Analysis
-
max time kernel
92s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
01-12-2024 18:56
Behavioral task
behavioral1
Sample
7ba706d67406e10cc1537be0c83d0b9ea98af1376cd084ec828ca8bfbe8d933a.exe
Resource
win7-20240903-en
windows7-x64
13 signatures
120 seconds
Behavioral task
behavioral2
Sample
7ba706d67406e10cc1537be0c83d0b9ea98af1376cd084ec828ca8bfbe8d933a.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
14 signatures
120 seconds
General
-
Target
7ba706d67406e10cc1537be0c83d0b9ea98af1376cd084ec828ca8bfbe8d933a.exe
-
Size
163KB
-
MD5
a9055caa7e11747361ccba5d17f67909
-
SHA1
368d7ba2e0a2ee13bafb8f7435070c754ee10c51
-
SHA256
7ba706d67406e10cc1537be0c83d0b9ea98af1376cd084ec828ca8bfbe8d933a
-
SHA512
37cceed3e5248c4548dcacfffd4cf314c665099ed506cea230f473e8fb2431de1403f2334de448169e5775c93846c0cb60ae874e21842ddd465acda6617b9589
-
SSDEEP
1536:PdOcprYXI0ET1xkcFLmWU4ZtyEslProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVUA:rpyI0cXfLmWHCEsltOrWKDBr+yJbA
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Extracted
Family
gozi
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Njhgbp32.exeAaenbd32.exeIiopca32.exeCancekeo.exeDkokcl32.exeFbjmhh32.exeBaadiiif.exeFinnef32.exeNoblkqca.exeDgbanq32.exeFmhdkknd.exeOjfcdnjc.exeCigkdmel.exeGjdaodja.exeGncchb32.exeGpbpbecj.exeLgibpf32.exeMqimikfj.exeAfcmfe32.exeEcdbop32.exeLnmkfh32.exePaelfmaf.exeGbnoiqdq.exeIgdgglfl.exeLpfgmnfp.exeEojiqb32.exeNqcejcha.exeOckdmmoj.exeGlldgljg.exeGimqajgh.exeHoclopne.exeBgbpaipl.exeChnlgjlb.exeHemmac32.exeJoqafgni.exeJnlbojee.exeOfmdio32.exeDggbcf32.exeEiekog32.exeBphqji32.exePalbgl32.exeNfcabp32.exeNcabfkqo.exeJinboekc.exeBajqda32.exeDqnjgl32.exeBipecnkd.exeOlanmgig.exeGpgind32.exeNpbceggm.exePfiddm32.exeCgnomg32.exeEaceghcg.exeJlgepanl.exeJlgoek32.exeIpoopgnf.exeNncccnol.exeFcneeo32.exeFmpqfq32.exeKqmkae32.exeOhkkhhmh.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njhgbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aaenbd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iiopca32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cancekeo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkokcl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbjmhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Baadiiif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkokcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Finnef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Noblkqca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgbanq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmhdkknd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojfcdnjc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cigkdmel.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjdaodja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gncchb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpbpbecj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgibpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mqimikfj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afcmfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecdbop32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnmkfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Paelfmaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbnoiqdq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igdgglfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpfgmnfp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eojiqb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqcejcha.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ockdmmoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glldgljg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gimqajgh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hoclopne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgbpaipl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chnlgjlb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hemmac32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joqafgni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnlbojee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofmdio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dggbcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eiekog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bphqji32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Palbgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfcabp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glldgljg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncabfkqo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jinboekc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bajqda32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dqnjgl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bipecnkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olanmgig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpgind32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgibpf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npbceggm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfiddm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgnomg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eaceghcg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlgepanl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlgoek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipoopgnf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nncccnol.