Analysis
max time kernel: 45s
max time network: 17s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 21-10-2024 21:54

Static task: static1

Behavioral task: behavioral1
Sample: c82d6e76812cb5318561a72e441fe79a3cc5b7d9fa468f5d357e24a4b52daf4bN.exe
Resource: win7-20240729-en

Behavioral task: behavioral2
Sample: c82d6e76812cb5318561a72e441fe79a3cc5b7d9fa468f5d357e24a4b52daf4bN.exe
Resource: win10v2004-20241007-en
General
Target: c82d6e76812cb5318561a72e441fe79a3cc5b7d9fa468f5d357e24a4b52daf4bN.exe
Size: 96KB
MD5: 45a977e29d1de5de848210a0312033e0
SHA1: 31061d3cebafe79ae9769f8f9a58e23b52e589b5
SHA256: c82d6e76812cb5318561a72e441fe79a3cc5b7d9fa468f5d357e24a4b52daf4b
SHA512: c25907d6357058bb76e547c39088cc3e89679251827ca4964ac009e2724803e3c88de8dc0639dc1993501d4fca2f66f4bd83b0969d85e6191a288429378e73e4
SSDEEP: 1536:PyJg09ML5vvLfupPCEHIc52LO7RZObZUUWaegPYA:PYqxvLfayOClUUWae
Malware Config
Extracted: berbew
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.

Detect BruteRatel badger (2 IoCs)
Resource / YARA rule:
behavioral1/files/0x000400000002071d-4531.dat  family_bruteratel
behavioral1/files/0x000300000002100e-7303.dat  family_bruteratel
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
Processes:
pid pid_target Process procid_target 2592 4088 1189 -
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epakcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aogmdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcjaimek.dll" Pnbjca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oheieo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iilocklc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjgclcjh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lohiob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Biakbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cebplg32.dll" Gacgli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qpaknfnf.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bcpiombe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcendc32.exe Set value 
(str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bklhjo32.dll" Edkahbmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eojdod32.dll" Hqkmahpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ginefe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgnaekil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qamleagn.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Processes
-
Each process below is spawned by the one listed before it (a single chain of 122 processes); the list number is the process's depth in the tree, and the bracketed items are the sandbox signatures matched for that process.

1. C:\Users\Admin\AppData\Local\Temp\c82d6e76812cb5318561a72e441fe79a3cc5b7d9fa468f5d357e24a4b52daf4bN.exe, command line "C:\Users\Admin\AppData\Local\Temp\c82d6e76812cb5318561a72e441fe79a3cc5b7d9fa468f5d357e24a4b52daf4bN.exe", PID:2548 [Loads dropped DLL; Suspicious use of WriteProcessMemory]
2. C:\Windows\SysWOW64\Joenaf32.exe, command line C:\Windows\system32\Joenaf32.exe, PID:1644 [Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory]
3. C:\Windows\SysWOW64\Jhnbklji.exe, command line C:\Windows\system32\Jhnbklji.exe, PID:2188 [Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory]
4. C:\Windows\SysWOW64\Jpigonhd.exe, command line C:\Windows\system32\Jpigonhd.exe, PID:2708 [Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory]
5. C:\Windows\SysWOW64\Kknklg32.exe, command line C:\Windows\system32\Kknklg32.exe, PID:2832 [Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory]
