Analysis
max time kernel: 40s
max time network: 19s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 05-11-2024 00:25
Static task: static1
Behavioral task: behavioral1
Sample: 7e4ebb5bf8ab1b7c3a7831fe68cf60e3f726eba99db886270a838e49d1dc3d8f.exe
Resource: win7-20241010-en
General
Target: 7e4ebb5bf8ab1b7c3a7831fe68cf60e3f726eba99db886270a838e49d1dc3d8f.exe
Size: 163KB
MD5: 300f5be7fcd41665fd1e8b1bfc0eb9e6
SHA1: 05ffc4740cbed2f02e5be133932f27900a3ee378
SHA256: 7e4ebb5bf8ab1b7c3a7831fe68cf60e3f726eba99db886270a838e49d1dc3d8f
SHA512: 63f6eb3e0668da81be6f99a2edda9956c7cb9ef5f8156ece3fc168ce00469019a7c6dcf49a9d6889efef0db7895f76ef36aaf8bb36d9a20e0538606133a6e264
SSDEEP: 3072:6qd4fAVCwUsYSI0alt1aWltOrWKDBr+yJb:qazPDGaWLOf
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lbpolb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nalnmahf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aogmdk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gljdlq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cqfdem32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dqknqleg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fgffck32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Elbkbh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gdjpcj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mcknjidn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Emailhfb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iggbdb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hjpnjheg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ifikehii.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bpbokj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ibklddof.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kcgdgnmc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jpnfdbig.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lamkllea.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ojakdd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lkfbmj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aoakfl32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jigagocd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jljgni32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nbodpo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bhngbm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kblhdkgk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Liqcei32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Oifelfni.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cclkcdpl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Joicje32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mjbiac32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Deajlf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hopgikop.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kmgekh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jncenh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cjqglf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dmgokcja.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lcieef32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Llainlje.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ilnqhddd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nglmifca.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fokaoh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gkancm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iilalc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ibklddof.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lkhcdhmk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Njipabhe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gmbagf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mdkcgk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pihnqj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Blmikkle.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Iijbnkne.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ljhppo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mgomoboc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ncbfcq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lbfdnijp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kkaaee32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ncbdjhnf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Phklcn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lnobfn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Faljqcmk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jnppei32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ncbfcq32.exe
