Analysis
-
max time kernel
94s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
28-11-2024 19:54
Behavioral task
behavioral1
Sample
9139ab42b2950a6c3bb7cb9028b6cf021bb784fa8256cf2a91292f2894c507be.exe
Resource
win7-20240903-en
windows7-x64
12 signatures
120 seconds
General
-
Target
9139ab42b2950a6c3bb7cb9028b6cf021bb784fa8256cf2a91292f2894c507be.exe
-
Size
93KB
-
MD5
15b99ca4cb318150a671ff2a0745f1a0
-
SHA1
5a6620d13aa73227a06d90da156b46fc4e57e0af
-
SHA256
9139ab42b2950a6c3bb7cb9028b6cf021bb784fa8256cf2a91292f2894c507be
-
SHA512
5e0631dc24a851fb76c94c874e9da2e240ee06eb171e88d02f866852a953286bfe2d4926d186eb27360a547156af488565d08b94a44dfae5f61913be8b3e32c4
-
SSDEEP
1536:QGiaicfVbqpYc392KgTRh+1DaYfMZRWuLsV+1b:wRNpc5T7+gYfc0DV+1b
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Fjjcmbci.exeBblnindg.exeKjjbjd32.exeCancekeo.exeJjnaaa32.exeQbngeadf.exeCpipkl32.exeClchbqoo.exeElnehifk.exeKnhakh32.exeNdlacapp.exeBklomh32.exeEekjep32.exeBmggingc.exeGppcmeem.exeLakfeodm.exeKkbkmqed.exePhneqf32.exeEmphocjj.exePlpjoe32.exeBdocph32.exeIdhnkf32.exeJjafok32.exeLklbdm32.exeBoenhgdd.exePalbgl32.exeQpbnhl32.exeDoccpcja.exeGokbgpeg.exePfojdh32.exeFpcdof32.exeDmennnni.exeBmimdg32.exeIqgjmg32.exeInkjfk32.exeKebodc32.exeIgieoleg.exeBkafmd32.exePmbegqjk.exeJmgmhgig.exedescription ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjjcmbci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bblnindg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjjbjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cancekeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjnaaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qbngeadf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpipkl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clchbqoo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elnehifk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knhakh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndlacapp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bklomh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eekjep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmggingc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gppcmeem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lakfeodm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkbkmqed.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phneqf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emphocjj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plpjoe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdocph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idhnkf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjafok32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lklbdm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boenhgdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Palbgl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpbnhl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Doccpcja.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gokbgpeg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfojdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpcdof32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmennnni.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmimdg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iqgjmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inkjfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kebodc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igieoleg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkafmd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmbegqjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmgmhgig.exe -
Berbew family
-
Njrat family
-
Executes dropped EXE 64 IoCs
Processes:
