Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
24-11-2024 22:29
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4cf26022f153bdf943914aa6af935f48753524a7e9c16abd75efd73c1319259d.exe
Resource
win7-20240903-en
windows7-x64
13 signatures
150 seconds
Behavioral task
behavioral2
Sample
4cf26022f153bdf943914aa6af935f48753524a7e9c16abd75efd73c1319259d.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
12 signatures
150 seconds
General
-
Target
4cf26022f153bdf943914aa6af935f48753524a7e9c16abd75efd73c1319259d.exe
-
Size
96KB
-
MD5
cd665c3e846fe2b0f22977c3b44b4768
-
SHA1
484b8b319eadc7668d49b579b18b6e78fb7a74c3
-
SHA256
4cf26022f153bdf943914aa6af935f48753524a7e9c16abd75efd73c1319259d
-
SHA512
7a3ccde82665ff47df2ca0c3ee70ae3ac8903d47c52f8c07b8f587fb4216d8acb853d11ca733c5bdc432816a0721d4b2fb03f8620fc59a2452b67d7ab2a606ac
-
SSDEEP
1536:V7QcVPbD/jpw9CG7/CtrL2f2Lcr7RZObZUUWaegPYAm:RN/dw8TpGClUUWaet
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Mkhapk32.exeCljobphg.exeDolmodpi.exeGfjkjo32.exeJjjghcfp.exeMnlnbl32.exeBmabggdm.exeFpggamqc.exeIngpmmgm.exeDmennnni.exeFngcmcfe.exeIomoenej.exeAdcjop32.exeOloahhki.exeCpmapodj.exeEojiqb32.exeJemfhacc.exeHgiepjga.exeNaaqofgj.exeQohpkf32.exeKoodbl32.exeOampjeml.exeOohgdhfn.exeBllbaa32.exeGemkelcd.exeQadoba32.exeHbnaeh32.exeJafdcbge.exeLnmkfh32.exePkpmdbfd.exeGnpphljo.exeMqhfoebo.exePkhjph32.exeBhpofl32.exeFkofga32.exeIeojgc32.exeJbfheo32.exeHpnoncim.exeOhnohn32.exeCfcjfk32.exeIlafiihp.exeJjjpnlbd.exeMcpcdg32.exeLdgccb32.exeCnhgjaml.exeJnjejjgh.exeHmkigh32.exeBmhocd32.exeQcaofebg.exeHpjmnjqn.exeDnpdegjp.exeLjnlecmp.exeDiccgfpd.exeOeokal32.exeEkdnei32.exeAaenbd32.exeGejhef32.exePakdbp32.exeElpkep32.exeFjjnifbl.exeMjbogmdb.exeImnocf32.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkhapk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cljobphg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dolmodpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfjkjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjjghcfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnlnbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmabggdm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpggamqc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ingpmmgm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmennnni.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fngcmcfe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iomoenej.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adcjop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oloahhki.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpmapodj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eojiqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jemfhacc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgiepjga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Naaqofgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qohpkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Koodbl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oampjeml.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oohgdhfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bllbaa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gemkelcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qadoba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbnaeh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jafdcbge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnmkfh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkpmdbfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnpphljo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqhfoebo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkhjph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhpofl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkofga32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieojgc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbfheo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpnoncim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohnohn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfcjfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilafiihp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjjpnlbd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcpcdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldgccb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnhgjaml.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jemfhacc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnjejjgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmkigh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmhocd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qcaofebg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpjmnjqn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnpdegjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljnlecmp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Diccgfpd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oeokal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekdnei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aaenbd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gejhef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fngcmcfe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pakdbp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elpkep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjjnifbl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjbogmdb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imnocf32.exe -
Berbew family
-
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
-
Bruteratel family
-
Detect BruteRatel badger 1 IoCs
Processes:
resource yara_rule behavioral2/files/0x0007000000023ca2-207.dat family_bruteratel -
Executes dropped EXE 64 IoCs
Processes:
Gklnjj32.exeGaefgd32.exeGgbook32.exeGiqkkf32.exeGnlgleef.exeHgelek32.exeHnodaecc.exeHpmpnp32.exeHgghjjid.exeHnaqgd32.exeHpomcp32.exeHgiepjga.exeHjhalefe.exeHdmein32.exeHkgnfhnh.exeHnfjbdmk.exeHdpbon32.exeHgnoki32.exeHnhghcki.exeHpfcdojl.exeIhnkel32.exeIklgah32.exeIjogmdqm.exeIqipio32.exeIkndgg32.exeInmpcc32.exeIdghpmnp.exeIkqqlgem.exeInomhbeq.exeIakiia32.exeIggaah32.exeInainbcn.exeIdkbkl32.exeIndfca32.exeIqbbpm32.exeJjjghcfp.exeJdpkflfe.exeJkjcbe32.exeJqglkmlj.exeJhndljll.exeJklphekp.exeJbfheo32.exeJdedak32.exeJnmijq32.exeJdgafjpn.exeJkaicd32.exeJjdjoane.exeKdinljnk.exeKghjhemo.exeKnbbep32.exeKqpoakco.exeKgjgne32.exeKndojobi.exeKqbkfkal.exeKijchhbo.exeKbbhqn32.exeKilpmh32.exeKkjlic32.exeKbddfmgl.exeKecabifp.exeKinmcg32.exeKnkekn32.exeLbgalmej.exeLgcjdd32.exepid Process 2840 Gklnjj32.exe 2724 Gaefgd32.exe 3904 Ggbook32.exe 4992 Giqkkf32.exe 5096 Gnlgleef.exe 2076 Hgelek32.exe 2936 Hnodaecc.exe 3304 Hpmpnp32.exe 4468 Hgghjjid.exe 2900 Hnaqgd32.exe 2756 Hpomcp32.exe 4608 Hgiepjga.exe 3332 Hjhalefe.exe 3784 Hdmein32.exe 2084 Hkgnfhnh.exe 2800 Hnfjbdmk.exe 3728 Hdpbon32.exe 1516 Hgnoki32.exe 3024 Hnhghcki.exe 4192 Hpfcdojl.exe 3952 Ihnkel32.exe 1572 Iklgah32.exe 740 Ijogmdqm.exe 4240 Iqipio32.exe 4876 Ikndgg32.exe 916 Inmpcc32.exe 4888 Idghpmnp.exe 628 Ikqqlgem.exe 4884 Inomhbeq.exe 3236 Iakiia32.exe 2764 Iggaah32.exe 4696 Inainbcn.exe 2864 Idkbkl32.exe 3192 Indfca32.exe 4220 Iqbbpm32.exe 4156 Jjjghcfp.exe 4308 Jdpkflfe.exe 1424 Jkjcbe32.exe 228 Jqglkmlj.exe 4404 Jhndljll.exe 3500 Jklphekp.exe 1504 Jbfheo32.exe 1848 Jdedak32.exe 3980 Jnmijq32.exe 32 Jdgafjpn.exe 4160 Jkaicd32.exe 4040 Jjdjoane.exe 2436 Kdinljnk.exe 3356 Kghjhemo.exe 3716 Knbbep32.exe 4004 Kqpoakco.exe 5060 Kgjgne32.exe 4948 Kndojobi.exe 1148 Kqbkfkal.exe 1892 Kijchhbo.exe 1384 Kbbhqn32.exe 1952 Kilpmh32.exe 3124 Kkjlic32.exe 4032 Kbddfmgl.exe 3604 Kecabifp.exe 936 Kinmcg32.exe 4828 Knkekn32.exe 4304 Lbgalmej.exe 5032 Lgcjdd32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Piijno32.exeKpcjgnhb.exeFoclgq32.exeHahokfag.exePfagighf.exeLhmmjbkf.exeBdpaeehj.exeBnoknihb.exeLljklo32.exeKhiofk32.exeOlicnfco.exeConanfli.exeCdkifmjq.exeFiqjke32.exeHnfjbdmk.exeJnhidk32.exeMnhkbfme.exeAddaif32.exeCpmapodj.exeMcfbkpab.exeQadoba32.exePknqoc32.exeHekgfj32.exeBoihcf32.exeCklhcfle.exeLplfcf32.exeCfcjfk32.exeGfhndpol.exeImkbnf32.exeEhlhih32.exeIeagmcmq.exeCljobphg.exeLcimdh32.exeNggnadib.exeCnhgjaml.exeLojmcdgl.exeMnmdme32.exeLmdnbn32.exeQmeigg32.exeNciopppp.exeMcbpjg32.exePjbcplpe.exeJbfheo32.exeQohpkf32.exeHkbmqb32.exeFiaael32.exeJlolpq32.exeKcejco32.exeMkjnfkma.exeNceefd32.exeMcifkf32.exeEjalcgkg.exeEmdajb32.exeKclgmq32.exeMccfdmmo.exeOloahhki.exeCcbadp32.exeKjccdkki.exeQdbdcg32.exeGokbgpeg.exeEdbiniff.exeBdickcpo.exeEpmmqheb.exedescription ioc Process File created C:\Windows\SysWOW64\Djpphb32.dll Piijno32.exe File opened for modification C:\Windows\SysWOW64\Kcbfcigf.exe Kpcjgnhb.exe File created C:\Windows\SysWOW64\Cidcnbjk.dll Foclgq32.exe File created C:\Windows\SysWOW64\Hlpihhpj.dll Hahokfag.exe File created C:\Windows\SysWOW64\Pmkofa32.exe Pfagighf.exe File opened for modification