Analysis
-
max time kernel
121s -
max time network
130s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
03-11-2024 22:39
Behavioral task
behavioral1
Sample
4d68ac6319e5f3b0b13dbeb37d345267b92d9cc8471b6e7703288130a19b5492.exe
Resource
win7-20240903-en
windows7-x64
13 signatures
150 seconds
Behavioral task
behavioral2
Sample
4d68ac6319e5f3b0b13dbeb37d345267b92d9cc8471b6e7703288130a19b5492.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
4d68ac6319e5f3b0b13dbeb37d345267b92d9cc8471b6e7703288130a19b5492.exe
-
Size
163KB
-
MD5
b9ae162e1c464bbd33d74d457860f38d
-
SHA1
2a5db0e0af3cc6afa399d8e9b701622e57fd8951
-
SHA256
4d68ac6319e5f3b0b13dbeb37d345267b92d9cc8471b6e7703288130a19b5492
-
SHA512
4f7a44e643b7d1933289a3ccb6fc3cf16ebda224105e1a6c484f6c07622c95a5d047c1aed5f729c689a7ae7b9711afb2d7ffa4dde8b59081f9becf1681933c7f
-
SSDEEP
3072:0JGwhUmHYJY9k+VvZDWltOrWKDBr+yJb:0J1FHY29kIhWLOf
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Pfkimhhi.exeEfmckpko.exeCaokmd32.exeQaqlbmbn.exeIpfkabpg.exePipjpj32.exeFcpacf32.exeKambcbhb.exeGkoobhhg.exeJikhnaao.exeLmalgq32.exeQdpohodn.exeBjfpdf32.exeNijpdfhm.exeFoolgh32.exeNmcopebh.exeBlinefnd.exeEpqgopbi.exeMblcin32.exePojecajj.exeJqbbhg32.exeOehgjfhi.exeAeokba32.exeHgckoofa.exeFihalb32.exeGeloanjg.exeGaagcpdl.exeOkhgod32.exeJdmjfe32.exeIcdcllpc.exeEdmilpld.exeFmohco32.exeJacfidem.exeCjoilfek.exeDqfabdaf.exeLlcehg32.exeOoemcb32.exeEakooqih.exeOeaqig32.exeKfidqb32.exeNcmglp32.exeDbabho32.exeDkgldm32.exeNdgbgefh.exePifbjn32.exeEhhfjcff.exeKecjmodq.exeDofnnkfg.exeAmmoel32.exeMciabmlo.exeLnlaomae.exeMeljbqna.exeNcfjajma.exeOodjjign.exeMebnic32.exedescription ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfkimhhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efmckpko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Caokmd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qaqlbmbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipfkabpg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pipjpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcpacf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kambcbhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkoobhhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jikhnaao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmalgq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qdpohodn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjfpdf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nijpdfhm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Foolgh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmcopebh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blinefnd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epqgopbi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mblcin32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pojecajj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jqbbhg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oehgjfhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aeokba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgckoofa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fihalb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Geloanjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gaagcpdl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okhgod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdmjfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icdcllpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edmilpld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmohco32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jacfidem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjoilfek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dqfabdaf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llcehg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ooemcb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eakooqih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oeaqig32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfidqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncmglp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbabho32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkgldm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndgbgefh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pifbjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehhfjcff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kecjmodq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dofnnkfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ammoel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mciabmlo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnlaomae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Meljbqna.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncfjajma.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oodjjign.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mebnic32.exe -
