Analysis
max time kernel: 149s
max time network: 120s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 01-11-2024 19:28
Static task: static1
Behavioral task: behavioral1
Sample: 02a02f614d7c7f76b2af8d12613ea0779eed076bfbc9dcee4143e7025a3a58fa.exe
Resource: win7-20240708-en
General
Target: 02a02f614d7c7f76b2af8d12613ea0779eed076bfbc9dcee4143e7025a3a58fa.exe
Size: 163KB
MD5: 79e258086567274b2cf22027f3dd2f63
SHA1: ea8f9980c0d1004a188cab89995e991c233296f5
SHA256: 02a02f614d7c7f76b2af8d12613ea0779eed076bfbc9dcee4143e7025a3a58fa
SHA512: f5faeb61d170ddc1ca8c907323705dd5732cc22c3b9429a673873f49404ba6bead1e25decf58e02c7cff2ebe7cdb03dbc476ae900a2e097791fbdf1216ff3363
SSDEEP: 1536:Pjl3oP2bQ6XUvTV+sJjngLhQBZq3ZsA0k/VKexlProNVU4qNVUrk/9QbfBr+7Gw6:RaMyjngLNsONPxltOrWKDBr+yJb
Malware Config
Extracted
berbew
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Berbew family
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
Bruteratel family
Detect BruteRatel badger (2 IoCs)
resource / yara_rule:
behavioral1/files/0x000400000001d94e-1659.dat family_bruteratel
behavioral1/files/0x0003000000020c42-5641.dat family_bruteratel
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
Mpkhoj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhkghqpb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ccqhdmbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmmbge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Elaeeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Klhioioc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mdojnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najnhfnn.dll" Fcichb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlmock32.dll" Mmbnam32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\02a02f614d7c7f76b2af8d12613ea0779eed076bfbc9dcee4143e7025a3a58fa.exe"C:\Users\Admin\AppData\Local\Temp\02a02f614d7c7f76b2af8d12613ea0779eed076bfbc9dcee4143e7025a3a58fa.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\SysWOW64\Djicmk32.exeC:\Windows\system32\Djicmk32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Dmgoif32.exeC:\Windows\system32\Dmgoif32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\SysWOW64\Dfpcblfp.exeC:\Windows\system32\Dfpcblfp.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\Dmjlof32.exeC:\Windows\system32\Dmjlof32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Dbgdgm32.exeC:\Windows\system32\Dbgdgm32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\SysWOW64\Eloipb32.exeC:\Windows\system32\Eloipb32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1584 -
C:\Windows\SysWOW64\Enneln32.exeC:\Windows\system32\Enneln32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1216 -
C:\Windows\SysWOW64\Elaeeb32.exeC:\Windows\system32\Elaeeb32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:844 -
C:\Windows\SysWOW64\Ebknblho.exeC:\Windows\system32\Ebknblho.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\Ejfbfo32.exeC:\Windows\system32\Ejfbfo32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\Eelgcg32.exeC:\Windows\system32\Eelgcg32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1376 -
C:\Windows\SysWOW64\Ecogodlk.exeC:\Windows\system32\Ecogodlk.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\Windows\SysWOW64\Emgkhj32.exeC:\Windows\system32\Emgkhj32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:532 -
C:\Windows\SysWOW64\Efppqoil.exeC:\Windows\system32\Efppqoil.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\Emjhmipi.exeC:\Windows\system32\Emjhmipi.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1856 -
