Analysis
-
max time kernel
94s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
01-12-2024 21:45
Behavioral task
behavioral1
Sample
486ec3d5c829c7ed63e3be2e198c5845ce823a6a7457280dcbc1a68ac3abafdf.exe
Resource
win7-20241010-en
windows7-x64
13 signatures
150 seconds
Behavioral task
behavioral2
Sample
486ec3d5c829c7ed63e3be2e198c5845ce823a6a7457280dcbc1a68ac3abafdf.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
14 signatures
150 seconds
General
-
Target
486ec3d5c829c7ed63e3be2e198c5845ce823a6a7457280dcbc1a68ac3abafdf.exe
-
Size
163KB
-
MD5
b814bb8e37cafa96cd0be136c841e13d
-
SHA1
5fd432c7da1ac38f15e156e6faee6ff37b6cfa96
-
SHA256
486ec3d5c829c7ed63e3be2e198c5845ce823a6a7457280dcbc1a68ac3abafdf
-
SHA512
c1b2a9e44faba92557d10f5457c428d142ef2a2377f8127ad6c9821cac8a2d173a0cdd73a5b7d55243d23f18b5c3f648cb09d396060ec62bca40ac13afd3165a
-
SSDEEP
1536:PTfmn6glEVKHg4vTuGW6mhjEtrT0lProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:7fI3DT7ZrT0ltOrWKDBr+yJb
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Extracted
Family
gozi
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Fibhpbea.exeNdflak32.exeDooaoj32.exeGfeaopqo.exeLmaamn32.exeQhjmdp32.exeConanfli.exeOekiqccc.exeAkkffkhk.exeNgjbaj32.exeFiaael32.exeKdmqmc32.exeMmpdhboj.exeEfeihb32.exeHibjli32.exeKgninn32.exeLjhefhha.exeCdlqqcnl.exePllgnl32.exeOmjpeo32.exeOjbacd32.exeCnfaohbj.exeHlepcdoa.exeLlodgnja.exeLjeafb32.exePdjgha32.exeBmeandma.exeIggjga32.exeCaageq32.exeBdojjo32.exeGpqjglii.exeMokmdh32.exeFjadje32.exeEjchhgid.exeLjfhqh32.exeHehkajig.exeIlqoobdd.exeAmcehdod.exeEbjcajjd.exeNgjkfd32.exeIloidijb.exeNmigoagp.exeOpeiadfg.exePnifekmd.exePdmdnadc.exeGfokoelp.exeHdhedh32.exeBahkih32.exeDfiildio.exeEfgemb32.exeAakebqbj.exeHpofii32.exeNnicid32.exeQhmqdemc.exeBgpcliao.exeFimodc32.exeJpenfp32.exeJphkkpbp.exeQjfmkk32.exeBddcenpi.exeJjafok32.exeLkchelci.exeEnbjad32.exedescription ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fibhpbea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndflak32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dooaoj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfeaopqo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmaamn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qhjmdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Conanfli.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oekiqccc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akkffkhk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngjbaj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fiaael32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdmqmc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmpdhboj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efeihb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hibjli32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgninn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljhefhha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdlqqcnl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pllgnl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omjpeo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojbacd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnfaohbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlepcdoa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llodgnja.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljeafb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdjgha32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmeandma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iggjga32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Caageq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdojjo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpqjglii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mokmdh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjadje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejchhgid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljfhqh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hehkajig.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilqoobdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amcehdod.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebjcajjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngjkfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iloidijb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmigoagp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opeiadfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnifekmd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdmdnadc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfokoelp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdhedh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bahkih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfiildio.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efgemb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aakebqbj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpofii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnicid32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhmqdemc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgpcliao.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fimodc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpenfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jphkkpbp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjfmkk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bddcenpi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfiildio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjafok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkchelci.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enbjad32.exe -
