Analysis
max time kernel: 121s
max time network: 123s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 23-10-2024 18:15
Behavioral task: behavioral1
Sample: 05d5beeae9d9f5cb4588b0df434d92ac49d6002e327de77be5fd615ca8f47c49.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 05d5beeae9d9f5cb4588b0df434d92ac49d6002e327de77be5fd615ca8f47c49.exe
Resource: win10v2004-20241007-en
General
Target: 05d5beeae9d9f5cb4588b0df434d92ac49d6002e327de77be5fd615ca8f47c49.exe
Size: 163KB
MD5: 9c805c9228fe6939a860a5a78edb147a
SHA1: 27682c790e4ceb0495669fb5e2fad9aeb4542924
SHA256: 05d5beeae9d9f5cb4588b0df434d92ac49d6002e327de77be5fd615ca8f47c49
SHA512: 5daa1327d6c78026e34d325b45ca8d000a4400b497641a16301fb814de1cd01c4553d77b3556c4c54e3eacacb43b6931cf223d694b544fe53af72299a2d1e2d6
SSDEEP: 1536:PzLGrhGTdOeiohP6HTcvkLq/KlProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:nGsTjiogHTcvJ/KltOrWKDBr+yJb
Malware Config
Extracted: berbew
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Processes: Ndpicm32.exe, Jdnmma32.exe, Becnhgmg.exe, Lkgkoiqc.exe, Jcpkpe32.exe, Jabdql32.exe, Pjnamh32.exe, Hjndlqal.exe, Fncpef32.exe, Fcmiod32.exe, Agpcihcf.exe, Ggnmbn32.exe, Ancefgfd.exe, Bonoflae.exe, Hfbaql32.exe, Lbemfbdk.exe, Akeijlfq.exe, Fdnolfon.exe, Eeaepd32.exe, Ogqaehak.exe, Kfbfkmeh.exe, Qiladcdh.exe, Hhpgpebh.exe, Oifdbb32.exe, Pkifdd32.exe, Pohfehdi.exe, Folfoj32.exe, Blaopqpo.exe, Gldmoepi.exe, Oanefo32.exe, Omefkplm.exe, Aopahjll.exe, Amfognic.exe
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndpicm32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdnmma32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Becnhgmg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkgkoiqc.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcpkpe32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jabdql32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjnamh32.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjndlqal.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fncpef32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcmiod32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agpcihcf.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggnmbn32.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ancefgfd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bonoflae.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfbaql32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbemfbdk.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akeijlfq.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdnolfon.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eeaepd32.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogqaehak.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfbfkmeh.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qiladcdh.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhpgpebh.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oifdbb32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkifdd32.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pohfehdi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Folfoj32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blaopqpo.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gldmoepi.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oanefo32.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omefkplm.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aopahjll.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amfognic.exe
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
Detect BruteRatel badger (9 IoCs)
resource yara_rule