C:\Windows\SysWOW64\Ljkifn32.exe Lhmmjbkf.exe File opened for modification C:\Windows\SysWOW64\Bnhenj32.exe Bdpaeehj.exe File created C:\Windows\SysWOW64\Ciggeb32.dll Bnoknihb.exe File opened for modification C:\Windows\SysWOW64\Loighj32.exe Lljklo32.exe File created C:\Windows\SysWOW64\Fgcodk32.dll Khiofk32.exe File created C:\Windows\SysWOW64\Hponje32.dll Olicnfco.exe File created C:\Windows\SysWOW64\Mmihfl32.dll Conanfli.exe File created C:\Windows\SysWOW64\Okhbek32.dll Cdkifmjq.exe File created C:\Windows\SysWOW64\Ojehbail.dll Fiqjke32.exe File opened for modification C:\Windows\SysWOW64\Hdpbon32.exe Hnfjbdmk.exe File opened for modification C:\Windows\SysWOW64\Jpfepf32.exe Jnhidk32.exe File created C:\Windows\SysWOW64\Fnipgg32.dll Mnhkbfme.exe File created C:\Windows\SysWOW64\Hkjefc32.dll Addaif32.exe File opened for modification C:\Windows\SysWOW64\Cggimh32.exe Cpmapodj.exe File created C:\Windows\SysWOW64\Egcpgp32.dll Mcfbkpab.exe File created C:\Windows\SysWOW64\Qikgco32.exe Qadoba32.exe File created C:\Windows\SysWOW64\Ojmcpd32.dll Pknqoc32.exe File created C:\Windows\SysWOW64\Gefklj32.dll Hekgfj32.exe File created C:\Windows\SysWOW64\Bnlhncgi.exe Boihcf32.exe File created C:\Windows\SysWOW64\Bghgmioe.dll Cklhcfle.exe File opened for modification C:\Windows\SysWOW64\Lckboblp.exe Lplfcf32.exe File created C:\Windows\SysWOW64\Mgdkaadn.dll Cfcjfk32.exe File created C:\Windows\SysWOW64\Gejopl32.exe Gfhndpol.exe File created C:\Windows\SysWOW64\Iomoenej.exe Imkbnf32.exe File created C:\Windows\SysWOW64\Gkdinefi.dll Ehlhih32.exe File created C:\Windows\SysWOW64\Cpiijfll.dll Ieagmcmq.exe File opened for modification C:\Windows\SysWOW64\Cnkkjh32.exe Cljobphg.exe File created C:\Windows\SysWOW64\Gkjdipap.dll Lcimdh32.exe File created C:\Windows\SysWOW64\Njfkmphe.exe Nggnadib.exe File opened for modification C:\Windows\SysWOW64\Chnlgjlb.exe Cnhgjaml.exe File opened for modification C:\Windows\SysWOW64\Laiipofp.exe Lojmcdgl.exe File opened for modification C:\Windows\SysWOW64\Malpia32.exe Mnmdme32.exe File opened for modification C:\Windows\SysWOW64\Lcnfohmi.exe Lmdnbn32.exe File created C:\Windows\SysWOW64\Qpcecb32.exe Qmeigg32.exe File created C:\Windows\SysWOW64\Ajhapb32.dll Nciopppp.exe File created C:\Windows\SysWOW64\Mfqlfb32.exe Mcbpjg32.exe File created C:\Windows\SysWOW64\Lngqkhda.dll Pjbcplpe.exe File created C:\Windows\SysWOW64\Ejlacgdj.dll Jbfheo32.exe File created C:\Windows\SysWOW64\Ajndioga.exe Qohpkf32.exe File created C:\Windows\SysWOW64\Kideagnd.dll Hkbmqb32.exe File created C:\Windows\SysWOW64\Fpkibf32.exe Fiaael32.exe File created C:\Windows\SysWOW64\Kpjgaoqm.exe Jlolpq32.exe File created C:\Windows\SysWOW64\Jendmajn.dll Qohpkf32.exe File created C:\Windows\SysWOW64\Fqjmdflo.dll Kcejco32.exe File opened for modification C:\Windows\SysWOW64\Mnhkbfme.exe Mkjnfkma.exe File opened for modification C:\Windows\SysWOW64\Nfcabp32.exe Nceefd32.exe File created C:\Windows\SysWOW64\Hilpobpd.dll Mcifkf32.exe File created C:\Windows\SysWOW64\Emphocjj.exe Ejalcgkg.exe File created C:\Windows\SysWOW64\Ijagjini.dll Emdajb32.exe File created C:\Windows\SysWOW64\Knalji32.exe Kclgmq32.exe File opened for modification C:\Windows\SysWOW64\Mkjnfkma.exe Mccfdmmo.exe File opened for modification C:\Windows\SysWOW64\Odjeljhd.exe Oloahhki.exe File created C:\Windows\SysWOW64\Fabibb32.dll Ccbadp32.exe File created C:\Windows\SysWOW64\Kmaopfjm.exe Kjccdkki.exe File opened for modification C:\Windows\SysWOW64\Qklmpalf.exe Qdbdcg32.exe File created C:\Windows\SysWOW64\Gbiockdj.exe Gokbgpeg.exe File created C:\Windows\SysWOW64\Oifoah32.dll Edbiniff.exe File opened for modification C:\Windows\SysWOW64\Bheplb32.exe Bdickcpo.exe File created C:\Windows\SysWOW64\Eblimcdf.exe Epmmqheb.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target Process procid_target 16664 3724 WerFault.exe 1021 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Idkbkl32.exeOcjoadei.exeHgelek32.exeMcbpjg32.exeQdphngfl.exeKoodbl32.exeKpanan32.exePafkgphl.exeKdinljnk.exeCbbnpg32.exeGeanfelc.exeIeojgc32.exeGfeaopqo.exeKpcjgnhb.exeOanokhdb.exeCaojpaij.exeEfccmidp.exeMmnhcb32.exeBnfihkqm.exeDoaneiop.exeMjidgkog.exeLbgalmej.exeEnnqfenp.exeLfgipd32.exeKhiofk32.exeLojmcdgl.exePidlqb32.exePkcadhgm.exeFffhifdk.exeAddaif32.exeHmpcbhji.exeKjccdkki.exeDqbcbkab.exeJhkbdmbg.exeKmfhkf32.exeAafemk32.exeDqnjgl32.exeOejbfmpg.exeBnmoijje.exeGklnjj32.exeBjnmpl32.exeBkafmd32.exeGlldgljg.exeBokehc32.exeKclgmq32.exeAfkknogn.exeHkpqkcpd.exeOanfen32.exeEofgpikj.exeCklhcfle.exeOoejohhq.exeDbndfl32.exeJnjejjgh.exeCdpcal32.exeBjpjel32.exeBllbaa32.exeGicgpelg.exeIhpcinld.exeEokqkh32.exeNggnadib.exeBdfpkm32.exeCdkifmjq.exeLgffic32.exeIlafiihp.