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcneeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmpqfq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kqmkae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohkkhhmh.exe -
Berbew family
-
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
-
Bruteratel family
-
Detect BruteRatel badger 1 IoCs
Processes:
resource yara_rule behavioral2/files/0x00070000000240e2-3148.dat family_bruteratel -
Gozi family
-
Executes dropped EXE 64 IoCs
Processes:
Fjohde32.exeFdglmkeg.exeFbjmhh32.exeFmpqfq32.exeGpnmbl32.exeGbmingjo.exeGjdaodja.exeGigaka32.exeGlengm32.exeGpqjglii.exeGbofcghl.exeGjfnedho.exeGmdjapgb.exeGlgjlm32.exeGdobnj32.exeGfmojenc.exeGkhkjd32.exeGmggfp32.exeGpecbk32.exeGfokoelp.exeGingkqkd.exeGlldgljg.exeGbfldf32.exeGkmdecbg.exeHmlpaoaj.exeHloqml32.exeHpjmnjqn.exeHdehni32.exeHbhijepa.exeHkpqkcpd.exeHibafp32.exeHmnmgnoh.exeHlambk32.exeHplicjok.exeHckeoeno.exeHgfapd32.exeHkbmqb32.exeHienlpel.exeHlcjhkdp.exeInlihl32.exeIciaqc32.exeIkpjbq32.exeInnfnl32.exeIdhnkf32.exeIggjga32.exeInqbclob.exeIpoopgnf.exeIcnklbmj.exeIkdcmpnl.exeJlfpdh32.exeJcphab32.exeJnelok32.exeJcbdgb32.exeJnhidk32.exeJcdala32.exeJklinohd.exeJddnfd32.exeJnlbojee.exeJcikgacl.exeKqmkae32.exeKjepjkhf.exeKdkdgchl.exeKjhloj32.exeKglmio32.exepid Process 872 Fjohde32.exe 4880 Fdglmkeg.exe 1988 Fbjmhh32.exe 1960 Fmpqfq32.exe 2412 Gpnmbl32.exe 4392 Gbmingjo.exe 2560 Gjdaodja.exe 2216 Gigaka32.exe 3496 Glengm32.exe 2700 Gpqjglii.exe 832 Gbofcghl.exe 2280 Gjfnedho.exe 4340 Gmdjapgb.exe 1416 Glgjlm32.exe 2712 Gdobnj32.exe 2348 Gfmojenc.exe 4468 Gkhkjd32.exe 2352 Gmggfp32.exe 1188 Gpecbk32.exe 4808 Gfokoelp.exe 1496 Gingkqkd.exe 920 Glldgljg.exe 4872 Gbfldf32.exe 4588 Gkmdecbg.exe 3320 Hmlpaoaj.exe 3084 Hloqml32.exe 4016 Hpjmnjqn.exe 2196 Hdehni32.exe 3540 Hbhijepa.exe 1804 Hkpqkcpd.exe 1964 Hibafp32.exe 3500 Hmnmgnoh.exe 3736 Hlambk32.exe 3716 Hplicjok.exe 3464 Hckeoeno.exe 1740 Hgfapd32.exe 5092 Hkbmqb32.exe 4364 Hienlpel.exe 4964 Hlcjhkdp.exe 3220 Inlihl32.exe 4888 Iciaqc32.exe 5088 Ikpjbq32.exe 4900 Innfnl32.exe 428 Idhnkf32.exe 2400 Iggjga32.exe 3188 Inqbclob.exe 3676 Ipoopgnf.exe 1040 Icnklbmj.exe 724 Ikdcmpnl.exe 1528 Jlfpdh32.exe 4916 Jcphab32.exe 2992 Jnelok32.exe 4648 Jcbdgb32.exe 2716 Jnhidk32.exe 2840 Jcdala32.exe 700 Jklinohd.exe 3600 Jddnfd32.exe 2564 Jnlbojee.exe 4860 Jcikgacl.exe 3296 Kqmkae32.exe 2220 Kjepjkhf.exe 1888 Kdkdgchl.exe 2136 Kjhloj32.exe 4420 Kglmio32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Gpqjglii.exeKjepjkhf.exeLedepn32.exeLchfib32.exeNoblkqca.exeNjkkbehl.exeGmdcfidg.exeEkljpm32.exeGmggfp32.exeAdndoe32.exePafkgphl.exeMjnnbk32.exeNqoloc32.exeIpoopgnf.exeMnhkbfme.exeCklhcfle.exeEojiqb32.exeBfkbfd32.exeQfmmplad.exeJifecp32.exeQpcecb32.exeIpihpkkd.exeHpqldc32.exeChnlgjlb.exeDoccpcja.exeEqmlccdi.exeDfiildio.exeGnpphljo.exeKedlip32.exeLjclki32.exeMfbaalbi.exeLmgabcge.exeNccokk32.exeGkdpbpih.exeQjffpe32.exeAlpbecod.exeJimldogg.exeFgiaemic.exeDooaoj32.exeDkhnjk32.exeEehicoel.exeCdkifmjq.exeCpfcfmlp.exeJojdlfeo.exeCcmcgcmp.exeJnhidk32.exePlmmif32.exeGpnfge32.exeOjfcdnjc.exeOihmedma.exePcbkml32.exeAdepji32.exeLlodgnja.exeBpqjjjjl.exeCildom32.exeAknifq32.exeEbaplnie.exeEgaejeej.exeFncibg32.exeMgobel32.exeNceefd32.exeQfkqjmdg.exeGanldgib.exeHpkknmgd.exedescription ioc Process File created C:\Windows\SysWOW64\Gbofcghl.exe Gpqjglii.exe File opened for modification C:\Windows\SysWOW64\Kdkdgchl.exe Kjepjkhf.exe File opened for modification C:\Windows\SysWOW64\Lhcali32.exe Ledepn32.exe File created C:\Windows\SysWOW64\Amcpgoem.dll Lchfib32.exe File created C:\Windows\SysWOW64\Fpenlneh.dll Noblkqca.exe File created C:\Windows\SysWOW64\Oanjomjp.dll Njkkbehl.exe File created C:\Windows\SysWOW64\Gpbpbecj.exe Gmdcfidg.exe File created C:\Windows\SysWOW64\Ephbhd32.exe Ekljpm32.exe File created C:\Windows\SysWOW64\Gpecbk32.exe Gmggfp32.exe File created C:\Windows\SysWOW64\Lpamfo32.dll Adndoe32.exe File opened for modification C:\Windows\SysWOW64\Pfccogfc.exe Pafkgphl.exe File created C:\Windows\SysWOW64\Bcejdp32.dll Mjnnbk32.exe File created C:\Windows\SysWOW64\Noblkqca.exe Nqoloc32.exe File created C:\Windows\SysWOW64\Jhdnigno.dll Ipoopgnf.exe File created C:\Windows\SysWOW64\Mebcop32.exe Mnhkbfme.exe File opened for modification C:\Windows\SysWOW64\Cnjdpaki.exe Cklhcfle.exe File created C:\Windows\SysWOW64\Ebifmm32.exe