Analysis
max time kernel: 118s
max time network: 124s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
submitted: 22-10-2024 14:22
Static task: static1
Behavioral task: behavioral1
  Sample: 58df225ce2710cbd56c33356eea58a052987e41270b4a04ccf44a63fa80dcaf3N.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 58df225ce2710cbd56c33356eea58a052987e41270b4a04ccf44a63fa80dcaf3N.exe
  Resource: win10v2004-20241007-en
General
Target: 58df225ce2710cbd56c33356eea58a052987e41270b4a04ccf44a63fa80dcaf3N.exe
Size: 96KB
MD5: d17e0b7ba9a445c24d8c20e0fbb4aad0
SHA1: d35a7fb35995efcdd05da6c1bab80af7479b0528
SHA256: 58df225ce2710cbd56c33356eea58a052987e41270b4a04ccf44a63fa80dcaf3
SHA512: 7d39d03b5a45e3d749ac0720bc07a39979b1745520d38846b0beb1c93a22338c85331125b02d355285fec8bf31307708fa1ab6d43d459b4a5c82582a94b45949
SSDEEP: 1536:8oUkodPOVz3z3bIPyp9XKolnw4JySO+vcE0beJR3wdU2LN7RZObZUUWaegPYA:+kodPk3LckXILl2gtNClUUWae
Malware Config
Extracted: berbew
URLs:
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Gllnnc32.exeCfemdp32.exeKneflplf.exePcbookpp.exeGfcopl32.exeOqmokioh.exeLjbipolj.exeCjhckg32.exeEkddck32.exePogegeoj.exeFjaqhe32.exeKhjkiikl.exeMeojkide.exeNlocka32.exeIgioiacg.exeHqjfgb32.exeIejkhlip.exeEdjlgq32.exeEdpoeoea.exeGlongpao.exeOfqonp32.exeJcandb32.exeQbmhdp32.exeDbhbfmkd.exeMfamko32.exeDodahk32.exeCppakj32.exeNhljpmlm.exeEnqfco32.exeKgjelg32.exeLnlmmo32.exeIfoljn32.exeKjepaa32.exeIjampgde.exeNejdjf32.exePceqfl32.exeBgcdcjpf.exeLbgkhoml.exeKppldhla.exeJinfli32.exeFlkmokoa.exeFqnhcgma.exeNcnmhajo.exeInplqlng.exeOdckfb32.exeMibdcakk.exeJonqfq32.exeIadphghe.exePmoqfi32.exeAefaemqj.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gllnnc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfemdp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kneflplf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcbookpp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfcopl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqmokioh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created 
\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljbipolj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjhckg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekddck32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pogegeoj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjaqhe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khjkiikl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meojkide.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlocka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igioiacg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hqjfgb32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iejkhlip.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edjlgq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edpoeoea.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glongpao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofqonp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcandb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qbmhdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbhbfmkd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfamko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dodahk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cppakj32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhljpmlm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enqfco32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgjelg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnlmmo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifoljn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjepaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijampgde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nejdjf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pceqfl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgcdcjpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbgkhoml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created 
\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kppldhla.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jinfli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flkmokoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fqnhcgma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncnmhajo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inplqlng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odckfb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mibdcakk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jonqfq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created 
\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iadphghe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmoqfi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aefaemqj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" -
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
Detect BruteRatel badger 3 IoCs