Berbew family
-
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
-
Bruteratel family
-
Detect BruteRatel badger 6 IoCs
Processes:
resource yara_rule behavioral1/files/0x000400000001cadb-995.dat family_bruteratel behavioral1/files/0x000400000001da0a-1933.dat family_bruteratel behavioral1/files/0x00050000000201c0-3753.dat family_bruteratel behavioral1/files/0x00040000000204d8-4012.dat family_bruteratel behavioral1/files/0x0003000000020f4b-7476.dat family_bruteratel behavioral1/files/0x0003000000021600-11326.dat family_bruteratel -
Executes dropped EXE 64 IoCs
Processes:
Nlcibc32.exeNapbjjom.exeOmioekbo.exeOfadnq32.exeObhdcanc.exeOeindm32.exeOfhjopbg.exeOpqoge32.exePkjphcff.exePhnpagdp.exePdeqfhjd.exePojecajj.exePplaki32.exePifbjn32.exeQdlggg32.exeQndkpmkm.exeApedah32.exeApgagg32.exeAfffenbp.exeAhebaiac.exeAdlcfjgh.exeAkfkbd32.exeBhjlli32.exeBdqlajbb.exeBkjdndjo.exeBjpaop32.exeBqijljfd.exeBfioia32.exeCenljmgq.exeCocphf32.exeCepipm32.exeCinafkkd.exeCjonncab.exeCgcnghpl.exeCjakccop.exeCfhkhd32.exeDmbcen32.exeDiidjpbe.exeDpcmgi32.exeDjiqdb32.exeDljmlj32.exeDfpaic32.exeDokfme32.exeDfbnoc32.exeDpjbgh32.exeEakooqih.exeEdlhqlfi.exeEkfpmf32.exeEmdmjamj.exeEdoefl32.exeEabepp32.exeEhlmljkm.exeEmifeqid.exeEdcnakpa.exeEkmfne32.exeFlocfmnl.exeFdekgjno.exeFibcoalf.exeFoolgh32.exeFeiddbbj.exeFlclam32.exeFcmdnfad.exeFelajbpg.exeFkhibino.exepid Process 3008 Nlcibc32.exe 2268 Napbjjom.exe 3052 Omioekbo.exe 2808 Ofadnq32.exe 3020 Obhdcanc.exe 2648 Oeindm32.exe 2532 Ofhjopbg.exe 2292 Opqoge32.exe 1412 Pkjphcff.exe 2828 Phnpagdp.exe 2404 Pdeqfhjd.exe 2736 Pojecajj.exe 2856 Pplaki32.exe 2132 Pifbjn32.exe 408 Qdlggg32.exe 956 Qndkpmkm.exe 1968 Apedah32.exe 1036 Apgagg32.exe 3064 Afffenbp.exe 1016 Ahebaiac.exe 3048 Adlcfjgh.exe 1572 Akfkbd32.exe 1236 Bhjlli32.exe 2004 Bdqlajbb.exe 2320 Bkjdndjo.exe 1588 Bjpaop32.exe 1668 Bqijljfd.exe 2768 Bfioia32.exe 2824 Cenljmgq.exe 356 Cocphf32.exe 2676 Cepipm32.exe 2632 Cinafkkd.exe 1408 Cjonncab.exe 892 Cgcnghpl.exe 2416 Cjakccop.exe 2724 Cfhkhd32.exe 752 Dmbcen32.exe 1400 Diidjpbe.exe 1460 Dpcmgi32.exe 2136 Djiqdb32.exe 2096 Dljmlj32.exe 676 Dfpaic32.exe 1860 Dokfme32.exe 764 Dfbnoc32.exe 908 Dpjbgh32.exe 1932 Eakooqih.exe 2912 Edlhqlfi.exe 2276 Ekfpmf32.exe 2072 Emdmjamj.exe 2596 Edoefl32.exe 3028 Eabepp32.exe 2660 Ehlmljkm.exe 2752 Emifeqid.exe 2868 Edcnakpa.exe 284 Ekmfne32.exe 1544 Flocfmnl.exe 2572 Fdekgjno.exe 2032 Fibcoalf.exe 1908 Foolgh32.exe 2160 Feiddbbj.exe 900 Flclam32.exe 1708 Fcmdnfad.exe 1516 Felajbpg.exe 1560 Fkhibino.exe -
Loads dropped DLL 64 IoCs
Processes:
4d68ac6319e5f3b0b13dbeb37d345267b92d9cc8471b6e7703288130a19b5492.exeNlcibc32.exeNapbjjom.exeOmioekbo.exeOfadnq32.exeObhdcanc.exeOeindm32.exeOfhjopbg.exeOpqoge32.exePkjphcff.exePhnpagdp.exePdeqfhjd.exePojecajj.exePplaki32.exePifbjn32.exeQdlggg32.exeQndkpmkm.exeApedah32.exeApgagg32.exeAfffenbp.exeAhebaiac.exeAdlcfjgh.exeAkfkbd32.exeBhjlli32.exeBdqlajbb.exeBkjdndjo.exeBjpaop32.exeBqijljfd.exeBfioia32.exeCenljmgq.exeCocphf32.exeCepipm32.exepid Process 3012 4d68ac6319e5f3b0b13dbeb37d345267b92d9cc8471b6e7703288130a19b5492.exe 3012 4d68ac6319e5f3b0b13dbeb37d345267b92d9cc8471b6e7703288130a19b5492.exe 3008 Nlcibc32.exe 3008 Nlcibc32.exe 2268 Napbjjom.exe 2268 Napbjjom.exe 3052 Omioekbo.exe 3052 Omioekbo.exe 2808 Ofadnq32.exe 2808 Ofadnq32.exe 3020 Obhdcanc.exe 3020 Obhdcanc.exe 2648 Oeindm32.exe 2648 Oeindm32.exe 2532 Ofhjopbg.exe 2532 Ofhjopbg.exe 2292 Opqoge32.exe 2292 Opqoge32.exe 1412 Pkjphcff.exe 1412 Pkjphcff.exe 2828 Phnpagdp.exe 2828 Phnpagdp.exe 2404 Pdeqfhjd.exe 2404 Pdeqfhjd.exe 2736 Pojecajj.exe 2736 Pojecajj.exe 2856 Pplaki32.exe 2856 Pplaki32.exe 2132 Pifbjn32.exe 2132 Pifbjn32.exe 408 Qdlggg32.exe 408 Qdlggg32.exe 956 Qndkpmkm.exe 956 Qndkpmkm.exe 1968 Apedah32.exe 1968 Apedah32.exe 1036 Apgagg32.exe 1036 Apgagg32.exe 3064 Afffenbp.exe 3064 Afffenbp.exe 1016 Ahebaiac.exe 1016 Ahebaiac.exe 3048 Adlcfjgh.exe 3048 Adlcfjgh.exe 1572 Akfkbd32.exe 1572 Akfkbd32.exe 1236 Bhjlli32.exe 1236 Bhjlli32.exe 2004 Bdqlajbb.exe 2004 Bdqlajbb.exe 2320 Bkjdndjo.exe 2320 Bkjdndjo.exe 1588 Bjpaop32.exe 1588 Bjpaop32.exe 1668 Bqijljfd.exe 1668 Bqijljfd.exe 2768 Bfioia32.exe 2768 Bfioia32.exe 2824 Cenljmgq.exe 2824 Cenljmgq.exe 356 Cocphf32.exe 356 Cocphf32.exe 2676 Cepipm32.exe 2676 Cepipm32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Fjnignob.exeGdfiofhn.exeHjlbdc32.exeBoemlbpk.exeClciod32.exeKfidqb32.exeCbghhj32.exeIqllghon.exeOnipqp32.exeFmodaadg.exeKggfnoch.exeOahbjmjp.exeJhmofo32.exeLdbaopdj.exeNhmbdl32.exeGeilah32.exeNgoleb32.exeQcmkhi32.exeFfghjg32.exePmjaohol.exeFacdgl32.exeLepclldc.exeOoemcb32.exeOhbjgg32.exeMlolnllf.exeGlpgibbn.exeJjmcfl32.exeNmggllha.exeDpjbgh32.exeLpcoeb32.exeFlfkoeoh.exePmhgba32.exeIjnkifgp.exeLidgcclp.exeGcedad32.exeIgpdnlgd.exeApnhggln.exeOmioekbo.exeLnqjnhge.exeEjklan32.exeDgkiih32.exeOjblbgdg.exeAanibhoh.exeHeliepmn.exeAgkako32.exeHhkopj32.exeNjeelc32.exeFheoiqgi.exeHdkaabnh.exeJbbccgmp.exeDemaoj32.exeBkcfjk32.exeIlifndlo.exeBlniinac.exedescription