Eojiqb32.exe File created C:\Windows\SysWOW64\Caaimlpo.dll Bfkbfd32.exe File created C:\Windows\SysWOW64\Hiebgmkm.dll Qfmmplad.exe File created C:\Windows\SysWOW64\Hfibla32.dll Jifecp32.exe File created C:\Windows\SysWOW64\Qfmmplad.exe Qpcecb32.exe File opened for modification C:\Windows\SysWOW64\Ibgdlg32.exe Ipihpkkd.exe File created C:\Windows\SysWOW64\Hoclopne.exe Hpqldc32.exe File created C:\Windows\SysWOW64\Biafno32.dll Chnlgjlb.exe File opened for modification C:\Windows\SysWOW64\Ebaplnie.exe Doccpcja.exe File created C:\Windows\SysWOW64\Ofjljj32.dll Eqmlccdi.exe File created C:\Windows\SysWOW64\Dbpjaeoc.exe Dfiildio.exe File created C:\Windows\SysWOW64\Gnobcjlg.dll Gnpphljo.exe File opened for modification C:\Windows\SysWOW64\Kiphjo32.exe Kedlip32.exe File created C:\Windows\SysWOW64\Lclpdncg.exe Ljclki32.exe File created C:\Windows\SysWOW64\Mjnnbk32.exe Mfbaalbi.exe File created C:\Windows\SysWOW64\Mkhapk32.exe Lmgabcge.exe File opened for modification C:\Windows\SysWOW64\Nmlddqem.exe Nccokk32.exe File created C:\Windows\SysWOW64\Gihpkd32.exe Gkdpbpih.exe File created C:\Windows\SysWOW64\Lgidjfjk.dll Qjffpe32.exe File created C:\Windows\SysWOW64\Eobkhf32.dll Alpbecod.exe File opened for modification C:\Windows\SysWOW64\Jllhpkfk.exe Jimldogg.exe File opened for modification C:\Windows\SysWOW64\Fncibg32.exe Fgiaemic.exe File created C:\Windows\SysWOW64\Egljbmnm.dll Dooaoj32.exe File created C:\Windows\SysWOW64\Mhjmpfcl.dll Dkhnjk32.exe File opened for modification C:\Windows\SysWOW64\Eejeiocj.exe Eehicoel.exe File created C:\Windows\SysWOW64\Okhbek32.dll Cdkifmjq.exe File opened for modification C:\Windows\SysWOW64\Chnlgjlb.exe Cpfcfmlp.exe File opened for modification C:\Windows\SysWOW64\Jbepme32.exe Jojdlfeo.exe File opened for modification C:\Windows\SysWOW64\Cigkdmel.exe Ccmcgcmp.exe File created C:\Windows\SysWOW64\Nfamlc32.dll Jnhidk32.exe File opened for modification C:\Windows\SysWOW64\Poliea32.exe Plmmif32.exe File created C:\Windows\SysWOW64\Gblbca32.exe Gpnfge32.exe File created C:\Windows\SysWOW64\Mnokgcbe.dll Ojfcdnjc.exe File opened for modification C:\Windows\SysWOW64\Opbean32.exe Oihmedma.exe File created C:\Windows\SysWOW64\Iheocj32.dll Pcbkml32.exe File opened for modification C:\Windows\SysWOW64\Afcmfe32.exe Adepji32.exe File created C:\Windows\SysWOW64\Oonnoglh.dll Llodgnja.exe File opened for modification C:\Windows\SysWOW64\Bfkbfd32.exe Bpqjjjjl.exe File created C:\Windows\SysWOW64\Cpfmlghd.exe Cildom32.exe File created C:\Windows\SysWOW64\Anmfbl32.exe Aknifq32.exe File opened for modification C:\Windows\SysWOW64\Ehlhih32.exe Ebaplnie.exe File created C:\Windows\SysWOW64\Npdhdlin.dll Egaejeej.exe File created C:\Windows\SysWOW64\Fboecfii.exe Fncibg32.exe File opened for modification C:\Windows\SysWOW64\Mnhkbfme.exe Mgobel32.exe File created C:\Windows\SysWOW64\Nfcabp32.exe Nceefd32.exe File opened for modification C:\Windows\SysWOW64\Qmeigg32.exe Qfkqjmdg.exe File created C:\Windows\SysWOW64\Mdhbbnba.dll Ganldgib.exe File created C:\Windows\SysWOW64\Odlkfe32.dll Hpkknmgd.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target Process procid_target 13972 13684 WerFault.exe 737 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Adndoe32.exeGfodeohd.exeJepjhg32.exeKfpcoefj.exeNfjola32.exeIamamcop.exeNjljch32.exeOkkdic32.exeDdnfmqng.exeHemdlj32.exeJleijb32.exeJlgepanl.exeLopmii32.exeEgcaod32.exePpdbgncl.exeHloqml32.exeDkceokii.exeNjkkbehl.exeAefjii32.exeHpchib32.exeJngbjd32.exeDggbcf32.exeDhgonidg.exeHbihjifh.exeIciaqc32.exeOflmnh32.exeQmepam32.exePmblagmf.exeHckeoeno.exeDkokcl32.exeDbbffdlq.exeEnkdaepb.exeLjeafb32.exeNqbpojnp.exeAbcgjg32.exeApggckbf.exeHmlpaoaj.exeHpnoncim.exeNfohgqlg.exeOmbcji32.exeGkdpbpih.exeJaonbc32.exeJaajhb32.exeCbdjeg32.exeLmgabcge.exeJbepme32.exeAfcmfe32.exeFnjocf32.exeFdglmkeg.exeCienon32.exeChglab32.exeMjaabq32.exeOfhknodl.exeDkekjdck.exeNjinmf32.exeLndagg32.exeMqfpckhm.exePmiikh32.exeJcphab32.exeOlanmgig.exeDnpdegjp.exeDkhnjk32.exeEecphp32.exeFndpmndl.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adndoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfodeohd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jepjhg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfpcoefj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfjola32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iamamcop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njljch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okkdic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddnfmqng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hemdlj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jleijb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlgepanl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lopmii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egcaod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppdbgncl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hloqml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkceokii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njkkbehl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aefjii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpchib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jngbjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dggbcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhgonidg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbihjifh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iciaqc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oflmnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmepam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmblagmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hckeoeno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkokcl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbbffdlq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enkdaepb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljeafb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqbpojnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abcgjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apggckbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmlpaoaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpnoncim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfohgqlg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ombcji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkdpbpih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jaonbc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jaajhb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbdjeg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmgabcge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbepme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afcmfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnjocf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdglmkeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cienon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chglab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjaabq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofhknodl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkekjdck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njinmf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lndagg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqfpckhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmiikh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcphab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olanmgig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnpdegjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkhnjk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eecphp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fndpmndl.exe -
Modifies registry class 64 IoCs
Processes:
Mgobel32.exeKpcjgnhb.exeBipecnkd.exeDajbaika.exeJddnfd32.exeBajqda32.exeCgifbhid.exeKheekkjl.exeNjgqhicg.exeOmqmop32.exePhdnngdn.exePonfka32.exeQmgelf32.exeJihbip32.exeGnpphljo.exeHpmhdmea.exeBbdpad32.exeCnahdi32.exeChiigadc.exeGpnfge32.exeJifecp32.exeNbnlaldg.exeCmedjl32.exeGbmingjo.exeEehicoel.exeIlcldb32.exeIpbaol32.exeFcneeo32.exeGpqjglii.exeInlihl32.exeIpoopgnf.exePlmmif32.exeGmdcfidg.exeJblmgf32.exeCbdjeg32.exeJlgepanl.exeJcdjbk32.exeOifppdpd.exeEkgqennl.exeFdglmkeg.exeNjjdho32.exeFcekfnkb.exeHbhijepa.exeKiphjo32.exeOiagde32.exeAogbfi32.exeOonlfo32.exeOaqbkn32.exeCildom32.exeHpjmnjqn.exeJmbhoeid.exeNabfjpak.exeAkglloai.exeGblbca32.exeNfjola32.exeDoojec32.exeKocgbend.exeFkgillpj.exeFnffhgon.exeKjmfjj32.exeGfodeohd.exeBpkdjofm.exeFajbjh32.exeJlbejloe.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgobel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeccjdie.dll" Kpcjgnhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bipecnkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjcblekh.dll" Dajbaika.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jddnfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hikemehi.dll" Bajqda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlkidpke.dll" Cgifbhid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kheekkjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbhhqamj.dll" Njgqhicg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omqmop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Copdgb32.dll" Phdnngdn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ponfka32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qmgelf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kafkmp32.dll" Jihbip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gnpphljo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oefgjq32.dll" Hpmhdmea.