resource                                        yara_rule
behavioral1/files/0x000400000001dbfb-2643.dat   family_bruteratel
behavioral1/files/0x0003000000020efb-8485.dat   family_bruteratel
behavioral1/files/0x00030000000215d5-12669.dat  family_bruteratel
Executes dropped EXE 64 IoCs
Processes:
pid   Process
2848  Flabdecn.exe
2896  Fejfmk32.exe
2904  Fpokjd32.exe
2636  Fbpclofe.exe
2252  Ggbieb32.exe
1072  Gkpakq32.exe
2176  Gkbnap32.exe
1680  Gcmcebkc.exe
1236  Hijhhl32.exe
1484  Haemloni.exe
1916  Hcdifa32.exe
544   Hajfgnjc.exe
2172  Hgiked32.exe
2392  Ijidfpci.exe
2444  Ijlaloaf.exe
388   Ifbaapfk.exe
952   Ijqjgo32.exe
856   Iomcpe32.exe
1336  Iejkhlip.exe
1764  Jnbpqb32.exe
328   Jfjhbo32.exe
1304  Joblkegc.exe
1996  Jkimpfmg.exe
2352  Jeaahk32.exe
2364  Jnifaajh.exe
992   Jpmooind.exe
3028  Kppldhla.exe
3064  Kjepaa32.exe
2796  Klfmijae.exe
2632  Kmficl32.exe
2108  Keango32.exe
2932  Kjpceebh.exe
1308  Ldhgnk32.exe
1728  Lmalgq32.exe
2440  Lmcilp32.exe
2096  Lhimji32.exe
2936  Lgnjke32.exe
824   Lpfnckhe.exe
2084  Mpikik32.exe
1300  Meecaa32.exe
2476  Miclhpjp.exe
956   Nqmqcmdh.exe
1672  Oddphp32.exe
2536  Oehicoom.exe
2556  Onamle32.exe
928   Oqojhp32.exe
1804  Pflbpg32.exe
1028  Pimkbbpi.exe
1252  Pcbookpp.exe
292   Pmkdhq32.exe
2860  Pbglpg32.exe
3044  Pefhlcdk.exe
2060  Pnnmeh32.exe
2680  Pehebbbh.exe
1740  Qnqjkh32.exe
2608  Qldjdlgb.exe
1148  Qdpohodn.exe
2928  Anecfgdc.exe
264   Ahngomkd.exe
2452  Ajldkhjh.exe
1088  Ahpddmia.exe
2572  Aiaqle32.exe
872   Aahimb32.exe
848   Ajamfh32.exe
Loads dropped DLL 64 IoCs
Processes:
pid   Process
2496  58df225ce2710cbd56c33356eea58a052987e41270b4a04ccf44a63fa80dcaf3N.exe
2496  58df225ce2710cbd56c33356eea58a052987e41270b4a04ccf44a63fa80dcaf3N.exe
2848  Flabdecn.exe
2848  Flabdecn.exe
2896  Fejfmk32.exe
2896  Fejfmk32.exe
2904  Fpokjd32.exe
2904  Fpokjd32.exe
2636  Fbpclofe.exe
2636  Fbpclofe.exe
2252  Ggbieb32.exe
2252  Ggbieb32.exe
1072  Gkpakq32.exe
1072  Gkpakq32.exe
2176  Gkbnap32.exe
2176  Gkbnap32.exe
1680  Gcmcebkc.exe
1680  Gcmcebkc.exe
1236  Hijhhl32.exe
1236  Hijhhl32.exe
1484  Haemloni.exe
1484  Haemloni.exe
1916  Hcdifa32.exe
1916  Hcdifa32.exe
544   Hajfgnjc.exe
544   Hajfgnjc.exe
2172  Hgiked32.exe
2172  Hgiked32.exe
2392  Ijidfpci.exe
2392  Ijidfpci.exe
2444  Ijlaloaf.exe
2444  Ijlaloaf.exe
388   Ifbaapfk.exe
388   Ifbaapfk.exe
952   Ijqjgo32.exe
952   Ijqjgo32.exe
856   Iomcpe32.exe
856   Iomcpe32.exe
1336  Iejkhlip.exe
1336  Iejkhlip.exe
1764  Jnbpqb32.exe
1764  Jnbpqb32.exe
328   Jfjhbo32.exe
328   Jfjhbo32.exe
1304  Joblkegc.exe
1304  Joblkegc.exe
1996  Jkimpfmg.exe
1996  Jkimpfmg.exe
2352  Jeaahk32.exe
2352  Jeaahk32.exe
2364  Jnifaajh.exe
2364  Jnifaajh.exe
2180  Kiecgo32.exe
2180  Kiecgo32.exe
3028  Kppldhla.exe
3028  Kppldhla.exe
3064  Kjepaa32.exe
3064  Kjepaa32.exe
2796  Klfmijae.exe
2796  Klfmijae.exe
2632  Kmficl32.exe
2632  Kmficl32.exe
2108  Keango32.exe
2108  Keango32.exe
Drops file in System32 directory 64 IoCs
Processes:
Bfjkphjd.exeIcoepohq.exeOmbhgljn.exePikkfilp.exeBogljj32.exeCbfhjfdk.exeIijdfc32.exeNhljpmlm.exeLcnqin32.exeKccbgh32.exeNbaomf32.exeFladmn32.exeGkimff32.exeBmgifa32.exeOllljo32.exeGdkebolm.exeCkijdm32.exeKcajceke.exeNnkekfkd.exeGoodpb32.exePldknmhd.exeHklhca32.exeAkmgoehg.exeGokmnlcf.exeHechkfkc.exeLjbkig32.exeHikobfgj.exeOfehiocd.exeQidckjae.exeEbofcd32.exePlneoace.exeBedene32.exeJoepjokm.exePbcfie32.exeLicpki32.exeNhmbfhfd.exeFmfdppia.exeDcmpcjcf.exeHmdnme32.exeGegbpe32.exeLmjbphod.exeOehicoom.exeJqnhmgmk.exeKppohf32.exeLdfgbb32.exeHghdjn32.exedescription ioc Process File created C:\Windows\SysWOW64\Blgcio32.exe Bfjkphjd.exe File created C:\Windows\SysWOW64\Fcckjb32.exe File created C:\Windows\SysWOW64\Mdehcgni.dll Icoepohq.exe File created C:\Windows\SysWOW64\Qenpjecb.dll Ombhgljn.exe File opened for modification C:\Windows\SysWOW64\Pngcnpkg.exe Pikkfilp.exe File created C:\Windows\SysWOW64\Cefllkej.dll Bogljj32.exe File opened for modification C:\Windows\SysWOW64\Dmllgo32.exe Cbfhjfdk.exe File opened for modification C:\Windows\SysWOW64\Ingmoj32.exe Iijdfc32.exe File created C:\Windows\SysWOW64\Nkeaemik.dll File opened for modification C:\Windows\SysWOW64\Iomhkgkb.exe File created C:\Windows\SysWOW64\Hpckee32.exe File created C:\Windows\SysWOW64\Llkido32.dll Nhljpmlm.exe File created C:\Windows\SysWOW64\Qiaikl32.dll Lcnqin32.exe File opened for modification C:\Windows\SysWOW64\Knldaf32.exe File opened for modification C:\Windows\SysWOW64\Lkngkj32.exe Kccbgh32.exe File opened for modification C:\Windows\SysWOW64\Ncbkenba.exe Nbaomf32.exe File opened for modification C:\Windows\SysWOW64\Mhbhecjc.exe File created C:\Windows\SysWOW64\Ffghjg32.exe Fladmn32.exe File opened for modification C:\Windows\SysWOW64\Gngiba32.exe Gkimff32.exe File created C:\Windows\SysWOW64\Qogcek32.dll File opened for modification C:\Windows\SysWOW64\Nceeaikk.exe File created C:\Windows\SysWOW64\Bhmmcjjd.exe Bmgifa32.exe File opened for modification C:\Windows\SysWOW64\Fidmniqa.exe File 