behavioral1/files/0x000400000001dfa1-2964.dat family_bruteratel
behavioral1/files/0x0003000000020899-4800.dat family_bruteratel
behavioral1/files/0x0003000000020f05-6704.dat family_bruteratel
behavioral1/files/0x0003000000020fe6-7186.dat family_bruteratel
behavioral1/files/0x00030000000218da-11557.dat family_bruteratel
behavioral1/files/0x0003000000021ce8-13196.dat family_bruteratel
behavioral1/files/0x0003000000021cec-13207.dat family_bruteratel
behavioral1/files/0x0003000000021e62-13756.dat family_bruteratel
behavioral1/files/0x00030000000238ae-15946.dat family_bruteratel
Executes dropped EXE (64 IoCs)
pid Process
2596 Oghopm32.exe
3048 Oopfakpa.exe
2700 Oancnfoe.exe
2660 Onecbg32.exe
536 Ogmhkmki.exe
956 Pmjqcc32.exe
2140 Pjnamh32.exe
1968 Pmlmic32.exe
2568 Pgbafl32.exe
2992 Pqjfoa32.exe
3040 Pbkbgjcc.exe
1132 Pjbjhgde.exe
552 Piekcd32.exe
2792 Pbnoliap.exe
1080 Pihgic32.exe
1476 Poapfn32.exe
444 Qijdocfj.exe
2392 Qodlkm32.exe
2160 Qiladcdh.exe
1524 Aniimjbo.exe
1712 Aniimjbo.exe
1704 Aecaidjl.exe
2012 Anlfbi32.exe
2672 Amnfnfgg.exe
2432 Aeenochi.exe
2856 Ajbggjfq.exe
2632 Aaloddnn.exe
2760 Amcpie32.exe
2368 Apalea32.exe
2420 Ajgpbj32.exe
2916 Alhmjbhj.exe
556 Afnagk32.exe
2536 Bmhideol.exe
1960 Bbdallnd.exe
2984 Becnhgmg.exe
2688 Bbgnak32.exe
680 Bonoflae.exe
1892 Behgcf32.exe
1820 Blaopqpo.exe
1500 Bejdiffp.exe
2356 Bfkpqn32.exe
2172 Bmeimhdj.exe
1004 Cdoajb32.exe
1376 Cfnmfn32.exe
1328 Cmgechbh.exe
1816 Cpfaocal.exe
1716 Cgpjlnhh.exe
2428 Cmjbhh32.exe
2272 Clmbddgp.exe
2192 Cddjebgb.exe
2896 Cgbfamff.exe
2600 Ciqcmiei.exe
1920 Cmlong32.exe
2988 Cpkkjc32.exe
2512 Cgdcgm32.exe
2572 Cicpch32.exe
2860 Clalod32.exe
2300 Cpmhpbkc.exe
2780 Cckdlnjg.exe
2556 Cejphiik.exe
1508 Cielhh32.exe
1940 Chhldeho.exe
1000 Dkgippgb.exe
1908 Dcnqanhd.exe
Loads dropped DLL (64 IoCs)
pid Process
2884 05d5beeae9d9f5cb4588b0df434d92ac49d6002e327de77be5fd615ca8f47c49.exe
2884 05d5beeae9d9f5cb4588b0df434d92ac49d6002e327de77be5fd615ca8f47c49.exe
2596 Oghopm32.exe
2596 Oghopm32.exe
3048 Oopfakpa.exe
3048 Oopfakpa.exe
2700 Oancnfoe.exe
2700 Oancnfoe.exe
2660 Onecbg32.exe
2660 Onecbg32.exe
536 Ogmhkmki.exe
536 Ogmhkmki.exe
956 Pmjqcc32.exe
956 Pmjqcc32.exe
2140 Pjnamh32.exe
2140 Pjnamh32.exe
1968 Pmlmic32.exe
1968 Pmlmic32.exe
2568 Pgbafl32.exe
2568 Pgbafl32.exe
2992 Pqjfoa32.exe
2992 Pqjfoa32.exe
3040 Pbkbgjcc.exe
3040 Pbkbgjcc.exe
1132 Pjbjhgde.exe
1132 Pjbjhgde.exe
552 Piekcd32.exe
552 Piekcd32.exe
2792 Pbnoliap.exe
2792 Pbnoliap.exe
1080 Pihgic32.exe
1080 Pihgic32.exe
1476 Poapfn32.exe
1476 Poapfn32.exe
444 Qijdocfj.exe
444 Qijdocfj.exe
2392 Qodlkm32.exe
2392 Qodlkm32.exe
2160 Qiladcdh.exe
2160 Qiladcdh.exe
1524 Aniimjbo.exe
1524 Aniimjbo.exe
1712 Aniimjbo.exe
1712 Aniimjbo.exe
1704 Aecaidjl.exe
1704 Aecaidjl.exe
2012 Anlfbi32.exe
2012 Anlfbi32.exe
2672 Amnfnfgg.exe
2672 Amnfnfgg.exe
2432 Aeenochi.exe
2432 Aeenochi.exe
2856 Ajbggjfq.exe
2856 Ajbggjfq.exe
2632 Aaloddnn.exe
2632 Aaloddnn.exe
2760 Amcpie32.exe
2760 Amcpie32.exe
2368 Apalea32.exe
2368 Apalea32.exe
2420 Ajgpbj32.exe
2420 Ajgpbj32.exe
2916 Alhmjbhj.exe
2916 Alhmjbhj.exe
Drops file in System32 directory (64 IoCs)
Processes: Eapfagno.exe, Amfognic.exe, Chfbgn32.exe, Fkpjnkig.exe, Agdmdg32.exe, Lbackc32.exe, Ohkaco32.exe, Cfnmfn32.exe, Djqoll32.exe, Aekqmbod.exe, Ifgpnmom.exe, Bmhideol.exe, Hafock32.exe, Iajemnia.exe, Oifdbb32.exe, Dhplhc32.exe, Qgjqjjll.exe, Abhkfg32.exe, Bagkmb32.exe, Jagnlkjd.exe, Ooicid32.exe, Jkbfdfbm.exe, Opnpimdf.exe, Kfpifm32.exe, Jcbhee32.exe, Lpgajgeg.exe, Dacpkc32.exe, Iflmjihl.exe, Ippdgc32.exe, Dmhdkdlg.exe, Bccjdnbi.exe, Qgmfchei.exe
description ioc Process
File created C:\Windows\SysWOW64\Ibkhnd32.dll
