Analysis
-
max time kernel
93s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
28-11-2024 17:46
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
527d08d7f876751a2833d898b31d9f551089a733f348618a5896c4470d063227N.exe
Resource
win7-20240903-en
windows7-x64
13 signatures
120 seconds
Behavioral task
behavioral2
Sample
527d08d7f876751a2833d898b31d9f551089a733f348618a5896c4470d063227N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
527d08d7f876751a2833d898b31d9f551089a733f348618a5896c4470d063227N.exe
-
Size
96KB
-
MD5
1b5795b61300705eb5e54fb7418df100
-
SHA1
03bbe91941984d5e2e06c7ac4f10216bd0fef13a
-
SHA256
527d08d7f876751a2833d898b31d9f551089a733f348618a5896c4470d063227
-
SHA512
721c0ee6695c1d5672d43da49ac04d9128d48ffcca268a4ccf74d32a0fc8ac1ff784e7830d82910681d4c478658d0dd2df59c0cf42e4eecc0be425359e0d03cb
-
SSDEEP
1536:uILEaCaI0oCSzYSW5/Ta9QUSuBPC2Lq7RZObZUUWaegPYAi:uILmazSzYSW5baSUSuBXqClUUWae3
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Jejefqaf.exeDfoplpla.exeApeknk32.exePlpqil32.exeBokehc32.exeEmbddb32.exeIggjga32.exeHlpfhe32.exeJllhpkfk.exeMjggal32.exeDkceokii.exeIfdonfka.exeOocddono.exeAmcmpodi.exeBnfihkqm.exeKoodbl32.exeMqhfoebo.exeNimmifgo.exeNcnofeof.exeIqipio32.exeBhkfkmmg.exeCkgohf32.exeNqcejcha.exeOdoogi32.exeBkjiao32.exeLgibpf32.exeLlcghg32.exeJpmlnjco.exeDabhdinj.exeNihipdhl.exeAjdjin32.exeDpgnjo32.exeBddjpd32.exeOphjiaql.exeGfjkjo32.exePplhhm32.exeAgbkmijg.exeCjjcfabm.exeIdieem32.exeNnkpnclp.exeEnkmfolf.exeHifcgion.exeBmhocd32.exeIogopi32.exeOokoaokf.exePmhbqbae.exeMibijk32.exeMehjol32.exePflibgil.exeCljobphg.exeMjlhgaqp.exePpolhcnm.exeGaloohke.exeKbekqdjh.exeGahcmd32.exeFdglmkeg.exeHildmn32.exeOileggkb.exeMaeachag.exeKelalp32.exeGaefgd32.exeCoohhlpe.exeNqbpojnp.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jejefqaf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfoplpla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apeknk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plpqil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bokehc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Embddb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iggjga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlpfhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jllhpkfk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjggal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkceokii.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apeknk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifdonfka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oocddono.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amcmpodi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnfihkqm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Koodbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mqhfoebo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nimmifgo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncnofeof.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iqipio32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhkfkmmg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckgohf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqcejcha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odoogi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkjiao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgibpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llcghg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpmlnjco.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dabhdinj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nihipdhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajdjin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpgnjo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bddjpd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ophjiaql.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfjkjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pplhhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agbkmijg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjjcfabm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idieem32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnkpnclp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enkmfolf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hifcgion.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmhocd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iogopi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ookoaokf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmhbqbae.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mibijk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mehjol32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pflibgil.