created C:\Windows\SysWOW64\Obfdgiji.exe Ollljo32.exe File created C:\Windows\SysWOW64\Goompeid.dll File created C:\Windows\SysWOW64\Haenec32.dll Gdkebolm.exe File created C:\Windows\SysWOW64\Ionqcpbl.dll Ckijdm32.exe File created C:\Windows\SysWOW64\Pmidlkkk.dll Fladmn32.exe File created C:\Windows\SysWOW64\Eikcigkl.dll Kcajceke.exe File opened for modification C:\Windows\SysWOW64\Niaihojk.exe Nnkekfkd.exe File created C:\Windows\SysWOW64\Dccbefif.dll Goodpb32.exe File opened for modification C:\Windows\SysWOW64\Pbnckg32.exe Pldknmhd.exe File created C:\Windows\SysWOW64\Lgpbhg32.dll Hklhca32.exe File opened for modification C:\Windows\SysWOW64\Ankckagj.exe Akmgoehg.exe File created C:\Windows\SysWOW64\Okipcb32.dll Gokmnlcf.exe File created C:\Windows\SysWOW64\Emdpcf32.dll Hechkfkc.exe File opened for modification C:\Windows\SysWOW64\Lkcgapjl.exe Ljbkig32.exe File created C:\Windows\SysWOW64\Eeqpjn32.dll Hikobfgj.exe File opened for modification C:\Windows\SysWOW64\Pmoqfi32.exe Ofehiocd.exe File created C:\Windows\SysWOW64\Fjnkac32.exe File created C:\Windows\SysWOW64\Onelbfab.exe File opened for modification C:\Windows\SysWOW64\Qbmhdp32.exe Qidckjae.exe File opened for modification C:\Windows\SysWOW64\Ekhjlioa.exe Ebofcd32.exe File created C:\Windows\SysWOW64\Qchmll32.exe Plneoace.exe File created C:\Windows\SysWOW64\Jokjjgme.dll Bedene32.exe File opened for modification C:\Windows\SysWOW64\Jephgi32.exe Joepjokm.exe File created C:\Windows\SysWOW64\Degdgl32.dll Pbcfie32.exe File created C:\Windows\SysWOW64\Chghodgj.exe File opened for modification C:\Windows\SysWOW64\Lpmhgc32.exe Licpki32.exe File created C:\Windows\SysWOW64\Bngdkkof.dll Nhmbfhfd.exe File created C:\Windows\SysWOW64\Gmgejpfh.dll Fmfdppia.exe File created C:\Windows\SysWOW64\Lafgagdb.dll File created C:\Windows\SysWOW64\Qgdiqn32.dll Dcmpcjcf.exe File opened for modification C:\Windows\SysWOW64\Hikobfgj.exe Hmdnme32.exe File opened for modification C:\Windows\SysWOW64\Hkdkhl32.exe Gegbpe32.exe File 
created C:\Windows\SysWOW64\Lbgkhoml.exe Lmjbphod.exe File opened for modification C:\Windows\SysWOW64\Onamle32.exe Oehicoom.exe File opened for modification C:\Windows\SysWOW64\Ckoblapc.exe File opened for modification C:\Windows\SysWOW64\Jjgbbc32.exe File created C:\Windows\SysWOW64\Jghqia32.exe Jqnhmgmk.exe File created C:\Windows\SysWOW64\Kbokda32.exe Kppohf32.exe File created C:\Windows\SysWOW64\Acoacabb.dll Ldfgbb32.exe File opened for modification C:\Windows\SysWOW64\Lakqoe32.exe File created C:\Windows\SysWOW64\Ihiabfhk.exe Hghdjn32.exe -
Program crash 1 IoCs
Processes:
pid   pid_target  Process  procid_target
2392  936                  1358
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Fllaopcg.exeOikcicfl.exeGemfghek.exeFaedpdcc.exeGcmcebkc.exeIjidfpci.exeJkimpfmg.exeChmibmlo.exeQifpqi32.exeKgjlgm32.exeHjcoaeol.exeLcieef32.exeGbeaip32.exeNiaihojk.exeCjhckg32.exeLfhiepbn.exeJmejmm32.exeOqojhp32.exeOlgpff32.exeNnkekfkd.exeJaopcbga.exeKhkdmh32.exeLicpki32.exeFlpkll32.exeIjopjhfh.exeMpimbcnf.exeCfgehn32.exeEnhaeldn.exeDdpbfl32.exeOcihgo32.exeHkfeec32.exeLbpolb32.exePqbifhjb.exeMqfooonp.exeDeikhhhe.exeJoblkegc.exeOfehiocd.exePikkfilp.exeBpengf32.exeDeiipp32.exeKacakgip.exeKbokda32.exePkmmigjo.exeCeickb32.exeHfookk32.exeMcacochk.exeLdikbhfh.exeMjofanld.exeLfilnh32.exeMpnifkae.exeNqamaeii.exeDgiomabc.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fllaopcg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oikcicfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gemfghek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Faedpdcc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcmcebkc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijidfpci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkimpfmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chmibmlo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qifpqi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgjlgm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjcoaeol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcieef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbeaip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Niaihojk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjhckg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfhiepbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmejmm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqojhp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olgpff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnkekfkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jaopcbga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khkdmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Licpki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flpkll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijopjhfh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpimbcnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfgehn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enhaeldn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddpbfl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocihgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkfeec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbpolb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pqbifhjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqfooonp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deikhhhe.