Aeddnp32.exeAhcajk32.exeAakebqbj.exeAfgacokc.exeAjbmdn32.exeAanbhp32.exeAlcfei32.exeAfkknogn.exeAkhcfe32.exeAbbkcpma.exeBjicdmmd.exeBlhpqhlh.exeBjlpjm32.exeBkmmaeap.exeBfbaonae.exeBkoigdom.exeBbiado32.exeBfendmoc.exeBkafmd32.exeBblnindg.exeBheffh32.exeBckkca32.exeCfigpm32.exeCobkhb32.exeCkilmcgb.exeCodhnb32.exeCfqmpl32.exeCfcjfk32.exeDjqblj32.exeDblgpl32.exeDbndfl32.exeDikihe32.exeDbcmakpl.exeDpgnjo32.exeEjlbhh32.exeEbhglj32.exeEfepbi32.exeEmphocjj.exeEfhlhh32.exeEppqqn32.exeFfmfchle.exeFikbocki.exeFdqfll32.exeFllkqn32.exeFlngfn32.exeFfclcgfn.exeFffhifdk.exeGlcaambb.exeGfheof32.exeGlengm32.exeGpqjglii.exeGmdjapgb.exeGdobnj32.exeGfmojenc.exeGmggfp32.exeGdaociml.exeGkkgpc32.exeGmiclo32.exeGphphj32.exeGbfldf32.exeGkmdecbg.exeHmlpaoaj.exeHdehni32.exeHkpqkcpd.exepid Process 828 Aeddnp32.exe 2400 Ahcajk32.exe 1096 Aakebqbj.exe 3688 Afgacokc.exe 4936 Ajbmdn32.exe 1452 Aanbhp32.exe 4128 Alcfei32.exe 2172 Afkknogn.exe 3692 Akhcfe32.exe 4912 Abbkcpma.exe 4680 Bjicdmmd.exe 4220 Blhpqhlh.exe 5056 Bjlpjm32.exe 5068 Bkmmaeap.exe 4296 Bfbaonae.exe 4260 Bkoigdom.exe 4092 Bbiado32.exe 2456 Bfendmoc.exe 3224 Bkafmd32.exe 1100 Bblnindg.exe 3892 Bheffh32.exe 2348 Bckkca32.exe 3720 Cfigpm32.exe 3216 Cobkhb32.exe 5000 Ckilmcgb.exe 2488 Codhnb32.exe 4792 Cfqmpl32.exe 1696 Cfcjfk32.exe 4072 Djqblj32.exe 2812 Dblgpl32.exe 4552 Dbndfl32.exe 3812 Dikihe32.exe 372 Dbcmakpl.exe 2888 Dpgnjo32.exe 2148 Ejlbhh32.exe 2136 Ebhglj32.exe 2264 Efepbi32.exe 220 Emphocjj.exe 980 Efhlhh32.exe 744 Eppqqn32.exe 620 Ffmfchle.exe 4508 Fikbocki.exe 2732 Fdqfll32.exe 4384 Fllkqn32.exe 3376 Flngfn32.exe 1908 Ffclcgfn.exe 1220 Fffhifdk.exe 2672 Glcaambb.exe 3056 Gfheof32.exe 5116 Glengm32.exe 4304 Gpqjglii.exe 3268 Gmdjapgb.exe 3492 Gdobnj32.exe 3360 Gfmojenc.exe 2892 Gmggfp32.exe 8 Gdaociml.exe 2352 Gkkgpc32.exe 3532 Gmiclo32.exe 4500 Gphphj32.exe 1388 Gbfldf32.exe 1368 Gkmdecbg.exe 4644 Hmlpaoaj.exe 1516 Hdehni32.exe 3176 Hkpqkcpd.exe -
Drops file in System32 directory 64 IoCs
Processes:
Imfmgcdn.exeMjdebfnd.exeOelolmnd.exeHfpenj32.exeBhhiemoj.exeFncibg32.exeMcqjon32.exeGpmomo32.exeLknojl32.exeGojiiafp.exeEfjbcakl.exePjpfjl32.exeAeffgkkp.exeLojmcdgl.exeGemkelcd.exeHjaioe32.exeDheibpje.exeFbelcblk.exeLobjni32.exeAknbkjfh.exeHnkhjdle.exeKbjbnnfg.exeAlbpkc32.exeBlnoga32.exePagbaglh.exeGnoacp32.exeLancko32.exeLfiokmkc.exeMhnjna32.exeFfqhcq32.exeJocefm32.exedescription ioc Process File created C:\Windows\SysWOW64\Fcdfimja.dll Imfmgcdn.exe File created C:\Windows\SysWOW64\Kjeqge32.dll Mjdebfnd.exe File created C:\Windows\SysWOW64\Lebcnn32.dll Oelolmnd.exe File created C:\Windows\SysWOW64\Hljnkdnk.exe Hfpenj32.exe File created C:\Windows\SysWOW64\Nopkoobi.dll File created C:\Windows\SysWOW64\Mikiin32.dll File created C:\Windows\SysWOW64\Bkgeainn.exe Bhhiemoj.exe File opened for modification C:\Windows\SysWOW64\Fdmaoahm.exe Fncibg32.exe File created C:\Windows\SysWOW64\Mbkmngfn.exe File opened for modification C:\Windows\SysWOW64\Iaqapggb.exe File created C:\Windows\SysWOW64\Mkhapk32.exe Mcqjon32.exe File created C:\Windows\SysWOW64\Kkooep32.exe File created C:\Windows\SysWOW64\Gnobcjlg.dll Gpmomo32.exe File created C:\Windows\SysWOW64\Bjqjbanf.dll File created C:\Windows\SysWOW64\Loqjlg32.exe File opened for modification C:\Windows\SysWOW64\Ljaoeini.exe Lknojl32.exe File created C:\Windows\SysWOW64\Hmkigh32.exe Gojiiafp.exe File created C:\Windows\SysWOW64\Mgjcohao.dll File opened for modification C:\Windows\SysWOW64\Fihnomjp.exe Efjbcakl.exe File created C:\Windows\SysWOW64\Apobakpn.exe File created C:\Windows\SysWOW64\Pnlcdg32.exe File created C:\Windows\SysWOW64\Beaeca32.dll File opened for modification C:\Windows\SysWOW64\Jcfejfag.exe File opened for modification C:\Windows\SysWOW64\Hhkgpjqn.exe File opened for modification C:\Windows\SysWOW64\Knhbflbp.exe File created C:\Windows\SysWOW64\Kfcfimfi.dll Pjpfjl32.exe File created C:\Windows\SysWOW64\Eobepglo.dll Aeffgkkp.exe File opened for modification C:\Windows\SysWOW64\Ldlmieaa.exe File created C:\Windows\SysWOW64\Kcnkmn32.dll File created C:\Windows\SysWOW64\Ljadem32.dll File created C:\Windows\SysWOW64\Bpemfc32.dll Lojmcdgl.exe File created C:\Windows\SysWOW64\Kiaqnagj.exe File created C:\Windows\SysWOW64\Ihdjfhhc.exe File created C:\Windows\SysWOW64\Kgnonhdl.dll File opened for modification C:\Windows\SysWOW64\Ofmbkipk.exe File created C:\Windows\SysWOW64\Gpbpbecj.exe Gemkelcd.exe File created C:\Windows\SysWOW64\Mohpjh32.dll Hjaioe32.exe File