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cljobphg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjlhgaqp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppolhcnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Galoohke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbekqdjh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gahcmd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdglmkeg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hildmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oileggkb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maeachag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kelalp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaefgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Coohhlpe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqbpojnp.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Hfningai.exeHhlejcpm.exeHgoeep32.exeHofmfmhj.exeHhnbpb32.exeIohjlmeg.exeInkjhi32.exeIhqoeb32.exeIkokan32.exeIokgal32.exeIfdonfka.exeIickkbje.exeIomcgl32.exeIbkpcg32.exeIfgldfio.exeIghhln32.exeIoopml32.exeInbqhhfj.exeIigdfa32.exeIkfabm32.exeIoambknl.exeIfleoe32.exeIijaka32.exeJkhngl32.exeJngjch32.exeJfnbdecg.exeJilnqqbj.exeJkkjmlan.exeJnifigpa.exeJfpojead.exeJecofa32.exeJiokfpph.exeJoiccj32.exeJfbkpd32.exeJeekkafl.exeJgdhgmep.exeJkodhk32.exeJpkphjeb.exeJnnpdg32.exeJfehed32.exeJicdap32.exeJkaqnk32.exeJpmlnjco.exeJblijebc.exeJejefqaf.exeJghabl32.exeKldmckic.exeKnbiofhg.exeKbnepe32.exeKelalp32.exeKihnmohm.exeKpbfii32.exeKbpbed32.exeKflnfcgg.exeKijjbofj.exeKhmknk32.exeKlifnj32.exeKngcje32.exeKbbokdlk.exeKimghn32.exeKhpgckkb.exeKlkcdj32.exeKnippe32.exeKbekqdjh.exepid Process 3860 Hfningai.exe 4600 Hhlejcpm.exe 1376 Hgoeep32.exe 1484 Hofmfmhj.exe 4912 Hhnbpb32.exe 4472 Iohjlmeg.exe 4376 Inkjhi32.exe 2240 Ihqoeb32.exe 2040 Ikokan32.exe 3716 Iokgal32.exe 404 Ifdonfka.exe 896 Iickkbje.exe 1940 Iomcgl32.exe 1752 Ibkpcg32.exe 1760 Ifgldfio.exe 4140 Ighhln32.exe 2300 Ioopml32.exe 3248 Inbqhhfj.exe 3668 Iigdfa32.exe 1192 Ikfabm32.exe 3292 Ioambknl.exe 4952 Ifleoe32.exe 4988 Iijaka32.exe 4572 Jkhngl32.exe 3088 Jngjch32.exe 2460 Jfnbdecg.exe 1676 Jilnqqbj.exe 1016 Jkkjmlan.exe 1564 Jnifigpa.exe 364 Jfpojead.exe 3488 Jecofa32.exe 3256 Jiokfpph.exe 5084 Joiccj32.exe 3856 Jfbkpd32.exe 3924 Jeekkafl.exe 3412 Jgdhgmep.exe 3948 Jkodhk32.exe 5076 Jpkphjeb.exe 376 Jnnpdg32.exe 2452 Jfehed32.exe 3972 Jicdap32.exe 3308 Jkaqnk32.exe 2136 Jpmlnjco.exe 4232 Jblijebc.exe 924 Jejefqaf.exe 624 Jghabl32.exe 852 Kldmckic.exe 2060 Knbiofhg.exe 3332 Kbnepe32.exe 1984 Kelalp32.exe 4956 Kihnmohm.exe 4176 Kpbfii32.exe 4396 Kbpbed32.exe 1952 Kflnfcgg.exe 2488 Kijjbofj.exe 1680 Khmknk32.exe 1056 Klifnj32.exe 5096 Kngcje32.exe 1060 Kbbokdlk.exe 2440 Kimghn32.exe 884 Khpgckkb.exe 2408 Klkcdj32.exe 3664 Knippe32.exe 928 Kbekqdjh.exe -
Drops file in System32 directory 64 IoCs
Processes:
Jiokfpph.exeOjdnid32.exeIpkdek32.exeOndljl32.exeNqcejcha.exeKhmknk32.exeAglnbhal.exeBjbfklei.exeBnhenj32.exeNmkmjjaa.exeLomqcjie.exeLoofnccf.exePcpnhl32.exe527d08d7f876751a2833d898b31d9f551089a733f348618a5896c4470d063227N.exeIigdfa32.exeKlifnj32.exeBjlgdc32.exeNdflak32.exeAfinioip.exeCbbnpg32.exeBpkdjofm.exeKnqepc32.exeEdgbii32.exeJlbejloe.exeDannij32.exeEifhdd32.exeKjmfjj32.exeLekmnajj.exeBkaobnio.exeLegben32.exeHemmac32.exePfillg32.exeBjicdmmd.exeMebcop32.exeGifkpknp.exePalklf32.exeCmfclm32.exeOmegjomb.exeOdoogi32.exePdkoch32.exeLcmodajm.exeJgogbgei.exeJbkbpoog.exeDjelgied.exeLmdnbn32.exeCnaaib32.exeGlgjlm32.exeDgcihgaj.exeDkcndeen.exeKldmckic.exeLbnngbbn.exeQcdbfk32.exeHkbdki32.exePccahbmn.exeNmigoagp.exeFelbnn32.exeLgibpf32.exeIghhln32.exeAojlaeei.exeIknmla32.exeJlhljhbg.exeMgobel32.exedescription ioc Process File created C:\Windows\SysWOW64\Joiccj32.exe Jiokfpph.exe File created C:\Windows\SysWOW64\Bmnogj32.dll Ojdnid32.exe File opened for modification C:\Windows\SysWOW64\Ibjqaf32.exe Ipkdek32.exe File created C:\Windows\SysWOW64\Oabhfg32.exe Ondljl32.exe File created C:\Windows\SysWOW64\Kebkgjkg.dll Nqcejcha.exe File opened for modification C:\Windows\SysWOW64\Binhnomg.exe File created C:\Windows\SysWOW64\Klifnj32.exe Khmknk32.exe File created C:\Windows\SysWOW64\Fcdomhkp.dll Aglnbhal.exe File created C:\Windows\SysWOW64\Nbcpja32.dll Bjbfklei.exe File created C:\Windows\SysWOW64\Bdbnjdfg.exe Bnhenj32.exe File created C:\Windows\SysWOW64\Dgfnagdi.dll Nmkmjjaa.exe File created C:\Windows\SysWOW64\Eanmnefk.dll Lomqcjie.exe File created C:\Windows\SysWOW64\Llcghg32.exe Loofnccf.exe File created C:\Windows\SysWOW64\Pimfpc32.exe Pcpnhl32.exe File created C:\Windows\SysWOW64\Hfningai.exe 527d08d7f876751a2833d898b31d9f551089a733f348618a5896c4470d063227N.exe File created C:\Windows\SysWOW64\Ikfabm32.exe Iigdfa32.exe File opened for modification C:\Windows\SysWOW64\Kngcje32.exe Klifnj32.exe File opened for modification C:\Windows\SysWOW64\Bqfoamfj.exe Bjlgdc32.exe File created C:\Windows\SysWOW64\Nhahaiec.exe