C:\Windows\SysWOW64\Ebfqfpop.exeC:\Windows\system32\Ebfqfpop.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2392 -
C:\Windows\SysWOW64\Fmlecinf.exeC:\Windows\system32\Fmlecinf.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1792 -
C:\Windows\SysWOW64\Fegjgkla.exeC:\Windows\system32\Fegjgkla.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1032 -
C:\Windows\SysWOW64\Ficehj32.exeC:\Windows\system32\Ficehj32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2412 -
C:\Windows\SysWOW64\Fbkjap32.exeC:\Windows\system32\Fbkjap32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2024 -
C:\Windows\SysWOW64\Fejfmk32.exeC:\Windows\system32\Fejfmk32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1632 -
C:\Windows\SysWOW64\Flcojeak.exeC:\Windows\system32\Flcojeak.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2304 -
C:\Windows\SysWOW64\Fbngfo32.exeC:\Windows\system32\Fbngfo32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:304 -
C:\Windows\SysWOW64\Figocipe.exeC:\Windows\system32\Figocipe.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2676 -
C:\Windows\SysWOW64\Fenphjei.exeC:\Windows\system32\Fenphjei.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2816 -
C:\Windows\SysWOW64\Flhhed32.exeC:\Windows\system32\Flhhed32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2832 -
C:\Windows\SysWOW64\Geqlnjcf.exeC:\Windows\system32\Geqlnjcf.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2568 -
C:\Windows\SysWOW64\Gdcmig32.exeC:\Windows\system32\Gdcmig32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2196 -
C:\Windows\SysWOW64\Goiafp32.exeC:\Windows\system32\Goiafp32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1044 -
C:\Windows\SysWOW64\Gpjmnh32.exeC:\Windows\system32\Gpjmnh32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1712 -
C:\Windows\SysWOW64\Gkpakq32.exeC:\Windows\system32\Gkpakq32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1688 -
C:\Windows\SysWOW64\Gmnngl32.exeC:\Windows\system32\Gmnngl32.exe33⤵
- Executes dropped EXE
PID:1316 -
C:\Windows\SysWOW64\Ggfbpaeo.exeC:\Windows\system32\Ggfbpaeo.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:2240 -
C:\Windows\SysWOW64\Gmqkml32.exeC:\Windows\system32\Gmqkml32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2864 -
C:\Windows\SysWOW64\Ggiofa32.exeC:\Windows\system32\Ggiofa32.exe36⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Glfgnh32.exeC:\Windows\system32\Glfgnh32.exe37⤵
- Executes dropped EXE
PID:1788 -
C:\Windows\SysWOW64\Gcppkbia.exeC:\Windows\system32\Gcppkbia.exe38⤵
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Hijhhl32.exeC:\Windows\system32\Hijhhl32.exe39⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Hlhddh32.exeC:\Windows\system32\Hlhddh32.exe40⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Hofqpc32.exeC:\Windows\system32\Hofqpc32.exe41⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Hjlemlnk.exeC:\Windows\system32\Hjlemlnk.exe42⤵
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Hhoeii32.exeC:\Windows\system32\Hhoeii32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2132 -
C:\Windows\SysWOW64\Hoimecmb.exeC:\Windows\system32\Hoimecmb.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:660 -
C:\Windows\SysWOW64\Hagianlf.exeC:\Windows\system32\Hagianlf.exe45⤵
- Executes dropped EXE
PID:1728 -
C:\Windows\SysWOW64\Hhaanh32.exeC:\Windows\system32\Hhaanh32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:1716 -
C:\Windows\SysWOW64\Hkpnjd32.exeC:\Windows\system32\Hkpnjd32.exe47⤵
- Executes dropped EXE