created C:\Windows\SysWOW64\Pqpiiqce.dll File created C:\Windows\SysWOW64\Gikbneio.exe File created C:\Windows\SysWOW64\Hifaic32.exe File created C:\Windows\SysWOW64\Nklinjmj.dll Dheibpje.exe File created C:\Windows\SysWOW64\Ffqhcq32.exe Fbelcblk.exe File created C:\Windows\SysWOW64\Lgibpf32.exe Lobjni32.exe File opened for modification C:\Windows\SysWOW64\Amlogfel.exe Aknbkjfh.exe File created C:\Windows\SysWOW64\Heepfn32.exe Hnkhjdle.exe File created C:\Windows\SysWOW64\Khfkfedn.exe Kbjbnnfg.exe File created C:\Windows\SysWOW64\Aoalgn32.exe Albpkc32.exe File created C:\Windows\SysWOW64\Bheplb32.exe Blnoga32.exe File opened for modification C:\Windows\SysWOW64\Dqgjoenq.exe File created C:\Windows\SysWOW64\Egoomnin.exe File created C:\Windows\SysWOW64\Gmqjga32.exe File created C:\Windows\SysWOW64\Hlgjko32.exe File created C:\Windows\SysWOW64\Iefedcmk.exe File opened for modification C:\Windows\SysWOW64\Pjpfjl32.exe Pagbaglh.exe File created C:\Windows\SysWOW64\Gdhjpjjd.exe Gnoacp32.exe File created C:\Windows\SysWOW64\Jacodldj.dll Lancko32.exe File created C:\Windows\SysWOW64\Mjpnkbfj.dll Lfiokmkc.exe File created C:\Windows\SysWOW64\Kefjdppe.dll Mhnjna32.exe File created C:\Windows\SysWOW64\Kiiajl32.dll File created C:\Windows\SysWOW64\Jdhcdlco.dll File created C:\Windows\SysWOW64\Mfdlif32.exe File opened for modification C:\Windows\SysWOW64\Fmkqpkla.exe Ffqhcq32.exe File created C:\Windows\SysWOW64\Jlgepanl.exe Jocefm32.exe File opened for modification C:\Windows\SysWOW64\Nbfeoohe.exe -
Program crash 1 IoCs
Processes:
pid pid_target Process procid_target 10944 10832 1758 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Acdioc32.exeHgpibdam.exeHhfpbpdo.exeLgibpf32.exeDggkipii.exePmeoqlpl.exeBkoigdom.exeOikjkc32.exeJcgnbaeo.exeDdhomdje.exeLmlpjdgo.exeGfeaopqo.exeOdjmdocp.exePiaiqlak.exeBmagch32.exeJpfepf32.exeFefedmil.exeGlhimp32.exeHaodle32.exeFpkibf32.exeLhmafcnf.exeJcaeea32.exeJcphab32.exeOmfekbdh.exePiapkbeg.exeEpaemojk.exeDodjjimm.exePfepdg32.exeCildom32.exeKnqepc32.exeOcgbld32.exeBpfkpp32.exeCicqja32.exeHefnkkkj.exeIecmhlhb.exeDeokja32.exeGhcbohpp.exeGpqjglii.exeNhmofj32.exeFajbjh32.exeInebjihf.exeBiedhclh.exeLnldla32.exeFkhpfbce.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acdioc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgpibdam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhfpbpdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgibpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dggkipii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmeoqlpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkoigdom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oikjkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcgnbaeo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddhomdje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmlpjdgo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfeaopqo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odjmdocp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piaiqlak.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmagch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpfepf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fefedmil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glhimp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Haodle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpkibf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhmafcnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcaeea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcphab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omfekbdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piapkbeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epaemojk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dodjjimm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfepdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cildom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knqepc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocgbld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpfkpp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cicqja32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hefnkkkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iecmhlhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deokja32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghcbohpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpqjglii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhmofj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fajbjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inebjihf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biedhclh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnldla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkhpfbce.exe -
Modifies registry class 64 IoCs
Processes:
Mnhkbfme.exeObfhmd32.exeGddqejni.exeKdhlepkl.exeIlnbicff.exeHhfpbpdo.exePofhbgmn.exeBkoigdom.exeKekbjo32.exeDnajppda.exeIplkpa32.exeFifomlap.exeDimcppgm.exeMepfiq32.exeFefedmil.exeLnldla32.exeBckkca32.exePjcikejg.exeHodqlq32.exeBddjpd32.exePfmlok32.exeQhekaejj.exeFgiaemic.exePdeffgff.exeHkpqkcpd.exeBedgjgkg.exeBbaclegm.exeGomkkagl.exeOkolfj32.exePbgqdb32.exeJmpgghoo.exeFcaqka32.exeLjaoeini.exeDfdpad32.exeHecjke32.exeAfkknogn.exeFdqfll32.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnhkbfme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpmmhc32.dll" Obfhmd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gddqejni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knipeblj.dll" Kdhlepkl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfidbo32.dll" Ilnbicff.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhfpbpdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjmole32.dll" Pofhbgmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhpoieid.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkoigdom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ichelm32.dll" Kekbjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aajmenjo.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdbfbm32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chhmjaaq.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dnajppda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iplkpa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fifomlap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acemjd32.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dimcppgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cklmbbeg.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obnbpa32.dll" Mepfiq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fefedmil.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lnldla32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqpiiqce.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bckkca32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjcikejg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmddajlf.dll" Hodqlq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ianfdf32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bddjpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfmlok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qhekaejj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fgiaemic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enccibdi.dll" Pdeffgff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flebpn32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efpgoecp.dll" Hkpqkcpd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bedgjgkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbaclegm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gomkkagl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilhllpbm.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Okolfj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbgqdb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obbgom32.dll" Jmpgghoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpcnhngo.dll" Fcaqka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljaoeini.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfdpad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbnblldi.dll" Hecjke32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Negcig32.dll" Afkknogn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdqfll32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