Ndflak32.exe File opened for modification C:\Windows\SysWOW64\Cgiohbfi.exe File created C:\Windows\SysWOW64\Faikapbo.dll Afinioip.exe File created C:\Windows\SysWOW64\Heeeiopa.dll Cbbnpg32.exe File opened for modification C:\Windows\SysWOW64\Bkphhgfc.exe Bpkdjofm.exe File created C:\Windows\SysWOW64\Koaagkcb.exe Knqepc32.exe File created C:\Windows\SysWOW64\Gimngjie.dll Edgbii32.exe File created C:\Windows\SysWOW64\Jcoiaikp.dll Jlbejloe.exe File created C:\Windows\SysWOW64\Jhkjmn32.dll Dannij32.exe File created C:\Windows\SysWOW64\Blickdlj.dll Eifhdd32.exe File opened for modification C:\Windows\SysWOW64\Kdbjhbbd.exe Kjmfjj32.exe File created C:\Windows\SysWOW64\Ljhefhha.exe Lekmnajj.exe File created C:\Windows\SysWOW64\Aphblj32.dll Bkaobnio.exe File created C:\Windows\SysWOW64\Lplfcf32.exe Legben32.exe File created C:\Windows\SysWOW64\Ihkjno32.exe Hemmac32.exe File opened for modification C:\Windows\SysWOW64\Phhhhc32.exe Pfillg32.exe File created C:\Windows\SysWOW64\Blhpqhlh.exe Bjicdmmd.exe File created C:\Windows\SysWOW64\Fnipgg32.dll Mebcop32.exe File created C:\Windows\SysWOW64\Pfnmog32.dll Gifkpknp.exe File opened for modification C:\Windows\SysWOW64\Ppolhcnm.exe Palklf32.exe File created C:\Windows\SysWOW64\Cjjcfabm.exe Cmfclm32.exe File created C:\Windows\SysWOW64\Lebcnn32.dll Omegjomb.exe File opened for modification C:\Windows\SysWOW64\Olfghg32.exe Odoogi32.exe File opened for modification C:\Windows\SysWOW64\Plbfdekd.exe Pdkoch32.exe File opened for modification C:\Windows\SysWOW64\Mapppn32.exe Lcmodajm.exe File created C:\Windows\SysWOW64\Jkjcbe32.exe Jgogbgei.exe File opened for modification C:\Windows\SysWOW64\Kdinljnk.exe Jbkbpoog.exe File opened for modification C:\Windows\SysWOW64\Dpbdopck.exe Djelgied.exe File opened for modification C:\Windows\SysWOW64\Lqojclne.exe Lmdnbn32.exe File created C:\Windows\SysWOW64\Lelgfl32.dll Cnaaib32.exe File opened for modification C:\Windows\SysWOW64\Gbabigfj.exe Glgjlm32.exe File created C:\Windows\SysWOW64\Jilpfgkh.dll Dgcihgaj.exe File opened for modification C:\Windows\SysWOW64\Damfao32.exe Dkcndeen.exe File created C:\Windows\SysWOW64\Gdhkdfdh.dll Kldmckic.exe File opened for modification C:\Windows\SysWOW64\Lfjjga32.exe Lbnngbbn.exe File created C:\Windows\SysWOW64\Dccdcfha.dll Qcdbfk32.exe File opened for modification C:\Windows\SysWOW64\Hnaqgd32.exe Hkbdki32.exe File created C:\Windows\SysWOW64\Phonha32.exe Pccahbmn.exe File created C:\Windows\SysWOW64\Jebiel32.dll Nmigoagp.exe File opened for modification C:\Windows\SysWOW64\Flfkkhid.exe Felbnn32.exe File created C:\Windows\SysWOW64\Fboqkn32.dll Lgibpf32.exe File opened for modification C:\Windows\SysWOW64\Ioopml32.exe Ighhln32.exe File created C:\Windows\SysWOW64\Aaiimadl.exe Aojlaeei.exe File created C:\Windows\SysWOW64\Iloidijb.exe Iknmla32.exe File created C:\Windows\SysWOW64\Jkimho32.exe Jlhljhbg.exe File opened for modification C:\Windows\SysWOW64\Mnhkbfme.exe Mgobel32.exe -
Program crash 1 IoCs
Processes:
pid pid_target Process procid_target 7560 8992 1154 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Ajndioga.exeEifhdd32.exeJkgpbp32.exeNceefd32.exeCpmapodj.exeJbojlfdp.exeNfqnbjfi.exeLldfjh32.exeOfegni32.exeOogpjbbb.exeEqiibjlj.exeNabfjpak.exeJcgnbaeo.exeBmhocd32.exeFphnlcdo.exeLjhefhha.exeGehbjm32.exeCggimh32.exeOdoogi32.exeIhgnkkbd.exeGjfnedho.exeJenmcggo.exeDpnbog32.exeFmndpq32.exeLnqeqd32.exeKdbjhbbd.exeAojlaeei.exeJhndljll.exeHpmhdmea.exeKoajmepf.exeAjcdnd32.exePgkelj32.exeGgilil32.exeIqipio32.exeMogcihaj.exeLlgcph32.exeNgmpcn32.exeHnaqgd32.exeOlicnfco.exeLnjgfb32.exeOfckhj32.exeJecofa32.exeAknbkjfh.exeMpapnfhg.exeFpkibf32.exeMoipoh32.exeMmhgmmbf.exeKcndbp32.exeBlielbfi.exeDnmhpg32.exeKlifnj32.exeKolabf32.exeDcnqpo32.exeFjjnifbl.exeGblbca32.exeHehkajig.exePalklf32.exeFecadghc.exeInkjhi32.exeLjqhkckn.exeDabhdinj.exeLgkpdcmi.exeCodhnb32.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajndioga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eifhdd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkgpbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nceefd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpmapodj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbojlfdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfqnbjfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lldfjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofegni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oogpjbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqiibjlj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nabfjpak.