PID:3020 -
C:\Windows\SysWOW64\Hajfgnjc.exeC:\Windows\system32\Hajfgnjc.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2060 -
C:\Windows\SysWOW64\Hdhbci32.exeC:\Windows\system32\Hdhbci32.exe49⤵
- Executes dropped EXE
PID:812 -
C:\Windows\SysWOW64\Hkbkpcpd.exeC:\Windows\system32\Hkbkpcpd.exe50⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Hnpgloog.exeC:\Windows\system32\Hnpgloog.exe51⤵
- Executes dropped EXE
PID:1072 -
C:\Windows\SysWOW64\Hqochjnk.exeC:\Windows\system32\Hqochjnk.exe52⤵
- Executes dropped EXE
PID:2128 -
C:\Windows\SysWOW64\Hhfkihon.exeC:\Windows\system32\Hhfkihon.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2712 -
C:\Windows\SysWOW64\Hjggap32.exeC:\Windows\system32\Hjggap32.exe54⤵
- Executes dropped EXE
PID:2756 -
C:\Windows\SysWOW64\Hnbcaome.exeC:\Windows\system32\Hnbcaome.exe55⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Iqapnjli.exeC:\Windows\system32\Iqapnjli.exe56⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Icplje32.exeC:\Windows\system32\Icplje32.exe57⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Ijidfpci.exeC:\Windows\system32\Ijidfpci.exe58⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Imhqbkbm.exeC:\Windows\system32\Imhqbkbm.exe59⤵
- Executes dropped EXE
PID:1004 -
C:\Windows\SysWOW64\Idohdhbo.exeC:\Windows\system32\Idohdhbo.exe60⤵
- Executes dropped EXE
PID:740 -
C:\Windows\SysWOW64\Ifpelq32.exeC:\Windows\system32\Ifpelq32.exe61⤵
- Executes dropped EXE
PID:1960 -
C:\Windows\SysWOW64\Ingmmn32.exeC:\Windows\system32\Ingmmn32.exe62⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Iqfiii32.exeC:\Windows\system32\Iqfiii32.exe63⤵
- Executes dropped EXE
PID:1852 -
C:\Windows\SysWOW64\Igpaec32.exeC:\Windows\system32\Igpaec32.exe64⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Ifbaapfk.exeC:\Windows\system32\Ifbaapfk.exe65⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Immjnj32.exeC:\Windows\system32\Immjnj32.exe66⤵PID:1436
-
C:\Windows\SysWOW64\Iokfjf32.exeC:\Windows\system32\Iokfjf32.exe67⤵PID:684
-
C:\Windows\SysWOW64\Ifengpdh.exeC:\Windows\system32\Ifengpdh.exe68⤵PID:2504
-
C:\Windows\SysWOW64\Ijqjgo32.exeC:\Windows\system32\Ijqjgo32.exe69⤵PID:2800
-
C:\Windows\SysWOW64\Ikagogco.exeC:\Windows\system32\Ikagogco.exe70⤵PID:2888
-
C:\Windows\SysWOW64\Iomcpe32.exeC:\Windows\system32\Iomcpe32.exe71⤵PID:3044
-
C:\Windows\SysWOW64\Ifgklp32.exeC:\Windows\system32\Ifgklp32.exe72⤵PID:2500
-
C:\Windows\SysWOW64\Iifghk32.exeC:\Windows\system32\Iifghk32.exe73⤵PID:816
-
C:\Windows\SysWOW64\Joppeeif.exeC:\Windows\system32\Joppeeif.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2828 -
C:\Windows\SysWOW64\Jnbpqb32.exeC:\Windows\system32\Jnbpqb32.exe75⤵PID:1916
-
C:\Windows\SysWOW64\Jelhmlgm.exeC:\Windows\system32\Jelhmlgm.exe76⤵PID:1740
-
C:\Windows\SysWOW64\Jgkdigfa.exeC:\Windows\system32\Jgkdigfa.exe77⤵PID:1136
-
C:\Windows\SysWOW64\Jkfpjf32.exeC:\Windows\system32\Jkfpjf32.exe78⤵
- Drops file in System32 directory
- Modifies registry class
PID:1748 -
C:\Windows\SysWOW64\Jnemfa32.exeC:\Windows\system32\Jnemfa32.exe79⤵
- System Location Discovery: System Language Discovery
PID:2400 -
C:\Windows\SysWOW64\Jacibm32.exeC:\Windows\system32\Jacibm32.exe80⤵PID:596
-
C:\Windows\SysWOW64\Jeoeclek.exeC:\Windows\system32\Jeoeclek.exe81⤵PID:2596
-
C:\Windows\SysWOW64\Jkimpfmg.exeC:\Windows\system32\Jkimpfmg.exe82⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:944 -
C:\Windows\SysWOW64\Jngilalk.exeC:\Windows\system32\Jngilalk.exe83⤵
- System Location Discovery: System Language Discovery
PID:1684 -