9139ab42b2950a6c3bb7cb9028b6cf021bb784fa8256cf2a91292f2894c507be.exeAeddnp32.exeAhcajk32.exeAakebqbj.exeAfgacokc.exeAjbmdn32.exeAanbhp32.exeAlcfei32.exeAfkknogn.exeAkhcfe32.exeAbbkcpma.exeBjicdmmd.exeBlhpqhlh.exeBjlpjm32.exeBkmmaeap.exeBfbaonae.exeBkoigdom.exeBbiado32.exeBfendmoc.exeBkafmd32.exeBblnindg.exeBheffh32.exedescription pid Process procid_target PID 3304 wrote to memory of 828 3304 9139ab42b2950a6c3bb7cb9028b6cf021bb784fa8256cf2a91292f2894c507be.exe 82 PID 3304 wrote to memory of 828 3304 9139ab42b2950a6c3bb7cb9028b6cf021bb784fa8256cf2a91292f2894c507be.exe 82 PID 3304 wrote to memory of 828 3304 9139ab42b2950a6c3bb7cb9028b6cf021bb784fa8256cf2a91292f2894c507be.exe 82 PID 828 wrote to memory of 2400 828 Aeddnp32.exe 83 PID 828 wrote to memory of 2400 828 Aeddnp32.exe 83 PID 828 wrote to memory of 2400 828 Aeddnp32.exe 83 PID 2400 wrote to memory of 1096 2400 Ahcajk32.exe 84 PID 2400 wrote to memory of 1096 2400 Ahcajk32.exe 84 PID 2400 wrote to memory of 1096 2400 Ahcajk32.exe 84 PID 1096 wrote to memory of 3688 1096 Aakebqbj.exe 85 PID 1096 wrote to memory of 3688 1096 Aakebqbj.exe 85 PID 1096 wrote to memory of 3688 1096 Aakebqbj.exe 85 PID 3688 wrote to memory of 4936 3688 Afgacokc.exe 86 PID 3688 wrote to memory of 4936 3688 Afgacokc.exe 86 PID 3688 wrote to memory of 4936 3688 Afgacokc.exe 86 PID 4936 wrote to memory of 1452 4936 Ajbmdn32.exe 87 PID 4936 wrote to memory of 1452 4936 Ajbmdn32.exe 87 PID 4936 wrote to memory of 1452 4936 Ajbmdn32.exe 87 PID 1452 wrote to memory of 4128 1452 Aanbhp32.exe 88 PID 1452 wrote to memory of 4128 1452 Aanbhp32.exe 88 PID 1452 wrote to memory of 4128 1452 Aanbhp32.exe 88 PID 4128 wrote to memory of 2172 4128 Alcfei32.exe 89 PID 4128 wrote to memory of 2172 4128 Alcfei32.exe 89 PID 4128 wrote to memory of 2172 4128 Alcfei32.exe 89 PID 2172 wrote to memory of 3692 2172 Afkknogn.exe 90 PID 2172 wrote to memory of 3692 2172 Afkknogn.exe 90 PID 2172 wrote to memory of 3692 2172 Afkknogn.exe 90 PID 3692 wrote to memory of 4912 3692 Akhcfe32.exe 91 PID 3692 wrote to memory of 4912 3692 Akhcfe32.exe 91 PID 3692 wrote to memory of 4912 3692 Akhcfe32.exe 91 PID 4912 wrote to memory of 4680 4912 Abbkcpma.exe 92 PID 4912 wrote to memory of 4680 4912 Abbkcpma.exe 92 PID 4912 wrote to memory of 4680 4912 Abbkcpma.exe 92 PID 4680 wrote to memory of 4220 4680 Bjicdmmd.exe 93 PID 4680 wrote to memory of 4220 4680 Bjicdmmd.exe 93 PID 4680 wrote to memory of 4220 4680 Bjicdmmd.exe 93 PID 4220 wrote to memory of 5056 4220 Blhpqhlh.exe 94 PID 4220 wrote to memory of 5056 4220 Blhpqhlh.exe 94 PID 4220 wrote to memory of 5056 4220 Blhpqhlh.exe 94 PID 5056 wrote to memory of 5068 5056 Bjlpjm32.exe 95 PID 5056 wrote to memory of 5068 5056 Bjlpjm32.exe 95 PID 5056 wrote to memory of 5068 5056 Bjlpjm32.exe 95 PID 5068 wrote to memory of 4296 5068 Bkmmaeap.exe 96 PID 5068 wrote to memory of 4296 5068 Bkmmaeap.exe 96 PID 5068 wrote to memory of 4296 5068 Bkmmaeap.exe 96 PID 4296 wrote to memory of 4260 4296 Bfbaonae.exe 97 PID 4296 wrote to memory of 4260 4296 Bfbaonae.exe 97 PID 4296 wrote to memory of 4260 4296 Bfbaonae.exe 97 PID 4260 wrote to memory of 4092 4260 Bkoigdom.exe 98 PID 4260 wrote to memory of 4092 4260 Bkoigdom.exe 98 PID 4260 wrote to memory of 4092 4260 Bkoigdom.exe 98 PID 4092 wrote to memory of 2456 4092 Bbiado32.exe 99 PID 4092 wrote to memory of 2456 4092 Bbiado32.exe 99 PID 4092 wrote to memory of 2456 4092 Bbiado32.exe 99 PID 2456 wrote to memory of 3224 2456 Bfendmoc.exe 100 PID 2456 wrote to memory of 3224 2456 Bfendmoc.exe 100 PID 2456 wrote to memory of 3224 2456 Bfendmoc.exe 100 PID 3224 wrote to memory of 1100 3224 Bkafmd32.exe 101 PID 3224 wrote to memory of 1100 3224 Bkafmd32.exe 101 PID 3224 wrote to memory of 1100 3224 Bkafmd32.exe 101 PID 1100 wrote to memory of 3892 1100 Bblnindg.exe 102 PID 1100 wrote to memory of 3892 1100 Bblnindg.exe 102 PID 1100 wrote to memory of 3892 1100 Bblnindg.exe 102 PID 3892 wrote to memory of 2348 3892 Bheffh32.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\9139ab42b2950a6c3bb7cb9028b6cf021bb784fa8256cf2a91292f2894c507be.exe"C:\Users\Admin\AppData\Local\Temp\9139ab42b2950a6c3bb7cb9028b6cf021bb784fa8256cf2a91292f2894c507be.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3304 -