6. C:\Windows\SysWOW64\Kahciaog.exe, command line C:\Windows\system32\Kahciaog.exe, PID:2652 [Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory]
7. C:\Windows\SysWOW64\Kcipqi32.exe, command line C:\Windows\system32\Kcipqi32.exe, PID:2676 [Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory]
8. C:\Windows\SysWOW64\Kkqhbf32.exe, command line C:\Windows\system32\Kkqhbf32.exe, PID:3044 [Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory]
9. C:\Windows\SysWOW64\Knodnb32.exe, command line C:\Windows\system32\Knodnb32.exe, PID:2272 [Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory]
10. C:\Windows\SysWOW64\Kdilkllh.exe, command line C:\Windows\system32\Kdilkllh.exe, PID:1624 [Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory]
11. C:\Windows\SysWOW64\Kgghgg32.exe, command line C:\Windows\system32\Kgghgg32.exe, PID:2492 [Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory]
12. C:\Windows\SysWOW64\Kfjibdbf.exe, command line C:\Windows\system32\Kfjibdbf.exe, PID:2644 [Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory]
13. C:\Windows\SysWOW64\Knaqcabh.exe, command line C:\Windows\system32\Knaqcabh.exe, PID:3004 [Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory]
14. C:\Windows\SysWOW64\Kppmpmal.exe, command line C:\Windows\system32\Kppmpmal.exe, PID:1272 [Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory]
15. C:\Windows\SysWOW64\Kgjelg32.exe, command line C:\Windows\system32\Kgjelg32.exe, PID:1780 [Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory]
16. C:\Windows\SysWOW64\Kjhahb32.exe, command line C:\Windows\system32\Kjhahb32.exe, PID:2164 [Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory]
17. C:\Windows\SysWOW64\Klfndn32.exe, command line C:\Windows\system32\Klfndn32.exe, PID:2120 [Executes dropped EXE; Loads dropped DLL]
18. C:\Windows\SysWOW64\Kcqfahom.exe, command line C:\Windows\system32\Kcqfahom.exe, PID:1764 [Executes dropped EXE; Loads dropped DLL]
19. C:\Windows\SysWOW64\Kjjnnbfj.exe, command line C:\Windows\system32\Kjjnnbfj.exe, PID:1584 [Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL]
20. C:\Windows\SysWOW64\Khmnio32.exe, command line C:\Windows\system32\Khmnio32.exe, PID:1980 [Executes dropped EXE; Loads dropped DLL]
21. C:\Windows\SysWOW64\Kkljfj32.exe, command line C:\Windows\system32\Kkljfj32.exe, PID:2408 [Executes dropped EXE; Loads dropped DLL]
22. C:\Windows\SysWOW64\Kogffida.exe, command line C:\Windows\system32\Kogffida.exe, PID:2952 [Executes dropped EXE; Loads dropped DLL]
23. C:\Windows\SysWOW64\Lbfcbdce.exe, command line C:\Windows\system32\Lbfcbdce.exe, PID:708 [Executes dropped EXE; Loads dropped DLL; Modifies registry class]
24. C:\Windows\SysWOW64\Lddoopbi.exe, command line C:\Windows\system32\Lddoopbi.exe, PID:2284 [Executes dropped EXE; Loads dropped DLL]
25. C:\Windows\SysWOW64\Lhpkoo32.exe, command line C:\Windows\system32\Lhpkoo32.exe, PID:1288 [Executes dropped EXE; Loads dropped DLL]
26. C:\Windows\SysWOW64\Llkgpmck.exe, command line C:\Windows\system32\Llkgpmck.exe, PID:2324 [Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery]
27. C:\Windows\SysWOW64\Lnmcge32.exe, command line C:\Windows\system32\Lnmcge32.exe, PID:1592 [Executes dropped EXE; Loads dropped DLL]
28. C:\Windows\SysWOW64\Lbhphdab.exe, command line C:\Windows\system32\Lbhphdab.exe, PID:2756 [Executes dropped EXE; Loads dropped DLL]
29. C:\Windows\SysWOW64\Lhbhdnio.exe, command line C:\Windows\system32\Lhbhdnio.exe, PID:2896 [Executes dropped EXE; Loads dropped DLL]