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idkbkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocjoadei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgelek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcbpjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdphngfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koodbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpanan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pafkgphl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdinljnk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbbnpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geanfelc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieojgc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfeaopqo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpcjgnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oanokhdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caojpaij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efccmidp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmnhcb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnfihkqm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doaneiop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjidgkog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbgalmej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ennqfenp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfgipd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khiofk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lojmcdgl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pidlqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkcadhgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fffhifdk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Addaif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmpcbhji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjccdkki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dqbcbkab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhkbdmbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmfhkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aafemk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dqnjgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oejbfmpg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnmoijje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gklnjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjnmpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkafmd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glldgljg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bokehc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kclgmq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afkknogn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkpqkcpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oanfen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eofgpikj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cklhcfle.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooejohhq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbndfl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnjejjgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdpcal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjpjel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bllbaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gicgpelg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihpcinld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eokqkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nggnadib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdfpkm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdkifmjq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgffic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilafiihp.exe -
Modifies registry class 64 IoCs
Processes:
Ecefqnel.exeIinqbn32.exeAokkahlo.exeIeagmcmq.exePbcncibp.exeJnmijq32.exeAnmfbl32.exeDkahilkl.exeGejopl32.exeFinnef32.exeMnkggfkb.exeEblimcdf.exeGfokoelp.exeEppjfgcp.exeKgninn32.exeHdhedh32.exeKjeiodek.exeLljklo32.exeOgcnmc32.exeQfkqjmdg.exeMicoed32.exeLjpaqmgb.exePmiikh32.exeDooaoj32.exeFihnomjp.exeMjggal32.exeLjhefhha.exeNolgijpk.exeBkmmaeap.exeIikmbh32.exeNglhld32.exeKbddfmgl.exeNpgmpf32.exeAkkffkhk.exeGnblnlhl.exeHnlodjpa.exeLjobpiql.exeHpabni32.exeHlglidlo.exeMnmmboed.exeFdlkdhnk.exeOcdnln32.exeDkbocbog.exeLcnmin32.exeDndgfpbo.exeLjgpkonp.exePkenjh32.exePeahgl32.exeEofgpikj.exeNnfpinmi.exeIefphb32.exeJbepme32.exeKhlklj32.exeNihipdhl.exeOmdieb32.exePahilmoc.exeAoalgn32.exeEifaim32.exeNnfgcd32.exeDlghoa32.exeIjcjmmil.exeKqphfe32.exeMpeiie32.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ecefqnel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddooacnk.dll" Iinqbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmijpchc.dll" Aokkahlo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ieagmcmq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pbcncibp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jnmijq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anmfbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dkahilkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdifpa32.dll" Gejopl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Finnef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeedjegm.dll" Mnkggfkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eblimcdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gfokoelp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eppjfgcp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgninn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmpgal32.dll" Hdhedh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhelik32.dll" Kjeiodek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lljklo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ogcnmc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qfkqjmdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaplji32.dll" Micoed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljpaqmgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmiikh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiboaq32.dll" Dooaoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fihnomjp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljpaqmgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdflknog.dll" Mjggal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqjgbadl.dll" Ljhefhha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nolgijpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjjfgb32.dll" Bkmmaeap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqmiic32.dll" Iikmbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oppceehj.dll" Nglhld32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbddfmgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adfnba32.dll" Npgmpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbfpagon.dll" Akkffkhk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gnblnlhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hnlodjpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljobpiql.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpabni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hlglidlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldpnmg32.dll" Mnmmboed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klambq32.dll" Fdlkdhnk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ocdnln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dkbocbog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcnmin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dndgfpbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljgpkonp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncndec32.dll" Pkenjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcoffg32.dll" Peahgl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eofgpikj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nnfpinmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iefphb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbepme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Khlklj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbgpnkdm.dll" Nihipdhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Likage32.dll" Omdieb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojmcpd32.dll" Pahilmoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egjgdg32.dll" Aoalgn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eifaim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnfgcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbqaei32.dll" Dlghoa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijcjmmil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iekkfckg.dll" Kqphfe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpeiie32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