C:\Windows\SysWOW64\Aeddnp32.exeC:\Windows\system32\Aeddnp32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:828 -
C:\Windows\SysWOW64\Ahcajk32.exeC:\Windows\system32\Ahcajk32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\SysWOW64\Aakebqbj.exeC:\Windows\system32\Aakebqbj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1096 -
C:\Windows\SysWOW64\Afgacokc.exeC:\Windows\system32\Afgacokc.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3688 -
C:\Windows\SysWOW64\Ajbmdn32.exeC:\Windows\system32\Ajbmdn32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4936 -
C:\Windows\SysWOW64\Aanbhp32.exeC:\Windows\system32\Aanbhp32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1452 -
C:\Windows\SysWOW64\Alcfei32.exeC:\Windows\system32\Alcfei32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4128 -
C:\Windows\SysWOW64\Afkknogn.exeC:\Windows\system32\Afkknogn.exe9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\SysWOW64\Akhcfe32.exeC:\Windows\system32\Akhcfe32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3692 -
C:\Windows\SysWOW64\Abbkcpma.exeC:\Windows\system32\Abbkcpma.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4912 -
C:\Windows\SysWOW64\Bjicdmmd.exeC:\Windows\system32\Bjicdmmd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4680 -
C:\Windows\SysWOW64\Blhpqhlh.exeC:\Windows\system32\Blhpqhlh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4220 -
C:\Windows\SysWOW64\Bjlpjm32.exeC:\Windows\system32\Bjlpjm32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5056 -
C:\Windows\SysWOW64\Bkmmaeap.exeC:\Windows\system32\Bkmmaeap.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5068 -
C:\Windows\SysWOW64\Bfbaonae.exeC:\Windows\system32\Bfbaonae.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4296 -
C:\Windows\SysWOW64\Bkoigdom.exeC:\Windows\system32\Bkoigdom.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4260 -
C:\Windows\SysWOW64\Bbiado32.exeC:\Windows\system32\Bbiado32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4092 -
C:\Windows\SysWOW64\Bfendmoc.exeC:\Windows\system32\Bfendmoc.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Windows\SysWOW64\Bkafmd32.exeC:\Windows\system32\Bkafmd32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3224 -
C:\Windows\SysWOW64\Bblnindg.exeC:\Windows\system32\Bblnindg.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1100 -
C:\Windows\SysWOW64\Bheffh32.exeC:\Windows\system32\Bheffh32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3892 -
C:\Windows\SysWOW64\Bckkca32.exeC:\Windows\system32\Bckkca32.exe23⤵
- Executes dropped EXE
- Modifies registry class
PID:2348 -
C:\Windows\SysWOW64\Cfigpm32.exeC:\Windows\system32\Cfigpm32.exe24⤵
- Executes dropped EXE
PID:3720 -
C:\Windows\SysWOW64\Cobkhb32.exeC:\Windows\system32\Cobkhb32.exe25⤵
- Executes dropped EXE
PID:3216 -
C:\Windows\SysWOW64\Ckilmcgb.exeC:\Windows\system32\Ckilmcgb.exe26⤵
- Executes dropped EXE
PID:5000 -
C:\Windows\SysWOW64\Codhnb32.exeC:\Windows\system32\Codhnb32.exe27⤵
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\Cfqmpl32.exeC:\Windows\system32\Cfqmpl32.exe28⤵
- Executes dropped EXE
PID:4792 -
C:\Windows\SysWOW64\Cfcjfk32.exeC:\Windows\system32\Cfcjfk32.exe29⤵
- Executes dropped EXE
PID:1696 -
C:\Windows\SysWOW64\Djqblj32.exeC:\Windows\system32\Djqblj32.exe30⤵
- Executes dropped EXE
PID:4072 -
C:\Windows\SysWOW64\Dblgpl32.exeC:\Windows\system32\Dblgpl32.exe31⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Dbndfl32.exeC:\Windows\system32\Dbndfl32.exe32⤵
- Executes dropped EXE
PID:4552 -
C:\Windows\SysWOW64\Dikihe32.exeC:\Windows\system32\Dikihe32.exe33⤵
- Executes dropped EXE
PID:3812 -
C:\Windows\SysWOW64\Dbcmakpl.exeC:\Windows\system32\Dbcmakpl.exe34⤵
- Executes dropped EXE
PID:372 -