ioc Process File created C:\Windows\SysWOW64\Fpjaodmj.exe Fjnignob.exe File opened for modification C:\Windows\SysWOW64\Ggdekbgb.exe Gdfiofhn.exe File opened for modification C:\Windows\SysWOW64\Hcdgmimg.exe Hjlbdc32.exe File created C:\Windows\SysWOW64\Bjjaikoa.exe Boemlbpk.exe File created C:\Windows\SysWOW64\Dqjipmcc.dll Clciod32.exe File created C:\Windows\SysWOW64\Kmclmm32.exe Kfidqb32.exe File created C:\Windows\SysWOW64\Cgdqpq32.exe Cbghhj32.exe File created C:\Windows\SysWOW64\Idghhf32.exe Iqllghon.exe File created C:\Windows\SysWOW64\Odcimipf.exe Onipqp32.exe File created C:\Windows\SysWOW64\Fcilnl32.exe Fmodaadg.exe File opened for modification C:\Windows\SysWOW64\Kjebjjck.exe Kggfnoch.exe File created C:\Windows\SysWOW64\Mbggjj32.dll Oahbjmjp.exe File created C:\Windows\SysWOW64\Jbbccgmp.exe Jhmofo32.exe File created C:\Windows\SysWOW64\Lohelidp.exe Ldbaopdj.exe File created C:\Windows\SysWOW64\Pjmgop32.dll File opened for modification C:\Windows\SysWOW64\Nklopg32.exe Nhmbdl32.exe File created C:\Windows\SysWOW64\Jmlenl32.dll File created C:\Windows\SysWOW64\Qojagi32.dll Geilah32.exe File created C:\Windows\SysWOW64\Ninhamne.exe Ngoleb32.exe File opened for modification C:\Windows\SysWOW64\Qfkgdd32.exe Qcmkhi32.exe File created C:\Windows\SysWOW64\Cbfpkj32.dll Ffghjg32.exe File opened for modification C:\Windows\SysWOW64\Pddjlb32.exe Pmjaohol.exe File created C:\Windows\SysWOW64\Qhbokp32.dll Facdgl32.exe File created C:\Windows\SysWOW64\Lljkif32.exe Lepclldc.exe File created C:\Windows\SysWOW64\Oikapk32.exe Ooemcb32.exe File created C:\Windows\SysWOW64\Ogekbchg.exe Ohbjgg32.exe File created C:\Windows\SysWOW64\Lcpnpp32.dll Mlolnllf.exe File opened for modification C:\Windows\SysWOW64\Gampaipe.exe Glpgibbn.exe File opened for modification C:\Windows\SysWOW64\Jmlobg32.exe Jjmcfl32.exe File created C:\Windows\SysWOW64\Npechhgd.exe Nmggllha.exe File opened for modification C:\Windows\SysWOW64\Eakooqih.exe Dpjbgh32.exe File created C:\Windows\SysWOW64\Omgfflgg.dll Lpcoeb32.exe File created C:\Windows\SysWOW64\Hdaqnb32.dll Flfkoeoh.exe File opened for modification C:\Windows\SysWOW64\Pcbookpp.exe Pmhgba32.exe File created C:\Windows\SysWOW64\Alkjpb32.dll Ngoleb32.exe File created C:\Windows\SysWOW64\Iahceq32.exe Ijnkifgp.exe File created C:\Windows\SysWOW64\Lpnopm32.exe Lidgcclp.exe File created C:\Windows\SysWOW64\Moibemdg.dll Gcedad32.exe File opened for modification C:\Windows\SysWOW64\Injlkf32.exe Igpdnlgd.exe File opened for modification C:\Windows\SysWOW64\Abldccka.exe Apnhggln.exe File opened for modification C:\Windows\SysWOW64\Ipaklm32.exe File opened for modification C:\Windows\SysWOW64\Ofadnq32.exe Omioekbo.exe File created C:\Windows\SysWOW64\Lhfnkqgk.exe Lnqjnhge.exe File opened for modification C:\Windows\SysWOW64\Eaednh32.exe Ejklan32.exe File opened for modification C:\Windows\SysWOW64\Djjeedhp.exe Dgkiih32.exe File opened for modification C:\Windows\SysWOW64\Olchjp32.exe Ojblbgdg.exe File created C:\Windows\SysWOW64\Agkako32.exe Aanibhoh.exe File opened for modification C:\Windows\SysWOW64\Mcidkf32.exe Mlolnllf.exe File created C:\Windows\SysWOW64\Lfmiff32.dll Heliepmn.exe File created C:\Windows\SysWOW64\Pfikokgf.dll Agkako32.exe File created C:\Windows\SysWOW64\Bbdofg32.dll Hhkopj32.exe File opened for modification C:\Windows\SysWOW64\Ncnjeh32.exe Njeelc32.exe File created C:\Windows\SysWOW64\Pjblfjdp.dll Fheoiqgi.exe File opened for modification C:\Windows\SysWOW64\Hhfmbq32.exe Hdkaabnh.exe File created C:\Windows\SysWOW64\Agefobee.dll File opened for modification C:\Windows\SysWOW64\Jdcpkp32.exe Jbbccgmp.exe File created C:\Windows\SysWOW64\Kneoni32.dll Demaoj32.exe File created C:\Windows\SysWOW64\Ckecpjdh.exe Bkcfjk32.exe File opened for modification C:\Windows\SysWOW64\Aijfihip.exe File opened for modification C:\Windows\SysWOW64\Npcika32.exe File created C:\Windows\SysWOW64\Nejdjf32.exe File opened for modification C:\Windows\SysWOW64\Iohbjpkb.exe Ilifndlo.exe File created C:\Windows\SysWOW64\Pofomolo.exe File created C:\Windows\SysWOW64\Bakaaepk.exe Blniinac.exe -
Program crash 1 IoCs
Processes:
pid pid_target Process procid_target 6216 5696 1250 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Hgiked32.exeMgkbjb32.exeBiccfalm.exeBoemlbpk.exeGonale32.exeAgkako32.exeCfhkhd32.exeKjeglh32.exePllkpn32.exeJkfpjf32.exeKjpceebh.exePgibdjln.exeHokhbj32.exeGedbfimc.exeLepclldc.exePodpoffm.exeMejoei32.exeFcfohlmg.exeHhogaamj.exeAebjaj32.exeIamfdo32.exeNbkgbg32.exeAphcppmo.exeLbgkfbbj.exeMlolnllf.exeEdcnakpa.exeIjnnao32.exeOodjjign.exePjleclph.exeAanibhoh.exeBfmqigba.exeLflonn32.exeJgmjdaqb.exePogegeoj.exeGdfiofhn.exeHnnjfo32.exeFabmmejd.exeGhghnc32.exeEdofbpja.exeHlpmmpam.exeFelajbpg.exeQmenhe32.exeGeloanjg.exeGleqdb32.exeLbkaoalg.exeAebakp32.exeCjakccop.exeFqhclqnc.exePfcjiodd.exeEimcjl32.exePehebbbh.exeBlniinac.exeKkefoc32.exePnimpcke.exeFcilnl32.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgiked32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgkbjb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biccfalm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boemlbpk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gonale32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agkako32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfhkhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjeglh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pllkpn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkfpjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjpceebh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgibdjln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hokhbj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gedbfimc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lepclldc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Podpoffm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mejoei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcfohlmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhogaamj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aebjaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iamfdo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbkgbg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aphcppmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbgkfbbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlolnllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edcnakpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijnnao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oodjjign.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjleclph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aanibhoh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfmqigba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lflonn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgmjdaqb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pogegeoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdfiofhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnnjfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fabmmejd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghghnc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edofbpja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlpmmpam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Felajbpg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmenhe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geloanjg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gleqdb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbkaoalg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aebakp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjakccop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqhclqnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfcjiodd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eimcjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pehebbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blniinac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkefoc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnimpcke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcilnl32.exe -
Modifies registry class 64 IoCs
Processes:
Apgagg32.exeBjjaikoa.exeIjqjgo32.exeMgnfji32.exeAlofnj32.exeLnlaomae.exeNogmin32.exeBjedmo32.exeDhpgfeao.exeFdapcg32.exeHbpbck32.exeFkkfgi32.exeJggoqimd.exeLemdncoa.exeJegdgj32.exeKcpcho32.exeQnciiq32.exeOpialpld.exeJfmkbebl.exeMainndaq.exeLpqlemaj.exeQnqjkh32.exeDljmlj32.exeGlbaei32.exeMebnic32.exeJgmjdaqb.exeQgiplffm.exeCjhabndo.exeAnhpkg32.exeOoemcb32.exeCqaiph32.exeLfdpjp32.exeLlbnnq32.exeLkjmfjmi.exePfchqf32.exeGfoeel32.exeGhghnc32.exeMebpakbq.exeJneoojeb.exeOfadnq32.exeFhgifgnb.exeJfjolf32.exeAbhlak32.exeAognbnkm.exeEpnkip32.exeAjociq32.exeIhdmld32.exeFabmmejd.exeLiblfl32.exeOlimlf32.exeJdcpkp32.exeMfmqmgbm.exeFedfgejh.exeHjddaj32.