Berbew family
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
Bruteratel family
Detect BruteRatel badger 2 IoCs
resource | yara_rule
behavioral1/files/0x000400000001d769-1657.dat | family_bruteratel
behavioral1/files/0x000400000001e05a-3141.dat | family_bruteratel
Executes dropped EXE 64 IoCs
pid | Process
652 | Qjbehfbo.exe
2960 | Qkcbpn32.exe
2732 | Qamjmh32.exe
1380 | Aoakfl32.exe
2968 | Agloko32.exe
2896 | Adppdckh.exe
2708 | Abdpngjb.exe
1352 | Aklefm32.exe
3068 | Achikonn.exe
2612 | Anmnhhmd.exe
2300 | Bigohejb.exe
3064 | Bjfkbhae.exe
1920 | Cakfcfoc.exe
2188 | Cjdkllec.exe
2272 | Cjhdgk32.exe
1564 | Cedbmi32.exe
1560 | Didgig32.exe
1804 | Dekhnh32.exe
992 | Dabicikf.exe
820 | Eganqo32.exe
2096 | Echoepmo.exe
912 | Empphi32.exe
1984 | Eghdanac.exe
2796 | Eabeal32.exe
2264 | Febjmj32.exe
792 | Fokofpif.exe
1692 | Fakhhk32.exe
2140 | Fghppa32.exe
2740 | Gndebkii.exe
1988 | Gqendf32.exe
1620 | Gojkecka.exe
2552 | Gdjpcj32.exe
3048 | Hkhbkc32.exe
2212 | Iijbnkne.exe
2892 | Ieqbbl32.exe
288 | Imndmnob.exe
2168 | Jigagocd.exe
2400 | Jbpfpd32.exe
2172 | Jpcfih32.exe
1140 | Jljgni32.exe
2368 | Joicje32.exe
2104 | Kokppd32.exe
900 | Kkaaee32.exe
2680 | Knbjgq32.exe
2252 | Khjkiikl.exe
1780 | Kabobo32.exe
1008 | Kdakoj32.exe
1992 | Lnipgp32.exe
2020 | Lcfhpf32.exe
872 | Llomhllh.exe
2056 | Lcieef32.exe
2760 | Llainlje.exe
2504 | Lhhjcmpj.exe
1660 | Lbpolb32.exe
2128 | Lkhcdhmk.exe
2948 | Mdahnmck.exe
828 | Moflkfca.exe
2240 | Mjpmkdpp.exe
1824 | Mqjehngm.exe
1616 | Mjbiac32.exe
1756 | Mcknjidn.exe
2144 | Mpaoojjb.exe
1004 | Mjgclcjh.exe
844 | Npdkdjhp.exe
Loads dropped DLL 64 IoCs
pid | Process
3012 | 7e4ebb5bf8ab1b7c3a7831fe68cf60e3f726eba99db886270a838e49d1dc3d8f.exe
3012 | 7e4ebb5bf8ab1b7c3a7831fe68cf60e3f726eba99db886270a838e49d1dc3d8f.exe
652 | Qjbehfbo.exe
652 | Qjbehfbo.exe
2960 | Qkcbpn32.exe
2960 | Qkcbpn32.exe
2732 | Qamjmh32.exe
2732 | Qamjmh32.exe
1380 | Aoakfl32.exe
1380 | Aoakfl32.exe
2968 | Agloko32.exe
2968 | Agloko32.exe
2896 | Adppdckh.exe
2896 | Adppdckh.exe
2708 | Abdpngjb.exe
2708 | Abdpngjb.exe
1352 | Aklefm32.exe
1352 | Aklefm32.exe
3068 | Achikonn.exe
3068 | Achikonn.exe
2612 | Anmnhhmd.exe
2612 | Anmnhhmd.exe
2300 | Bigohejb.exe
2300 | Bigohejb.exe
3064 | Bjfkbhae.exe
3064 | Bjfkbhae.exe
1920 | Cakfcfoc.exe
1920 | Cakfcfoc.exe
2188 | Cjdkllec.exe
2188 | Cjdkllec.exe
2272 | Cjhdgk32.exe
2272 | Cjhdgk32.exe
1564 | Cedbmi32.exe
1564 | Cedbmi32.exe
1560 | Didgig32.exe
1560 | Didgig32.exe
1804 | Dekhnh32.exe
1804 | Dekhnh32.exe
992 | Dabicikf.exe
992 | Dabicikf.exe
820 | Eganqo32.exe
820 | Eganqo32.exe
2096 | Echoepmo.exe
2096 | Echoepmo.exe
912 | Empphi32.exe
912 | Empphi32.exe
1984 | Eghdanac.exe
1984 | Eghdanac.exe
2796 | Eabeal32.exe
2796 | Eabeal32.exe
2264 | Febjmj32.exe
2264 | Febjmj32.exe
792 | Fokofpif.exe
792 | Fokofpif.exe
1692 | Fakhhk32.exe
1692 | Fakhhk32.exe
2140 | Fghppa32.exe
2140 | Fghppa32.exe
2740 | Gndebkii.exe
2740 | Gndebkii.exe
1988 | Gqendf32.exe
1988 | Gqendf32.exe
1620 | Gojkecka.exe
1620 | Gojkecka.exe
Drops file in System32 directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Jbpfpd32.exe | Jigagocd.exe
File created | C:\Windows\SysWOW64\Ndfqak32.dll | Kabobo32.exe
File created | C:\Windows\SysWOW64\Jfdgnf32.exe | Jcekbk32.exe
File created | C:\Windows\SysWOW64\Oiglfm32.exe | Ngcbie32.exe
File created | C:\Windows\SysWOW64\Begpdg32.dll | Liqcei32.exe
File created | C:\Windows\SysWOW64\Qkcbpn32.exe | Qjbehfbo.exe
File opened for modification | C:\Windows\SysWOW64\Qkcbpn32.exe | Qjbehfbo.exe
File opened for modification | C:\Windows\SysWOW64\Gojkecka.exe | Gqendf32.exe
File created | C:\Windows\SysWOW64\Ihefej32.dll | Incgfl32.exe
File created | C:\Windows\SysWOW64\Facfgahm.dll | Jnaihhgf.exe
File opened for modification | C:\Windows\SysWOW64\Gocnjn32.exe | Fejjah32.exe
File created | C:\Windows\SysWOW64\Jnbbgfli.dll | Eigbfb32.exe
File created | C:\Windows\SysWOW64\Jabmdd32.dll | Kfnmnojj.exe
File created | C:\Windows\SysWOW64\Picdejbg.exe | Opkpme32.exe
File created | C:\Windows\SysWOW64\Jmnpkp32.exe | Jfdgnf32.exe
File created | C:\Windows\SysWOW64\Oifelfni.exe | Onqaonnc.exe
