system32\Iggaah32.exe70⤵
- Modifies registry class
PID:2876 -
C:\Windows\SysWOW64\Ibobdqid.exeC:\Windows\system32\Ibobdqid.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3048 -
C:\Windows\SysWOW64\Jjjghcfp.exeC:\Windows\system32\Jjjghcfp.exe72⤵PID:968
-
C:\Windows\SysWOW64\Jkjcbe32.exeC:\Windows\system32\Jkjcbe32.exe73⤵PID:2732
-
C:\Windows\SysWOW64\Jhndljll.exeC:\Windows\system32\Jhndljll.exe74⤵PID:232
-
C:\Windows\SysWOW64\Jhpqaiji.exeC:\Windows\system32\Jhpqaiji.exe75⤵PID:2628
-
C:\Windows\SysWOW64\Jnmijq32.exeC:\Windows\system32\Jnmijq32.exe76⤵
- Modifies registry class
PID:4720 -
C:\Windows\SysWOW64\Jbkbpoog.exeC:\Windows\system32\Jbkbpoog.exe77⤵PID:1940
-
C:\Windows\SysWOW64\Knbbep32.exeC:\Windows\system32\Knbbep32.exe78⤵PID:4248
-
C:\Windows\SysWOW64\Kelkaj32.exeC:\Windows\system32\Kelkaj32.exe79⤵
- System Location Discovery: System Language Discovery
PID:5096 -
C:\Windows\SysWOW64\Kgjgne32.exeC:\Windows\system32\Kgjgne32.exe80⤵PID:4596
-
C:\Windows\SysWOW64\Kndojobi.exeC:\Windows\system32\Kndojobi.exe81⤵PID:1600
-
C:\Windows\SysWOW64\Kqbkfkal.exeC:\Windows\system32\Kqbkfkal.exe82⤵PID:4364
-
C:\Windows\SysWOW64\Kjkpoq32.exeC:\Windows\system32\Kjkpoq32.exe83⤵PID:1724
-
C:\Windows\SysWOW64\Kbbhqn32.exeC:\Windows\system32\Kbbhqn32.exe84⤵PID:4648
-
C:\Windows\SysWOW64\Kgopidgf.exeC:\Windows\system32\Kgopidgf.exe85⤵PID:2632
-
C:\Windows\SysWOW64\Kageaj32.exeC:\Windows\system32\Kageaj32.exe86⤵PID:1348
-
C:\Windows\SysWOW64\Kecabifp.exeC:\Windows\system32\Kecabifp.exe87⤵
- Modifies registry class
PID:5084 -
C:\Windows\SysWOW64\Kgamnded.exeC:\Windows\system32\Kgamnded.exe88⤵PID:5080
-
C:\Windows\SysWOW64\Lbgalmej.exeC:\Windows\system32\Lbgalmej.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4264 -
C:\Windows\SysWOW64\Lajagj32.exeC:\Windows\system32\Lajagj32.exe90⤵
- Drops file in System32 directory
PID:3188 -
C:\Windows\SysWOW64\Liqihglg.exeC:\Windows\system32\Liqihglg.exe91⤵PID:5052
-
C:\Windows\SysWOW64\Lgcjdd32.exeC:\Windows\system32\Lgcjdd32.exe92⤵PID:3920
-
C:\Windows\SysWOW64\Ljbfpo32.exeC:\Windows\system32\Ljbfpo32.exe93⤵
- System Location Discovery: System Language Discovery
PID:3036 -
C:\Windows\SysWOW64\Lnnbqnjn.exeC:\Windows\system32\Lnnbqnjn.exe94⤵PID:4452
-
C:\Windows\SysWOW64\Lalnmiia.exeC:\Windows\system32\Lalnmiia.exe95⤵PID:392
-
C:\Windows\SysWOW64\Licfngjd.exeC:\Windows\system32\Licfngjd.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4408 -
C:\Windows\SysWOW64\Lnpofnhk.exeC:\Windows\system32\Lnpofnhk.exe97⤵PID:3648
-
C:\Windows\SysWOW64\Lieccf32.exeC:\Windows\system32\Lieccf32.exe98⤵PID:2540
-
C:\Windows\SysWOW64\Lldopb32.exeC:\Windows\system32\Lldopb32.exe99⤵PID:2864
-
C:\Windows\SysWOW64\Lelchgne.exeC:\Windows\system32\Lelchgne.exe100⤵PID:3236
-
C:\Windows\SysWOW64\Llflea32.exeC:\Windows\system32\Llflea32.exe101⤵PID:4376
-
C:\Windows\SysWOW64\Leopnglc.exeC:\Windows\system32\Leopnglc.exe102⤵PID:5160
-
C:\Windows\SysWOW64\Milidebi.exeC:\Windows\system32\Milidebi.exe103⤵PID:5208
-
C:\Windows\SysWOW64\Mjneln32.exeC:\Windows\system32\Mjneln32.exe104⤵PID:5252
-
C:\Windows\SysWOW64\Miofjepg.exeC:\Windows\system32\Miofjepg.exe105⤵PID:5296
-
C:\Windows\SysWOW64\Mhafeb32.exeC:\Windows\system32\Mhafeb32.exe106⤵
- System Location Discovery: System Language Discovery
PID:5332 -
C:\Windows\SysWOW64\Majjng32.exeC:\Windows\system32\Majjng32.exe107⤵PID:5384
-
C:\Windows\SysWOW64\Mlpokp32.exeC:\Windows\system32\Mlpokp32.exe108⤵PID:5428
-
C:\Windows\SysWOW64\Mnnkgl32.exeC:\Windows\system32\Mnnkgl32.exe109⤵PID:5460
-
C:\Windows\SysWOW64\Malgcg32.exeC:\Windows\system32\Malgcg32.exe110⤵PID:5512
-
C:\Windows\SysWOW64\Micoed32.exeC:\Windows\system32\Micoed32.exe111⤵
- Modifies registry class
PID:5552 -
C:\Windows\SysWOW64\Mhfppabl.exeC:\Windows\system32\Mhfppabl.exe112⤵PID:5596
-
C:\Windows\SysWOW64\Maodigil.exeC:\Windows\system32\Maodigil.exe113⤵PID:5640
-
C:\Windows\SysWOW64\Mifljdjo.exeC:\Windows\system32\Mifljdjo.exe114⤵PID:5684
-
C:\Windows\SysWOW64\Nbnpcj32.exeC:\Windows\system32\Nbnpcj32.exe115⤵PID:5728
-
C:\Windows\SysWOW64\Nemmoe32.exeC:\Windows\system32\Nemmoe32.exe116⤵PID:5772
-
C:\Windows\SysWOW64\Nlfelogp.exeC:\Windows\system32\Nlfelogp.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5816 -
C:\Windows\SysWOW64\Noeahkfc.exeC:\Windows\system32\Noeahkfc.exe118⤵PID:5860
-
C:\Windows\SysWOW64\Nacmdf32.exeC:\Windows\system32\Nacmdf32.exe119⤵
- Drops file in System32 directory
- Modifies registry class
PID:5904 -
C:\Windows\SysWOW64\Nhmeapmd.exeC:\Windows\system32\Nhmeapmd.exe120⤵PID:5948
-
C:\Windows\SysWOW64\Nognnj32.exeC:\Windows\system32\Nognnj32.exe121⤵PID:5992
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-