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcgnbaeo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmhocd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fphnlcdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljhefhha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gehbjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cggimh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odoogi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihgnkkbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjfnedho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jenmcggo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpnbog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmndpq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnqeqd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdbjhbbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aojlaeei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhndljll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpmhdmea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koajmepf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajcdnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgkelj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggilil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iqipio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mogcihaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llgcph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngmpcn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnaqgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olicnfco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnjgfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofckhj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jecofa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aknbkjfh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpapnfhg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpkibf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Moipoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmhgmmbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcndbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blielbfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnmhpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klifnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kolabf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcnqpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjjnifbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gblbca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hehkajig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Palklf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fecadghc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inkjhi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljqhkckn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dabhdinj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgkpdcmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Codhnb32.exe -
Modifies registry class 64 IoCs
Processes:
Pcobaedj.exeOabhfg32.exeEkajec32.exeIkokan32.exeMoobbb32.exeJqdoem32.exeAbponp32.exeEmphocjj.exeEfjimhnh.exeHlegnjbm.exeDqnjgl32.exeJkhngl32.exeJpmlnjco.exeLpneegel.exeAimogakj.exeGkhkjd32.exeGbeejp32.exeHlepcdoa.exeNbbeml32.exePcpnhl32.exePjbkgfej.exePjjahe32.exeBbdhiojo.exeJgpfbjlo.exeQhhpop32.exeAglnbhal.exeDfoplpla.exeKkjeomld.exeKqphfe32.exePdmkhgho.exeQdphngfl.exeCkjknfnh.exeMfenglqf.exePedbahod.exeHjhalefe.exeEifhdd32.exeOokoaokf.exePlbfdekd.exeGpolbo32.exePmhbqbae.exeFmikeaap.exeManmoq32.exeBddjpd32.exeNpchgdcd.exePgihfj32.exeCihclh32.exeMaeachag.exeIlccoh32.exeMgobel32.exeIoambknl.exeKngcje32.exeLjclki32.exeKpiqfima.exeBifmqo32.exeIhphkl32.exeFffhifdk.exeLmpkadnm.exeLjhefhha.exeJejefqaf.exeLeadnm32.exePpopjp32.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pcobaedj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oabhfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgcpfdbd.dll" Ekajec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ikokan32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Moobbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgnnnnod.dll" Jqdoem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqpakfgb.dll" Abponp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfmioc32.dll" Emphocjj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efjimhnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hlegnjbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndjaei32.dll" Dqnjgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkhngl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jpmlnjco.