File created C:\Windows\SysWOW64\Hailie32.dll
File opened for modification C:\Windows\SysWOW64\Ednbncmb.exe Eapfagno.exe
File created C:\Windows\SysWOW64\Dognqkje.dll Amfognic.exe
File created C:\Windows\SysWOW64\Clbnhmjo.exe Chfbgn32.exe
File created C:\Windows\SysWOW64\Folfoj32.exe Fkpjnkig.exe
File opened for modification C:\Windows\SysWOW64\Nabopjmj.exe
File created C:\Windows\SysWOW64\Ajcipc32.exe Agdmdg32.exe
File created C:\Windows\SysWOW64\Kglehp32.exe
File opened for modification C:\Windows\SysWOW64\Aakjdo32.exe
File created C:\Windows\SysWOW64\Llmmpcfe.exe
File created C:\Windows\SysWOW64\Kalhln32.dll
File created C:\Windows\SysWOW64\Mildmcdo.dll Lbackc32.exe
File opened for modification C:\Windows\SysWOW64\Pkjmoj32.exe Ohkaco32.exe
File created C:\Windows\SysWOW64\Oippjl32.exe
File created C:\Windows\SysWOW64\Obobnb32.dll
File created C:\Windows\SysWOW64\Gnnffg32.dll Cfnmfn32.exe
File created C:\Windows\SysWOW64\Ckkpbj32.dll Djqoll32.exe
File opened for modification C:\Windows\SysWOW64\Aigmnqgm.exe Aekqmbod.exe
File created C:\Windows\SysWOW64\Ioohokoo.exe Ifgpnmom.exe
File opened for modification C:\Windows\SysWOW64\Ngealejo.exe
File created C:\Windows\SysWOW64\Lcofio32.exe
File opened for modification C:\Windows\SysWOW64\Mjhjdm32.exe
File created C:\Windows\SysWOW64\Olmela32.exe
File created C:\Windows\SysWOW64\Bbdallnd.exe Bmhideol.exe
File created C:\Windows\SysWOW64\Hddlof32.exe Hafock32.exe
File created C:\Windows\SysWOW64\Iefamlak.exe Iajemnia.exe
File opened for modification C:\Windows\SysWOW64\Ohidmoaa.exe Oifdbb32.exe
File opened for modification C:\Windows\SysWOW64\Dpgcip32.exe Dhplhc32.exe
File created C:\Windows\SysWOW64\Bdkhjgeh.exe
File created C:\Windows\SysWOW64\Fdekgjno.exe
File created C:\Windows\SysWOW64\Flapkmlj.exe
File opened for modification C:\Windows\SysWOW64\Dncibp32.exe
File opened for modification C:\Windows\SysWOW64\Qjhmfekp.exe Qgjqjjll.exe
File created C:\Windows\SysWOW64\Gmejgd32.dll Abhkfg32.exe
File created C:\Windows\SysWOW64\Ocgcbd32.dll Bagkmb32.exe
File created C:\Windows\SysWOW64\Jebpihab.dll Jagnlkjd.exe
File opened for modification C:\Windows\SysWOW64\Oagoep32.exe Ooicid32.exe
File created C:\Windows\SysWOW64\Glcgij32.dll
File opened for modification C:\Windows\SysWOW64\Qmhahkdj.exe
File opened for modification C:\Windows\SysWOW64\Bdkhjgeh.exe
File created C:\Windows\SysWOW64\Jcjnfdbp.exe Jkbfdfbm.exe
File opened for modification C:\Windows\SysWOW64\Ooqpdj32.exe Opnpimdf.exe
File created C:\Windows\SysWOW64\Ekaggl32.dll Kfpifm32.exe
File created C:\Windows\SysWOW64\Fnbkfl32.dll
File opened for modification C:\Windows\SysWOW64\Ehhdaj32.exe
File created C:\Windows\SysWOW64\Eabepp32.exe
File opened for modification C:\Windows\SysWOW64\Mkfclo32.exe
File created C:\Windows\SysWOW64\Meoaif32.dll
File opened for modification C:\Windows\SysWOW64\Jeadap32.exe Jcbhee32.exe
File opened for modification C:\Windows\SysWOW64\Lnjafd32.exe Lpgajgeg.exe
File opened for modification C:\Windows\SysWOW64\Ddblgn32.exe Dacpkc32.exe
File opened for modification C:\Windows\SysWOW64\Iikifegp.exe Iflmjihl.exe
File created C:\Windows\SysWOW64\Mlfbgb32.dll Ippdgc32.exe
File opened for modification C:\Windows\SysWOW64\Icifjk32.exe
File opened for modification C:\Windows\SysWOW64\Dacpkc32.exe Dmhdkdlg.exe
File created C:\Windows\SysWOW64\Bjbndpmd.exe
File created C:\Windows\SysWOW64\Glgcpc32.dll
File created C:\Windows\SysWOW64\Pdbampij.dll
File created C:\Windows\SysWOW64\Nhpfip32.dll
File created C:\Windows\SysWOW64\Bfagpiam.exe Bccjdnbi.exe
File created C:\Windows\SysWOW64\Qododfek.exe Qgmfchei.exe
File created C:\Windows\SysWOW64\Gmoloenf.dll