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joblkegc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofehiocd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pikkfilp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpengf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deiipp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kacakgip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbokda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkmmigjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ceickb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfookk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcacochk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldikbhfh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjofanld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfilnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpnifkae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqamaeii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgiomabc.exe -
Modifies registry class 64 IoCs
Processes:
Qldjdlgb.exeJaonji32.exeFjfllm32.exeDdfjak32.exeKcajceke.exeIeqbbl32.exeIkbndqnc.exeKhpaidpk.exeEmailhfb.exeMoikinib.exeMkohjbah.exeKabobo32.exeJemkai32.exeFabmmejd.exeCppakj32.exeJhfepfme.exeJanihlcf.exePbnfdpge.exeGfcopl32.exeKbncof32.exeBphdpe32.exeFjqhef32.exeOahbjmjp.exeOkqgcb32.exeNdiaem32.exeNmjicn32.exePogaeg32.exeNcbfcq32.exeOcfiif32.exeJfpndkel.exeDpmgao32.exeKneflplf.exeConbmfif.exeQpocno32.exeDihmae32.exeDijjgegh.exeCfekkgla.exeEjmljg32.exeOikcicfl.exeOjjnioae.exeDopkai32.exeLjcbcngi.exeGkimff32.exeDmgmbj32.exeKhhndi32.exeModano32.exeDfjcncak.exeGgbieb32.exeGmnlog32.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjcpccaf.dll" Qldjdlgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bphgedjk.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hihqjiej.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jaonji32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fjfllm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Genifa32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddfjak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eikcigkl.dll" 
description | ioc | Process
| | Kcajceke.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caoflo32.dll" | Ieqbbl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ikbndqnc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Khpaidpk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Emailhfb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Moikinib.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Monmegdp.dll" | Mkohjbah.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncnbqeoe.dll" | Kabobo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jemkai32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fabmmejd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cppakj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chfkjibh.dll" | Jhfepfme.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Janihlcf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pbnfdpge.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gfcopl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kbncof32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdegpplg.dll" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bphdpe32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fjqhef32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Oahbjmjp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Okqgcb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbljhig.dll" | Ndiaem32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nmjicn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pogaeg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hegjbnaa.dll" | Ncbfcq32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ocfiif32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgnpfnnd.dll" | Jfpndkel.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijpjlh32.dll" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkfapl32.dll" | Dpmgao32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnffkn32.dll" | Kneflplf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Conbmfif.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmchhqaf.dll" | Qpocno32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eneehhmp.dll" | Dihmae32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dijjgegh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chkgnh32.dll" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cfekkgla.