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpneegel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aimogakj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adnipccc.dll" Gkhkjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iophfi32.dll" Gbeejp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hlepcdoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klndfknp.dll" Nbbeml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pcpnhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deohpe32.dll" Pjbkgfej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abgiapmj.dll" Pjjahe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbdhiojo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgpfbjlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhblffgn.dll" Qhhpop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdomhkp.dll" Aglnbhal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfoplpla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkjeomld.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kqphfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdmkhgho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qdphngfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckjknfnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqobhgmh.dll" Mfenglqf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pedbahod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hjhalefe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eifhdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maenpfhk.dll" Ookoaokf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoaedogc.dll" Plbfdekd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpqfid32.dll" Gpolbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kajefoog.dll" Pmhbqbae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aglnbhal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qekpedip.dll" Fmikeaap.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Manmoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhhdjbno.dll" Bddjpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Npchgdcd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgihfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cihclh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Maeachag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ilccoh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgobel32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ioambknl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecegjob.dll" Kngcje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgihfj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljclki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehfomc32.dll" Kpiqfima.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeocld32.dll" Bifmqo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ihphkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fffhifdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekeodnf.dll" Lmpkadnm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljhefhha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jejefqaf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Leadnm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppopjp32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
527d08d7f876751a2833d898b31d9f551089a733f348618a5896c4470d063227N.exeHfningai.exeHhlejcpm.exeHgoeep32.exeHofmfmhj.exeHhnbpb32.exeIohjlmeg.exeInkjhi32.exeIhqoeb32.exeIkokan32.exeIokgal32.exeIfdonfka.exeIickkbje.exeIomcgl32.exeIbkpcg32.exeIfgldfio.exeIghhln32.exeIoopml32.exeInbqhhfj.exeIigdfa32.exeIkfabm32.exeIoambknl.exedescription pid Process procid_target PID 216 wrote to memory of 3860 216 527d08d7f876751a2833d898b31d9f551089a733f348618a5896c4470d063227N.exe 83 PID 216 wrote to memory of 3860 216 527d08d7f876751a2833d898b31d9f551089a733f348618a5896c4470d063227N.exe 83 PID 216 wrote to memory of 3860 216 527d08d7f876751a2833d898b31d9f551089a733f348618a5896c4470d063227N.exe 83 PID 3860 wrote to memory of 4600 3860 Hfningai.exe 84 PID 3860 wrote to memory of 4600 3860 Hfningai.exe 84 PID 3860 wrote to memory of 4600 3860 Hfningai.exe 84 PID 4600 wrote to memory of 1376 4600 Hhlejcpm.exe 85 PID 4600 wrote to memory of 1376 4600 Hhlejcpm.exe 85 PID 4600 wrote to memory of 1376 4600 Hhlejcpm.exe 85 PID 1376 wrote to memory of 1484 1376 Hgoeep32.exe 86 PID 1376 wrote to memory of 1484 1376 Hgoeep32.exe 86 PID 1376 wrote to memory of 1484 1376 Hgoeep32.exe 86 PID 1484 wrote to memory of 4912 1484 Hofmfmhj.exe 87 PID 1484 wrote to memory of 4912 1484 Hofmfmhj.exe 87 PID 1484 wrote to memory of 4912 1484 Hofmfmhj.exe 87 PID 4912 wrote to memory of 4472 4912 Hhnbpb32.exe 88 PID 4912 wrote to memory of 4472 4912 Hhnbpb32.exe 88 PID 4912 wrote to memory of 4472 4912 Hhnbpb32.exe 88 PID 4472 wrote to memory of 4376 4472 Iohjlmeg.exe 89 PID 4472 wrote to memory of 4376 4472 Iohjlmeg.exe 89 PID 4472 wrote to memory of 4376 4472 Iohjlmeg.exe 89 PID 4376 wrote to memory of 2240 4376 Inkjhi32.exe 90 PID 4376 wrote to memory of 2240 4376 Inkjhi32.exe 90 PID 4376 wrote to memory of 2240 4376 Inkjhi32.exe 90 PID 2240 wrote to memory of 2040 2240 Ihqoeb32.exe 91 PID 2240 wrote to memory of 2040 2240 Ihqoeb32.exe 91 PID 2240 wrote to