File opened for modification | C:\Windows\SysWOW64\Iijbnkne.exe | Hkhbkc32.exe
File opened for modification | C:\Windows\SysWOW64\Pldknmhd.exe | Pbkgegad.exe
File created | C:\Windows\SysWOW64\Lckfbdjp.dll | Jffakm32.exe
File created | C:\Windows\SysWOW64\Fdkqbd32.dll | Adnegldo.exe
File created | C:\Windows\SysWOW64\Fghppa32.exe | Fakhhk32.exe
File opened for modification | C:\Windows\SysWOW64\Npkaei32.exe | Neemgp32.exe
File created | C:\Windows\SysWOW64\Jokofini.dll | Ggppdpif.exe
File opened for modification | C:\Windows\SysWOW64\Ilnqhddd.exe | Iadphghe.exe
File opened for modification | C:\Windows\SysWOW64\Nbodpo32.exe | Mdkcgk32.exe
File created | C:\Windows\SysWOW64\Kgqffm32.dll | Iniidj32.exe
File created | C:\Windows\SysWOW64\Eiijopan.dll | Jijqeg32.exe
File created | C:\Windows\SysWOW64\Pcpmbgfg.dll | Agloko32.exe
File created | C:\Windows\SysWOW64\Opihbegb.dll | Dekhnh32.exe
File opened for modification | C:\Windows\SysWOW64\Pbkgegad.exe | Plaoim32.exe
File opened for modification | C:\Windows\SysWOW64\Pfjiod32.exe | Pmbdfolj.exe
File opened for modification | C:\Windows\SysWOW64\Aoakfl32.exe | Qamjmh32.exe
File created | C:\Windows\SysWOW64\Nnpofe32.exe | Nalnmahf.exe
File created | C:\Windows\SysWOW64\Mfdbnlgi.dll | Hibebeqb.exe
File created | C:\Windows\SysWOW64\Pihnqj32.exe | Pppihdha.exe
File created | C:\Windows\SysWOW64\Pjkkeqgf.dll | Qamjmh32.exe
File opened for modification | C:\Windows\SysWOW64\Lkhcdhmk.exe | Lbpolb32.exe
File created | C:\Windows\SysWOW64\Phklcn32.exe | Pldknmhd.exe
File opened for modification | C:\Windows\SysWOW64\Gqendf32.exe | Gndebkii.exe
File opened for modification | C:\Windows\SysWOW64\Ieqbbl32.exe | Iijbnkne.exe
File created | C:\Windows\SysWOW64\Pdihddlc.dll | Mnqdpj32.exe
File opened for modification | C:\Windows\SysWOW64\Pblinp32.exe | Picdejbg.exe
File created | C:\Windows\SysWOW64\Qjbehfbo.exe | 7e4ebb5bf8ab1b7c3a7831fe68cf60e3f726eba99db886270a838e49d1dc3d8f.exe
File created | C:\Windows\SysWOW64\Fdbgia32.exe | Epdncb32.exe
File opened for modification | C:\Windows\SysWOW64\Jnppei32.exe | Jehklc32.exe
File opened for modification | C:\Windows\SysWOW64\Imndmnob.exe | Ieqbbl32.exe
File created | C:\Windows\SysWOW64\Emceag32.exe | Emailhfb.exe
File created | C:\Windows\SysWOW64\Llloeb32.dll | Gocnjn32.exe
File opened for modification | C:\Windows\SysWOW64\Jijqeg32.exe | Jgidnobg.exe
File created | C:\Windows\SysWOW64\Opbcppkf.dll | Mkhocj32.exe
File created | C:\Windows\SysWOW64\Emnagfnn.dll | Abdpngjb.exe
File created | C:\Windows\SysWOW64\Pdffcn32.exe | Pmlngdhk.exe
File created | C:\Windows\SysWOW64\Qicoleno.exe | Pdffcn32.exe
File created | C:\Windows\SysWOW64\Gpfmejbd.dll | Cgkanomj.exe
File created | C:\Windows\SysWOW64\Lphnlcnh.exe | Lgpjcnhh.exe
File created | C:\Windows\SysWOW64\Mfglbp32.dll | Jccjln32.exe
File created | C:\Windows\SysWOW64\Lcfhpf32.exe | Lnipgp32.exe
File created | C:\Windows\SysWOW64\Gnhfacfn.dll | Nglmifca.exe
File created | C:\Windows\SysWOW64\Mkljhe32.dll | Dmgokcja.exe
File created | C:\Windows\SysWOW64\Onqaonnc.exe | Ndhlfh32.exe
File opened for modification | C:\Windows\SysWOW64\Qajfmbna.exe | Qicoleno.exe
File created | C:\Windows\SysWOW64\Biqghigf.dll | Lphnlcnh.exe
File created | C:\Windows\SysWOW64\Pbkgegad.exe | Plaoim32.exe
File created | C:\Windows\SysWOW64\Hccbnhla.exe | Fimedaoe.exe
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ckdpinhf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gljdlq32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hgmhcm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ofcldoef.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Febjmj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Imndmnob.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cfjgopop.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jccjln32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Acfonhgd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kiccle32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pdffcn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cmocha32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ldgnmhhj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oinbglkm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bhgaan32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jgidnobg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gndebkii.