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ejmljg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Oikcicfl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Qpocno32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkoclfip.dll" | Ojjnioae.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dopkai32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adlqbf32.dll" | Ljcbcngi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdjelc32.dll" | Gkimff32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dmgmbj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Khhndi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coledgje.dll" | Modano32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dfjcncak.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ggbieb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gmnlog32.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 58df225ce2710cbd56c33356eea58a052987e41270b4a04ccf44a63fa80dcaf3N.exe, Flabdecn.exe, Fejfmk32.exe, Fpokjd32.exe, Fbpclofe.exe, Ggbieb32.exe, Gkpakq32.exe, Gkbnap32.exe, Gcmcebkc.exe, Hijhhl32.exe, Haemloni.exe, Hcdifa32.exe, Hajfgnjc.exe, Hgiked32.exe, Ijidfpci.exe, Ijlaloaf.exe
description | pid | Process | procid_target
PID 2496 wrote to memory of 2848 | 2496 | 58df225ce2710cbd56c33356eea58a052987e41270b4a04ccf44a63fa80dcaf3N.exe | 30
PID 2496 wrote to memory of 2848 | 2496 | 58df225ce2710cbd56c33356eea58a052987e41270b4a04ccf44a63fa80dcaf3N.exe | 30
PID 2496 wrote to memory of 2848 | 2496 | 58df225ce2710cbd56c33356eea58a052987e41270b4a04ccf44a63fa80dcaf3N.exe | 30
PID 2496 wrote to memory of 2848 | 2496 | 58df225ce2710cbd56c33356eea58a052987e41270b4a04ccf44a63fa80dcaf3N.exe | 30
PID 2848 wrote to memory of 2896 | 2848 | Flabdecn.exe | 31
PID 2848 wrote to memory of 2896 | 2848 | Flabdecn.exe | 31
PID 2848 wrote to memory of 2896 | 2848 | Flabdecn.exe | 31
PID 2848 wrote to memory of 2896 | 2848 | Flabdecn.exe | 31
PID 2896 wrote to memory of 2904 | 2896 | Fejfmk32.exe | 32
PID 2896 wrote to memory of 2904 | 2896 | Fejfmk32.exe | 32
PID 2896 wrote to memory of 2904 | 2896 | Fejfmk32.exe | 32
PID 2896 wrote to memory of 2904 | 2896 | Fejfmk32.exe | 32
PID 2904 wrote to memory of 2636 | 2904 | Fpokjd32.exe | 33
PID 2904 wrote to memory of 2636 | 2904 | Fpokjd32.exe | 33
PID 2904 wrote to memory of 2636 | 2904 | Fpokjd32.exe | 33
PID 2904 wrote to memory of 2636 | 2904 | Fpokjd32.exe | 33
PID 2636 wrote to memory of 2252 | 2636 | Fbpclofe.exe | 34
PID 2636 wrote to memory of 2252 | 2636 | Fbpclofe.exe | 34
PID 2636 wrote to memory of 2252 | 2636 | Fbpclofe.exe | 34
PID 2636 wrote to memory of 2252 | 2636 | Fbpclofe.exe | 34
PID 2252 wrote to memory of 1072 | 2252 | Ggbieb32.exe | 35
PID 2252 wrote to memory of 1072 | 2252 | Ggbieb32.exe | 35
PID 2252 wrote to memory of 1072 | 2252 | Ggbieb32.exe | 35
PID 2252 wrote to memory of 1072 | 2252 | Ggbieb32.exe | 35
PID 1072 wrote to memory of 2176 | 1072 | Gkpakq32.exe | 36
PID 1072 wrote to memory of 2176 | 1072 | Gkpakq32.exe | 36
PID 1072 wrote to memory of 2176 | 1072 | Gkpakq32.exe | 36
PID 1072 wrote to memory of 2176 | 1072 | Gkpakq32.exe | 36
PID 2176 wrote to memory of 1680 | 2176 | Gkbnap32.exe | 37
PID 2176 wrote to memory of 1680 | 2176 | Gkbnap32.exe | 37
PID 2176 wrote to memory of 1680 | 2176 | Gkbnap32.exe | 37
PID 2176 wrote to memory of 1680 | 2176 | Gkbnap32.exe | 37
PID 1680 wrote to memory of 1236 | 1680 | Gcmcebkc.exe | 38
PID 1680 wrote to memory of 1236 | 1680 | Gcmcebkc.exe | 38
PID 1680 wrote to memory of 1236 | 1680 | Gcmcebkc.exe | 38
PID 1680 wrote to memory of 1236 | 1680 | Gcmcebkc.exe | 38
PID 1236 wrote to memory of 1484 | 1236 | Hijhhl32.exe | 39
PID 1236 wrote to memory of 1484 | 1236 | Hijhhl32.exe | 39
PID 1236 wrote to memory of 1484 | 1236 | Hijhhl32.exe | 39
PID 1236 wrote to memory of 1484 | 1236 | Hijhhl32.exe | 39
PID 1484 wrote to memory of 1916 | 1484 | Haemloni.exe | 40
PID 1484 wrote to memory of 1916 | 1484 | Haemloni.exe | 40
PID 1484 wrote to memory of 1916 | 1484 | Haemloni.exe | 40
PID 1484 wrote to memory of 1916 | 1484 | Haemloni.exe | 40
PID 1916 wrote to memory of 544 | 1916 | Hcdifa32.exe | 41
PID 1916 wrote to memory of 544 | 1916 | Hcdifa32.exe | 41
PID 1916 wrote to memory of 544 | 1916 | Hcdifa32.exe | 41
PID 1916 wrote to memory of 544 | 1916 | Hcdifa32.exe | 41
PID 544 wrote to memory of 2172 | 544 | Hajfgnjc.exe | 42
PID 544 wrote to memory of 2172 | 544 | Hajfgnjc.exe | 42
PID 544 wrote to memory of 2172 | 544 | Hajfgnjc.exe | 42
PID 544 wrote to memory of 2172 | 544 | Hajfgnjc.exe | 42
PID 2172 wrote to memory of 2392 | 2172 | Hgiked32.exe | 43
PID 2172 wrote to memory of 2392 | 2172 | Hgiked32.exe | 43
PID 2172 wrote to memory of 2392 | 2172 | Hgiked32.exe | 43
PID 2172 wrote to memory of 2392 | 2172 | Hgiked32.exe | 43
PID 2392 wrote to memory of 2444 | 2392 | Ijidfpci.exe | 44
PID 2392 wrote to memory of 2444 | 2392 | Ijidfpci.exe | 44