C:\Windows\SysWOW64\Jeaahk32.exeC:\Windows\system32\Jeaahk32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2084 -
C:\Windows\SysWOW64\Jgpndg32.exeC:\Windows\system32\Jgpndg32.exe85⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2260 -
C:\Windows\SysWOW64\Jjnjqb32.exeC:\Windows\system32\Jjnjqb32.exe86⤵PID:2104
-
C:\Windows\SysWOW64\Jnifaajh.exeC:\Windows\system32\Jnifaajh.exe87⤵PID:2576
-
C:\Windows\SysWOW64\Jahbmlil.exeC:\Windows\system32\Jahbmlil.exe88⤵
- System Location Discovery: System Language Discovery
PID:2556 -
C:\Windows\SysWOW64\Jcfoihhp.exeC:\Windows\system32\Jcfoihhp.exe89⤵
- System Location Discovery: System Language Discovery
PID:2536 -
C:\Windows\SysWOW64\Jjpgfbom.exeC:\Windows\system32\Jjpgfbom.exe90⤵PID:1620
-
C:\Windows\SysWOW64\Jmocbnop.exeC:\Windows\system32\Jmocbnop.exe91⤵PID:1332
-
C:\Windows\SysWOW64\Jcikog32.exeC:\Windows\system32\Jcikog32.exe92⤵
- Drops file in System32 directory
PID:1244 -
C:\Windows\SysWOW64\Kfggkc32.exeC:\Windows\system32\Kfggkc32.exe93⤵PID:2380
-
C:\Windows\SysWOW64\Kiecgo32.exeC:\Windows\system32\Kiecgo32.exe94⤵PID:1160
-
C:\Windows\SysWOW64\Kamlhl32.exeC:\Windows\system32\Kamlhl32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2056 -
C:\Windows\SysWOW64\Kppldhla.exeC:\Windows\system32\Kppldhla.exe96⤵PID:624
-
C:\Windows\SysWOW64\Kbnhpdke.exeC:\Windows\system32\Kbnhpdke.exe97⤵PID:1464
-
C:\Windows\SysWOW64\Kihpmnbb.exeC:\Windows\system32\Kihpmnbb.exe98⤵PID:2692
-
C:\Windows\SysWOW64\Kmclmm32.exeC:\Windows\system32\Kmclmm32.exe99⤵PID:2612
-
C:\Windows\SysWOW64\Kpbhjh32.exeC:\Windows\system32\Kpbhjh32.exe100⤵PID:1932
-
C:\Windows\SysWOW64\Kcmdjgbh.exeC:\Windows\system32\Kcmdjgbh.exe101⤵PID:2736
-
C:\Windows\SysWOW64\Kflafbak.exeC:\Windows\system32\Kflafbak.exe102⤵
- Drops file in System32 directory
PID:2544 -
C:\Windows\SysWOW64\Kijmbnpo.exeC:\Windows\system32\Kijmbnpo.exe103⤵PID:1548
-
C:\Windows\SysWOW64\Kmficl32.exeC:\Windows\system32\Kmficl32.exe104⤵PID:1612
-
C:\Windows\SysWOW64\Klhioioc.exeC:\Windows\system32\Klhioioc.exe105⤵
- Modifies registry class
PID:1804 -
C:\Windows\SysWOW64\Kbbakc32.exeC:\Windows\system32\Kbbakc32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:604 -
C:\Windows\SysWOW64\Kimjhnnl.exeC:\Windows\system32\Kimjhnnl.exe107⤵
- System Location Discovery: System Language Discovery
PID:1116 -
C:\Windows\SysWOW64\Klkfdi32.exeC:\Windows\system32\Klkfdi32.exe108⤵PID:580
-
C:\Windows\SysWOW64\Kbenacdm.exeC:\Windows\system32\Kbenacdm.exe109⤵PID:2988
-
C:\Windows\SysWOW64\Kiofnm32.exeC:\Windows\system32\Kiofnm32.exe110⤵PID:2820
-
C:\Windows\SysWOW64\Klmbjh32.exeC:\Windows\system32\Klmbjh32.exe111⤵PID:2940
-
C:\Windows\SysWOW64\Kjpceebh.exeC:\Windows\system32\Kjpceebh.exe112⤵PID:2584
-
C:\Windows\SysWOW64\Lbgkfbbj.exeC:\Windows\system32\Lbgkfbbj.exe113⤵PID:1572
-
C:\Windows\SysWOW64\Leegbnan.exeC:\Windows\system32\Leegbnan.exe114⤵
- Drops file in System32 directory
- Modifies registry class
PID:2956 -
C:\Windows\SysWOW64\Ldhgnk32.exeC:\Windows\system32\Ldhgnk32.exe115⤵PID:1408
-
C:\Windows\SysWOW64\Lkbpke32.exeC:\Windows\system32\Lkbpke32.exe116⤵PID:972
-
C:\Windows\SysWOW64\Lmalgq32.exeC:\Windows\system32\Lmalgq32.exe117⤵PID:572
-
C:\Windows\SysWOW64\Lalhgogb.exeC:\Windows\system32\Lalhgogb.exe118⤵PID:2432
-
C:\Windows\SysWOW64\Ldkdckff.exeC:\Windows\system32\Ldkdckff.exe119⤵PID:1948
-
C:\Windows\SysWOW64\Lfippfej.exeC:\Windows\system32\Lfippfej.exe120⤵PID:2984
-
C:\Windows\SysWOW64\Lmcilp32.exeC:\Windows\system32\Lmcilp32.exe121⤵PID:2420
-
C:\Windows\SysWOW64\Lhimji32.exeC:\Windows\system32\Lhimji32.exe122⤵PID:1516