Berbew family
-
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
-
Bruteratel family
-
Detect BruteRatel badger 1 IoCs
Processes:
resource yara_rule behavioral2/files/0x0007000000023ee9-1950.dat family_bruteratel -
Gozi family
-
Executes dropped EXE 64 IoCs
Processes:
Leopnglc.exeMngegmbc.exeMaeachag.exeMahnhhod.exeMlmbfqoj.exeMnlnbl32.exeMnnkgl32.exeMicoed32.exeMlbkap32.exeMifljdjo.exeMldhfpib.exeNbnpcj32.exeNlfelogp.exeNijeec32.exeNliaao32.exeNafjjf32.exeNimbkc32.exeNhpbfpka.exeNeccpd32.exeNlnkmnah.exeNefped32.exeNlphbnoe.exeOidhlb32.exeOhghgodi.exeOekiqccc.exeOldamm32.exeOhkbbn32.exeOkjnnj32.exeOlijhmgj.exePllgnl32.exePahpfc32.exePolppg32.exePamiaboj.exePlbmokop.exePapfgbmg.exePhincl32.exePcobaedj.exeQlggjk32.exeQcaofebg.exeQljcoj32.exeAjndioga.exeAkoqpg32.exeAojlaeei.exeAaiimadl.exeAlnmjjdb.exeAchegd32.exeAakebqbj.exeAhenokjf.exeAjdjin32.exeAbponp32.exeAkhcfe32.exeAbbkcpma.exeBfngdn32.exeBoflmdkk.exeBohibc32.exeBbgeno32.exeBcfahbpo.exeBbiado32.exeBkafmd32.exeBblnindg.exeBkdcbd32.exeCjecpkcg.exeCcmgiaig.exeCbphdn32.exepid Process 844 Leopnglc.exe 3284 Mngegmbc.exe 2592 Maeachag.exe 3340 Mahnhhod.exe 4780 Mlmbfqoj.exe 4460 Mnlnbl32.exe 1496 Mnnkgl32.exe 3680 Micoed32.exe 2100 Mlbkap32.exe 2908 Mifljdjo.exe 212 Mldhfpib.exe 2800 Nbnpcj32.exe 4332 Nlfelogp.exe 3724 Nijeec32.exe 1068 Nliaao32.exe 4512 Nafjjf32.exe 5012 Nimbkc32.exe 3752 Nhpbfpka.exe 4676 Neccpd32.exe 3688 Nlnkmnah.exe 2368 Nefped32.exe 3888 Nlphbnoe.exe 1732 Oidhlb32.exe 2260 Ohghgodi.exe 2716 Oekiqccc.exe 4860 Oldamm32.exe 4812 Ohkbbn32.exe 2168 Okjnnj32.exe 3544 Olijhmgj.exe 4036 Pllgnl32.exe 5024 Pahpfc32.exe 3780 Polppg32.exe 1384 Pamiaboj.exe 2396 Plbmokop.exe 4588 Papfgbmg.exe 4384 Phincl32.exe 812 Pcobaedj.exe 2300 Qlggjk32.exe 4148 Qcaofebg.exe 2272 Qljcoj32.exe 2308 Ajndioga.exe 4640 Akoqpg32.exe 3364 Aojlaeei.exe 1372 Aaiimadl.exe 4204 Alnmjjdb.exe 3996 Achegd32.exe 3928 Aakebqbj.exe 2408 Ahenokjf.exe 3196 Ajdjin32.exe 4680 Abponp32.exe 916 Akhcfe32.exe 1672 Abbkcpma.exe 4516 Bfngdn32.exe 400 Boflmdkk.exe 4060 Bohibc32.exe 2292 Bbgeno32.exe 5008 Bcfahbpo.exe 184 Bbiado32.exe 1652 Bkafmd32.exe 2116 Bblnindg.exe 1360 Bkdcbd32.exe 5044 Cjecpkcg.exe 3968 Ccmgiaig.exe 4288 Cbphdn32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Hlepcdoa.exeLcgpni32.exeMifljdjo.exeEiobceef.exeHdjbiheb.exeLjfhqh32.exeNjmhhefi.exeFlmqlg32.exeNcabfkqo.exePldcjeia.exeHpqldc32.exeIinjhh32.exePmpolgoi.exeAagkhd32.exeConanfli.exe486ec3d5c829c7ed63e3be2e198c5845ce823a6a7457280dcbc1a68ac3abafdf.exeNbnpcj32.exePamiaboj.exeGpqjglii.exeHpnoncim.exeMqafhl32.exeDnmaea32.exeAlnmjjdb.exeCioilg32.exeGfheof32.exeKmfhkf32.exePlkpcfal.exeAhmjjoig.exeBoldhf32.exeNlnkmnah.exeJcikgacl.exeLjclki32.exeBebjdgmj.exeLlmhaold.exePlpjoe32.exeJphkkpbp.exeLeopnglc.exeBbgeno32.exeBcfahbpo.exeMnmdme32.exeCglbhhga.exeBdmmeo32.exePahpfc32.exeAojlaeei.exeDjhimica.exeNccokk32.exeOeokal32.exePkpmdbfd.exeOhkbbn32.exeHildmn32.exeMjdebfnd.exeCkjbhmad.exeNlhkgi32.exeEiokinbk.exeKckqbj32.exeLopmii32.exeQacameaj.exeCgqlcg32.exeFiaael32.exedescription ioc Process File opened for modification C:\Windows\SysWOW64\Hpqldc32.exe Hlepcdoa.exe File created C:\Windows\SysWOW64\Bfnikd32.dll Lcgpni32.exe File opened for modification C:\Windows\SysWOW64\Mldhfpib.exe Mifljdjo.exe File created C:\Windows\SysWOW64\Fhffdban.dll Eiobceef.exe File opened for modification C:\Windows\SysWOW64\Hginecde.exe Hdjbiheb.exe File opened for modification C:\Windows\SysWOW64\Lcnmin32.exe Ljfhqh32.exe File created C:\Windows\SysWOW64\Nnicid32.exe Njmhhefi.exe File opened for modification C:\Windows\SysWOW64\Ffceip32.exe Flmqlg32.exe File created C:\Windows\SysWOW64\Ehqkihfg.dll Ncabfkqo.exe File created C:\Windows\SysWOW64\Pkgcea32.exe Pldcjeia.exe File opened for modification C:\Windows\SysWOW64\Hmdlmg32.exe Hpqldc32.exe File created C:\Windows\SysWOW64\Imkbnf32.exe Iinjhh32.exe File created C:\Windows\SysWOW64\Pdjgha32.exe Pmpolgoi.exe File opened for modification C:\Windows\SysWOW64\Ahaceo32.exe Aagkhd32.exe File created C:\Windows\SysWOW64\Hnflfgji.dll Conanfli.exe File opened for modification C:\Windows\SysWOW64\Leopnglc.exe 486ec3d5c829c7ed63e3be2e198c5845ce823a6a7457280dcbc1a68ac3abafdf.exe File created C:\Windows\SysWOW64\Cbgpnkdm.dll Nbnpcj32.exe