C:\Windows\SysWOW64\Dpgnjo32.exeC:\Windows\system32\Dpgnjo32.exe35⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Ejlbhh32.exeC:\Windows\system32\Ejlbhh32.exe36⤵
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Ebhglj32.exeC:\Windows\system32\Ebhglj32.exe37⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Efepbi32.exeC:\Windows\system32\Efepbi32.exe38⤵
- Executes dropped EXE
PID:2264 -
C:\Windows\SysWOW64\Emphocjj.exeC:\Windows\system32\Emphocjj.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:220 -
C:\Windows\SysWOW64\Efhlhh32.exeC:\Windows\system32\Efhlhh32.exe40⤵
- Executes dropped EXE
PID:980 -
C:\Windows\SysWOW64\Eppqqn32.exeC:\Windows\system32\Eppqqn32.exe41⤵
- Executes dropped EXE
PID:744 -
C:\Windows\SysWOW64\Ffmfchle.exeC:\Windows\system32\Ffmfchle.exe42⤵
- Executes dropped EXE
PID:620 -
C:\Windows\SysWOW64\Fikbocki.exeC:\Windows\system32\Fikbocki.exe43⤵
- Executes dropped EXE
PID:4508 -
C:\Windows\SysWOW64\Fdqfll32.exeC:\Windows\system32\Fdqfll32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:2732 -
C:\Windows\SysWOW64\Fllkqn32.exeC:\Windows\system32\Fllkqn32.exe45⤵
- Executes dropped EXE
PID:4384 -
C:\Windows\SysWOW64\Flngfn32.exeC:\Windows\system32\Flngfn32.exe46⤵
- Executes dropped EXE
PID:3376 -
C:\Windows\SysWOW64\Ffclcgfn.exeC:\Windows\system32\Ffclcgfn.exe47⤵
- Executes dropped EXE
PID:1908 -
C:\Windows\SysWOW64\Fffhifdk.exeC:\Windows\system32\Fffhifdk.exe48⤵
- Executes dropped EXE
PID:1220 -
C:\Windows\SysWOW64\Glcaambb.exeC:\Windows\system32\Glcaambb.exe49⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Gfheof32.exeC:\Windows\system32\Gfheof32.exe50⤵
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Glengm32.exeC:\Windows\system32\Glengm32.exe51⤵
- Executes dropped EXE
PID:5116 -
C:\Windows\SysWOW64\Gpqjglii.exeC:\Windows\system32\Gpqjglii.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4304 -
C:\Windows\SysWOW64\Gmdjapgb.exeC:\Windows\system32\Gmdjapgb.exe53⤵
- Executes dropped EXE
PID:3268 -
C:\Windows\SysWOW64\Gdobnj32.exeC:\Windows\system32\Gdobnj32.exe54⤵
- Executes dropped EXE
PID:3492 -
C:\Windows\SysWOW64\Gfmojenc.exeC:\Windows\system32\Gfmojenc.exe55⤵
- Executes dropped EXE
PID:3360 -
C:\Windows\SysWOW64\Gmggfp32.exeC:\Windows\system32\Gmggfp32.exe56⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Gdaociml.exeC:\Windows\system32\Gdaociml.exe57⤵
- Executes dropped EXE
PID:8 -
C:\Windows\SysWOW64\Gkkgpc32.exeC:\Windows\system32\Gkkgpc32.exe58⤵
- Executes dropped EXE
PID:2352 -
C:\Windows\SysWOW64\Gmiclo32.exeC:\Windows\system32\Gmiclo32.exe59⤵
- Executes dropped EXE
PID:3532 -
C:\Windows\SysWOW64\Gphphj32.exeC:\Windows\system32\Gphphj32.exe60⤵
- Executes dropped EXE
PID:4500 -
C:\Windows\SysWOW64\Gbfldf32.exeC:\Windows\system32\Gbfldf32.exe61⤵
- Executes dropped EXE
PID:1388 -
C:\Windows\SysWOW64\Gkmdecbg.exeC:\Windows\system32\Gkmdecbg.exe62⤵
- Executes dropped EXE
PID:1368 -
C:\Windows\SysWOW64\Hmlpaoaj.exeC:\Windows\system32\Hmlpaoaj.exe63⤵
- Executes dropped EXE
PID:4644 -
C:\Windows\SysWOW64\Hdehni32.exeC:\Windows\system32\Hdehni32.exe64⤵
- Executes dropped EXE
PID:1516 -
C:\Windows\SysWOW64\Hkpqkcpd.exeC:\Windows\system32\Hkpqkcpd.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:3176 -
C:\Windows\SysWOW64\Hibafp32.exeC:\Windows\system32\Hibafp32.exe66⤵PID:2868
-
C:\Windows\SysWOW64\Hienlpel.exeC:\Windows\system32\Hienlpel.exe67⤵PID:648
-
C:\Windows\SysWOW64\Hmbfbn32.exeC:\Windows\system32\Hmbfbn32.exe68⤵PID:4436
-
C:\Windows\SysWOW64\Hcpojd32.exeC:\Windows\system32\Hcpojd32.exe69⤵PID:3564
-
C:\Windows\SysWOW64\Hdokdg32.exeC:\Windows\system32\Hdokdg32.exe70⤵PID:2824
-
C:\Windows\SysWOW64\Hgmgqc32.exeC:\Windows\system32\Hgmgqc32.exe71⤵PID:3912
-
C:\Windows\SysWOW64\Igpdfb32.exeC:\Windows\system32\Igpdfb32.exe72⤵PID:2664
-
C:\Windows\SysWOW64\Igbalblk.exeC:\Windows\system32\Igbalblk.exe73⤵PID:3820
-
C:\Windows\SysWOW64\Igdnabjh.exeC:\Windows\system32\Igdnabjh.exe74⤵PID:1956
-
C:\Windows\SysWOW64\Idhnkf32.exeC:\Windows\system32\Idhnkf32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5016 -
C:\Windows\SysWOW64\Ikbfgppo.exeC:\Windows\system32\Ikbfgppo.exe76⤵PID:2200