memory of 2040 2240 Ihqoeb32.exe 91 PID 2040 wrote to memory of 3716 2040 Ikokan32.exe 92 PID 2040 wrote to memory of 3716 2040 Ikokan32.exe 92 PID 2040 wrote to memory of 3716 2040 Ikokan32.exe 92 PID 3716 wrote to memory of 404 3716 Iokgal32.exe 93 PID 3716 wrote to memory of 404 3716 Iokgal32.exe 93 PID 3716 wrote to memory of 404 3716 Iokgal32.exe 93 PID 404 wrote to memory of 896 404 Ifdonfka.exe 94 PID 404 wrote to memory of 896 404 Ifdonfka.exe 94 PID 404 wrote to memory of 896 404 Ifdonfka.exe 94 PID 896 wrote to memory of 1940 896 Iickkbje.exe 95 PID 896 wrote to memory of 1940 896 Iickkbje.exe 95 PID 896 wrote to memory of 1940 896 Iickkbje.exe 95 PID 1940 wrote to memory of 1752 1940 Iomcgl32.exe 96 PID 1940 wrote to memory of 1752 1940 Iomcgl32.exe 96 PID 1940 wrote to memory of 1752 1940 Iomcgl32.exe 96 PID 1752 wrote to memory of 1760 1752 Ibkpcg32.exe 97 PID 1752 wrote to memory of 1760 1752 Ibkpcg32.exe 97 PID 1752 wrote to memory of 1760 1752 Ibkpcg32.exe 97 PID 1760 wrote to memory of 4140 1760 Ifgldfio.exe 98 PID 1760 wrote to memory of 4140 1760 Ifgldfio.exe 98 PID 1760 wrote to memory of 4140 1760 Ifgldfio.exe 98 PID 4140 wrote to memory of 2300 4140 Ighhln32.exe 99 PID 4140 wrote to memory of 2300 4140 Ighhln32.exe 99 PID 4140 wrote to memory of 2300 4140 Ighhln32.exe 99 PID 2300 wrote to memory of 3248 2300 Ioopml32.exe 100 PID 2300 wrote to memory of 3248 2300 Ioopml32.exe 100 PID 2300 wrote to memory of 3248 2300 Ioopml32.exe 100 PID 3248 wrote to memory of 3668 3248 Inbqhhfj.exe 101 PID 3248 wrote to memory of 3668 3248 Inbqhhfj.exe 101 PID 3248 wrote to memory of 3668 3248 Inbqhhfj.exe 101 PID 3668 wrote to memory of 1192 3668 Iigdfa32.exe 102 PID 3668 wrote to memory of 1192 3668 Iigdfa32.exe 102 PID 3668 wrote to memory of 1192 3668 Iigdfa32.exe 102 PID 1192 wrote to memory of 3292 1192 Ikfabm32.exe 103 PID 1192 wrote to memory of 3292 1192 Ikfabm32.exe 103 PID 1192 wrote to memory of 3292 1192 Ikfabm32.exe 103 PID 3292 wrote to memory of 4952 3292 Ioambknl.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\527d08d7f876751a2833d898b31d9f551089a733f348618a5896c4470d063227N.exe"C:\Users\Admin\AppData\Local\Temp\527d08d7f876751a2833d898b31d9f551089a733f348618a5896c4470d063227N.exe"1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:216 -
C:\Windows\SysWOW64\Hfningai.exeC:\Windows\system32\Hfningai.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3860 -
C:\Windows\SysWOW64\Hhlejcpm.exeC:\Windows\system32\Hhlejcpm.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4600 -
C:\Windows\SysWOW64\Hgoeep32.exeC:\Windows\system32\Hgoeep32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1376 -
C:\Windows\SysWOW64\Hofmfmhj.exeC:\Windows\system32\Hofmfmhj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1484 -
C:\Windows\SysWOW64\Hhnbpb32.exeC:\Windows\system32\Hhnbpb32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4912 -
C:\Windows\SysWOW64\Iohjlmeg.exeC:\Windows\system32\Iohjlmeg.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4472 -
C:\Windows\SysWOW64\Inkjhi32.exeC:\Windows\system32\Inkjhi32.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4376 -
C:\Windows\SysWOW64\Ihqoeb32.exeC:\Windows\system32\Ihqoeb32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\Ikokan32.exeC:\Windows\system32\Ikokan32.exe10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Windows\SysWOW64\Iokgal32.exeC:\Windows\system32\Iokgal32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3716 -
C:\Windows\SysWOW64\Ifdonfka.exeC:\Windows\system32\Ifdonfka.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:404 -
C:\Windows\SysWOW64\Iickkbje.exeC:\Windows\system32\Iickkbje.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:896 -
C:\Windows\SysWOW64\Iomcgl32.exeC:\Windows\system32\Iomcgl32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1940 -
C:\Windows\SysWOW64\Ibkpcg32.exeC:\Windows\system32\Ibkpcg32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1752 -
C:\Windows\SysWOW64\Ifgldfio.exeC:\Windows\system32\Ifgldfio.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1760 -
C:\Windows\SysWOW64\Ighhln32.exeC:\Windows\system32\Ighhln32.exe17⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4140 -
C:\Windows\SysWOW64\Ioopml32.exeC:\Windows\system32\Ioopml32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2300 -
C:\Windows\SysWOW64\Inbqhhfj.exeC:\Windows\system32\Inbqhhfj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3248 -
C:\Windows\SysWOW64\Iigdfa32.exeC:\Windows\system32\Iigdfa32.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3668 -
C:\Windows\SysWOW64\Ikfabm32.exeC:\Windows\system32\Ikfabm32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1192 -
C:\Windows\SysWOW64\Ioambknl.exeC:\Windows\system32\Ioambknl.exe22⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3292 -