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Apgagg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjjaikoa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijqjgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ompjookk.dll" Mgnfji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcigjjli.dll" Alofnj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lnlaomae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlcbff32.dll" Nogmin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afloik32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhkfeeek.dll" Bjedmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ongcaafk.dll" Dhpgfeao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdapcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogllmge.dll" Hbpbck32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkkfgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jggoqimd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lemdncoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jegdgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kcpcho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nolqjlhk.dll" Qnciiq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Opialpld.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfmkbebl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfnekb32.dll" Mainndaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpqlemaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qnqjkh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dljmlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Glbaei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mebnic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgmjdaqb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qgiplffm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Foibjlda.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjhabndo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eaflfbko.dll" Anhpkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olopgm32.dll" Ooemcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnfdih32.dll" Cqaiph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lfdpjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Llbnnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkjmfjmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfchqf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gfoeel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghghnc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mebpakbq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jneoojeb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ofadnq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhgifgnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omfpmb32.dll" Jfjolf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abhlak32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aognbnkm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epnkip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajociq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnekmihd.dll" Ihdmld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fabmmejd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Liblfl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olimlf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jdcpkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mfmqmgbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fedfgejh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hjddaj32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
4d68ac6319e5f3b0b13dbeb37d345267b92d9cc8471b6e7703288130a19b5492.exeNlcibc32.exeNapbjjom.exeOmioekbo.exeOfadnq32.exeObhdcanc.exeOeindm32.exeOfhjopbg.exeOpqoge32.exePkjphcff.exePhnpagdp.exePdeqfhjd.exePojecajj.exePplaki32.exePifbjn32.exeQdlggg32.exedescription pid Process procid_target PID 3012 wrote to memory of 3008 3012 4d68ac6319e5f3b0b13dbeb37d345267b92d9cc8471b6e7703288130a19b5492.exe 31 PID 3012 wrote to memory of 3008 3012 4d68ac6319e5f3b0b13dbeb37d345267b92d9cc8471b6e7703288130a19b5492.exe 31 PID 3012 wrote to memory of 3008 3012 4d68ac6319e5f3b0b13dbeb37d345267b92d9cc8471b6e7703288130a19b5492.exe 31 PID 3012 wrote to memory of 3008 3012 4d68ac6319e5f3b0b13dbeb37d345267b92d9cc8471b6e7703288130a19b5492.exe 31 PID 3008 wrote to memory of 2268 3008 Nlcibc32.exe 32 PID 3008 wrote to memory of 2268 3008 Nlcibc32.exe 32 PID 3008 wrote to memory of 2268 3008 Nlcibc32.exe 32 PID 3008 wrote to memory of 2268 3008 Nlcibc32.exe 32 PID 2268 wrote to memory of 3052 2268 Napbjjom.exe 33 PID 2268 wrote to memory of 3052 2268 Napbjjom.exe 33 PID 2268 wrote to memory of 3052 2268 Napbjjom.exe 33 PID 2268 wrote to memory of 3052 2268 Napbjjom.exe 33 PID 3052 wrote to memory of 2808 3052 Omioekbo.exe 34 PID 3052 wrote to memory of 2808 3052 Omioekbo.exe 34 PID 3052 wrote to memory of 2808 3052 Omioekbo.exe 34 PID 3052 wrote to memory of 2808 3052 Omioekbo.exe 34 PID 2808 wrote to memory of 3020 2808 Ofadnq32.exe 35 PID 2808 wrote to memory of 3020 2808 Ofadnq32.exe 35 PID 2808 wrote to memory of 3020 2808 Ofadnq32.exe 35 PID 2808 wrote to memory of 3020 2808 Ofadnq32.exe 35 PID 3020 wrote to memory of 2648 3020 Obhdcanc.exe 36 PID 3020 wrote to memory of 2648 3020 Obhdcanc.exe 36 PID 3020 wrote