File created C:\Windows\SysWOW64\Bgaebe32.exe
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: Piekcd32.exe, Aoohekal.exe, Mhilph32.exe, Ohnaik32.exe, Ibhndp32.exe, Eogmcjef.exe, Meabakda.exe, Fpoolael.exe, Hanogipc.exe, Ccdmnj32.exe, Epbpbnan.exe, Jlbboiip.exe, Lghlndfa.exe, Qhmcmk32.exe, Ajqljc32.exe, Cemjae32.exe, Iphecepe.exe, Nmnclmoj.exe, Ndnlnm32.exe, Aababceh.exe, Ilabmedg.exe, Macilmnk.exe, Qqbecp32.exe, Gfcnegnk.exe, 05d5beeae9d9f5cb4588b0df434d92ac49d6002e327de77be5fd615ca8f47c49.exe, Blaopqpo.exe, Mfoiqe32.exe, Pcghof32.exe, Nianhplq.exe, Eabcggll.exe, Gjlgfaco.exe, Jjdofm32.exe, Mpamde32.exe, Jaeafklf.exe, Kkgopf32.exe
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piekcd32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoohekal.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhilph32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohnaik32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibhndp32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eogmcjef.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meabakda.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpoolael.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hanogipc.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccdmnj32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epbpbnan.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlbboiip.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lghlndfa.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhmcmk32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajqljc32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cemjae32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iphecepe.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmnclmoj.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndnlnm32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aababceh.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilabmedg.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Macilmnk.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qqbecp32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfcnegnk.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 05d5beeae9d9f5cb4588b0df434d92ac49d6002e327de77be5fd615ca8f47c49.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blaopqpo.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfoiqe32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcghof32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nianhplq.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eabcggll.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjlgfaco.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjdofm32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpamde32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jaeafklf.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkgopf32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Modifies registry class (64 IoCs)
Processes: Ajqljc32.exe, Doecog32.exe, Eogmcjef.exe, Bmibgd32.exe, Agpcihcf.exe, Popeif32.exe, Lflplbpi.exe, Ocohkh32.exe, Ccbphk32.exe, Cakqgeoi.exe, Idcacc32.exe, Bjallg32.exe, Hfmddp32.exe, Hfedqagp.exe, Mabphn32.exe, Phnnho32.exe, Jpogbgmi.exe, Plmpblnb.exe, Pldebkhj.exe, Iflmjihl.exe, Iahhgnkd.exe, Omkjbb32.exe, Bbjmpcab.exe, Pckajebj.exe, Biaign32.exe, Amohfo32.exe, Ddblgn32.exe, Ecfldoph.exe, Gkomjo32.exe, Nnkcpq32.exe, Ippdgc32.exe, Dkgippgb.exe, Ibhndp32.exe, Pohfehdi.exe, Jgfcja32.exe