30. C:\Windows\SysWOW64\Lkqdajhc.exe, command line C:\Windows\system32\Lkqdajhc.exe, PID:1680 [Executes dropped EXE; Loads dropped DLL]
31. C:\Windows\SysWOW64\Lbjlnd32.exe, command line C:\Windows\system32\Lbjlnd32.exe, PID:2668 [Executes dropped EXE; Loads dropped DLL]
32. C:\Windows\SysWOW64\Ldihjo32.exe, command line C:\Windows\system32\Ldihjo32.exe, PID:2600 [Executes dropped EXE; Loads dropped DLL]
33. C:\Windows\SysWOW64\Lggdfk32.exe, command line C:\Windows\system32\Lggdfk32.exe, PID:1092 [Executes dropped EXE]
34. C:\Windows\SysWOW64\Ljeabf32.exe, command line C:\Windows\system32\Ljeabf32.exe, PID:2416 [Executes dropped EXE]
35. C:\Windows\SysWOW64\Lqpiopdh.exe, command line C:\Windows\system32\Lqpiopdh.exe, PID:2920 [Executes dropped EXE]
36. C:\Windows\SysWOW64\Lkemli32.exe, command line C:\Windows\system32\Lkemli32.exe, PID:2872 [Executes dropped EXE]
37. C:\Windows\SysWOW64\Ljhngfkh.exe, command line C:\Windows\system32\Ljhngfkh.exe, PID:2308 [Executes dropped EXE]
38. C:\Windows\SysWOW64\Ldnbeokn.exe, command line C:\Windows\system32\Ldnbeokn.exe, PID:2976 [Executes dropped EXE]
39. C:\Windows\SysWOW64\Lglnajjb.exe, command line C:\Windows\system32\Lglnajjb.exe, PID:2332 [Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE]
40. C:\Windows\SysWOW64\Ljjjmeie.exe, command line C:\Windows\system32\Ljjjmeie.exe, PID:2036 [Executes dropped EXE; Drops file in System32 directory]
41. C:\Windows\SysWOW64\Mcbofk32.exe, command line C:\Windows\system32\Mcbofk32.exe, PID:500 [Executes dropped EXE]
42. C:\Windows\SysWOW64\Mfakbf32.exe, command line C:\Windows\system32\Mfakbf32.exe, PID:2500 [Executes dropped EXE]
43. C:\Windows\SysWOW64\Mjmgbe32.exe, command line C:\Windows\system32\Mjmgbe32.exe, PID:308 [Executes dropped EXE]
44. C:\Windows\SysWOW64\Mqfooonp.exe, command line C:\Windows\system32\Mqfooonp.exe, PID:2420 [Executes dropped EXE]
45. C:\Windows\SysWOW64\Mcekkkmc.exe, command line C:\Windows\system32\Mcekkkmc.exe, PID:780 [Executes dropped EXE; Modifies registry class]
46. C:\Windows\SysWOW64\Mbhlgg32.exe, command line C:\Windows\system32\Mbhlgg32.exe, PID:1224 [Executes dropped EXE; Modifies registry class]
47. C:\Windows\SysWOW64\Mjodhe32.exe, command line C:\Windows\system32\Mjodhe32.exe, PID:928 [Executes dropped EXE; Drops file in System32 directory]
48. C:\Windows\SysWOW64\Mmmpdp32.exe, command line C:\Windows\system32\Mmmpdp32.exe, PID:1488 [Executes dropped EXE]
49. C:\Windows\SysWOW64\Mpllpl32.exe, command line C:\Windows\system32\Mpllpl32.exe, PID:1588 [Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE]
50. C:\Windows\SysWOW64\Mcghajkq.exe, command line C:\Windows\system32\Mcghajkq.exe, PID:2196 [Executes dropped EXE; Drops file in System32 directory]
51. C:\Windows\SysWOW64\Mffdmfjd.exe, command line C:\Windows\system32\Mffdmfjd.exe, PID:2604 [Executes dropped EXE]
52. C:\Windows\SysWOW64\Meidib32.exe, command line C:\Windows\system32\Meidib32.exe, PID:1700 [Executes dropped EXE]
53. C:\Windows\SysWOW64\Mmpmjpba.exe, command line C:\Windows\system32\Mmpmjpba.exe, PID:540 [Executes dropped EXE]
54. C:\Windows\SysWOW64\Mpnifkae.exe, command line C:\Windows\system32\Mpnifkae.exe, PID:2792 [Executes dropped EXE]
55. C:\Windows\SysWOW64\Mbmebgpi.exe, command line C:\Windows\system32\Mbmebgpi.exe, PID:2964 [Executes dropped EXE]
56. C:\Windows\SysWOW64\Mfhabe32.exe, command line C:\Windows\system32\Mfhabe32.exe, PID:1688 [Executes dropped EXE]
57. C:\Windows\SysWOW64\Mifmoa32.exe, command line C:\Windows\system32\Mifmoa32.exe, PID:2608 [Executes dropped EXE]