4cf26022f153bdf943914aa6af935f48753524a7e9c16abd75efd73c1319259d.exeGklnjj32.exeGaefgd32.exeGgbook32.exeGiqkkf32.exeGnlgleef.exeHgelek32.exeHnodaecc.exeHpmpnp32.exeHgghjjid.exeHnaqgd32.exeHpomcp32.exeHgiepjga.exeHjhalefe.exeHdmein32.exeHkgnfhnh.exeHnfjbdmk.exeHdpbon32.exeHgnoki32.exeHnhghcki.exeHpfcdojl.exeIhnkel32.exedescription pid Process procid_target PID 1400 wrote to memory of 2840 1400 4cf26022f153bdf943914aa6af935f48753524a7e9c16abd75efd73c1319259d.exe 82 PID 1400 wrote to memory of 2840 1400 4cf26022f153bdf943914aa6af935f48753524a7e9c16abd75efd73c1319259d.exe 82 PID 1400 wrote to memory of 2840 1400 4cf26022f153bdf943914aa6af935f48753524a7e9c16abd75efd73c1319259d.exe 82 PID 2840 wrote to memory of 2724 2840 Gklnjj32.exe 83 PID 2840 wrote to memory of 2724 2840 Gklnjj32.exe 83 PID 2840 wrote to memory of 2724 2840 Gklnjj32.exe 83 PID 2724 wrote to memory of 3904 2724 Gaefgd32.exe 84 PID 2724 wrote to memory of 3904 2724 Gaefgd32.exe 84 PID 2724 wrote to memory of 3904 2724 Gaefgd32.exe 84 PID 3904 wrote to memory of 4992 3904 Ggbook32.exe 85 PID 3904 wrote to memory of 4992 3904 Ggbook32.exe 85 PID 3904 wrote to memory of 4992 3904 Ggbook32.exe 85 PID 4992 wrote to memory of 5096 4992 Giqkkf32.exe 86 PID 4992 wrote to memory of 5096 4992 Giqkkf32.exe 86 PID 4992 wrote to memory of 5096 4992 Giqkkf32.exe 86 PID 5096 wrote to memory of 2076 5096 Gnlgleef.exe 87 PID 5096 wrote to memory of 2076 5096 Gnlgleef.exe 87 PID 5096 wrote to memory of 2076 5096 Gnlgleef.exe 87 PID 2076 wrote to memory of 2936 2076 Hgelek32.exe 88 PID 2076 wrote to memory of 2936 2076 Hgelek32.exe 88 PID 2076 wrote to memory of 2936 2076 Hgelek32.exe 88 PID 2936 wrote to memory of 3304 2936 Hnodaecc.exe 89 PID 2936 wrote to memory of 3304 2936 Hnodaecc.exe 89 PID 2936 wrote to memory of 3304 2936 Hnodaecc.exe 89 PID 3304 wrote to memory of 4468 3304 Hpmpnp32.exe 90 PID 3304 wrote to memory of 4468 3304 Hpmpnp32.exe 90 PID 3304 wrote to memory of 4468 3304 Hpmpnp32.exe 90 PID 4468 wrote to memory of 2900 4468 Hgghjjid.exe 91 PID 4468 wrote to memory of 2900 4468 Hgghjjid.exe 91 PID 4468 wrote to memory of 2900 4468 Hgghjjid.exe 91 PID 2900 wrote to memory of 2756 2900 Hnaqgd32.exe 92 PID 2900 wrote to memory of 2756 2900 Hnaqgd32.exe 92 PID 2900 wrote to memory of 2756 2900 Hnaqgd32.exe 92 PID 2756 wrote to memory of 4608 2756 Hpomcp32.exe 93 PID 2756 wrote to memory of 4608 2756 Hpomcp32.exe 93 PID 2756 wrote to memory of 4608 2756 Hpomcp32.exe 93 PID 4608 wrote to memory of 3332 4608 Hgiepjga.exe 94 PID 4608 wrote to memory of 3332 4608 Hgiepjga.exe 94 PID 4608 wrote to memory of 3332 4608 Hgiepjga.exe 94 PID 3332 wrote to memory of 3784 3332 Hjhalefe.exe 95 PID 3332 wrote to memory of 3784 3332 Hjhalefe.exe 95 PID 3332 wrote to memory of 3784 3332 Hjhalefe.exe 95 PID 3784 wrote to memory of 2084 3784 Hdmein32.exe 96 PID 3784 wrote to memory of 2084 3784 Hdmein32.exe 96 PID 3784 wrote to memory of 2084 3784 Hdmein32.exe 96 PID 2084 wrote to memory of 2800 2084 Hkgnfhnh.exe 97 PID 2084 wrote to memory of 2800 2084 Hkgnfhnh.exe 97 PID 2084 wrote to memory of 2800 2084 Hkgnfhnh.exe 97 PID 2800 wrote to memory of 3728 2800 Hnfjbdmk.exe 98 PID 2800 wrote to memory of 3728 2800 Hnfjbdmk.exe 98 PID 2800 wrote to memory of 3728 2800 Hnfjbdmk.exe 98 PID 3728 wrote to memory of 1516 3728 Hdpbon32.exe 99 PID 3728 wrote to memory of 1516 3728 Hdpbon32.exe 99 PID 3728 wrote to memory of 1516 3728 Hdpbon32.exe 99 PID 1516 wrote to memory of 3024 1516 Hgnoki32.exe 100 PID 1516 wrote to memory of 3024 1516 Hgnoki32.exe 100 PID 1516 wrote to memory of 3024 1516 Hgnoki32.exe 100 PID 3024 wrote to memory of 4192 3024 Hnhghcki.exe 101 PID 3024 wrote to memory of 4192 3024 Hnhghcki.exe 101 PID 3024 wrote to memory of 4192 3024 Hnhghcki.exe 101 PID 4192 wrote to memory of 3952 4192 Hpfcdojl.exe 102 PID 4192 wrote to memory of 3952 4192 Hpfcdojl.exe 102 PID 4192 wrote to memory of 3952 4192 Hpfcdojl.exe 102 PID 3952 wrote to memory of 1572 3952 Ihnkel32.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\4cf26022f153bdf943914aa6af935f48753524a7e9c16abd75efd73c1319259d.exe"C:\Users\Admin\AppData\Local\Temp\4cf26022f153bdf943914aa6af935f48753524a7e9c16abd75efd73c1319259d.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1400 -