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaddjiql.dll" Ajqljc32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Doecog32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eogmcjef.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkdgkc32.dll" Bmibgd32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Agpcihcf.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Popeif32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okhdnm32.dll"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lflplbpi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqenoohi.dll" Ocohkh32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ccbphk32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goembl32.dll"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfakaoam.dll"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbclbi32.dll" Cakqgeoi.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Idcacc32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kibemb32.dll"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lefggi32.dll" Bjallg32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hfmddp32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adqaqk32.dll"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hfedqagp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mabphn32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghfmdj32.dll" Phnnho32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbodaa32.dll" Jpogbgmi.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Plmpblnb.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncocffdb.dll" Pldebkhj.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iflmjihl.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iahhgnkd.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omkjbb32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnaae32.dll"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pondgbkk.dll" Bbjmpcab.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghcicglo.dll" Pckajebj.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Biaign32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oncobd32.dll"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amohfo32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfhnop32.dll" Ddblgn32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ecfldoph.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkomjo32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnkcpq32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ippdgc32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijmkck32.dll" Dkgippgb.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibhndp32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kecdbl32.dll"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onipnblf.dll"
Key created
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pohfehdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhjijha.dll" Jgfcja32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\05d5beeae9d9f5cb4588b0df434d92ac49d6002e327de77be5fd615ca8f47c49.exe"C:\Users\Admin\AppData\Local\Temp\05d5beeae9d9f5cb4588b0df434d92ac49d6002e327de77be5fd615ca8f47c49.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\Oghopm32.exeC:\Windows\system32\Oghopm32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Oopfakpa.exeC:\Windows\system32\Oopfakpa.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Windows\SysWOW64\Oancnfoe.exeC:\Windows\system32\Oancnfoe.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Onecbg32.exeC:\Windows\system32\Onecbg32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Ogmhkmki.exeC:\Windows\system32\Ogmhkmki.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:536 -
C:\Windows\SysWOW64\Pmjqcc32.exeC:\Windows\system32\Pmjqcc32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:956 -