C:\Windows\SysWOW64\Ifleoe32.exeC:\Windows\system32\Ifleoe32.exe23⤵
- Executes dropped EXE
PID:4952 -
C:\Windows\SysWOW64\Iijaka32.exeC:\Windows\system32\Iijaka32.exe24⤵
- Executes dropped EXE
PID:4988 -
C:\Windows\SysWOW64\Jkhngl32.exeC:\Windows\system32\Jkhngl32.exe25⤵
- Executes dropped EXE
- Modifies registry class
PID:4572 -
C:\Windows\SysWOW64\Jngjch32.exeC:\Windows\system32\Jngjch32.exe26⤵
- Executes dropped EXE
PID:3088 -
C:\Windows\SysWOW64\Jfnbdecg.exeC:\Windows\system32\Jfnbdecg.exe27⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Jilnqqbj.exeC:\Windows\system32\Jilnqqbj.exe28⤵
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Jkkjmlan.exeC:\Windows\system32\Jkkjmlan.exe29⤵
- Executes dropped EXE
PID:1016 -
C:\Windows\SysWOW64\Jnifigpa.exeC:\Windows\system32\Jnifigpa.exe30⤵
- Executes dropped EXE
PID:1564 -
C:\Windows\SysWOW64\Jfpojead.exeC:\Windows\system32\Jfpojead.exe31⤵
- Executes dropped EXE
PID:364 -
C:\Windows\SysWOW64\Jecofa32.exeC:\Windows\system32\Jecofa32.exe32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3488 -
C:\Windows\SysWOW64\Jiokfpph.exeC:\Windows\system32\Jiokfpph.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3256 -
C:\Windows\SysWOW64\Joiccj32.exeC:\Windows\system32\Joiccj32.exe34⤵
- Executes dropped EXE
PID:5084 -
C:\Windows\SysWOW64\Jfbkpd32.exeC:\Windows\system32\Jfbkpd32.exe35⤵
- Executes dropped EXE
PID:3856 -
C:\Windows\SysWOW64\Jeekkafl.exeC:\Windows\system32\Jeekkafl.exe36⤵
- Executes dropped EXE
PID:3924 -
C:\Windows\SysWOW64\Jgdhgmep.exeC:\Windows\system32\Jgdhgmep.exe37⤵
- Executes dropped EXE
PID:3412 -
C:\Windows\SysWOW64\Jkodhk32.exeC:\Windows\system32\Jkodhk32.exe38⤵
- Executes dropped EXE
PID:3948 -
C:\Windows\SysWOW64\Jpkphjeb.exeC:\Windows\system32\Jpkphjeb.exe39⤵
- Executes dropped EXE
PID:5076 -
C:\Windows\SysWOW64\Jnnpdg32.exeC:\Windows\system32\Jnnpdg32.exe40⤵
- Executes dropped EXE
PID:376 -
C:\Windows\SysWOW64\Jfehed32.exeC:\Windows\system32\Jfehed32.exe41⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Jicdap32.exeC:\Windows\system32\Jicdap32.exe42⤵
- Executes dropped EXE
PID:3972 -
C:\Windows\SysWOW64\Jkaqnk32.exeC:\Windows\system32\Jkaqnk32.exe43⤵
- Executes dropped EXE
PID:3308 -
C:\Windows\SysWOW64\Jpmlnjco.exeC:\Windows\system32\Jpmlnjco.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2136 -
C:\Windows\SysWOW64\Jblijebc.exeC:\Windows\system32\Jblijebc.exe45⤵
- Executes dropped EXE
PID:4232 -
C:\Windows\SysWOW64\Jejefqaf.exeC:\Windows\system32\Jejefqaf.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:924 -
C:\Windows\SysWOW64\Jghabl32.exeC:\Windows\system32\Jghabl32.exe47⤵
- Executes dropped EXE
PID:624 -
C:\Windows\SysWOW64\Kldmckic.exeC:\Windows\system32\Kldmckic.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:852 -
C:\Windows\SysWOW64\Knbiofhg.exeC:\Windows\system32\Knbiofhg.exe49⤵
- Executes dropped EXE
PID:2060 -
C:\Windows\SysWOW64\Kbnepe32.exeC:\Windows\system32\Kbnepe32.exe50⤵
- Executes dropped EXE
PID:3332 -
C:\Windows\SysWOW64\Kelalp32.exeC:\Windows\system32\Kelalp32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Kihnmohm.exeC:\Windows\system32\Kihnmohm.exe52⤵
- Executes dropped EXE
PID:4956 -
C:\Windows\SysWOW64\Kpbfii32.exeC:\Windows\system32\Kpbfii32.exe53⤵
- Executes dropped EXE
PID:4176 -
C:\Windows\SysWOW64\Kbpbed32.exeC:\Windows\system32\Kbpbed32.exe54⤵
- Executes dropped EXE
PID:4396 -
C:\Windows\SysWOW64\Kflnfcgg.exeC:\Windows\system32\Kflnfcgg.exe55⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Kijjbofj.exeC:\Windows\system32\Kijjbofj.exe56⤵
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\Khmknk32.exeC:\Windows\system32\Khmknk32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1680 -
C:\Windows\SysWOW64\Klifnj32.exeC:\Windows\system32\Klifnj32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1056 -
C:\Windows\SysWOW64\Kngcje32.exeC:\Windows\system32\Kngcje32.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:5096 -
C:\Windows\SysWOW64\Kbbokdlk.exeC:\Windows\system32\Kbbokdlk.exe60⤵
- Executes dropped EXE
PID:1060 -
C:\Windows\SysWOW64\Kimghn32.exeC:\Windows\system32\Kimghn32.exe61⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Khpgckkb.exeC:\Windows\system32\Khpgckkb.exe62⤵
- Executes dropped EXE
PID:884 -
C:\Windows\SysWOW64\Klkcdj32.exeC:\Windows\system32\Klkcdj32.exe63⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Knippe32.exeC:\Windows\system32\Knippe32.exe64⤵
- Executes dropped EXE
PID:3664 -
C:\Windows\SysWOW64\Kbekqdjh.exeC:\Windows\system32\Kbekqdjh.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:928 -
C:\Windows\SysWOW64\Kiodmn32.exeC:\Windows\system32\Kiodmn32.exe66⤵PID:1124
-
C:\Windows\SysWOW64\Khbdikip.exeC:\Windows\system32\Khbdikip.exe67⤵PID:2732
-
C:\Windows\SysWOW64\Klmpiiai.exeC:\Windows\system32\Klmpiiai.exe68⤵PID:4312
-