58. C:\Windows\SysWOW64\Mginjnnp.exe, command line C:\Windows\system32\Mginjnnp.exe, PID:2388 [Executes dropped EXE]
59. C:\Windows\SysWOW64\Mpqekkob.exe, command line C:\Windows\system32\Mpqekkob.exe, PID:2152 [Executes dropped EXE; System Location Discovery: System Language Discovery]
60. C:\Windows\SysWOW64\Mncfgh32.exe, command line C:\Windows\system32\Mncfgh32.exe, PID:1648 [Executes dropped EXE]
61. C:\Windows\SysWOW64\Maabcc32.exe, command line C:\Windows\system32\Maabcc32.exe, PID:2504 [Executes dropped EXE]
62. C:\Windows\SysWOW64\Memncbmj.exe, command line C:\Windows\system32\Memncbmj.exe, PID:1696 [Executes dropped EXE]
63. C:\Windows\SysWOW64\Nhljpmlm.exe, command line C:\Windows\system32\Nhljpmlm.exe, PID:1744 [Executes dropped EXE]
64. C:\Windows\SysWOW64\Njjfli32.exe, command line C:\Windows\system32\Njjfli32.exe, PID:2592 [Executes dropped EXE]
65. C:\Windows\SysWOW64\Nnfbmgcj.exe, command line C:\Windows\system32\Nnfbmgcj.exe, PID:1548 [Executes dropped EXE; System Location Discovery: System Language Discovery]
66. C:\Windows\SysWOW64\Nadoiccn.exe, command line C:\Windows\system32\Nadoiccn.exe, PID:1928
67. C:\Windows\SysWOW64\Nepkia32.exe, command line C:\Windows\system32\Nepkia32.exe, PID:1672
68. C:\Windows\SysWOW64\Nhngem32.exe, command line C:\Windows\system32\Nhngem32.exe, PID:1508
69. C:\Windows\SysWOW64\Njlcah32.exe, command line C:\Windows\system32\Njlcah32.exe, PID:3036
70. C:\Windows\SysWOW64\Nnhobgag.exe, command line C:\Windows\system32\Nnhobgag.exe, PID:2432
71. C:\Windows\SysWOW64\Nafknbqk.exe, command line C:\Windows\system32\Nafknbqk.exe, PID:2424
72. C:\Windows\SysWOW64\Nebgoa32.exe, command line C:\Windows\system32\Nebgoa32.exe, PID:1868
73. C:\Windows\SysWOW64\Ndehjnpo.exe, command line C:\Windows\system32\Ndehjnpo.exe, PID:2096
74. C:\Windows\SysWOW64\Nfcdfiob.exe, command line C:\Windows\system32\Nfcdfiob.exe, PID:1992
75. C:\Windows\SysWOW64\Njopgh32.exe, command line C:\Windows\system32\Njopgh32.exe, PID:1436
76. C:\Windows\SysWOW64\Nnjlhg32.exe, command line C:\Windows\system32\Nnjlhg32.exe, PID:2068
77. C:\Windows\SysWOW64\Naihdb32.exe, command line C:\Windows\system32\Naihdb32.exe, PID:1808 [Modifies registry class]
78. C:\Windows\SysWOW64\Nplhooec.exe, command line C:\Windows\system32\Nplhooec.exe, PID:2256 [System Location Discovery: System Language Discovery]
79. C:\Windows\SysWOW64\Nhbqqlfe.exe, command line C:\Windows\system32\Nhbqqlfe.exe, PID:1932
80. C:\Windows\SysWOW64\Nfeqli32.exe, command line C:\Windows\system32\Nfeqli32.exe, PID:3008
81. C:\Windows\SysWOW64\Njammhei.exe, command line C:\Windows\system32\Njammhei.exe, PID:2296
82. C:\Windows\SysWOW64\Nidmhd32.exe, command line C:\Windows\system32\Nidmhd32.exe, PID:2960
83. C:\Windows\SysWOW64\Nakeib32.exe, command line C:\Windows\system32\Nakeib32.exe, PID:2292
84. C:\Windows\SysWOW64\Npneeocq.exe, command line C:\Windows\system32\Npneeocq.exe, PID:1968
85. C:\Windows\SysWOW64\Nblaajbd.exe, command line C:\Windows\system32\Nblaajbd.exe, PID:2924 [System Location Discovery: System Language Discovery]
86. C:\Windows\SysWOW64\Nfhmai32.exe, command line C:\Windows\system32\Nfhmai32.exe, PID:1692
87. C:\Windows\SysWOW64\Njcibgcf.exe, command line C:\Windows\system32\Njcibgcf.exe, PID:2520 [System Location Discovery: System Language Discovery]
88. C:\Windows\SysWOW64\Nmbenc32.exe, command line C:\Windows\system32\Nmbenc32.exe, PID:2752
89. C:\Windows\SysWOW64\Nlefjpid.exe, command line C:\Windows\system32\Nlefjpid.exe, PID:2072
90. C:\Windows\SysWOW64\Odlnkmjg.exe, command line C:\Windows\system32\Odlnkmjg.exe, PID:316 [Drops file in System32 directory]