C:\Windows\SysWOW64\Pjnamh32.exeC:\Windows\system32\Pjnamh32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Windows\SysWOW64\Pmlmic32.exeC:\Windows\system32\Pmlmic32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\Windows\SysWOW64\Pgbafl32.exeC:\Windows\system32\Pgbafl32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\Pqjfoa32.exeC:\Windows\system32\Pqjfoa32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\SysWOW64\Pbkbgjcc.exeC:\Windows\system32\Pbkbgjcc.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\SysWOW64\Pjbjhgde.exeC:\Windows\system32\Pjbjhgde.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1132 -
C:\Windows\SysWOW64\Piekcd32.exeC:\Windows\system32\Piekcd32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:552 -
C:\Windows\SysWOW64\Pbnoliap.exeC:\Windows\system32\Pbnoliap.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Pihgic32.exeC:\Windows\system32\Pihgic32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1080 -
C:\Windows\SysWOW64\Poapfn32.exeC:\Windows\system32\Poapfn32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1476 -
C:\Windows\SysWOW64\Qijdocfj.exeC:\Windows\system32\Qijdocfj.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:444 -
C:\Windows\SysWOW64\Qodlkm32.exeC:\Windows\system32\Qodlkm32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2392 -
C:\Windows\SysWOW64\Qiladcdh.exeC:\Windows\system32\Qiladcdh.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2160 -
C:\Windows\SysWOW64\Aniimjbo.exeC:\Windows\system32\Aniimjbo.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1524 -
C:\Windows\SysWOW64\Aniimjbo.exeC:\Windows\system32\Aniimjbo.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1712 -
C:\Windows\SysWOW64\Aecaidjl.exeC:\Windows\system32\Aecaidjl.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1704 -
C:\Windows\SysWOW64\Anlfbi32.exeC:\Windows\system32\Anlfbi32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2012 -
C:\Windows\SysWOW64\Amnfnfgg.exeC:\Windows\system32\Amnfnfgg.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2672 -
C:\Windows\SysWOW64\Aeenochi.exeC:\Windows\system32\Aeenochi.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2432 -
C:\Windows\SysWOW64\Ajbggjfq.exeC:\Windows\system32\Ajbggjfq.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2856 -
C:\Windows\SysWOW64\Aaloddnn.exeC:\Windows\system32\Aaloddnn.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2632 -
C:\Windows\SysWOW64\Amcpie32.exeC:\Windows\system32\Amcpie32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2760 -
C:\Windows\SysWOW64\Apalea32.exeC:\Windows\system32\Apalea32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2368 -
C:\Windows\SysWOW64\Ajgpbj32.exeC:\Windows\system32\Ajgpbj32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2420 -
C:\Windows\SysWOW64\Alhmjbhj.exeC:\Windows\system32\Alhmjbhj.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2916 -
C:\Windows\SysWOW64\Afnagk32.exeC:\Windows\system32\Afnagk32.exe33⤵
- Executes dropped EXE
PID:556 -
C:\Windows\SysWOW64\Bmhideol.exeC:\Windows\system32\Bmhideol.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2536 -
C:\Windows\SysWOW64\Bbdallnd.exeC:\Windows\system32\Bbdallnd.exe35⤵
- Executes dropped EXE
PID:1960 -
C:\Windows\SysWOW64\Becnhgmg.exeC:\Windows\system32\Becnhgmg.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Bbgnak32.exeC:\Windows\system32\Bbgnak32.exe37⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Bonoflae.exeC:\Windows\system32\Bonoflae.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:680 -
C:\Windows\SysWOW64\Behgcf32.exeC:\Windows\system32\Behgcf32.exe39⤵