to memory of 2648 3020 Obhdcanc.exe 36 PID 3020 wrote to memory of 2648 3020 Obhdcanc.exe 36 PID 2648 wrote to memory of 2532 2648 Oeindm32.exe 37 PID 2648 wrote to memory of 2532 2648 Oeindm32.exe 37 PID 2648 wrote to memory of 2532 2648 Oeindm32.exe 37 PID 2648 wrote to memory of 2532 2648 Oeindm32.exe 37 PID 2532 wrote to memory of 2292 2532 Ofhjopbg.exe 38 PID 2532 wrote to memory of 2292 2532 Ofhjopbg.exe 38 PID 2532 wrote to memory of 2292 2532 Ofhjopbg.exe 38 PID 2532 wrote to memory of 2292 2532 Ofhjopbg.exe 38 PID 2292 wrote to memory of 1412 2292 Opqoge32.exe 39 PID 2292 wrote to memory of 1412 2292 Opqoge32.exe 39 PID 2292 wrote to memory of 1412 2292 Opqoge32.exe 39 PID 2292 wrote to memory of 1412 2292 Opqoge32.exe 39 PID 1412 wrote to memory of 2828 1412 Pkjphcff.exe 40 PID 1412 wrote to memory of 2828 1412 Pkjphcff.exe 40 PID 1412 wrote to memory of 2828 1412 Pkjphcff.exe 40 PID 1412 wrote to memory of 2828 1412 Pkjphcff.exe 40 PID 2828 wrote to memory of 2404 2828 Phnpagdp.exe 41 PID 2828 wrote to memory of 2404 2828 Phnpagdp.exe 41 PID 2828 wrote to memory of 2404 2828 Phnpagdp.exe 41 PID 2828 wrote to memory of 2404 2828 Phnpagdp.exe 41 PID 2404 wrote to memory of 2736 2404 Pdeqfhjd.exe 42 PID 2404 wrote to memory of 2736 2404 Pdeqfhjd.exe 42 PID 2404 wrote to memory of 2736 2404 Pdeqfhjd.exe 42 PID 2404 wrote to memory of 2736 2404 Pdeqfhjd.exe 42 PID 2736 wrote to memory of 2856 2736 Pojecajj.exe 43 PID 2736 wrote to memory of 2856 2736 Pojecajj.exe 43 PID 2736 wrote to memory of 2856 2736 Pojecajj.exe 43 PID 2736 wrote to memory of 2856 2736 Pojecajj.exe 43 PID 2856 wrote to memory of 2132 2856 Pplaki32.exe 44 PID 2856 wrote to memory of 2132 2856 Pplaki32.exe 44 PID 2856 wrote to memory of 2132 2856 Pplaki32.exe 44 PID 2856 wrote to memory of 2132 2856 Pplaki32.exe 44 PID 2132 wrote to memory of 408 2132 Pifbjn32.exe 45 PID 2132 wrote to memory of 408 2132 Pifbjn32.exe 45 PID 2132 wrote to memory of 408 2132 Pifbjn32.exe 45 PID 2132 wrote to memory of 408 2132 Pifbjn32.exe 45 PID 408 wrote to memory of 956 408 Qdlggg32.exe 46 PID 408 wrote to memory of 956 408 Qdlggg32.exe 46 PID 408 wrote to memory of 956 408 Qdlggg32.exe 46 PID 408 wrote to memory of 956 408 Qdlggg32.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\4d68ac6319e5f3b0b13dbeb37d345267b92d9cc8471b6e7703288130a19b5492.exe"C:\Users\Admin\AppData\Local\Temp\4d68ac6319e5f3b0b13dbeb37d345267b92d9cc8471b6e7703288130a19b5492.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Windows\SysWOW64\Nlcibc32.exeC:\Windows\system32\Nlcibc32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Windows\SysWOW64\Napbjjom.exeC:\Windows\system32\Napbjjom.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2268 -
C:\Windows\SysWOW64\Omioekbo.exeC:\Windows\system32\Omioekbo.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\SysWOW64\Ofadnq32.exeC:\Windows\system32\Ofadnq32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Obhdcanc.exeC:\Windows\system32\Obhdcanc.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Windows\SysWOW64\Oeindm32.exeC:\Windows\system32\Oeindm32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Ofhjopbg.exeC:\Windows\system32\Ofhjopbg.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\SysWOW64\Opqoge32.exeC:\Windows\system32\Opqoge32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\SysWOW64\Pkjphcff.exeC:\Windows\system32\Pkjphcff.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1412 -
C:\Windows\SysWOW64\Phnpagdp.exeC:\Windows\system32\Phnpagdp.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\Pdeqfhjd.exeC:\Windows\system32\Pdeqfhjd.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Windows\SysWOW64\Pojecajj.exeC:\Windows\system32\Pojecajj.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Pplaki32.exeC:\Windows\system32\Pplaki32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Pifbjn32.exeC:\Windows\system32\Pifbjn32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\SysWOW64\Qdlggg32.exeC:\Windows\system32\Qdlggg32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:408 -
C:\Windows\SysWOW64\Qndkpmkm.exeC:\Windows\system32\Qndkpmkm.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:956 -
C:\Windows\SysWOW64\Apedah32.exeC:\Windows\system32\Apedah32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1968 -
C:\Windows\SysWOW64\Apgagg32.exeC:\Windows\system32\Apgagg32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1036 -
C:\Windows\SysWOW64\Afffenbp.exeC:\Windows\system32\Afffenbp.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3064 -
C:\Windows\SysWOW64\Ahebaiac.exeC:\Windows\system32\Ahebaiac.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1016 -
C:\Windows\SysWOW64\Adlcfjgh.exeC:\Windows\system32\Adlcfjgh.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3048 -