PID 2392 wrote to memory of 2444 | 2392 | Ijidfpci.exe | 44
PID 2392 wrote to memory of 2444 | 2392 | Ijidfpci.exe | 44
PID 2444 wrote to memory of 388 | 2444 | Ijlaloaf.exe | 45
PID 2444 wrote to memory of 388 | 2444 | Ijlaloaf.exe | 45
PID 2444 wrote to memory of 388 | 2444 | Ijlaloaf.exe | 45
PID 2444 wrote to memory of 388 | 2444 | Ijlaloaf.exe | 45
Processes
1. C:\Users\Admin\AppData\Local\Temp\58df225ce2710cbd56c33356eea58a052987e41270b4a04ccf44a63fa80dcaf3N.exe (command line: "C:\Users\Admin\AppData\Local\Temp\58df225ce2710cbd56c33356eea58a052987e41270b4a04ccf44a63fa80dcaf3N.exe")
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2496
2. C:\Windows\SysWOW64\Flabdecn.exe (command line: C:\Windows\system32\Flabdecn.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2848
3. C:\Windows\SysWOW64\Fejfmk32.exe (command line: C:\Windows\system32\Fejfmk32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2896
4. C:\Windows\SysWOW64\Fpokjd32.exe (command line: C:\Windows\system32\Fpokjd32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2904
5. C:\Windows\SysWOW64\Fbpclofe.exe (command line: C:\Windows\system32\Fbpclofe.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2636
6. C:\Windows\SysWOW64\Ggbieb32.exe (command line: C:\Windows\system32\Ggbieb32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2252
7. C:\Windows\SysWOW64\Gkpakq32.exe (command line: C:\Windows\system32\Gkpakq32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1072
8. C:\Windows\SysWOW64\Gkbnap32.exe (command line: C:\Windows\system32\Gkbnap32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2176
9. C:\Windows\SysWOW64\Gcmcebkc.exe (command line: C:\Windows\system32\Gcmcebkc.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 1680
10. C:\Windows\SysWOW64\Hijhhl32.exe (command line: C:\Windows\system32\Hijhhl32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1236
11. C:\Windows\SysWOW64\Haemloni.exe (command line: C:\Windows\system32\Haemloni.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1484
12. C:\Windows\SysWOW64\Hcdifa32.exe (command line: C:\Windows\system32\Hcdifa32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1916
13. C:\Windows\SysWOW64\Hajfgnjc.exe (command line: C:\Windows\system32\Hajfgnjc.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 544
14. C:\Windows\SysWOW64\Hgiked32.exe (command line: C:\Windows\system32\Hgiked32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2172
15. C:\Windows\SysWOW64\Ijidfpci.exe (command line: C:\Windows\system32\Ijidfpci.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2392
16. C:\Windows\SysWOW64\Ijlaloaf.exe (command line: C:\Windows\system32\Ijlaloaf.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2444
17. C:\Windows\SysWOW64\Ifbaapfk.exe (command line: C:\Windows\system32\Ifbaapfk.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 388
18. C:\Windows\SysWOW64\Ijqjgo32.exe (command line: C:\Windows\system32\Ijqjgo32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 952
19. C:\Windows\SysWOW64\Iomcpe32.exe (command line: C:\Windows\system32\Iomcpe32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 856
20. C:\Windows\SysWOW64\Iejkhlip.exe (command line: C:\Windows\system32\Iejkhlip.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID: 1336
21. C:\Windows\SysWOW64\Jnbpqb32.exe (command line: C:\Windows\system32\Jnbpqb32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 1764
22. C:\Windows\SysWOW64\Jfjhbo32.exe (command line: C:\Windows\system32\Jfjhbo32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 328
23. C:\Windows\SysWOW64\Joblkegc.exe (command line: C:\Windows\system32\Joblkegc.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID: 1304
24. C:\Windows\SysWOW64\Jkimpfmg.exe (command line: C:\Windows\system32\Jkimpfmg.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID: 1996
25. C:\Windows\SysWOW64\Jeaahk32.exe (command line: C:\Windows\system32\Jeaahk32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 2352
26. C:\Windows\SysWOW64\Jnifaajh.exe (command line: C:\Windows\system32\Jnifaajh.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 2364
27. C:\Windows\SysWOW64\Jpmooind.exe (command line: C:\Windows\system32\Jpmooind.exe)
- Executes dropped EXE
PID: 992
28. C:\Windows\SysWOW64\Kiecgo32.exe (command line: C:\Windows\system32\Kiecgo32.exe)
- Loads dropped DLL
PID: 2180
29. C:\Windows\SysWOW64\Kppldhla.exe (command line: C:\Windows\system32\Kppldhla.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID: 3028
30. C:\Windows\SysWOW64\Kjepaa32.exe (command line: C:\Windows\system32\Kjepaa32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID: 3064
31. C:\Windows\SysWOW64\Klfmijae.exe (command line: C:\Windows\system32\Klfmijae.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 2796
32. C:\Windows\SysWOW64\Kmficl32.exe (command line: C:\Windows\system32\Kmficl32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 2632