C:\Windows\SysWOW64\Gklnjj32.exeC:\Windows\system32\Gklnjj32.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Gaefgd32.exeC:\Windows\system32\Gaefgd32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Ggbook32.exeC:\Windows\system32\Ggbook32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3904 -
C:\Windows\SysWOW64\Giqkkf32.exeC:\Windows\system32\Giqkkf32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4992 -
C:\Windows\SysWOW64\Gnlgleef.exeC:\Windows\system32\Gnlgleef.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5096 -
C:\Windows\SysWOW64\Hgelek32.exeC:\Windows\system32\Hgelek32.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Windows\SysWOW64\Hnodaecc.exeC:\Windows\system32\Hnodaecc.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\Hpmpnp32.exeC:\Windows\system32\Hpmpnp32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3304 -
C:\Windows\SysWOW64\Hgghjjid.exeC:\Windows\system32\Hgghjjid.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4468 -
C:\Windows\SysWOW64\Hnaqgd32.exeC:\Windows\system32\Hnaqgd32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Hpomcp32.exeC:\Windows\system32\Hpomcp32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Hgiepjga.exeC:\Windows\system32\Hgiepjga.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4608 -
C:\Windows\SysWOW64\Hjhalefe.exeC:\Windows\system32\Hjhalefe.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3332 -
C:\Windows\SysWOW64\Hdmein32.exeC:\Windows\system32\Hdmein32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3784 -
C:\Windows\SysWOW64\Hkgnfhnh.exeC:\Windows\system32\Hkgnfhnh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\SysWOW64\Hnfjbdmk.exeC:\Windows\system32\Hnfjbdmk.exe17⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\SysWOW64\Hdpbon32.exeC:\Windows\system32\Hdpbon32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3728 -
C:\Windows\SysWOW64\Hgnoki32.exeC:\Windows\system32\Hgnoki32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1516 -
C:\Windows\SysWOW64\Hnhghcki.exeC:\Windows\system32\Hnhghcki.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Windows\SysWOW64\Hpfcdojl.exeC:\Windows\system32\Hpfcdojl.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4192 -
C:\Windows\SysWOW64\Ihnkel32.exeC:\Windows\system32\Ihnkel32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3952 -
C:\Windows\SysWOW64\Iklgah32.exeC:\Windows\system32\Iklgah32.exe23⤵
- Executes dropped EXE
PID:1572 -
C:\Windows\SysWOW64\Ijogmdqm.exeC:\Windows\system32\Ijogmdqm.exe24⤵
- Executes dropped EXE
PID:740 -
C:\Windows\SysWOW64\Iqipio32.exeC:\Windows\system32\Iqipio32.exe25⤵
- Executes dropped EXE
PID:4240 -
C:\Windows\SysWOW64\Ikndgg32.exeC:\Windows\system32\Ikndgg32.exe26⤵
- Executes dropped EXE
PID:4876 -
C:\Windows\SysWOW64\Inmpcc32.exeC:\Windows\system32\Inmpcc32.exe27⤵
- Executes dropped EXE
PID:916 -
C:\Windows\SysWOW64\Idghpmnp.exeC:\Windows\system32\Idghpmnp.exe28⤵
- Executes dropped EXE
PID:4888 -
C:\Windows\SysWOW64\Ikqqlgem.exeC:\Windows\system32\Ikqqlgem.exe29⤵
- Executes dropped EXE
PID:628 -
C:\Windows\SysWOW64\Inomhbeq.exeC:\Windows\system32\Inomhbeq.exe30⤵
- Executes dropped EXE
PID:4884 -
C:\Windows\SysWOW64\Iakiia32.exeC:\Windows\system32\Iakiia32.exe31⤵
- Executes dropped EXE
PID:3236 -
C:\Windows\SysWOW64\Iggaah32.exeC:\Windows\system32\Iggaah32.exe32⤵
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Inainbcn.exeC:\Windows\system32\Inainbcn.exe33⤵
- Executes dropped EXE
PID:4696 -
C:\Windows\SysWOW64\Idkbkl32.exeC:\Windows\system32\Idkbkl32.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2864 -
C:\Windows\SysWOW64\Indfca32.exeC:\Windows\system32\Indfca32.exe35⤵
- Executes dropped EXE
PID:3192 -
C:\Windows\SysWOW64\Iqbbpm32.exeC:\Windows\system32\Iqbbpm32.exe36⤵
- Executes dropped EXE
PID:4220 -
C:\Windows\SysWOW64\Jjjghcfp.exeC:\Windows\system32\Jjjghcfp.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4156 -
C:\Windows\SysWOW64\Jdpkflfe.exeC:\Windows\system32\Jdpkflfe.exe38⤵
- Executes dropped EXE
PID:4308 -
C:\Windows\SysWOW64\Jkjcbe32.exeC:\Windows\system32\Jkjcbe32.exe39⤵
- Executes dropped EXE
PID:1424 -
C:\Windows\SysWOW64\Jqglkmlj.exeC:\Windows\system32\Jqglkmlj.exe40⤵
- Executes dropped EXE
PID:228 -
C:\Windows\SysWOW64\Jhndljll.exeC:\Windows\system32\Jhndljll.exe41⤵
- Executes dropped EXE
PID:4404 -
C:\Windows\SysWOW64\Jklphekp.exeC:\Windows\system32\Jklphekp.exe42⤵
- Executes dropped EXE
PID:3500 -