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gqendf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pgbejj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Klgbfo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mdkcgk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mpmdff32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Opkpme32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jncenh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mcknjidn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pkkeeikj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Biakbc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gocnjn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bfnnpbnn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Knkbimbg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pihnqj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Igjabj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Khjkiikl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ajjeld32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hojbbiae.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fakhhk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fpihnbmk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qpjchicb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lcieef32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dflnkjhe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bcedbefd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lepfoe32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mkconepp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bkefcc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lpodmb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iipgeb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ibjikk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Adnegldo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lnipgp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mjgclcjh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mlnbmikh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lllkaobc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qamjmh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jbpfpd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lamkllea.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ikmjnnah.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lckdcn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nhmbfhfd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Abdpngjb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fejjah32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jpcfih32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iggbdb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ngcbie32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Elbkbh32.exe
Modifies registry class 64 IoCs
Processes: Gqendf32.exe, Bnhjae32.exe, Pmlngdhk.exe, Adnegldo.exe, Cqlhlo32.exe, Hojbbiae.exe, Cacegd32.exe, Omddmkhl.exe, Aniffaim.exe, Geplpfnh.exe, Qhbdmeoe.exe, Djhldahb.exe, Mkhocj32.exe, Pgbejj32.exe, Qajfmbna.exe, Emlhfb32.exe, Epakcm32.exe, Imepgbnc.exe, Iniidj32.exe, Mnqdpj32.exe, Aoakfl32.exe, Lcieef32.exe, Gkiooocb.exe, Apeflmjc.exe, Epjdbn32.exe, Hgkknm32.exe, Aolihc32.exe, Emieflec.exe, Jfdgnf32.exe, Cjhdgk32.exe, Oifelfni.exe, Ikcpmieg.exe, Imndmnob.exe, Cbdkdffm.exe, Gebiefle.exe, Lcignoki.exe, Knbjgq32.exe, Lnipgp32.exe, Mcknjidn.exe, Lnobfn32.exe, Mgomoboc.exe, Gkancm32.exe, Jigagocd.exe, Oaiglnih.exe, Blmikkle.exe, Ibklddof.exe, Ohmljj32.exe, Ibjikk32.exe, Pmgnan32.exe, Bkhjcing.exe, Eganqo32.exe, Ajjeld32.exe, Geeekf32.exe, Npkaei32.exe, Cakfcfoc.exe, Jehklc32.exe, Igjabj32.exe, Gojkecka.exe, Jljgni32.exe, Fokaoh32.exe, Fabppo32.exe, Djqcki32.exe