C:\Windows\SysWOW64\Akfkbd32.exeC:\Windows\system32\Akfkbd32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1572 -
C:\Windows\SysWOW64\Bhjlli32.exeC:\Windows\system32\Bhjlli32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1236 -
C:\Windows\SysWOW64\Bdqlajbb.exeC:\Windows\system32\Bdqlajbb.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2004 -
C:\Windows\SysWOW64\Bkjdndjo.exeC:\Windows\system32\Bkjdndjo.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2320 -
C:\Windows\SysWOW64\Bjpaop32.exeC:\Windows\system32\Bjpaop32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1588 -
C:\Windows\SysWOW64\Bqijljfd.exeC:\Windows\system32\Bqijljfd.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1668 -
C:\Windows\SysWOW64\Bfioia32.exeC:\Windows\system32\Bfioia32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2768 -
C:\Windows\SysWOW64\Cenljmgq.exeC:\Windows\system32\Cenljmgq.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2824 -
C:\Windows\SysWOW64\Cocphf32.exeC:\Windows\system32\Cocphf32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:356 -
C:\Windows\SysWOW64\Cepipm32.exeC:\Windows\system32\Cepipm32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2676 -
C:\Windows\SysWOW64\Cinafkkd.exeC:\Windows\system32\Cinafkkd.exe33⤵
- Executes dropped EXE
PID:2632 -
C:\Windows\SysWOW64\Cjonncab.exeC:\Windows\system32\Cjonncab.exe34⤵
- Executes dropped EXE
PID:1408 -
C:\Windows\SysWOW64\Cgcnghpl.exeC:\Windows\system32\Cgcnghpl.exe35⤵
- Executes dropped EXE
PID:892 -
C:\Windows\SysWOW64\Cjakccop.exeC:\Windows\system32\Cjakccop.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2416 -
C:\Windows\SysWOW64\Cfhkhd32.exeC:\Windows\system32\Cfhkhd32.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2724 -
C:\Windows\SysWOW64\Dmbcen32.exeC:\Windows\system32\Dmbcen32.exe38⤵
- Executes dropped EXE
PID:752 -
C:\Windows\SysWOW64\Diidjpbe.exeC:\Windows\system32\Diidjpbe.exe39⤵
- Executes dropped EXE
PID:1400 -
C:\Windows\SysWOW64\Dpcmgi32.exeC:\Windows\system32\Dpcmgi32.exe40⤵
- Executes dropped EXE
PID:1460 -
C:\Windows\SysWOW64\Djiqdb32.exeC:\Windows\system32\Djiqdb32.exe41⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Dljmlj32.exeC:\Windows\system32\Dljmlj32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:2096 -
C:\Windows\SysWOW64\Dfpaic32.exeC:\Windows\system32\Dfpaic32.exe43⤵
- Executes dropped EXE
PID:676 -
C:\Windows\SysWOW64\Dokfme32.exeC:\Windows\system32\Dokfme32.exe44⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Dfbnoc32.exeC:\Windows\system32\Dfbnoc32.exe45⤵
- Executes dropped EXE
PID:764 -
C:\Windows\SysWOW64\Dpjbgh32.exeC:\Windows\system32\Dpjbgh32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:908 -
C:\Windows\SysWOW64\Eakooqih.exeC:\Windows\system32\Eakooqih.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1932 -
C:\Windows\SysWOW64\Edlhqlfi.exeC:\Windows\system32\Edlhqlfi.exe48⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Ekfpmf32.exeC:\Windows\system32\Ekfpmf32.exe49⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Emdmjamj.exeC:\Windows\system32\Emdmjamj.exe50⤵
- Executes dropped EXE
PID:2072 -
C:\Windows\SysWOW64\Edoefl32.exeC:\Windows\system32\Edoefl32.exe51⤵
- Executes dropped EXE
PID:2596 -
C:\Windows\SysWOW64\Eabepp32.exeC:\Windows\system32\Eabepp32.exe52⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Ehlmljkm.exeC:\Windows\system32\Ehlmljkm.exe53⤵
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Emifeqid.exeC:\Windows\system32\Emifeqid.exe54⤵
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Edcnakpa.exeC:\Windows\system32\Edcnakpa.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2868 -
C:\Windows\SysWOW64\Ekmfne32.exeC:\Windows\system32\Ekmfne32.exe56⤵
- Executes dropped EXE
PID:284 -
C:\Windows\SysWOW64\Flocfmnl.exeC:\Windows\system32\Flocfmnl.exe57⤵
- Executes dropped EXE
PID:1544 -
C:\Windows\SysWOW64\Fdekgjno.exeC:\Windows\system32\Fdekgjno.exe58⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Fibcoalf.exeC:\Windows\system32\Fibcoalf.exe59⤵
- Executes dropped EXE
PID:2032 -
C:\Windows\SysWOW64\Foolgh32.exeC:\Windows\system32\Foolgh32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1908 -
C:\Windows\SysWOW64\Feiddbbj.exeC:\Windows\system32\Feiddbbj.exe61⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Flclam32.exeC:\Windows\system32\Flclam32.exe62⤵
- Executes dropped EXE
PID:900 -
C:\Windows\SysWOW64\Fcmdnfad.exeC:\Windows\system32\Fcmdnfad.exe63⤵
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Felajbpg.exeC:\Windows\system32\Felajbpg.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1516 -
C:\Windows\SysWOW64\Fkhibino.exeC:\Windows\system32\Fkhibino.exe65⤵
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\Fcpacf32.exeC:\Windows\system32\Fcpacf32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3016 -