91. C:\Windows\SysWOW64\Obonfj32.exe, command line C:\Windows\system32\Obonfj32.exe, PID:1768 [System Location Discovery: System Language Discovery]
92. C:\Windows\SysWOW64\Oemjbe32.exe, command line C:\Windows\system32\Oemjbe32.exe, PID:1656
93. C:\Windows\SysWOW64\Oiifcdhn.exe, command line C:\Windows\system32\Oiifcdhn.exe, PID:1940
94. C:\Windows\SysWOW64\Omdbdb32.exe, command line C:\Windows\system32\Omdbdb32.exe, PID:2844
95. C:\Windows\SysWOW64\Opbopn32.exe, command line C:\Windows\system32\Opbopn32.exe, PID:1524 [Adds autorun key to be loaded by Explorer.exe on startup; System Location Discovery: System Language Discovery]
96. C:\Windows\SysWOW64\Ooeolkff.exe, command line C:\Windows\system32\Ooeolkff.exe, PID:3060
97. C:\Windows\SysWOW64\Ofmgmhgh.exe, command line C:\Windows\system32\Ofmgmhgh.exe, PID:880 [Drops file in System32 directory]
98. C:\Windows\SysWOW64\Oepghe32.exe, command line C:\Windows\system32\Oepghe32.exe, PID:2736
99. C:\Windows\SysWOW64\Oafhmf32.exe, command line C:\Windows\system32\Oafhmf32.exe, PID:1708 [Drops file in System32 directory]
100. C:\Windows\SysWOW64\Ohppjpkc.exe, command line C:\Windows\system32\Ohppjpkc.exe, PID:268
101. C:\Windows\SysWOW64\Okolfkjg.exe, command line C:\Windows\system32\Okolfkjg.exe, PID:2024
102. C:\Windows\SysWOW64\Obfdgiji.exe, command line C:\Windows\system32\Obfdgiji.exe, PID:1964
103. C:\Windows\SysWOW64\Oedqcdim.exe, command line C:\Windows\system32\Oedqcdim.exe, PID:2972
104. C:\Windows\SysWOW64\Olnipn32.exe, command line C:\Windows\system32\Olnipn32.exe, PID:544 [System Location Discovery: System Language Discovery]
105. C:\Windows\SysWOW64\Omoehf32.exe, command line C:\Windows\system32\Omoehf32.exe, PID:936
106. C:\Windows\SysWOW64\Oheieo32.exe, command line C:\Windows\system32\Oheieo32.exe, PID:2108 [Modifies registry class]
107. C:\Windows\SysWOW64\Pkcfak32.exe, command line C:\Windows\system32\Pkcfak32.exe, PID:1628
108. C:\Windows\SysWOW64\Pmabmf32.exe, command line C:\Windows\system32\Pmabmf32.exe, PID:1804
109. C:\Windows\SysWOW64\Pdljjplb.exe, command line C:\Windows\system32\Pdljjplb.exe, PID:2020 [Modifies registry class]
110. C:\Windows\SysWOW64\Pgjfflkf.exe, command line C:\Windows\system32\Pgjfflkf.exe, PID:2328
111. C:\Windows\SysWOW64\Pihbbgjj.exe, command line C:\Windows\system32\Pihbbgjj.exe, PID:1860
112. C:\Windows\SysWOW64\Papkcd32.exe, command line C:\Windows\system32\Papkcd32.exe, PID:992
113. C:\Windows\SysWOW64\Pglclk32.exe, command line C:\Windows\system32\Pglclk32.exe, PID:344
114. C:\Windows\SysWOW64\Pnfkheap.exe, command line C:\Windows\system32\Pnfkheap.exe, PID:2692 [Drops file in System32 directory]
115. C:\Windows\SysWOW64\Ppegdapd.exe, command line C:\Windows\system32\Ppegdapd.exe, PID:1996
116. C:\Windows\SysWOW64\Pccdqloh.exe, command line C:\Windows\system32\Pccdqloh.exe, PID:2632
117. C:\Windows\SysWOW64\Pimlmf32.exe, command line C:\Windows\system32\Pimlmf32.exe, PID:2768
118. C:\Windows\SysWOW64\Pllhib32.exe, command line C:\Windows\system32\Pllhib32.exe, PID:2568 [Drops file in System32 directory]
119. C:\Windows\SysWOW64\Pgamgken.exe, command line C:\Windows\system32\Pgamgken.exe, PID:1108 [Drops file in System32 directory]
120. C:\Windows\SysWOW64\Pjpicfdb.exe, command line C:\Windows\system32\Pjpicfdb.exe, PID:2464
121. C:\Windows\SysWOW64\Plneoace.exe, command line C:\Windows\system32\Plneoace.exe, PID:2280
122. C:\Windows\SysWOW64\Qefihg32.exe, command line C:\Windows\system32\Qefihg32.exe, PID:472 [System Location Discovery: System Language Discovery]