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbdpad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnahdi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chiigadc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gpnfge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfibla32.dll" Jifecp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nbnlaldg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cmedjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbmingjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eehicoel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmcnoekk.dll" Ilcldb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipbaol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okkbgpmc.dll" Fcneeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lejomj32.dll" Gpqjglii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Inlihl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipoopgnf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Plmmif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmdcfidg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhkdqh32.dll" Jblmgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdnnlj32.dll" Cbdjeg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jlgepanl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcdjbk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oifppdpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ekgqennl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfibje32.dll" Fdglmkeg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njjdho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fcekfnkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjnppabn.dll" Hbhijepa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdhlclpe.dll" Kiphjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oiagde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbfpagon.dll" Aogbfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gejqna32.dll" Oonlfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oaqbkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cildom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpjmnjqn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmbhoeid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nabfjpak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Akglloai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gblbca32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nfjola32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Doojec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphnbpql.dll" Kocgbend.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnimkcjf.dll" Fkgillpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fnffhgon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjmfjj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gfodeohd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cklgfgfg.dll" Bpkdjofm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fajbjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jlbejloe.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
7ba706d67406e10cc1537be0c83d0b9ea98af1376cd084ec828ca8bfbe8d933a.exeFjohde32.exeFdglmkeg.exeFbjmhh32.exeFmpqfq32.exeGpnmbl32.exeGbmingjo.exeGjdaodja.exeGigaka32.exeGlengm32.exeGpqjglii.exeGbofcghl.exeGjfnedho.exeGmdjapgb.exeGlgjlm32.exeGdobnj32.exeGfmojenc.exeGkhkjd32.exeGmggfp32.exeGpecbk32.exeGfokoelp.exeGingkqkd.exedescription pid Process procid_target PID 3316 wrote to memory of 872 3316 7ba706d67406e10cc1537be0c83d0b9ea98af1376cd084ec828ca8bfbe8d933a.exe 85 PID 3316 wrote to memory of 872 3316 7ba706d67406e10cc1537be0c83d0b9ea98af1376cd084ec828ca8bfbe8d933a.exe 85 PID 3316 wrote to memory of 872 3316 7ba706d67406e10cc1537be0c83d0b9ea98af1376cd084ec828ca8bfbe8d933a.exe 85 PID 872 wrote to memory of 4880 872 Fjohde32.exe 86 PID 872 wrote to memory of 4880 872 Fjohde32.exe 86 PID 872 wrote to memory of 4880 872 Fjohde32.exe 86 PID 4880 wrote to memory of 1988 4880 Fdglmkeg.exe 87 PID 4880 wrote to memory of 1988 4880 Fdglmkeg.exe 87 PID 4880 wrote to memory of 1988 4880 Fdglmkeg.exe 87 PID 1988 wrote to memory of 1960 1988 Fbjmhh32.exe 88 PID 1988 wrote to memory of 1960 1988 Fbjmhh32.exe 88 PID 1988 wrote to memory of 1960 1988 Fbjmhh32.exe 88 PID 1960 wrote to memory of 2412 1960 Fmpqfq32.exe 89 PID 1960 wrote to memory of 2412 1960 Fmpqfq32.exe 89 PID 1960 wrote to memory of 2412 1960 Fmpqfq32.exe 89 PID 2412 wrote to memory of 4392 2412 Gpnmbl32.exe 90 PID 2412 wrote to memory of 4392 2412 Gpnmbl32.exe 90 PID 2412 wrote to memory of 4392 2412 Gpnmbl32.exe 90 PID 4392 wrote to memory of 2560 4392 Gbmingjo.exe 91 PID 4392 wrote to memory of 2560 4392 Gbmingjo.exe 91 PID 4392 wrote to memory of 2560 4392 Gbmingjo.exe 91 PID 2560 wrote to memory of 2216 2560 Gjdaodja.exe 92 PID 2560 wrote to memory of 2216 2560 Gjdaodja.exe 92 PID 2560 wrote to memory of 2216 2560 Gjdaodja.exe 92 PID 2216 wrote to memory of 3496 2216 Gigaka32.exe 93 PID 2216 wrote to