File opened for modification C:\Windows\SysWOW64\Plbmokop.exe Pamiaboj.exe File created C:\Windows\SysWOW64\Jbfadafe.dll Gpqjglii.exe File opened for modification C:\Windows\SysWOW64\Hoaojp32.exe Hpnoncim.exe File opened for modification C:\Windows\SysWOW64\Modgdicm.exe Mqafhl32.exe File created C:\Windows\SysWOW64\Ddgibkpc.exe Dnmaea32.exe File created C:\Windows\SysWOW64\Achegd32.exe Alnmjjdb.exe File created C:\Windows\SysWOW64\Mgdkaadn.dll Cioilg32.exe File opened for modification C:\Windows\SysWOW64\Glengm32.exe Gfheof32.exe File opened for modification C:\Windows\SysWOW64\Kdmqmc32.exe Kmfhkf32.exe File created C:\Windows\SysWOW64\Gmnala32.dll Plkpcfal.exe File opened for modification C:\Windows\SysWOW64\Akkffkhk.exe Ahmjjoig.exe File opened for modification C:\Windows\SysWOW64\Bajqda32.exe Boldhf32.exe File created C:\Windows\SysWOW64\Pkhnpc32.dll Nlnkmnah.exe File created C:\Windows\SysWOW64\Ijnmaj32.dll Pamiaboj.exe File created C:\Windows\SysWOW64\Hdjgko32.dll Jcikgacl.exe File created C:\Windows\SysWOW64\Lmbhgd32.exe Ljclki32.exe File created C:\Windows\SysWOW64\Hhhdjbno.dll Bebjdgmj.exe File created C:\Windows\SysWOW64\Lokdnjkg.exe Llmhaold.exe File created C:\Windows\SysWOW64\Dapnbcqo.dll Plpjoe32.exe File opened for modification C:\Windows\SysWOW64\Jedccfqg.exe Jphkkpbp.exe File created C:\Windows\SysWOW64\Jhcnob32.dll 486ec3d5c829c7ed63e3be2e198c5845ce823a6a7457280dcbc1a68ac3abafdf.exe File created C:\Windows\SysWOW64\Cpchnbbb.dll Leopnglc.exe File created C:\Windows\SysWOW64\Bcfahbpo.exe Bbgeno32.exe File created C:\Windows\SysWOW64\Fdflahpe.dll Bcfahbpo.exe File opened for modification C:\Windows\SysWOW64\Ebjcajjd.exe Eiobceef.exe File opened for modification C:\Windows\SysWOW64\Mmpdhboj.exe Mnmdme32.exe File created C:\Windows\SysWOW64\Caageq32.exe Cglbhhga.exe File opened for modification C:\Windows\SysWOW64\Bgkiaj32.exe Bdmmeo32.exe File created C:\Windows\SysWOW64\Polppg32.exe Pahpfc32.exe File created C:\Windows\SysWOW64\Acigfpbp.dll Aojlaeei.exe File created C:\Windows\SysWOW64\Dlieda32.exe Djhimica.exe File created C:\Windows\SysWOW64\Ljhpog32.dll Nccokk32.exe File created C:\Windows\SysWOW64\Okkdic32.exe Oeokal32.exe File created C:\Windows\SysWOW64\Hnnhejgh.dll Pkpmdbfd.exe File opened for modification C:\Windows\SysWOW64\Okjnnj32.exe Ohkbbn32.exe File created C:\Windows\SysWOW64\Idahjg32.exe Hildmn32.exe File opened for modification C:\Windows\SysWOW64\Manmoq32.exe Mjdebfnd.exe File created C:\Windows\SysWOW64\Cohkokgj.exe Ckjbhmad.exe File opened for modification C:\Windows\SysWOW64\Njkkbehl.exe Nlhkgi32.exe File opened for modification C:\Windows\SysWOW64\Ekmhejao.exe Eiokinbk.exe File opened for modification C:\Windows\SysWOW64\Kgflcifg.exe Kckqbj32.exe File opened for modification C:\Windows\SysWOW64\Lckiihok.exe Lopmii32.exe File created C:\Windows\SysWOW64\Ahmjjoig.exe Qacameaj.exe File created C:\Windows\SysWOW64\Cnjdpaki.exe Cgqlcg32.exe File created C:\Windows\SysWOW64\Fnnjmbpm.exe Fiaael32.exe File created C:\Windows\SysWOW64\Fdahdiml.dll Iinjhh32.exe File opened for modification C:\Windows\SysWOW64\Lfeljd32.exe Lcgpni32.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target Process procid_target 11572 11360 WerFault.exe 595 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Lopmii32.exeNlnkmnah.exePapfgbmg.exeGjfnedho.exeDbicpfdk.exeDfiildio.exeDigehphc.exeEnpmld32.exeEleepoob.exeHlambk32.exeIkkpgafg.exeCbpajgmf.exeJgpmmp32.exeNjinmf32.exeGikkfqmf.exeQhkdof32.exeFpejlmcf.exeGdjibj32.exeGmafajfi.exeMnegbp32.exeCjecpkcg.exeKdmqmc32.exeLfgipd32.exeBahdob32.exeBblnindg.exeLdipha32.exeCamddhoi.exeHiiggoaf.exeNmkmjjaa.exeMnlnbl32.exeNclikl32.exePlpjoe32.exeImpliekg.exeNqbpojnp.exeJdfjld32.exeLmgabcge.exeBdojjo32.exeFflohaij.exeMaeachag.exeIepaaico.exePdenmbkk.exePanhbfep.exeCkilmcgb.exePnkbkk32.exeBddcenpi.exeGpqjglii.exeNhokljge.exeNdflak32.exeOmqmop32.exeOplfkeob.exeAmcehdod.exeBmeandma.exeOldjcg32.exeOffnhpfo.exeBgkiaj32.exeChdialdl.exeMahnhhod.exePhincl32.exeEjchhgid.exeFipkjb32.exeGlengm32.exeManmoq32.exeOkkdic32.exeGphphj32.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lopmii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlnkmnah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Papfgbmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjfnedho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbicpfdk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfiildio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Digehphc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enpmld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eleepoob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlambk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikkpgafg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbpajgmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgpmmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njinmf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gikkfqmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhkdof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpejlmcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdjibj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmafajfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnegbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjecpkcg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdmqmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfgipd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bahdob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bblnindg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldipha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Camddhoi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hiiggoaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmkmjjaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnlnbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nclikl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plpjoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Impliekg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqbpojnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdfjld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmgabcge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdojjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fflohaij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Maeachag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iepaaico.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdenmbkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Panhbfep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckilmcgb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnkbkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bddcenpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpqjglii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhokljge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndflak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omqmop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oplfkeob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amcehdod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmeandma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oldjcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Offnhpfo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgkiaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chdialdl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mahnhhod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phincl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejchhgid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fipkjb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glengm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Manmoq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okkdic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gphphj32.exe -
Modifies registry class 64 IoCs
Processes:
Hpnoncim.exeLopmii32.exeOpeiadfg.exePhincl32.exeEkmhejao.exeNapjdpcn.exeAnobgl32.exeEeelnp32.exeImkbnf32.exeLnldla32.exeAmcehdod.exeOhkbbn32.exeLmmolepp.exeJdmgfedl.exeLomqcjie.exeAokkahlo.exeBdojjo32.exePahpfc32.exeCjecpkcg.exeGmdjapgb.exeKlfaapbl.exeLnjgfb32.exeLmaamn32.exeAkkffkhk.exeNlnkmnah.exeBohibc32.exeBheplb32.exeGfeaopqo.exeCgqlcg32.exePcobaedj.exePkpmdbfd.exeCocacl32.exeGfodeohd.exeHolfoqcm.exeKfpcoefj.exePdfehh32.exeLjobpiql.exeQoelkp32.exeNqbpojnp.exeAdhdjpjf.exeDjelgied.exeNlhkgi32.exeNjkkbehl.exeGbeejp32.exeJmeede32.exeKpjgaoqm.exeNjmhhefi.exePlpjoe32.exeMnegbp32.exe486ec3d5c829c7ed63e3be2e198c5845ce823a6a7457280dcbc1a68ac3abafdf.exeAojlaeei.exeAlnmjjdb.exeBkdcbd32.exeCbpajgmf.exeKjjbjd32.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpnoncim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lopmii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Opeiadfg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phincl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ekmhejao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Napjdpcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anobgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfbdfl32.dll" Eeelnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Imkbnf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lnldla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amcehdod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjecoi32.dll" Ohkbbn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmmolepp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jdmgfedl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lomqcjie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aokkahlo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amcehdod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdojjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pahpfc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjecpkcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmdjapgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Klfaapbl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lnjgfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmaamn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Akkffkhk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlnkmnah.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bohibc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chnidloo.dll" Bheplb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gfeaopqo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgqlcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohkbbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pcobaedj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkpmdbfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eadhip32.dll" Cocacl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqdmimbf.dll" Gfodeohd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjmdlh32.dll" Holfoqcm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kfpcoefj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pahpfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdfehh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljobpiql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbecoe32.dll" Qoelkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aknhkd32.dll" Gfeaopqo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lnldla32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nqbpojnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chnpamkc.dll" Adhdjpjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djelgied.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flafeh32.dll" Jdmgfedl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gehcdm32.dll" Nlhkgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhffmd32.dll" Njkkbehl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbeejp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adfonlkp.dll" Jmeede32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgqlcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjecpkcg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djelgied.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpjgaoqm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njmhhefi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Plpjoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpkbnj32.dll" Mnegbp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 486ec3d5c829c7ed63e3be2e198c5845ce823a6a7457280dcbc1a68ac3abafdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aojlaeei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Alnmjjdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkdcbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cbpajgmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhlpmmgb.dll" Kjjbjd32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
486ec3d5c829c7ed63e3be2e198c5845ce823a6a7457280dcbc1a68ac3abafdf.exeLeopnglc.exeMngegmbc.exeMaeachag.exeMahnhhod.exeMlmbfqoj.exeMnlnbl32.exeMnnkgl32.exeMicoed32.exeMlbkap32.exeMifljdjo.exeMldhfpib.exeNbnpcj32.exeNlfelogp.exeNijeec32.exeNliaao32.exeNafjjf32.exeNimbkc32.exeNhpbfpka.exeNeccpd32.exeNlnkmnah.exeNefped32.exedescription pid Process procid_target PID 3164 wrote to memory of 844 3164 486ec3d5c829c7ed63e3be2e198c5845ce823a6a7457280dcbc1a68ac3abafdf.exe 82 PID 3164 wrote to memory of 844 3164 486ec3d5c829c7ed63e3be2e198c5845ce823a6a7457280dcbc1a68ac3abafdf.exe 82 PID 3164 wrote to memory of 844 3164 486ec3d5c829c7ed63e3be2e198c5845ce823a6a7457280dcbc1a68ac3abafdf.exe 82 PID 844 wrote to memory of 3284 844 Leopnglc.exe 83 PID 844 wrote to memory of 3284 844 Leopnglc.exe 83 PID 844 wrote to memory of 3284 844 Leopnglc.exe 83 PID 3284 wrote to memory of 2592 3284 Mngegmbc.exe 84 PID 3284 wrote to memory of 2592 3284 Mngegmbc.exe 84 PID 3284 wrote to memory of 2592 3284 Mngegmbc.exe 84 PID 2592 wrote to memory of 3340 2592 Maeachag.exe 85 PID 2592 wrote to memory of 3340 2592 Maeachag.exe 85 PID 2592 wrote to memory of 3340 2592 Maeachag.exe 85 PID 3340 wrote to memory of 4780 3340 Mahnhhod.exe 86 PID 3340 wrote to memory of 4780 3340 Mahnhhod.exe 86 PID 3340 wrote to memory of 4780 3340 Mahnhhod.exe 86 PID 4780 wrote to memory of 4460 4780 Mlmbfqoj.exe 87 PID 4780 wrote to memory of 4460 4780 Mlmbfqoj.exe 87 PID 4780 wrote to memory of 4460 4780 Mlmbfqoj.exe 87 PID 4460 wrote to memory of 1496 4460 Mnlnbl32.exe 88 PID 4460 wrote to memory of 1496 4460 Mnlnbl32.exe 88 PID 4460 wrote to memory of 1496 4460 Mnlnbl32.exe 88 PID 1496 wrote to memory of 3680 1496 Mnnkgl32.exe 89 PID 1496 wrote to memory of 3680 1496 Mnnkgl32.exe 89 PID 1496 wrote to memory of 3680 1496 Mnnkgl32.exe 89 PID 3680 wrote to memory of 2100 3680 Micoed32.exe 90 PID 3680 wrote to memory of 2100 3680 Micoed32.exe 90 PID 3680 wrote to memory of 2100 3680 Micoed32.exe 90 PID 2100 wrote to memory of 2908 2100 Mlbkap32.exe 91 PID 2100 wrote to memory of 2908 2100 Mlbkap32.exe 91 PID 2100 wrote to memory of 2908 2100 Mlbkap32.exe 