- Executes dropped EXE
PID:1892 -
C:\Windows\SysWOW64\Blaopqpo.exeC:\Windows\system32\Blaopqpo.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1820 -
C:\Windows\SysWOW64\Bejdiffp.exeC:\Windows\system32\Bejdiffp.exe41⤵
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Bfkpqn32.exeC:\Windows\system32\Bfkpqn32.exe42⤵
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Bmeimhdj.exeC:\Windows\system32\Bmeimhdj.exe43⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Cdoajb32.exeC:\Windows\system32\Cdoajb32.exe44⤵
- Executes dropped EXE
PID:1004 -
C:\Windows\SysWOW64\Cfnmfn32.exeC:\Windows\system32\Cfnmfn32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1376 -
C:\Windows\SysWOW64\Cmgechbh.exeC:\Windows\system32\Cmgechbh.exe46⤵
- Executes dropped EXE
PID:1328 -
C:\Windows\SysWOW64\Cpfaocal.exeC:\Windows\system32\Cpfaocal.exe47⤵
- Executes dropped EXE
PID:1816 -
C:\Windows\SysWOW64\Cgpjlnhh.exeC:\Windows\system32\Cgpjlnhh.exe48⤵
- Executes dropped EXE
PID:1716 -
C:\Windows\SysWOW64\Cmjbhh32.exeC:\Windows\system32\Cmjbhh32.exe49⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Clmbddgp.exeC:\Windows\system32\Clmbddgp.exe50⤵
- Executes dropped EXE
PID:2272 -
C:\Windows\SysWOW64\Cddjebgb.exeC:\Windows\system32\Cddjebgb.exe51⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Cgbfamff.exeC:\Windows\system32\Cgbfamff.exe52⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Ciqcmiei.exeC:\Windows\system32\Ciqcmiei.exe53⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Cmlong32.exeC:\Windows\system32\Cmlong32.exe54⤵
- Executes dropped EXE
PID:1920 -
C:\Windows\SysWOW64\Cpkkjc32.exeC:\Windows\system32\Cpkkjc32.exe55⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Cgdcgm32.exeC:\Windows\system32\Cgdcgm32.exe56⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Cicpch32.exeC:\Windows\system32\Cicpch32.exe57⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Clalod32.exeC:\Windows\system32\Clalod32.exe58⤵
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Cpmhpbkc.exeC:\Windows\system32\Cpmhpbkc.exe59⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Cckdlnjg.exeC:\Windows\system32\Cckdlnjg.exe60⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Cejphiik.exeC:\Windows\system32\Cejphiik.exe61⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Cielhh32.exeC:\Windows\system32\Cielhh32.exe62⤵
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Chhldeho.exeC:\Windows\system32\Chhldeho.exe63⤵
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Dkgippgb.exeC:\Windows\system32\Dkgippgb.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:1000 -
C:\Windows\SysWOW64\Dcnqanhd.exeC:\Windows\system32\Dcnqanhd.exe65⤵
- Executes dropped EXE
PID:1908 -
C:\Windows\SysWOW64\Ddomif32.exeC:\Windows\system32\Ddomif32.exe66⤵PID:1808
-
C:\Windows\SysWOW64\Dlfejcoe.exeC:\Windows\system32\Dlfejcoe.exe67⤵PID:2380
-
C:\Windows\SysWOW64\Dngabk32.exeC:\Windows\system32\Dngabk32.exe68⤵PID:2516
-
C:\Windows\SysWOW64\Dacnbjml.exeC:\Windows\system32\Dacnbjml.exe69⤵PID:3068
-
C:\Windows\SysWOW64\Deojci32.exeC:\Windows\system32\Deojci32.exe70⤵PID:2612
-
C:\Windows\SysWOW64\Dgpfkakd.exeC:\Windows\system32\Dgpfkakd.exe71⤵PID:2584
-
C:\Windows\SysWOW64\Dognlnlf.exeC:\Windows\system32\Dognlnlf.exe72⤵PID:796
-
C:\Windows\SysWOW64\Dphjcf32.exeC:\Windows\system32\Dphjcf32.exe73⤵PID:2924
-
C:\Windows\SysWOW64\Dddfdejn.exeC:\Windows\system32\Dddfdejn.exe74⤵PID:2080
-
C:\Windows\SysWOW64\Dgbcpq32.exeC:\Windows\system32\Dgbcpq32.exe75⤵PID:3024
-
C:\Windows\SysWOW64\Djqoll32.exeC:\Windows\system32\Djqoll32.exe76⤵
- Drops file in System32 directory
PID:3044 -