memory of 3496 2216 Gigaka32.exe 93 PID 2216 wrote to memory of 3496 2216 Gigaka32.exe 93 PID 3496 wrote to memory of 2700 3496 Glengm32.exe 94 PID 3496 wrote to memory of 2700 3496 Glengm32.exe 94 PID 3496 wrote to memory of 2700 3496 Glengm32.exe 94 PID 2700 wrote to memory of 832 2700 Gpqjglii.exe 95 PID 2700 wrote to memory of 832 2700 Gpqjglii.exe 95 PID 2700 wrote to memory of 832 2700 Gpqjglii.exe 95 PID 832 wrote to memory of 2280 832 Gbofcghl.exe 96 PID 832 wrote to memory of 2280 832 Gbofcghl.exe 96 PID 832 wrote to memory of 2280 832 Gbofcghl.exe 96 PID 2280 wrote to memory of 4340 2280 Gjfnedho.exe 97 PID 2280 wrote to memory of 4340 2280 Gjfnedho.exe 97 PID 2280 wrote to memory of 4340 2280 Gjfnedho.exe 97 PID 4340 wrote to memory of 1416 4340 Gmdjapgb.exe 98 PID 4340 wrote to memory of 1416 4340 Gmdjapgb.exe 98 PID 4340 wrote to memory of 1416 4340 Gmdjapgb.exe 98 PID 1416 wrote to memory of 2712 1416 Glgjlm32.exe 99 PID 1416 wrote to memory of 2712 1416 Glgjlm32.exe 99 PID 1416 wrote to memory of 2712 1416 Glgjlm32.exe 99 PID 2712 wrote to memory of 2348 2712 Gdobnj32.exe 100 PID 2712 wrote to memory of 2348 2712 Gdobnj32.exe 100 PID 2712 wrote to memory of 2348 2712 Gdobnj32.exe 100 PID 2348 wrote to memory of 4468 2348 Gfmojenc.exe 101 PID 2348 wrote to memory of 4468 2348 Gfmojenc.exe 101 PID 2348 wrote to memory of 4468 2348 Gfmojenc.exe 101 PID 4468 wrote to memory of 2352 4468 Gkhkjd32.exe 102 PID 4468 wrote to memory of 2352 4468 Gkhkjd32.exe 102 PID 4468 wrote to memory of 2352 4468 Gkhkjd32.exe 102 PID 2352 wrote to memory of 1188 2352 Gmggfp32.exe 103 PID 2352 wrote to memory of 1188 2352 Gmggfp32.exe 103 PID 2352 wrote to memory of 1188 2352 Gmggfp32.exe 103 PID 1188 wrote to memory of 4808 1188 Gpecbk32.exe 104 PID 1188 wrote to memory of 4808 1188 Gpecbk32.exe 104 PID 1188 wrote to memory of 4808 1188 Gpecbk32.exe 104 PID 4808 wrote to memory of 1496 4808 Gfokoelp.exe 105 PID 4808 wrote to memory of 1496 4808 Gfokoelp.exe 105 PID 4808 wrote to memory of 1496 4808 Gfokoelp.exe 105 PID 1496 wrote to memory of 920 1496 Gingkqkd.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\7ba706d67406e10cc1537be0c83d0b9ea98af1376cd084ec828ca8bfbe8d933a.exe"C:\Users\Admin\AppData\Local\Temp\7ba706d67406e10cc1537be0c83d0b9ea98af1376cd084ec828ca8bfbe8d933a.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3316 -
C:\Windows\SysWOW64\Fjohde32.exeC:\Windows\system32\Fjohde32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:872 -
C:\Windows\SysWOW64\Fdglmkeg.exeC:\Windows\system32\Fdglmkeg.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4880 -
C:\Windows\SysWOW64\Fbjmhh32.exeC:\Windows\system32\Fbjmhh32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1988 -
C:\Windows\SysWOW64\Fmpqfq32.exeC:\Windows\system32\Fmpqfq32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Windows\SysWOW64\Gpnmbl32.exeC:\Windows\system32\Gpnmbl32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\Gbmingjo.exeC:\Windows\system32\Gbmingjo.exe7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4392 -
C:\Windows\SysWOW64\Gjdaodja.exeC:\Windows\system32\Gjdaodja.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\SysWOW64\Gigaka32.exeC:\Windows\system32\Gigaka32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\Glengm32.exeC:\Windows\system32\Glengm32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3496 -
C:\Windows\SysWOW64\Gpqjglii.exeC:\Windows\system32\Gpqjglii.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Gbofcghl.exeC:\Windows\system32\Gbofcghl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:832 -
C:\Windows\SysWOW64\Gjfnedho.exeC:\Windows\system32\Gjfnedho.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\SysWOW64\Gmdjapgb.exeC:\Windows\system32\Gmdjapgb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4340 -
C:\Windows\SysWOW64\Glgjlm32.exeC:\Windows\system32\Glgjlm32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1416 -
C:\Windows\SysWOW64\Gdobnj32.exeC:\Windows\system32\Gdobnj32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Gfmojenc.exeC:\Windows\system32\Gfmojenc.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\Gkhkjd32.exeC:\Windows\system32\Gkhkjd32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4468 -
C:\Windows\SysWOW64\Gmggfp32.exeC:\Windows\system32\Gmggfp32.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\Gpecbk32.exeC:\Windows\system32\Gpecbk32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1188 -
C:\Windows\SysWOW64\Gfokoelp.exeC:\Windows\system32\Gfokoelp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4808 -
C:\Windows\SysWOW64\Gingkqkd.exeC:\Windows\system32\Gingkqkd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1496 -
C:\Windows\SysWOW64\Glldgljg.exeC:\Windows\system32\Glldgljg.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:920 -
C:\Windows\SysWOW64\Gbfldf32.exeC:\Windows\system32\Gbfldf32.exe24⤵