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moelcodj.dll" | Gqendf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bnhjae32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pmlngdhk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Adnegldo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmhfaj32.dll" | Cqlhlo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlhleh32.dll" | Hojbbiae.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Canhmm32.dll" | Cacegd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjkegjeg.dll" | Omddmkhl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Aniffaim.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgeahmik.dll" | Geplpfnh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Qhbdmeoe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Djhldahb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mkhocj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgbbec32.dll" | Pgbejj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Qajfmbna.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cacegd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Emlhfb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Epakcm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbbkbe32.dll" | Imepgbnc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Iniidj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mnqdpj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idcfam32.dll" | Aoakfl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngobfm32.dll" | Lcieef32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqnknp32.dll" | Gkiooocb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Apeflmjc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Epjdbn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qpabid32.dll" | Hgkknm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Aolihc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Emieflec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jfdgnf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egghdk32.dll" | Cjhdgk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel =
"Apartment" Oifelfni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnejdhif.dll" Ikcpmieg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Imndmnob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbacpl32.dll" Cbdkdffm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gebiefle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joceen32.dll" Lcignoki.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knbjgq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lnipgp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcknjidn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lnobfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgomoboc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfimppip.dll" Gkancm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jigagocd.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oaiglnih.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Blmikkle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibklddof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohmljj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibjikk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmgnan32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkhjcing.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eganqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnbkca32.dll" Ajjeld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egkfbg32.dll" Geeekf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Npkaei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjpjnd32.dll" Gebiefle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cakfcfoc.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jehklc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igjabj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gojkecka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpcqnh32.dll" Jljgni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fokaoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pafklb32.dll" Fabppo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djqcki32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes

Each entry is a child of the entry above it (the sandbox rendered the tree as one nested chain; the leading number is the entry's depth in that chain). Every dropped child has the image path C:\Windows\SysWOW64\<name>.exe and was started with the command line C:\Windows\system32\<name>.exe; only the name, PID and triggered signatures differ, so the children are listed as name (PID): signatures.

1. C:\Users\Admin\AppData\Local\Temp\7e4ebb5bf8ab1b7c3a7831fe68cf60e3f726eba99db886270a838e49d1dc3d8f.exe (PID 3012), command line "C:\Users\Admin\AppData\Local\Temp\7e4ebb5bf8ab1b7c3a7831fe68cf60e3f726eba99db886270a838e49d1dc3d8f.exe": Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
2. Qjbehfbo.exe (PID 652): Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