91 PID 2908 wrote to memory of 212 2908 Mifljdjo.exe 92 PID 2908 wrote to memory of 212 2908 Mifljdjo.exe 92 PID 2908 wrote to memory of 212 2908 Mifljdjo.exe 92 PID 212 wrote to memory of 2800 212 Mldhfpib.exe 93 PID 212 wrote to memory of 2800 212 Mldhfpib.exe 93 PID 212 wrote to memory of 2800 212 Mldhfpib.exe 93 PID 2800 wrote to memory of 4332 2800 Nbnpcj32.exe 94 PID 2800 wrote to memory of 4332 2800 Nbnpcj32.exe 94 PID 2800 wrote to memory of 4332 2800 Nbnpcj32.exe 94 PID 4332 wrote to memory of 3724 4332 Nlfelogp.exe 95 PID 4332 wrote to memory of 3724 4332 Nlfelogp.exe 95 PID 4332 wrote to memory of 3724 4332 Nlfelogp.exe 95 PID 3724 wrote to memory of 1068 3724 Nijeec32.exe 96 PID 3724 wrote to memory of 1068 3724 Nijeec32.exe 96 PID 3724 wrote to memory of 1068 3724 Nijeec32.exe 96 PID 1068 wrote to memory of 4512 1068 Nliaao32.exe 97 PID 1068 wrote to memory of 4512 1068 Nliaao32.exe 97 PID 1068 wrote to memory of 4512 1068 Nliaao32.exe 97 PID 4512 wrote to memory of 5012 4512 Nafjjf32.exe 98 PID 4512 wrote to memory of 5012 4512 Nafjjf32.exe 98 PID 4512 wrote to memory of 5012 4512 Nafjjf32.exe 98 PID 5012 wrote to memory of 3752 5012 Nimbkc32.exe 99 PID 5012 wrote to memory of 3752 5012 Nimbkc32.exe 99 PID 5012 wrote to memory of 3752 5012 Nimbkc32.exe 99 PID 3752 wrote to memory of 4676 3752 Nhpbfpka.exe 100 PID 3752 wrote to memory of 4676 3752 Nhpbfpka.exe 100 PID 3752 wrote to memory of 4676 3752 Nhpbfpka.exe 100 PID 4676 wrote to memory of 3688 4676 Neccpd32.exe 101 PID 4676 wrote to memory of 3688 4676 Neccpd32.exe 101 PID 4676 wrote to memory of 3688 4676 Neccpd32.exe 101 PID 3688 wrote to memory of 2368 3688 Nlnkmnah.exe 102 PID 3688 wrote to memory of 2368 3688 Nlnkmnah.exe 102 PID 3688 wrote to memory of 2368 3688 Nlnkmnah.exe 102 PID 2368 wrote to memory of 3888 2368 Nefped32.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\486ec3d5c829c7ed63e3be2e198c5845ce823a6a7457280dcbc1a68ac3abafdf.exe"C:\Users\Admin\AppData\Local\Temp\486ec3d5c829c7ed63e3be2e198c5845ce823a6a7457280dcbc1a68ac3abafdf.exe"1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3164 -
C:\Windows\SysWOW64\Leopnglc.exeC:\Windows\system32\Leopnglc.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:844 -
C:\Windows\SysWOW64\Mngegmbc.exeC:\Windows\system32\Mngegmbc.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3284 -
C:\Windows\SysWOW64\Maeachag.exeC:\Windows\system32\Maeachag.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\Mahnhhod.exeC:\Windows\system32\Mahnhhod.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3340 -
C:\Windows\SysWOW64\Mlmbfqoj.exeC:\Windows\system32\Mlmbfqoj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4780 -
C:\Windows\SysWOW64\Mnlnbl32.exeC:\Windows\system32\Mnlnbl32.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4460 -
C:\Windows\SysWOW64\Mnnkgl32.exeC:\Windows\system32\Mnnkgl32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1496 -
C:\Windows\SysWOW64\Micoed32.exeC:\Windows\system32\Micoed32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3680 -
C:\Windows\SysWOW64\Mlbkap32.exeC:\Windows\system32\Mlbkap32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\SysWOW64\Mifljdjo.exeC:\Windows\system32\Mifljdjo.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Mldhfpib.exeC:\Windows\system32\Mldhfpib.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:212 -
C:\Windows\SysWOW64\Nbnpcj32.exeC:\Windows\system32\Nbnpcj32.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\SysWOW64\Nlfelogp.exeC:\Windows\system32\Nlfelogp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4332 -
C:\Windows\SysWOW64\Nijeec32.exeC:\Windows\system32\Nijeec32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3724 -
C:\Windows\SysWOW64\Nliaao32.exeC:\Windows\system32\Nliaao32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1068 -
C:\Windows\SysWOW64\Nafjjf32.exeC:\Windows\system32\Nafjjf32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4512 -
C:\Windows\SysWOW64\Nimbkc32.exeC:\Windows\system32\Nimbkc32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012 -
C:\Windows\SysWOW64\Nhpbfpka.exeC:\Windows\system32\Nhpbfpka.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3752 -
C:\Windows\SysWOW64\Neccpd32.exeC:\Windows\system32\Neccpd32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4676 -
C:\Windows\SysWOW64\Nlnkmnah.exeC:\Windows\system32\Nlnkmnah.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3688 -
C:\Windows\SysWOW64\Nefped32.exeC:\Windows\system32\Nefped32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\SysWOW64\Nlphbnoe.exeC:\Windows\system32\Nlphbnoe.exe23⤵
- Executes dropped EXE
PID:3888 -
C:\Windows\SysWOW64\Oidhlb32.exeC:\Windows\system32\Oidhlb32.exe24⤵
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\Ohghgodi.exeC:\Windows\system32\Ohghgodi.exe25⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Oekiqccc.exeC:\Windows\system32\Oekiqccc.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Oldamm32.exeC:\Windows\system32\Oldamm32.exe27⤵