- Executes dropped EXE
PID:4872 -
C:\Windows\SysWOW64\Gkmdecbg.exeC:\Windows\system32\Gkmdecbg.exe25⤵
- Executes dropped EXE
PID:4588 -
C:\Windows\SysWOW64\Hmlpaoaj.exeC:\Windows\system32\Hmlpaoaj.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3320 -
C:\Windows\SysWOW64\Hloqml32.exeC:\Windows\system32\Hloqml32.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3084 -
C:\Windows\SysWOW64\Hpjmnjqn.exeC:\Windows\system32\Hpjmnjqn.exe28⤵
- Executes dropped EXE
- Modifies registry class
PID:4016 -
C:\Windows\SysWOW64\Hdehni32.exeC:\Windows\system32\Hdehni32.exe29⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Hbhijepa.exeC:\Windows\system32\Hbhijepa.exe30⤵
- Executes dropped EXE
- Modifies registry class
PID:3540 -
C:\Windows\SysWOW64\Hkpqkcpd.exeC:\Windows\system32\Hkpqkcpd.exe31⤵
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\Hibafp32.exeC:\Windows\system32\Hibafp32.exe32⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Hmnmgnoh.exeC:\Windows\system32\Hmnmgnoh.exe33⤵
- Executes dropped EXE
PID:3500 -
C:\Windows\SysWOW64\Hlambk32.exeC:\Windows\system32\Hlambk32.exe34⤵
- Executes dropped EXE
PID:3736 -
C:\Windows\SysWOW64\Hplicjok.exeC:\Windows\system32\Hplicjok.exe35⤵
- Executes dropped EXE
PID:3716 -
C:\Windows\SysWOW64\Hckeoeno.exeC:\Windows\system32\Hckeoeno.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3464 -
C:\Windows\SysWOW64\Hgfapd32.exeC:\Windows\system32\Hgfapd32.exe37⤵
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Hkbmqb32.exeC:\Windows\system32\Hkbmqb32.exe38⤵
- Executes dropped EXE
PID:5092 -
C:\Windows\SysWOW64\Hienlpel.exeC:\Windows\system32\Hienlpel.exe39⤵
- Executes dropped EXE
PID:4364 -
C:\Windows\SysWOW64\Hlcjhkdp.exeC:\Windows\system32\Hlcjhkdp.exe40⤵
- Executes dropped EXE
PID:4964 -
C:\Windows\SysWOW64\Inlihl32.exeC:\Windows\system32\Inlihl32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:3220 -
C:\Windows\SysWOW64\Iciaqc32.exeC:\Windows\system32\Iciaqc32.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4888 -
C:\Windows\SysWOW64\Ikpjbq32.exeC:\Windows\system32\Ikpjbq32.exe43⤵
- Executes dropped EXE
PID:5088 -
C:\Windows\SysWOW64\Innfnl32.exeC:\Windows\system32\Innfnl32.exe44⤵
- Executes dropped EXE
PID:4900 -
C:\Windows\SysWOW64\Idhnkf32.exeC:\Windows\system32\Idhnkf32.exe45⤵
- Executes dropped EXE
PID:428 -
C:\Windows\SysWOW64\Iggjga32.exeC:\Windows\system32\Iggjga32.exe46⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Inqbclob.exeC:\Windows\system32\Inqbclob.exe47⤵
- Executes dropped EXE
PID:3188 -
C:\Windows\SysWOW64\Ipoopgnf.exeC:\Windows\system32\Ipoopgnf.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3676 -
C:\Windows\SysWOW64\Icnklbmj.exeC:\Windows\system32\Icnklbmj.exe49⤵
- Executes dropped EXE
PID:1040 -
C:\Windows\SysWOW64\Ikdcmpnl.exeC:\Windows\system32\Ikdcmpnl.exe50⤵
- Executes dropped EXE
PID:724 -
C:\Windows\SysWOW64\Jlfpdh32.exeC:\Windows\system32\Jlfpdh32.exe51⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Jcphab32.exeC:\Windows\system32\Jcphab32.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4916 -
C:\Windows\SysWOW64\Jnelok32.exeC:\Windows\system32\Jnelok32.exe53⤵
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Jcbdgb32.exeC:\Windows\system32\Jcbdgb32.exe54⤵
- Executes dropped EXE
PID:4648 -
C:\Windows\SysWOW64\Jnhidk32.exeC:\Windows\system32\Jnhidk32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2716 -
C:\Windows\SysWOW64\Jcdala32.exeC:\Windows\system32\Jcdala32.exe56⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Jklinohd.exeC:\Windows\system32\Jklinohd.exe57⤵
- Executes dropped EXE
PID:700 -
C:\Windows\SysWOW64\Jddnfd32.exeC:\Windows\system32\Jddnfd32.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:3600 -
C:\Windows\SysWOW64\Jnlbojee.exeC:\Windows\system32\Jnlbojee.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Jcikgacl.exeC:\Windows\system32\Jcikgacl.exe60⤵
- Executes dropped EXE
PID:4860 -
C:\Windows\SysWOW64\Kqmkae32.exeC:\Windows\system32\Kqmkae32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3296 -
C:\Windows\SysWOW64\Kjepjkhf.exeC:\Windows\system32\Kjepjkhf.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2220 -
C:\Windows\SysWOW64\Kdkdgchl.exeC:\Windows\system32\Kdkdgchl.exe63⤵
- Executes dropped EXE
PID:1888 -
C:\Windows\SysWOW64\Kjhloj32.exeC:\Windows\system32\Kjhloj32.exe64⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Kglmio32.exeC:\Windows\system32\Kglmio32.exe65⤵
- Executes dropped EXE
PID:4420 -
C:\Windows\SysWOW64\Kdpmbc32.exeC:\Windows\system32\Kdpmbc32.exe66⤵PID:964
-
C:\Windows\SysWOW64\Kjmfjj32.exeC:\Windows\system32\Kjmfjj32.exe67⤵
- Modifies registry class
PID:2192 -
C:\Windows\SysWOW64\Kqfngd32.exeC:\Windows\system32\Kqfngd32.exe68⤵PID:2172
-
C:\Windows\SysWOW64\Lklbdm32.exeC:\Windows\system32\Lklbdm32.exe69⤵PID:5000
-
C:\Windows\SysWOW64\Lmmolepp.exeC:\Windows\system32\Lmmolepp.exe70⤵PID:760
-