3. Qkcbpn32.exe (PID 2960): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
4. Qamjmh32.exe (PID 2732): Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
5. Aoakfl32.exe (PID 1380): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
6. Agloko32.exe (PID 2968): Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
7. Adppdckh.exe (PID 2896): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
8. Abdpngjb.exe (PID 2708): Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
9. Aklefm32.exe (PID 1352): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
10. Achikonn.exe (PID 3068): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
11. Anmnhhmd.exe (PID 2612): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
12. Bigohejb.exe (PID 2300): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
13. Bjfkbhae.exe (PID 3064): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
14. Cakfcfoc.exe (PID 1920): Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
15. Cjdkllec.exe (PID 2188): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
16. Cjhdgk32.exe (PID 2272): Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
17. Cedbmi32.exe (PID 1564): Executes dropped EXE; Loads dropped DLL
18. Didgig32.exe (PID 1560): Executes dropped EXE; Loads dropped DLL
19. Dekhnh32.exe (PID 1804): Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
20. Dabicikf.exe (PID 992): Executes dropped EXE; Loads dropped DLL
21. Eganqo32.exe (PID 820): Executes dropped EXE; Loads dropped DLL; Modifies registry class
22. Echoepmo.exe (PID 2096): Executes dropped EXE; Loads dropped DLL
23. Empphi32.exe (PID 912): Executes dropped EXE; Loads dropped DLL
24. Eghdanac.exe (PID 1984): Executes dropped EXE; Loads dropped DLL
25. Eabeal32.exe (PID 2796): Executes dropped EXE; Loads dropped DLL
26. Febjmj32.exe (PID 2264): Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
27. Fokofpif.exe (PID 792): Executes dropped EXE; Loads dropped DLL
28. Fakhhk32.exe (PID 1692): Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; System Location Discovery: System Language Discovery
29. Fghppa32.exe (PID 2140): Executes dropped EXE; Loads dropped DLL
30. Gndebkii.exe (PID 2740): Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; System Location Discovery: System Language Discovery
31. Gqendf32.exe (PID 1988): Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies registry class
32. Gojkecka.exe (PID 1620): Executes dropped EXE; Loads dropped DLL; Modifies registry class
33. Gdjpcj32.exe (PID 2552): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
34. Hkhbkc32.exe (PID 3048): Executes dropped EXE; Drops file in System32 directory
35. Iijbnkne.exe (PID 2212): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory
36. Ieqbbl32.exe (PID 2892): Executes dropped EXE; Drops file in System32 directory
37. Imndmnob.exe (PID 288): Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies registry class
38. Jigagocd.exe (PID 2168): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; Modifies registry class
39. Jbpfpd32.exe (PID 2400): Executes dropped EXE; System Location Discovery: System Language Discovery
40. Jpcfih32.exe (PID 2172): Executes dropped EXE; System Location Discovery: System Language Discovery
41. Jljgni32.exe (PID 1140): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Modifies registry class
42. Joicje32.exe (PID 2368): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
43. Kokppd32.exe (PID 2104): Executes dropped EXE
44. Kkaaee32.exe (PID 900): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
45. Knbjgq32.exe (PID 2680): Executes dropped EXE; Modifies registry class
46. Khjkiikl.exe (PID 2252): Executes dropped EXE; System Location Discovery: System Language Discovery
47. Kabobo32.exe (PID 1780): Executes dropped EXE; Drops file in System32 directory
48. Kdakoj32.exe (PID 1008): Executes dropped EXE
49. Lnipgp32.exe (PID 1992): Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies registry class
50. Lcfhpf32.exe (PID 2020): Executes dropped EXE
51. Llomhllh.exe (PID 872): Executes dropped EXE
52. Lcieef32.exe (PID 2056): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies registry class
53. Llainlje.exe (PID 2760): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
54. Lhhjcmpj.exe (PID 2504): Executes dropped EXE
55. Lbpolb32.exe (PID 1660): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory
56. Lkhcdhmk.exe (PID 2128): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
57. Mdahnmck.exe (PID 2948): Executes dropped EXE
58. Moflkfca.exe (PID 828): Executes dropped EXE
59. Mjpmkdpp.exe (PID 2240): Executes dropped EXE
60. Mqjehngm.exe (PID 1824): Executes dropped EXE
61. Mjbiac32.exe (PID 1616): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
62. Mcknjidn.exe (PID 1756): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies registry class
63. Mpaoojjb.exe (PID 2144): Executes dropped EXE
64. Mjgclcjh.exe (PID 1004): Executes dropped EXE; System Location Discovery: System Language Discovery
65. Npdkdjhp.exe (PID 844): Executes dropped EXE
66. Njipabhe.exe (PID 1508): Adds autorun key to be loaded by Explorer.exe on startup
67. Ncbdjhnf.exe (PID 2008): Adds autorun key to be loaded by Explorer.exe on startup
68. Nfppfcmj.exe (PID 304): no signatures triggered
69. Nmjicn32.exe (PID 1040): no signatures triggered
70. Neemgp32.exe (PID 740): Drops file in System32 directory
71. Npkaei32.exe (PID 2268): Modifies registry class
72. Nalnmahf.exe (PID 2996): Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
73. Nnpofe32.exe (PID 2860): no signatures triggered
74. Oejgbonl.exe (PID 2804): no signatures triggered
75. Omekgakg.exe (PID 2572): no signatures triggered
76. Ojilqf32.exe (PID 2764): no signatures triggered
77. Ohmljj32.exe (PID 2336): Modifies registry class
78. Ojlife32.exe (PID 2248): no signatures triggered
79. Ofbikf32.exe (PID 1264): no signatures triggered
80. Odfjdk32.exe (PID 1788): no signatures triggered
81. Plaoim32.exe (PID 3028): Drops file in System32 directory
82. Pbkgegad.exe (PID 2080): Drops file in System32 directory
83. Pldknmhd.exe (PID 2480): Drops file in System32 directory
84. Phklcn32.exe (PID 1980): Adds autorun key to be loaded by Explorer.exe on startup
85. Peolmb32.exe (PID 1696): no signatures triggered
86. Pkkeeikj.exe (PID 1744): System Location Discovery: System Language Discovery
87. Paemac32.exe (PID 1480): no signatures triggered
88. Pgbejj32.exe (PID 2952): System Location Discovery: System Language Discovery; Modifies registry class
89. Pmlngdhk.exe (PID 2852): Drops file in System32 directory; Modifies registry class
90. Pdffcn32.exe (PID 1600): Drops file in System32 directory; System Location Discovery: System Language Discovery
91. Qicoleno.exe (PID 2220): Drops file in System32 directory
92. Qajfmbna.exe (PID 2416): Modifies registry class
93. Qggoeilh.exe (PID 2560): no signatures triggered
94. Qnagbc32.exe (PID 2292): no signatures triggered
95. Agilkijf.exe (PID 2320): no signatures triggered
96. Alfdcp32.exe (PID 1280): no signatures triggered
97. Acplpjpj.exe (PID 2520): no signatures triggered
98. Ajjeld32.exe (PID 2244): System Location Discovery: System Language Discovery; Modifies registry class
99. Aogmdk32.exe (PID 1016): Adds autorun key to be loaded by Explorer.exe on startup
100. Afqeaemk.exe (PID 1772): no signatures triggered
101. Acdfki32.exe (PID 548): no signatures triggered
102. Adfbbabc.exe (PID 2728): no signatures triggered
103. Bnhjae32.exe (PID 1332): Modifies registry class
104. Biakbc32.exe (PID 2992): System Location Discovery: System Language Discovery
105. Cjqglf32.exe (PID 3040): Adds autorun key to be loaded by Explorer.exe on startup
106. Cmocha32.exe (PID 1748): System Location Discovery: System Language Discovery
107. Ckdpinhf.exe (PID 3060): System Location Discovery: System Language Discovery
108. Cgkanomj.exe (PID 1084): Drops file in System32 directory
109. Cacegd32.exe (PID 2364): Modifies registry class
110. Cbcbag32.exe (PID 2524): no signatures triggered
111. Clkfjman.exe (PID 616): no signatures triggered
112. Djqcki32.exe (PID 524): Modifies registry class
113. Dpmlcpdm.exe (PID 320): no signatures triggered
114. Dfjaej32.exe (PID 2324): no signatures triggered
115. Dflnkjhe.exe (PID 2628): System Location Discovery: System Language Discovery
116. Deajlf32.exe (PID 876): Adds autorun key to be loaded by Explorer.exe on startup
117. Eahkag32.exe (PID 1608): no signatures triggered
118. Eajhgg32.exe (PID 2312): no signatures triggered
119. Emailhfb.exe (PID 968): Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
120. Emceag32.exe (PID 3056): no signatures triggered
121. Epdncb32.exe (PID 2880): Drops file in System32 directory
122. Fdbgia32.exe (PID 2192): no signatures triggered