- Executes dropped EXE
PID:4860 -
C:\Windows\SysWOW64\Ohkbbn32.exeC:\Windows\system32\Ohkbbn32.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4812 -
C:\Windows\SysWOW64\Okjnnj32.exeC:\Windows\system32\Okjnnj32.exe29⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Olijhmgj.exeC:\Windows\system32\Olijhmgj.exe30⤵
- Executes dropped EXE
PID:3544 -
C:\Windows\SysWOW64\Pllgnl32.exeC:\Windows\system32\Pllgnl32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4036 -
C:\Windows\SysWOW64\Pahpfc32.exeC:\Windows\system32\Pahpfc32.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5024 -
C:\Windows\SysWOW64\Polppg32.exeC:\Windows\system32\Polppg32.exe33⤵
- Executes dropped EXE
PID:3780 -
C:\Windows\SysWOW64\Pamiaboj.exeC:\Windows\system32\Pamiaboj.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1384 -
C:\Windows\SysWOW64\Plbmokop.exeC:\Windows\system32\Plbmokop.exe35⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Papfgbmg.exeC:\Windows\system32\Papfgbmg.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4588 -
C:\Windows\SysWOW64\Phincl32.exeC:\Windows\system32\Phincl32.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4384 -
C:\Windows\SysWOW64\Pcobaedj.exeC:\Windows\system32\Pcobaedj.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:812 -
C:\Windows\SysWOW64\Qlggjk32.exeC:\Windows\system32\Qlggjk32.exe39⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Qcaofebg.exeC:\Windows\system32\Qcaofebg.exe40⤵
- Executes dropped EXE
PID:4148 -
C:\Windows\SysWOW64\Qljcoj32.exeC:\Windows\system32\Qljcoj32.exe41⤵
- Executes dropped EXE
PID:2272 -
C:\Windows\SysWOW64\Ajndioga.exeC:\Windows\system32\Ajndioga.exe42⤵
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Akoqpg32.exeC:\Windows\system32\Akoqpg32.exe43⤵
- Executes dropped EXE
PID:4640 -
C:\Windows\SysWOW64\Aojlaeei.exeC:\Windows\system32\Aojlaeei.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3364 -
C:\Windows\SysWOW64\Aaiimadl.exeC:\Windows\system32\Aaiimadl.exe45⤵
- Executes dropped EXE
PID:1372 -
C:\Windows\SysWOW64\Alnmjjdb.exeC:\Windows\system32\Alnmjjdb.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4204 -
C:\Windows\SysWOW64\Achegd32.exeC:\Windows\system32\Achegd32.exe47⤵
- Executes dropped EXE
PID:3996 -
C:\Windows\SysWOW64\Aakebqbj.exeC:\Windows\system32\Aakebqbj.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3928 -
C:\Windows\SysWOW64\Ahenokjf.exeC:\Windows\system32\Ahenokjf.exe49⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Ajdjin32.exeC:\Windows\system32\Ajdjin32.exe50⤵
- Executes dropped EXE
PID:3196 -
C:\Windows\SysWOW64\Abponp32.exeC:\Windows\system32\Abponp32.exe51⤵
- Executes dropped EXE
PID:4680 -
C:\Windows\SysWOW64\Akhcfe32.exeC:\Windows\system32\Akhcfe32.exe52⤵
- Executes dropped EXE
PID:916 -
C:\Windows\SysWOW64\Abbkcpma.exeC:\Windows\system32\Abbkcpma.exe53⤵
- Executes dropped EXE
PID:1672 -
C:\Windows\SysWOW64\Bfngdn32.exeC:\Windows\system32\Bfngdn32.exe54⤵
- Executes dropped EXE
PID:4516 -
C:\Windows\SysWOW64\Boflmdkk.exeC:\Windows\system32\Boflmdkk.exe55⤵
- Executes dropped EXE
PID:400 -
C:\Windows\SysWOW64\Bohibc32.exeC:\Windows\system32\Bohibc32.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:4060 -
C:\Windows\SysWOW64\Bbgeno32.exeC:\Windows\system32\Bbgeno32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2292 -
C:\Windows\SysWOW64\Bcfahbpo.exeC:\Windows\system32\Bcfahbpo.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5008 -
C:\Windows\SysWOW64\Bbiado32.exeC:\Windows\system32\Bbiado32.exe59⤵
- Executes dropped EXE
PID:184 -
C:\Windows\SysWOW64\Bkafmd32.exeC:\Windows\system32\Bkafmd32.exe60⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Bblnindg.exeC:\Windows\system32\Bblnindg.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2116 -
C:\Windows\SysWOW64\Bkdcbd32.exeC:\Windows\system32\Bkdcbd32.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:1360 -
C:\Windows\SysWOW64\Cjecpkcg.exeC:\Windows\system32\Cjecpkcg.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5044 -
C:\Windows\SysWOW64\Ccmgiaig.exeC:\Windows\system32\Ccmgiaig.exe64⤵
- Executes dropped EXE
PID:3968 -
C:\Windows\SysWOW64\Cbphdn32.exeC:\Windows\system32\Cbphdn32.exe65⤵
- Executes dropped EXE
PID:4288 -
C:\Windows\SysWOW64\Ckilmcgb.exeC:\Windows\system32\Ckilmcgb.exe66⤵
- System Location Discovery: System Language Discovery
PID:2852 -
C:\Windows\SysWOW64\Cbbdjm32.exeC:\Windows\system32\Cbbdjm32.exe67⤵PID:3552
-
C:\Windows\SysWOW64\Cbeapmll.exeC:\Windows\system32\Cbeapmll.exe68⤵PID:3168
-
C:\Windows\SysWOW64\Cioilg32.exeC:\Windows\system32\Cioilg32.exe69⤵
- Drops file in System32 directory
PID:1828 -
C:\Windows\SysWOW64\Coknoaic.exeC:\Windows\system32\Coknoaic.exe70⤵PID:948
-
C:\Windows\SysWOW64\Dbjkkl32.exeC:\Windows\system32\Dbjkkl32.exe71⤵PID:4584
-
C:\Windows\SysWOW64\Dmoohe32.exeC:\Windows\system32\Dmoohe32.exe72⤵PID:3620
-
C:\Windows\SysWOW64\Dkbocbog.exeC:\Windows\system32\Dkbocbog.exe73⤵PID:4896