C:\Windows\SysWOW64\Dpjgifpa.exeC:\Windows\system32\Dpjgifpa.exe77⤵PID:2944
-
C:\Windows\SysWOW64\Dciceaoe.exeC:\Windows\system32\Dciceaoe.exe78⤵PID:1064
-
C:\Windows\SysWOW64\Dkpkfooh.exeC:\Windows\system32\Dkpkfooh.exe79⤵PID:1756
-
C:\Windows\SysWOW64\Dnnhbjnk.exeC:\Windows\system32\Dnnhbjnk.exe80⤵PID:1628
-
C:\Windows\SysWOW64\Dpmdofno.exeC:\Windows\system32\Dpmdofno.exe81⤵PID:1056
-
C:\Windows\SysWOW64\Egglkp32.exeC:\Windows\system32\Egglkp32.exe82⤵PID:1724
-
C:\Windows\SysWOW64\Efjlgmlf.exeC:\Windows\system32\Efjlgmlf.exe83⤵PID:2268
-
C:\Windows\SysWOW64\Enqdhj32.exeC:\Windows\system32\Enqdhj32.exe84⤵PID:2040
-
C:\Windows\SysWOW64\Eobapbbg.exeC:\Windows\system32\Eobapbbg.exe85⤵PID:1556
-
C:\Windows\SysWOW64\Egiiapci.exeC:\Windows\system32\Egiiapci.exe86⤵PID:3020
-
C:\Windows\SysWOW64\Ejgemkbm.exeC:\Windows\system32\Ejgemkbm.exe87⤵PID:1984
-
C:\Windows\SysWOW64\Elfaifaq.exeC:\Windows\system32\Elfaifaq.exe88⤵PID:2404
-
C:\Windows\SysWOW64\Eodnebpd.exeC:\Windows\system32\Eodnebpd.exe89⤵PID:2508
-
C:\Windows\SysWOW64\Ebcjamoh.exeC:\Windows\system32\Ebcjamoh.exe90⤵PID:2920
-
C:\Windows\SysWOW64\Ejjbbkpj.exeC:\Windows\system32\Ejjbbkpj.exe91⤵PID:2768
-
C:\Windows\SysWOW64\Elhnof32.exeC:\Windows\system32\Elhnof32.exe92⤵PID:2004
-
C:\Windows\SysWOW64\Ekknjcfh.exeC:\Windows\system32\Ekknjcfh.exe93⤵PID:2324
-
C:\Windows\SysWOW64\Ecbfkpfk.exeC:\Windows\system32\Ecbfkpfk.exe94⤵PID:1904
-
C:\Windows\SysWOW64\Edccch32.exeC:\Windows\system32\Edccch32.exe95⤵PID:1528
-
C:\Windows\SysWOW64\Ehoocgeb.exeC:\Windows\system32\Ehoocgeb.exe96⤵PID:852
-
C:\Windows\SysWOW64\Eknkpbdf.exeC:\Windows\system32\Eknkpbdf.exe97⤵PID:616
-
C:\Windows\SysWOW64\Eoigpa32.exeC:\Windows\system32\Eoigpa32.exe98⤵PID:1796
-
C:\Windows\SysWOW64\Ebgclm32.exeC:\Windows\system32\Ebgclm32.exe99⤵PID:2756
-
C:\Windows\SysWOW64\Edfpih32.exeC:\Windows\system32\Edfpih32.exe100⤵PID:2328
-
C:\Windows\SysWOW64\Egdlec32.exeC:\Windows\system32\Egdlec32.exe101⤵PID:1048
-
C:\Windows\SysWOW64\Fnndan32.exeC:\Windows\system32\Fnndan32.exe102⤵PID:3000
-
C:\Windows\SysWOW64\Fqmpni32.exeC:\Windows\system32\Fqmpni32.exe103⤵PID:2868
-
C:\Windows\SysWOW64\Fdhlnhhc.exeC:\Windows\system32\Fdhlnhhc.exe104⤵PID:2240
-
C:\Windows\SysWOW64\Fgfhjcgg.exeC:\Windows\system32\Fgfhjcgg.exe105⤵PID:1156
-
C:\Windows\SysWOW64\Fjeefofk.exeC:\Windows\system32\Fjeefofk.exe106⤵PID:2264
-
C:\Windows\SysWOW64\Fnqqgm32.exeC:\Windows\system32\Fnqqgm32.exe107⤵PID:2056
-
C:\Windows\SysWOW64\Fqomci32.exeC:\Windows\system32\Fqomci32.exe108⤵PID:1608
-
C:\Windows\SysWOW64\Fcmiod32.exeC:\Windows\system32\Fcmiod32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1516 -
C:\Windows\SysWOW64\Fgiepced.exeC:\Windows\system32\Fgiepced.exe110⤵PID:1260
-
C:\Windows\SysWOW64\Fjgalndh.exeC:\Windows\system32\Fjgalndh.exe111⤵PID:2120
-
C:\Windows\SysWOW64\Fmfnhj32.exeC:\Windows\system32\Fmfnhj32.exe112⤵PID:996
-
C:\Windows\SysWOW64\Fqajihle.exeC:\Windows\system32\Fqajihle.exe113⤵PID:1584
-
C:\Windows\SysWOW64\Femeig32.exeC:\Windows\system32\Femeig32.exe114⤵PID:2812
-
C:\Windows\SysWOW64\Fgkbeb32.exeC:\Windows\system32\Fgkbeb32.exe115⤵PID:380
-
C:\Windows\SysWOW64\Ffnbaojm.exeC:\Windows\system32\Ffnbaojm.exe116⤵PID:320
-
C:\Windows\SysWOW64\Fnejbmko.exeC:\Windows\system32\Fnejbmko.exe117⤵PID:2108
-
C:\Windows\SysWOW64\Fqcfnhjb.exeC:\Windows\system32\Fqcfnhjb.exe118⤵PID:2864
-
C:\Windows\SysWOW64\Fcbbjcif.exeC:\Windows\system32\Fcbbjcif.exe119⤵PID:2908
-
C:\Windows\SysWOW64\Ffqofohj.exeC:\Windows\system32\Ffqofohj.exe120⤵PID:2252
-
C:\Windows\SysWOW64\Ffqofohj.exeC:\Windows\system32\Ffqofohj.exe121⤵PID:2032
-
C:\Windows\SysWOW64\Fiokbjgn.exeC:\Windows\system32\Fiokbjgn.exe122⤵PID:1988