33. C:\Windows\SysWOW64\Keango32.exe (command line: C:\Windows\system32\Keango32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 2108
34. C:\Windows\SysWOW64\Kjpceebh.exe (command line: C:\Windows\system32\Kjpceebh.exe)
- Executes dropped EXE
PID: 2932
35. C:\Windows\SysWOW64\Ldhgnk32.exe (command line: C:\Windows\system32\Ldhgnk32.exe)
- Executes dropped EXE
PID: 1308
36. C:\Windows\SysWOW64\Lmalgq32.exe (command line: C:\Windows\system32\Lmalgq32.exe)
- Executes dropped EXE
PID: 1728
37. C:\Windows\SysWOW64\Lmcilp32.exe (command line: C:\Windows\system32\Lmcilp32.exe)
- Executes dropped EXE
PID: 2440
38. C:\Windows\SysWOW64\Lhimji32.exe (command line: C:\Windows\system32\Lhimji32.exe)
- Executes dropped EXE
PID: 2096
39. C:\Windows\SysWOW64\Lgnjke32.exe (command line: C:\Windows\system32\Lgnjke32.exe)
- Executes dropped EXE
PID: 2936
40. C:\Windows\SysWOW64\Lpfnckhe.exe (command line: C:\Windows\system32\Lpfnckhe.exe)
- Executes dropped EXE
PID: 824
41. C:\Windows\SysWOW64\Mpikik32.exe (command line: C:\Windows\system32\Mpikik32.exe)
- Executes dropped EXE
PID: 2084
42. C:\Windows\SysWOW64\Meecaa32.exe (command line: C:\Windows\system32\Meecaa32.exe)
- Executes dropped EXE
PID: 1300
43. C:\Windows\SysWOW64\Miclhpjp.exe (command line: C:\Windows\system32\Miclhpjp.exe)
- Executes dropped EXE
PID: 2476
44. C:\Windows\SysWOW64\Nqmqcmdh.exe (command line: C:\Windows\system32\Nqmqcmdh.exe)
- Executes dropped EXE
PID: 956
45. C:\Windows\SysWOW64\Oddphp32.exe (command line: C:\Windows\system32\Oddphp32.exe)
- Executes dropped EXE
PID: 1672
46. C:\Windows\SysWOW64\Oehicoom.exe (command line: C:\Windows\system32\Oehicoom.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID: 2536
47. C:\Windows\SysWOW64\Onamle32.exe (command line: C:\Windows\system32\Onamle32.exe)
- Executes dropped EXE
PID: 2556
48. C:\Windows\SysWOW64\Oqojhp32.exe (command line: C:\Windows\system32\Oqojhp32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 928
49. C:\Windows\SysWOW64\Pflbpg32.exe (command line: C:\Windows\system32\Pflbpg32.exe)
- Executes dropped EXE
PID: 1804
50. C:\Windows\SysWOW64\Pimkbbpi.exe (command line: C:\Windows\system32\Pimkbbpi.exe)
- Executes dropped EXE
PID: 1028
51. C:\Windows\SysWOW64\Pcbookpp.exe (command line: C:\Windows\system32\Pcbookpp.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 1252
52. C:\Windows\SysWOW64\Pmkdhq32.exe (command line: C:\Windows\system32\Pmkdhq32.exe)
- Executes dropped EXE
PID: 292
53. C:\Windows\SysWOW64\Pbglpg32.exe (command line: C:\Windows\system32\Pbglpg32.exe)
- Executes dropped EXE
PID: 2860
54. C:\Windows\SysWOW64\Pefhlcdk.exe (command line: C:\Windows\system32\Pefhlcdk.exe)
- Executes dropped EXE
PID: 3044
55. C:\Windows\SysWOW64\Pnnmeh32.exe (command line: C:\Windows\system32\Pnnmeh32.exe)
- Executes dropped EXE
PID: 2060
56. C:\Windows\SysWOW64\Pehebbbh.exe (command line: C:\Windows\system32\Pehebbbh.exe)
- Executes dropped EXE
PID: 2680
57. C:\Windows\SysWOW64\Qnqjkh32.exe (command line: C:\Windows\system32\Qnqjkh32.exe)
- Executes dropped EXE
PID: 1740
58. C:\Windows\SysWOW64\Qldjdlgb.exe (command line: C:\Windows\system32\Qldjdlgb.exe)
- Executes dropped EXE
- Modifies registry class
PID: 2608
59. C:\Windows\SysWOW64\Qdpohodn.exe (command line: C:\Windows\system32\Qdpohodn.exe)
- Executes dropped EXE
PID: 1148
60. C:\Windows\SysWOW64\Anecfgdc.exe (command line: C:\Windows\system32\Anecfgdc.exe)
- Executes dropped EXE
PID: 2928
61. C:\Windows\SysWOW64\Ahngomkd.exe (command line: C:\Windows\system32\Ahngomkd.exe)
- Executes dropped EXE
PID: 264
62. C:\Windows\SysWOW64\Ajldkhjh.exe (command line: C:\Windows\system32\Ajldkhjh.exe)
- Executes dropped EXE
PID: 2452
63. C:\Windows\SysWOW64\Ahpddmia.exe (command line: C:\Windows\system32\Ahpddmia.exe)
- Executes dropped EXE
PID: 1088
64. C:\Windows\SysWOW64\Aiaqle32.exe (command line: C:\Windows\system32\Aiaqle32.exe)
- Executes dropped EXE
PID: 2572
65. C:\Windows\SysWOW64\Aahimb32.exe (command line: C:\Windows\system32\Aahimb32.exe)
- Executes dropped EXE
PID: 872
66. C:\Windows\SysWOW64\Ajamfh32.exe (command line: C:\Windows\system32\Ajamfh32.exe)
- Executes dropped EXE
PID: 848
67. C:\Windows\SysWOW64\Adiaommc.exe (command line: C:\Windows\system32\Adiaommc.exe)
PID: 2460
68. C:\Windows\SysWOW64\Aifjgdkj.exe (command line: C:\Windows\system32\Aifjgdkj.exe)
PID: 1376
69. C:\Windows\SysWOW64\Bfjkphjd.exe (command line: C:\Windows\system32\Bfjkphjd.exe)
- Drops file in System32 directory
PID: 648
70. C:\Windows\SysWOW64\Blgcio32.exe (command line: C:\Windows\system32\Blgcio32.exe)
PID: 1548
71. C:\Windows\SysWOW64\Beogaenl.exe (command line: C:\Windows\system32\Beogaenl.exe)
PID: 2220
72. C:\Windows\SysWOW64\Bogljj32.exe (command line: C:\Windows\system32\Bogljj32.exe)
- Drops file in System32 directory
PID: 2840
73. C:\Windows\SysWOW64\Bceeqi32.exe (command line: C:\Windows\system32\Bceeqi32.exe)
PID: 2852
74. C:\Windows\SysWOW64\Bhbmip32.exe (command line: C:\Windows\system32\Bhbmip32.exe)