-
C:\Windows\SysWOW64\Difpmfna.exeC:\Windows\system32\Difpmfna.exe74⤵PID:3768
-
C:\Windows\SysWOW64\Djelgied.exeC:\Windows\system32\Djelgied.exe75⤵
- Modifies registry class
PID:768 -
C:\Windows\SysWOW64\Djhimica.exeC:\Windows\system32\Djhimica.exe76⤵
- Drops file in System32 directory
PID:4852 -
C:\Windows\SysWOW64\Dlieda32.exeC:\Windows\system32\Dlieda32.exe77⤵PID:1952
-
C:\Windows\SysWOW64\Efafgifc.exeC:\Windows\system32\Efafgifc.exe78⤵PID:4496
-
C:\Windows\SysWOW64\Eiobceef.exeC:\Windows\system32\Eiobceef.exe79⤵
- Drops file in System32 directory
PID:3360 -
C:\Windows\SysWOW64\Ebjcajjd.exeC:\Windows\system32\Ebjcajjd.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:912 -
C:\Windows\SysWOW64\Emphocjj.exeC:\Windows\system32\Emphocjj.exe81⤵PID:1244
-
C:\Windows\SysWOW64\Ejchhgid.exeC:\Windows\system32\Ejchhgid.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:3160 -
C:\Windows\SysWOW64\Eleepoob.exeC:\Windows\system32\Eleepoob.exe83⤵
- System Location Discovery: System Language Discovery
PID:2152 -
C:\Windows\SysWOW64\Eiieicml.exeC:\Windows\system32\Eiieicml.exe84⤵PID:4732
-
C:\Windows\SysWOW64\Ffmfchle.exeC:\Windows\system32\Ffmfchle.exe85⤵PID:4220
-
C:\Windows\SysWOW64\Fpejlmcf.exeC:\Windows\system32\Fpejlmcf.exe86⤵
- System Location Discovery: System Language Discovery
PID:4372 -
C:\Windows\SysWOW64\Fimodc32.exeC:\Windows\system32\Fimodc32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:840 -
C:\Windows\SysWOW64\Fbfcmhpg.exeC:\Windows\system32\Fbfcmhpg.exe88⤵PID:3696
-
C:\Windows\SysWOW64\Fipkjb32.exeC:\Windows\system32\Fipkjb32.exe89⤵
- System Location Discovery: System Language Discovery
PID:2520 -
C:\Windows\SysWOW64\Ffclcgfn.exeC:\Windows\system32\Ffclcgfn.exe90⤵PID:680
-
C:\Windows\SysWOW64\Fibhpbea.exeC:\Windows\system32\Fibhpbea.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:552 -
C:\Windows\SysWOW64\Fdglmkeg.exeC:\Windows\system32\Fdglmkeg.exe92⤵PID:1088
-
C:\Windows\SysWOW64\Fjadje32.exeC:\Windows\system32\Fjadje32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3584 -
C:\Windows\SysWOW64\Fideeaco.exeC:\Windows\system32\Fideeaco.exe94⤵PID:3312
-
C:\Windows\SysWOW64\Gdjibj32.exeC:\Windows\system32\Gdjibj32.exe95⤵
- System Location Discovery: System Language Discovery
PID:4844 -
C:\Windows\SysWOW64\Gfheof32.exeC:\Windows\system32\Gfheof32.exe96⤵
- Drops file in System32 directory
PID:3712 -
C:\Windows\SysWOW64\Glengm32.exeC:\Windows\system32\Glengm32.exe97⤵
- System Location Discovery: System Language Discovery
PID:1520 -
C:\Windows\SysWOW64\Gpqjglii.exeC:\Windows\system32\Gpqjglii.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2392 -
C:\Windows\SysWOW64\Gjfnedho.exeC:\Windows\system32\Gjfnedho.exe99⤵
- System Location Discovery: System Language Discovery
PID:4224 -
C:\Windows\SysWOW64\Gmdjapgb.exeC:\Windows\system32\Gmdjapgb.exe100⤵
- Modifies registry class
PID:3456 -
C:\Windows\SysWOW64\Gdobnj32.exeC:\Windows\system32\Gdobnj32.exe101⤵PID:1456
-
C:\Windows\SysWOW64\Gikkfqmf.exeC:\Windows\system32\Gikkfqmf.exe102⤵
- System Location Discovery: System Language Discovery
PID:3912 -
C:\Windows\SysWOW64\Gpecbk32.exeC:\Windows\system32\Gpecbk32.exe103⤵PID:4392
-
C:\Windows\SysWOW64\Gfokoelp.exeC:\Windows\system32\Gfokoelp.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1300 -
C:\Windows\SysWOW64\Gingkqkd.exeC:\Windows\system32\Gingkqkd.exe105⤵PID:4072
-
C:\Windows\SysWOW64\Gphphj32.exeC:\Windows\system32\Gphphj32.exe106⤵
- System Location Discovery: System Language Discovery
PID:3148 -
C:\Windows\SysWOW64\Gbfldf32.exeC:\Windows\system32\Gbfldf32.exe107⤵PID:4608
-
C:\Windows\SysWOW64\Gkmdecbg.exeC:\Windows\system32\Gkmdecbg.exe108⤵PID:4296
-
C:\Windows\SysWOW64\Hpjmnjqn.exeC:\Windows\system32\Hpjmnjqn.exe109⤵PID:2420
-
C:\Windows\SysWOW64\Hbhijepa.exeC:\Windows\system32\Hbhijepa.exe110⤵PID:4152
-
C:\Windows\SysWOW64\Hibafp32.exeC:\Windows\system32\Hibafp32.exe111⤵PID:216
-
C:\Windows\SysWOW64\Hlambk32.exeC:\Windows\system32\Hlambk32.exe112⤵
- System Location Discovery: System Language Discovery
PID:2996 -
C:\Windows\SysWOW64\Hdhedh32.exeC:\Windows\system32\Hdhedh32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3548 -
C:\Windows\SysWOW64\Hgfapd32.exeC:\Windows\system32\Hgfapd32.exe114⤵PID:5144
-
C:\Windows\SysWOW64\Hpofii32.exeC:\Windows\system32\Hpofii32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5188 -
C:\Windows\SysWOW64\Hdjbiheb.exeC:\Windows\system32\Hdjbiheb.exe116⤵
- Drops file in System32 directory
PID:5232 -
C:\Windows\SysWOW64\Hginecde.exeC:\Windows\system32\Hginecde.exe117⤵PID:5276
-
C:\Windows\SysWOW64\Hlegnjbm.exeC:\Windows\system32\Hlegnjbm.exe118⤵PID:5320
-
C:\Windows\SysWOW64\Hcpojd32.exeC:\Windows\system32\Hcpojd32.exe119⤵PID:5364
-
C:\Windows\SysWOW64\Hiiggoaf.exeC:\Windows\system32\Hiiggoaf.exe120⤵
- System Location Discovery: System Language Discovery
PID:5408 -
C:\Windows\SysWOW64\Hlhccj32.exeC:\Windows\system32\Hlhccj32.exe121⤵PID:5452
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-