-
C:\Windows\SysWOW64\Idkkpf32.exeC:\Windows\system32\Idkkpf32.exe77⤵PID:4336
-
C:\Windows\SysWOW64\Jpaleglc.exeC:\Windows\system32\Jpaleglc.exe78⤵PID:4512
-
C:\Windows\SysWOW64\Jcphab32.exeC:\Windows\system32\Jcphab32.exe79⤵
- System Location Discovery: System Language Discovery
PID:1576 -
C:\Windows\SysWOW64\Jjjpnlbd.exeC:\Windows\system32\Jjjpnlbd.exe80⤵PID:3568
-
C:\Windows\SysWOW64\Jpdhkf32.exeC:\Windows\system32\Jpdhkf32.exe81⤵PID:2852
-
C:\Windows\SysWOW64\Jpfepf32.exeC:\Windows\system32\Jpfepf32.exe82⤵
- System Location Discovery: System Language Discovery
PID:2248 -
C:\Windows\SysWOW64\Jklinohd.exeC:\Windows\system32\Jklinohd.exe83⤵PID:1656
-
C:\Windows\SysWOW64\Jcgnbaeo.exeC:\Windows\system32\Jcgnbaeo.exe84⤵
- System Location Discovery: System Language Discovery
PID:1164 -
C:\Windows\SysWOW64\Jgbjbp32.exeC:\Windows\system32\Jgbjbp32.exe85⤵PID:1612
-
C:\Windows\SysWOW64\Jjafok32.exeC:\Windows\system32\Jjafok32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4880 -
C:\Windows\SysWOW64\Kmaopfjm.exeC:\Windows\system32\Kmaopfjm.exe87⤵PID:4196
-
C:\Windows\SysWOW64\Kggcnoic.exeC:\Windows\system32\Kggcnoic.exe88⤵PID:560
-
C:\Windows\SysWOW64\Kdkdgchl.exeC:\Windows\system32\Kdkdgchl.exe89⤵PID:4836
-
C:\Windows\SysWOW64\Kkeldnpi.exeC:\Windows\system32\Kkeldnpi.exe90⤵PID:4524
-
C:\Windows\SysWOW64\Kjhloj32.exeC:\Windows\system32\Kjhloj32.exe91⤵PID:1548
-
C:\Windows\SysWOW64\Kcpahpmd.exeC:\Windows\system32\Kcpahpmd.exe92⤵PID:2268
-
C:\Windows\SysWOW64\Kglmio32.exeC:\Windows\system32\Kglmio32.exe93⤵PID:1084
-
C:\Windows\SysWOW64\Kmieae32.exeC:\Windows\system32\Kmieae32.exe94⤵PID:1636
-
C:\Windows\SysWOW64\Kcbnnpka.exeC:\Windows\system32\Kcbnnpka.exe95⤵PID:1324
-
C:\Windows\SysWOW64\Knhakh32.exeC:\Windows\system32\Knhakh32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:732 -
C:\Windows\SysWOW64\Kcejco32.exeC:\Windows\system32\Kcejco32.exe97⤵PID:2088
-
C:\Windows\SysWOW64\Lklbdm32.exeC:\Windows\system32\Lklbdm32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4916 -
C:\Windows\SysWOW64\Lddgmbpb.exeC:\Windows\system32\Lddgmbpb.exe99⤵PID:2980
-
C:\Windows\SysWOW64\Lknojl32.exeC:\Windows\system32\Lknojl32.exe100⤵
- Drops file in System32 directory
PID:3496 -
C:\Windows\SysWOW64\Ljaoeini.exeC:\Windows\system32\Ljaoeini.exe101⤵
- Modifies registry class
PID:1340 -
C:\Windows\SysWOW64\Lcjcnoej.exeC:\Windows\system32\Lcjcnoej.exe102⤵PID:4448
-
C:\Windows\SysWOW64\Lkalplel.exeC:\Windows\system32\Lkalplel.exe103⤵PID:1464
-
C:\Windows\SysWOW64\Ljclki32.exeC:\Windows\system32\Ljclki32.exe104⤵PID:2896
-
C:\Windows\SysWOW64\Ldipha32.exeC:\Windows\system32\Ldipha32.exe105⤵PID:3472
-
C:\Windows\SysWOW64\Lggldm32.exeC:\Windows\system32\Lggldm32.exe106⤵PID:4600
-
C:\Windows\SysWOW64\Lqpamb32.exeC:\Windows\system32\Lqpamb32.exe107⤵PID:5152
-
C:\Windows\SysWOW64\Ljhefhha.exeC:\Windows\system32\Ljhefhha.exe108⤵PID:5196
-
C:\Windows\SysWOW64\Mcqjon32.exeC:\Windows\system32\Mcqjon32.exe109⤵
- Drops file in System32 directory
PID:5240 -
C:\Windows\SysWOW64\Mkhapk32.exeC:\Windows\system32\Mkhapk32.exe110⤵PID:5284
-
C:\Windows\SysWOW64\Mepfiq32.exeC:\Windows\system32\Mepfiq32.exe111⤵
- Modifies registry class
PID:5332 -
C:\Windows\SysWOW64\Mjmoag32.exeC:\Windows\system32\Mjmoag32.exe112⤵PID:5376
-
C:\Windows\SysWOW64\Mnhkbfme.exeC:\Windows\system32\Mnhkbfme.exe113⤵
- Modifies registry class
PID:5420 -
C:\Windows\SysWOW64\Mgaokl32.exeC:\Windows\system32\Mgaokl32.exe114⤵PID:5464
-
C:\Windows\SysWOW64\Mjokgg32.exeC:\Windows\system32\Mjokgg32.exe115⤵PID:5508
-
C:\Windows\SysWOW64\Meepdp32.exeC:\Windows\system32\Meepdp32.exe116⤵PID:5552
-
C:\Windows\SysWOW64\Mgclpkac.exeC:\Windows\system32\Mgclpkac.exe117⤵PID:5596
-
C:\Windows\SysWOW64\Malpia32.exeC:\Windows\system32\Malpia32.exe118⤵PID:5640
-
C:\Windows\SysWOW64\Mkadfj32.exeC:\Windows\system32\Mkadfj32.exe119⤵PID:5684
-
C:\Windows\SysWOW64\Mjdebfnd.exeC:\Windows\system32\Mjdebfnd.exe120⤵
- Drops file in System32 directory
PID:5728 -
C:\Windows\SysWOW64\Nclikl32.exeC:\Windows\system32\Nclikl32.exe121⤵PID:5772
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-