PID: 2776
75. C:\Windows\SysWOW64\Bakaaepk.exe (command line: C:\Windows\system32\Bakaaepk.exe)
PID: 2824
76. C:\Windows\SysWOW64\Bhdjno32.exe (command line: C:\Windows\system32\Bhdjno32.exe)
PID: 2668
77. C:\Windows\SysWOW64\Cppobaeb.exe (command line: C:\Windows\system32\Cppobaeb.exe)
PID: 820
78. C:\Windows\SysWOW64\Cjhckg32.exe (command line: C:\Windows\system32\Cjhckg32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID: 2080
79. C:\Windows\SysWOW64\Cdngip32.exe (command line: C:\Windows\system32\Cdngip32.exe)
PID: 3024
80. C:\Windows\SysWOW64\Ckhpejbf.exe (command line: C:\Windows\system32\Ckhpejbf.exe)
PID: 844
81. C:\Windows\SysWOW64\Cpdhna32.exe (command line: C:\Windows\system32\Cpdhna32.exe)
PID: 1748
82. C:\Windows\SysWOW64\Cgnpjkhj.exe (command line: C:\Windows\system32\Cgnpjkhj.exe)
PID: 2144
83. C:\Windows\SysWOW64\Clkicbfa.exe (command line: C:\Windows\system32\Clkicbfa.exe)
PID: 2560
84. C:\Windows\SysWOW64\Coladm32.exe (command line: C:\Windows\system32\Coladm32.exe)
PID: 932
85. C:\Windows\SysWOW64\Dhdfmbjc.exe (command line: C:\Windows\system32\Dhdfmbjc.exe)
PID: 580
86. C:\Windows\SysWOW64\Dcjjkkji.exe (command line: C:\Windows\system32\Dcjjkkji.exe)
PID: 640
87. C:\Windows\SysWOW64\Dhgccbhp.exe (command line: C:\Windows\system32\Dhgccbhp.exe)
PID: 2264
88. C:\Windows\SysWOW64\Doqkpl32.exe (command line: C:\Windows\system32\Doqkpl32.exe)
PID: 1316
89. C:\Windows\SysWOW64\Dkgldm32.exe (command line: C:\Windows\system32\Dkgldm32.exe)
PID: 2748
90. C:\Windows\SysWOW64\Dqddmd32.exe (command line: C:\Windows\system32\Dqddmd32.exe)
PID: 2724
91. C:\Windows\SysWOW64\Dnhefh32.exe (command line: C:\Windows\system32\Dnhefh32.exe)
PID: 1736
92. C:\Windows\SysWOW64\Dqfabdaf.exe (command line: C:\Windows\system32\Dqfabdaf.exe)
PID: 2424
93. C:\Windows\SysWOW64\Djoeki32.exe (command line: C:\Windows\system32\Djoeki32.exe)
PID: 2224
94. C:\Windows\SysWOW64\Dqinhcoc.exe (command line: C:\Windows\system32\Dqinhcoc.exe)
PID: 980
95. C:\Windows\SysWOW64\Ejabqi32.exe (command line: C:\Windows\system32\Ejabqi32.exe)
PID: 2000
96. C:\Windows\SysWOW64\Egebjmdn.exe (command line: C:\Windows\system32\Egebjmdn.exe)
PID: 2168
97. C:\Windows\SysWOW64\Embkbdce.exe (command line: C:\Windows\system32\Embkbdce.exe)
PID: 1700
98. C:\Windows\SysWOW64\Ebockkal.exe (command line: C:\Windows\system32\Ebockkal.exe)
PID: 1360
99. C:\Windows\SysWOW64\Ekghcq32.exe (command line: C:\Windows\system32\Ekghcq32.exe)
PID: 1960
100. C:\Windows\SysWOW64\Ecnpdnho.exe (command line: C:\Windows\system32\Ecnpdnho.exe)
PID: 1852
101. C:\Windows\SysWOW64\Eikimeff.exe (command line: C:\Windows\system32\Eikimeff.exe)
PID: 2104
102. C:\Windows\SysWOW64\Enhaeldn.exe (command line: C:\Windows\system32\Enhaeldn.exe)
- System Location Discovery: System Language Discovery
PID: 744
103. C:\Windows\SysWOW64\Fllaopcg.exe (command line: C:\Windows\system32\Fllaopcg.exe)
- System Location Discovery: System Language Discovery
PID: 868
104. C:\Windows\SysWOW64\Fipbhd32.exe (command line: C:\Windows\system32\Fipbhd32.exe)
PID: 2784
105. C:\Windows\SysWOW64\Fnmjpk32.exe (command line: C:\Windows\system32\Fnmjpk32.exe)
PID: 2648
106. C:\Windows\SysWOW64\Fakglf32.exe (command line: C:\Windows\system32\Fakglf32.exe)
PID: 2196
107. C:\Windows\SysWOW64\Fnogfk32.exe (command line: C:\Windows\system32\Fnogfk32.exe)
PID: 432
108. C:\Windows\SysWOW64\Fdlpnamm.exe (command line: C:\Windows\system32\Fdlpnamm.exe)
PID: 2892
109. C:\Windows\SysWOW64\Fmddgg32.exe (command line: C:\Windows\system32\Fmddgg32.exe)
PID: 1640
110. C:\Windows\SysWOW64\Fpbqcb32.exe (command line: C:\Windows\system32\Fpbqcb32.exe)
PID: 2072
111. C:\Windows\SysWOW64\Ffmipmjn.exe (command line: C:\Windows\system32\Ffmipmjn.exe)
PID: 2076
112. C:\Windows\SysWOW64\Fabmmejd.exe (command line: C:\Windows\system32\Fabmmejd.exe)
- Modifies registry class
PID: 1768
113. C:\Windows\SysWOW64\Gbcien32.exe (command line: C:\Windows\system32\Gbcien32.exe)
PID: 1800
114. C:\Windows\SysWOW64\Gllnnc32.exe (command line: C:\Windows\system32\Gllnnc32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2280
115. C:\Windows\SysWOW64\Gfabkl32.exe (command line: C:\Windows\system32\Gfabkl32.exe)
PID: 2768
116. C:\Windows\SysWOW64\Glnkcc32.exe (command line: C:\Windows\system32\Glnkcc32.exe)
PID: 2744
117. C:\Windows\SysWOW64\Gfcopl32.exe (command line: C:\Windows\system32\Gfcopl32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID: 2588
118. C:\Windows\SysWOW64\Hgckoofa.exe (command line: C:\Windows\system32\Hgckoofa.exe)
PID: 2128
119. C:\Windows\SysWOW64\Hplphd32.exe (command line: C:\Windows\system32\Hplphd32.exe)
PID: 1480
120. C:\Windows\SysWOW64\Hehhqk32.exe (command line: C:\Windows\system32\Hehhqk32.exe)
PID: 2160
121. C:\Windows\SysWOW64\Hlbpme32.exe (command line: C:\Windows\system32\Hlbpme32.exe)
PID: 2192
122. C:\Windows\SysWOW64\Hghdjn32.exe (command line: C:\Windows\system32\Hghdjn32.exe)
- Drops file in System32 directory
PID: 1812