C:\Windows\SysWOW64\Fennoa32.exeC:\Windows\system32\Fennoa32.exe67⤵PID:1252
-
C:\Windows\SysWOW64\Fkkfgi32.exeC:\Windows\system32\Fkkfgi32.exe68⤵
- Modifies registry class
PID:1916 -
C:\Windows\SysWOW64\Fadndbci.exeC:\Windows\system32\Fadndbci.exe69⤵PID:1032
-
C:\Windows\SysWOW64\Gdcjpncm.exeC:\Windows\system32\Gdcjpncm.exe70⤵PID:268
-
C:\Windows\SysWOW64\Gkmbmh32.exeC:\Windows\system32\Gkmbmh32.exe71⤵PID:2640
-
C:\Windows\SysWOW64\Gnkoid32.exeC:\Windows\system32\Gnkoid32.exe72⤵PID:2888
-
C:\Windows\SysWOW64\Ghacfmic.exeC:\Windows\system32\Ghacfmic.exe73⤵PID:2884
-
C:\Windows\SysWOW64\Gkoobhhg.exeC:\Windows\system32\Gkoobhhg.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2800 -
C:\Windows\SysWOW64\Gdhdkn32.exeC:\Windows\system32\Gdhdkn32.exe75⤵PID:2584
-
C:\Windows\SysWOW64\Ggfpgi32.exeC:\Windows\system32\Ggfpgi32.exe76⤵PID:2500
-
C:\Windows\SysWOW64\Glchpp32.exeC:\Windows\system32\Glchpp32.exe77⤵PID:1996
-
C:\Windows\SysWOW64\Gqodqodl.exeC:\Windows\system32\Gqodqodl.exe78⤵PID:1972
-
C:\Windows\SysWOW64\Gghmmilh.exeC:\Windows\system32\Gghmmilh.exe79⤵PID:856
-
C:\Windows\SysWOW64\Gjgiidkl.exeC:\Windows\system32\Gjgiidkl.exe80⤵PID:2380
-
C:\Windows\SysWOW64\Gqaafn32.exeC:\Windows\system32\Gqaafn32.exe81⤵PID:300
-
C:\Windows\SysWOW64\Gconbj32.exeC:\Windows\system32\Gconbj32.exe82⤵PID:2120
-
C:\Windows\SysWOW64\Gmhbkohm.exeC:\Windows\system32\Gmhbkohm.exe83⤵PID:2408
-
C:\Windows\SysWOW64\Hofngkga.exeC:\Windows\system32\Hofngkga.exe84⤵PID:2052
-
C:\Windows\SysWOW64\Hfpfdeon.exeC:\Windows\system32\Hfpfdeon.exe85⤵PID:2084
-
C:\Windows\SysWOW64\Hjlbdc32.exeC:\Windows\system32\Hjlbdc32.exe86⤵
- Drops file in System32 directory
PID:2820 -
C:\Windows\SysWOW64\Hcdgmimg.exeC:\Windows\system32\Hcdgmimg.exe87⤵PID:3068
-
C:\Windows\SysWOW64\Hdecea32.exeC:\Windows\system32\Hdecea32.exe88⤵PID:1828
-
C:\Windows\SysWOW64\Hkolakkb.exeC:\Windows\system32\Hkolakkb.exe89⤵PID:2512
-
C:\Windows\SysWOW64\Hokhbj32.exeC:\Windows\system32\Hokhbj32.exe90⤵
- System Location Discovery: System Language Discovery
PID:1500 -
C:\Windows\SysWOW64\Hfepod32.exeC:\Windows\system32\Hfepod32.exe91⤵PID:308
-
C:\Windows\SysWOW64\Hgflflqg.exeC:\Windows\system32\Hgflflqg.exe92⤵PID:1608
-
C:\Windows\SysWOW64\Hbkqdepm.exeC:\Windows\system32\Hbkqdepm.exe93⤵PID:1012
-
C:\Windows\SysWOW64\Hejmpqop.exeC:\Windows\system32\Hejmpqop.exe94⤵PID:1332
-
C:\Windows\SysWOW64\Hghillnd.exeC:\Windows\system32\Hghillnd.exe95⤵PID:700
-
C:\Windows\SysWOW64\Hbnmienj.exeC:\Windows\system32\Hbnmienj.exe96⤵PID:984
-
C:\Windows\SysWOW64\Heliepmn.exeC:\Windows\system32\Heliepmn.exe97⤵
- Drops file in System32 directory
PID:2928 -
C:\Windows\SysWOW64\Hgkfal32.exeC:\Windows\system32\Hgkfal32.exe98⤵PID:316
-
C:\Windows\SysWOW64\Imgnjb32.exeC:\Windows\system32\Imgnjb32.exe99⤵PID:2420
-
C:\Windows\SysWOW64\Ieofkp32.exeC:\Windows\system32\Ieofkp32.exe100⤵PID:2656
-
C:\Windows\SysWOW64\Ifpcchai.exeC:\Windows\system32\Ifpcchai.exe101⤵PID:2524
-
C:\Windows\SysWOW64\Icdcllpc.exeC:\Windows\system32\Icdcllpc.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1488 -
C:\Windows\SysWOW64\Ijnkifgp.exeC:\Windows\system32\Ijnkifgp.exe103⤵
- Drops file in System32 directory
PID:1776 -
C:\Windows\SysWOW64\Iahceq32.exeC:\Windows\system32\Iahceq32.exe104⤵PID:2976
-
C:\Windows\SysWOW64\Ifdlng32.exeC:\Windows\system32\Ifdlng32.exe105⤵PID:2112
-
C:\Windows\SysWOW64\Imodkadq.exeC:\Windows\system32\Imodkadq.exe106⤵PID:1096
-
C:\Windows\SysWOW64\Ichmgl32.exeC:\Windows\system32\Ichmgl32.exe107⤵PID:960
-
C:\Windows\SysWOW64\Iejiodbl.exeC:\Windows\system32\Iejiodbl.exe108⤵PID:2712
-
C:\Windows\SysWOW64\Ilcalnii.exeC:\Windows\system32\Ilcalnii.exe109⤵PID:1004
-
C:\Windows\SysWOW64\Jfieigio.exeC:\Windows\system32\Jfieigio.exe110⤵PID:2168
-
C:\Windows\SysWOW64\Jigbebhb.exeC:\Windows\system32\Jigbebhb.exe111⤵PID:2308
-
C:\Windows\SysWOW64\Jndjmifj.exeC:\Windows\system32\Jndjmifj.exe112⤵PID:2184
-
C:\Windows\SysWOW64\Jacfidem.exeC:\Windows\system32\Jacfidem.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2068 -
C:\Windows\SysWOW64\Jhmofo32.exeC:\Windows\system32\Jhmofo32.exe114⤵
- Drops file in System32 directory
PID:2620 -
C:\Windows\SysWOW64\Jbbccgmp.exeC:\Windows\system32\Jbbccgmp.exe115⤵
- Drops file in System32 directory
PID:2548 -
C:\Windows\SysWOW64\Jdcpkp32.exeC:\Windows\system32\Jdcpkp32.exe116⤵
- Modifies registry class
PID:1744 -
C:\Windows\SysWOW64\Jjnhhjjk.exeC:\Windows\system32\Jjnhhjjk.exe117⤵PID:1796
-
C:\Windows\SysWOW64\Jagpdd32.exeC:\Windows\system32\Jagpdd32.exe118⤵PID:2028
-
C:\Windows\SysWOW64\Jhahanie.exeC:\Windows\system32\Jhahanie.exe119⤵PID:2000
-
C:\Windows\SysWOW64\Jokqnhpa.exeC:\Windows\system32\Jokqnhpa.exe120⤵PID:2832
-
C:\Windows\SysWOW64\Jpmmfp32.exeC:\Windows\system32\Jpmmfp32.exe121⤵PID:1728
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-