C:\Windows\SysWOW64\Lgccinoe.exeC:\Windows\system32\Lgccinoe.exe71⤵PID:384
-
C:\Windows\SysWOW64\Lnmkfh32.exeC:\Windows\system32\Lnmkfh32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3764 -
C:\Windows\SysWOW64\Lcjcnoej.exeC:\Windows\system32\Lcjcnoej.exe73⤵PID:2340
-
C:\Windows\SysWOW64\Ljclki32.exeC:\Windows\system32\Ljclki32.exe74⤵
- Drops file in System32 directory
PID:3100 -
C:\Windows\SysWOW64\Lclpdncg.exeC:\Windows\system32\Lclpdncg.exe75⤵PID:4644
-
C:\Windows\SysWOW64\Lkchelci.exeC:\Windows\system32\Lkchelci.exe76⤵PID:2036
-
C:\Windows\SysWOW64\Lqpamb32.exeC:\Windows\system32\Lqpamb32.exe77⤵PID:1580
-
C:\Windows\SysWOW64\Lndagg32.exeC:\Windows\system32\Lndagg32.exe78⤵
- System Location Discovery: System Language Discovery
PID:620 -
C:\Windows\SysWOW64\Lmgabcge.exeC:\Windows\system32\Lmgabcge.exe79⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1592 -
C:\Windows\SysWOW64\Mkhapk32.exeC:\Windows\system32\Mkhapk32.exe80⤵PID:840
-
C:\Windows\SysWOW64\Mnfnlf32.exeC:\Windows\system32\Mnfnlf32.exe81⤵PID:2492
-
C:\Windows\SysWOW64\Madjhb32.exeC:\Windows\system32\Madjhb32.exe82⤵PID:2652
-
C:\Windows\SysWOW64\Mgobel32.exeC:\Windows\system32\Mgobel32.exe83⤵
- Drops file in System32 directory
- Modifies registry class
PID:4008 -
C:\Windows\SysWOW64\Mnhkbfme.exeC:\Windows\system32\Mnhkbfme.exe84⤵
- Drops file in System32 directory
PID:244 -
C:\Windows\SysWOW64\Mebcop32.exeC:\Windows\system32\Mebcop32.exe85⤵PID:4836
-
C:\Windows\SysWOW64\Mjokgg32.exeC:\Windows\system32\Mjokgg32.exe86⤵PID:1220
-
C:\Windows\SysWOW64\Meepdp32.exeC:\Windows\system32\Meepdp32.exe87⤵PID:3688
-
C:\Windows\SysWOW64\Mnmdme32.exeC:\Windows\system32\Mnmdme32.exe88⤵PID:1312
-
C:\Windows\SysWOW64\Mjdebfnd.exeC:\Windows\system32\Mjdebfnd.exe89⤵PID:4388
-
C:\Windows\SysWOW64\Mnpabe32.exeC:\Windows\system32\Mnpabe32.exe90⤵PID:2480
-
C:\Windows\SysWOW64\Nnbnhedj.exeC:\Windows\system32\Nnbnhedj.exe91⤵PID:2224
-
C:\Windows\SysWOW64\Nelfeo32.exeC:\Windows\system32\Nelfeo32.exe92⤵PID:4932
-
C:\Windows\SysWOW64\Ngjbaj32.exeC:\Windows\system32\Ngjbaj32.exe93⤵PID:1056
-
C:\Windows\SysWOW64\Njinmf32.exeC:\Windows\system32\Njinmf32.exe94⤵
- System Location Discovery: System Language Discovery
PID:3260 -
C:\Windows\SysWOW64\Nabfjpak.exeC:\Windows\system32\Nabfjpak.exe95⤵
- Modifies registry class
PID:3532 -
C:\Windows\SysWOW64\Ncabfkqo.exeC:\Windows\system32\Ncabfkqo.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1696 -
C:\Windows\SysWOW64\Njkkbehl.exeC:\Windows\system32\Njkkbehl.exe97⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2336 -
C:\Windows\SysWOW64\Nccokk32.exeC:\Windows\system32\Nccokk32.exe98⤵
- Drops file in System32 directory
PID:1616 -
C:\Windows\SysWOW64\Nmlddqem.exeC:\Windows\system32\Nmlddqem.exe99⤵PID:4944
-
C:\Windows\SysWOW64\Neclenfo.exeC:\Windows\system32\Neclenfo.exe100⤵PID:3480
-
C:\Windows\SysWOW64\Njpdnedf.exeC:\Windows\system32\Njpdnedf.exe101⤵PID:3620
-
C:\Windows\SysWOW64\Nmnqjp32.exeC:\Windows\system32\Nmnqjp32.exe102⤵PID:3488
-
C:\Windows\SysWOW64\Omqmop32.exeC:\Windows\system32\Omqmop32.exe103⤵
- Modifies registry class
PID:3760 -
C:\Windows\SysWOW64\Olanmgig.exeC:\Windows\system32\Olanmgig.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:668 -
C:\Windows\SysWOW64\Ojdnid32.exeC:\Windows\system32\Ojdnid32.exe105⤵PID:536
-
C:\Windows\SysWOW64\Ohhnbhok.exeC:\Windows\system32\Ohhnbhok.exe106⤵PID:1180
-
C:\Windows\SysWOW64\Ojgjndno.exeC:\Windows\system32\Ojgjndno.exe107⤵PID:1228
-
C:\Windows\SysWOW64\Oaqbkn32.exeC:\Windows\system32\Oaqbkn32.exe108⤵
- Modifies registry class
PID:2532 -
C:\Windows\SysWOW64\Ohkkhhmh.exeC:\Windows\system32\Ohkkhhmh.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5136 -
C:\Windows\SysWOW64\Omgcpokp.exeC:\Windows\system32\Omgcpokp.exe110⤵PID:5176
-
C:\Windows\SysWOW64\Odalmibl.exeC:\Windows\system32\Odalmibl.exe111⤵PID:5216
-
C:\Windows\SysWOW64\Okkdic32.exeC:\Windows\system32\Okkdic32.exe112⤵
- System Location Discovery: System Language Discovery
PID:5260 -
C:\Windows\SysWOW64\Paelfmaf.exeC:\Windows\system32\Paelfmaf.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5300 -
C:\Windows\SysWOW64\Poimpapp.exeC:\Windows\system32\Poimpapp.exe114⤵PID:5348
-
C:\Windows\SysWOW64\Pahilmoc.exeC:\Windows\system32\Pahilmoc.exe115⤵PID:5396
-
C:\Windows\SysWOW64\Plmmif32.exeC:\Windows\system32\Plmmif32.exe116⤵
- Drops file in System32 directory
- Modifies registry class
PID:5436 -
C:\Windows\SysWOW64\Poliea32.exeC:\Windows\system32\Poliea32.exe117⤵PID:5476
-
C:\Windows\SysWOW64\Pefabkej.exeC:\Windows\system32\Pefabkej.exe118⤵PID:5520
-
C:\Windows\SysWOW64\Phdnngdn.exeC:\Windows\system32\Phdnngdn.exe119⤵
- Modifies registry class
PID:5588 -
C:\Windows\SysWOW64\Pkbjjbda.exeC:\Windows\system32\Pkbjjbda.exe120⤵PID:5640
-
C:\Windows\SysWOW64\Ponfka32.exeC:\Windows\system32\Ponfka32.exe121⤵
- Modifies registry class
PID:5688
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-