C:\Windows\SysWOW64\Kpiljh32.exeC:\Windows\system32\Kpiljh32.exe69⤵PID:3288
-
C:\Windows\SysWOW64\Kfcdfbqo.exeC:\Windows\system32\Kfcdfbqo.exe70⤵PID:1264
-
C:\Windows\SysWOW64\Kiaqcnpb.exeC:\Windows\system32\Kiaqcnpb.exe71⤵PID:4512
-
C:\Windows\SysWOW64\Llpmoiof.exeC:\Windows\system32\Llpmoiof.exe72⤵PID:4712
-
C:\Windows\SysWOW64\Lnnikdnj.exeC:\Windows\system32\Lnnikdnj.exe73⤵PID:1932
-
C:\Windows\SysWOW64\Lfealaol.exeC:\Windows\system32\Lfealaol.exe74⤵PID:3732
-
C:\Windows\SysWOW64\Lidmhmnp.exeC:\Windows\system32\Lidmhmnp.exe75⤵PID:1644
-
C:\Windows\SysWOW64\Llbidimc.exeC:\Windows\system32\Llbidimc.exe76⤵PID:3476
-
C:\Windows\SysWOW64\Lpneegel.exeC:\Windows\system32\Lpneegel.exe77⤵
- Modifies registry class
PID:1660 -
C:\Windows\SysWOW64\Lnqeqd32.exeC:\Windows\system32\Lnqeqd32.exe78⤵
- System Location Discovery: System Language Discovery
PID:4044 -
C:\Windows\SysWOW64\Lldfjh32.exeC:\Windows\system32\Lldfjh32.exe79⤵
- System Location Discovery: System Language Discovery
PID:1636 -
C:\Windows\SysWOW64\Lbnngbbn.exeC:\Windows\system32\Lbnngbbn.exe80⤵
- Drops file in System32 directory
PID:2772 -
C:\Windows\SysWOW64\Lfjjga32.exeC:\Windows\system32\Lfjjga32.exe81⤵PID:4132
-
C:\Windows\SysWOW64\Llgcph32.exeC:\Windows\system32\Llgcph32.exe82⤵
- System Location Discovery: System Language Discovery
PID:4932 -
C:\Windows\SysWOW64\Lflgmqhd.exeC:\Windows\system32\Lflgmqhd.exe83⤵PID:1064
-
C:\Windows\SysWOW64\Llipehgk.exeC:\Windows\system32\Llipehgk.exe84⤵PID:3524
-
C:\Windows\SysWOW64\Leadnm32.exeC:\Windows\system32\Leadnm32.exe85⤵
- Modifies registry class
PID:3496 -
C:\Windows\SysWOW64\Mhppji32.exeC:\Windows\system32\Mhppji32.exe86⤵PID:4568
-
C:\Windows\SysWOW64\Mbedga32.exeC:\Windows\system32\Mbedga32.exe87⤵PID:3724
-
C:\Windows\SysWOW64\Mhbmphjm.exeC:\Windows\system32\Mhbmphjm.exe88⤵PID:3644
-
C:\Windows\SysWOW64\Mibijk32.exeC:\Windows\system32\Mibijk32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2448 -
C:\Windows\SysWOW64\Mlpeff32.exeC:\Windows\system32\Mlpeff32.exe90⤵PID:2400
-
C:\Windows\SysWOW64\Moobbb32.exeC:\Windows\system32\Moobbb32.exe91⤵
- Modifies registry class
PID:848 -
C:\Windows\SysWOW64\Mehjol32.exeC:\Windows\system32\Mehjol32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4588 -
C:\Windows\SysWOW64\Mlbbkfoq.exeC:\Windows\system32\Mlbbkfoq.exe93⤵PID:1920
-
C:\Windows\SysWOW64\Moaogand.exeC:\Windows\system32\Moaogand.exe94⤵PID:536
-
C:\Windows\SysWOW64\Mblkhq32.exeC:\Windows\system32\Mblkhq32.exe95⤵PID:4508
-
C:\Windows\SysWOW64\Mekgdl32.exeC:\Windows\system32\Mekgdl32.exe96⤵PID:4156
-
C:\Windows\SysWOW64\Mhicpg32.exeC:\Windows\system32\Mhicpg32.exe97⤵PID:1560
-
C:\Windows\SysWOW64\Mleoafmn.exeC:\Windows\system32\Mleoafmn.exe98⤵PID:2632
-
C:\Windows\SysWOW64\Mfjcnold.exeC:\Windows\system32\Mfjcnold.exe99⤵PID:3392
-
C:\Windows\SysWOW64\Nhlpfgbb.exeC:\Windows\system32\Nhlpfgbb.exe100⤵PID:232
-
C:\Windows\SysWOW64\Npchgdcd.exeC:\Windows\system32\Npchgdcd.exe101⤵
- Modifies registry class
PID:2520 -
C:\Windows\SysWOW64\Ngmpcn32.exeC:\Windows\system32\Ngmpcn32.exe102⤵
- System Location Discovery: System Language Discovery
PID:3364 -
C:\Windows\SysWOW64\Neppokal.exeC:\Windows\system32\Neppokal.exe103⤵PID:1404
-
C:\Windows\SysWOW64\Nhnlkfpp.exeC:\Windows\system32\Nhnlkfpp.exe104⤵PID:2896
-
C:\Windows\SysWOW64\Nohehq32.exeC:\Windows\system32\Nohehq32.exe105⤵PID:2444
-
C:\Windows\SysWOW64\Nebmekoi.exeC:\Windows\system32\Nebmekoi.exe106⤵PID:1548
-
C:\Windows\SysWOW64\Nhpiafnm.exeC:\Windows\system32\Nhpiafnm.exe107⤵PID:4628
-
C:\Windows\SysWOW64\Ncfmno32.exeC:\Windows\system32\Ncfmno32.exe108⤵PID:1468
-
C:\Windows\SysWOW64\Nedjjj32.exeC:\Windows\system32\Nedjjj32.exe109⤵PID:1516
-
C:\Windows\SysWOW64\Nplkmckj.exeC:\Windows\system32\Nplkmckj.exe110⤵PID:4372
-
C:\Windows\SysWOW64\Oeicejia.exeC:\Windows\system32\Oeicejia.exe111⤵PID:4724
-
C:\Windows\SysWOW64\Oekpkigo.exeC:\Windows\system32\Oekpkigo.exe112⤵PID:1476
-
C:\Windows\SysWOW64\Oocddono.exeC:\Windows\system32\Oocddono.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2556 -
C:\Windows\SysWOW64\Olgemcli.exeC:\Windows\system32\Olgemcli.exe114⤵PID:1692
-
C:\Windows\SysWOW64\Oileggkb.exeC:\Windows\system32\Oileggkb.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2740 -
C:\Windows\SysWOW64\Ollnhb32.exeC:\Windows\system32\Ollnhb32.exe116⤵PID:4808
-
C:\Windows\SysWOW64\Ophjiaql.exeC:\Windows\system32\Ophjiaql.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4640 -
C:\Windows\SysWOW64\Pedbahod.exeC:\Windows\system32\Pedbahod.exe118⤵
- Modifies registry class
PID:5160 -
C:\Windows\SysWOW64\Phcomcng.exeC:\Windows\system32\Phcomcng.exe119⤵PID:5216
-
C:\Windows\SysWOW64\Ppjgoaoj.exeC:\Windows\system32\Ppjgoaoj.exe120⤵PID:5260
-
C:\Windows\SysWOW64\Pomgjn32.exeC:\Windows\system32\Pomgjn32.exe121⤵PID:5316
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-