C:\Windows\SysWOW64\Jbfheo32.exeC:\Windows\system32\Jbfheo32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1504 -
C:\Windows\SysWOW64\Jdedak32.exeC:\Windows\system32\Jdedak32.exe44⤵
- Executes dropped EXE
PID:1848 -
C:\Windows\SysWOW64\Jnmijq32.exeC:\Windows\system32\Jnmijq32.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:3980 -
C:\Windows\SysWOW64\Jdgafjpn.exeC:\Windows\system32\Jdgafjpn.exe46⤵
- Executes dropped EXE
PID:32 -
C:\Windows\SysWOW64\Jkaicd32.exeC:\Windows\system32\Jkaicd32.exe47⤵
- Executes dropped EXE
PID:4160 -
C:\Windows\SysWOW64\Jjdjoane.exeC:\Windows\system32\Jjdjoane.exe48⤵
- Executes dropped EXE
PID:4040 -
C:\Windows\SysWOW64\Kdinljnk.exeC:\Windows\system32\Kdinljnk.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2436 -
C:\Windows\SysWOW64\Kghjhemo.exeC:\Windows\system32\Kghjhemo.exe50⤵
- Executes dropped EXE
PID:3356 -
C:\Windows\SysWOW64\Knbbep32.exeC:\Windows\system32\Knbbep32.exe51⤵
- Executes dropped EXE
PID:3716 -
C:\Windows\SysWOW64\Kqpoakco.exeC:\Windows\system32\Kqpoakco.exe52⤵
- Executes dropped EXE
PID:4004 -
C:\Windows\SysWOW64\Kgjgne32.exeC:\Windows\system32\Kgjgne32.exe53⤵
- Executes dropped EXE
PID:5060 -
C:\Windows\SysWOW64\Kndojobi.exeC:\Windows\system32\Kndojobi.exe54⤵
- Executes dropped EXE
PID:4948 -
C:\Windows\SysWOW64\Kqbkfkal.exeC:\Windows\system32\Kqbkfkal.exe55⤵
- Executes dropped EXE
PID:1148 -
C:\Windows\SysWOW64\Kijchhbo.exeC:\Windows\system32\Kijchhbo.exe56⤵
- Executes dropped EXE
PID:1892 -
C:\Windows\SysWOW64\Kbbhqn32.exeC:\Windows\system32\Kbbhqn32.exe57⤵
- Executes dropped EXE
PID:1384 -
C:\Windows\SysWOW64\Kilpmh32.exeC:\Windows\system32\Kilpmh32.exe58⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Kkjlic32.exeC:\Windows\system32\Kkjlic32.exe59⤵
- Executes dropped EXE
PID:3124 -
C:\Windows\SysWOW64\Kbddfmgl.exeC:\Windows\system32\Kbddfmgl.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:4032 -
C:\Windows\SysWOW64\Kecabifp.exeC:\Windows\system32\Kecabifp.exe61⤵
- Executes dropped EXE
PID:3604 -
C:\Windows\SysWOW64\Kinmcg32.exeC:\Windows\system32\Kinmcg32.exe62⤵
- Executes dropped EXE
PID:936 -
C:\Windows\SysWOW64\Knkekn32.exeC:\Windows\system32\Knkekn32.exe63⤵
- Executes dropped EXE
PID:4828 -
C:\Windows\SysWOW64\Lbgalmej.exeC:\Windows\system32\Lbgalmej.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4304 -
C:\Windows\SysWOW64\Lgcjdd32.exeC:\Windows\system32\Lgcjdd32.exe65⤵
- Executes dropped EXE
PID:5032 -
C:\Windows\SysWOW64\Lnnbqnjn.exeC:\Windows\system32\Lnnbqnjn.exe66⤵PID:1928
-
C:\Windows\SysWOW64\Lalnmiia.exeC:\Windows\system32\Lalnmiia.exe67⤵PID:744
-
C:\Windows\SysWOW64\Lgffic32.exeC:\Windows\system32\Lgffic32.exe68⤵
- System Location Discovery: System Language Discovery
PID:3932 -
C:\Windows\SysWOW64\Lnpofnhk.exeC:\Windows\system32\Lnpofnhk.exe69⤵PID:4736
-
C:\Windows\SysWOW64\Lankbigo.exeC:\Windows\system32\Lankbigo.exe70⤵PID:1976
-
C:\Windows\SysWOW64\Ljgpkonp.exeC:\Windows\system32\Ljgpkonp.exe71⤵
- Modifies registry class
PID:4408 -
C:\Windows\SysWOW64\Lbngllob.exeC:\Windows\system32\Lbngllob.exe72⤵PID:3504
-
C:\Windows\SysWOW64\Lelchgne.exeC:\Windows\system32\Lelchgne.exe73⤵PID:3996
-
C:\Windows\SysWOW64\Ljilqnlm.exeC:\Windows\system32\Ljilqnlm.exe74⤵PID:2392
-
C:\Windows\SysWOW64\Lacdmh32.exeC:\Windows\system32\Lacdmh32.exe75⤵PID:2600
-
C:\Windows\SysWOW64\Lhmmjbkf.exeC:\Windows\system32\Lhmmjbkf.exe76⤵
- Drops file in System32 directory
PID:4976 -
C:\Windows\SysWOW64\Ljkifn32.exeC:\Windows\system32\Ljkifn32.exe77⤵PID:2836
-
C:\Windows\SysWOW64\Maeachag.exeC:\Windows\system32\Maeachag.exe78⤵PID:4428
-
C:\Windows\SysWOW64\Mhoipb32.exeC:\Windows\system32\Mhoipb32.exe79⤵PID:3576
-
C:\Windows\SysWOW64\Mniallpq.exeC:\Windows\system32\Mniallpq.exe80⤵PID:864
-
C:\Windows\SysWOW64\Mecjif32.exeC:\Windows\system32\Mecjif32.exe81⤵PID:1288
-
C:\Windows\SysWOW64\Mhafeb32.exeC:\Windows\system32\Mhafeb32.exe82⤵PID:4024
-
C:\Windows\SysWOW64\Mnlnbl32.exeC:\Windows\system32\Mnlnbl32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3440 -
C:\Windows\SysWOW64\Meefofek.exeC:\Windows\system32\Meefofek.exe84⤵PID:4908
-
C:\Windows\SysWOW64\Mhdckaeo.exeC:\Windows\system32\Mhdckaeo.exe85⤵PID:392
-
C:\Windows\SysWOW64\Mjbogmdb.exeC:\Windows\system32\Mjbogmdb.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1112 -
C:\Windows\SysWOW64\Micoed32.exeC:\Windows\system32\Micoed32.exe87⤵
- Modifies registry class
PID:3260 -
C:\Windows\SysWOW64\Mjellmbp.exeC:\Windows\system32\Mjellmbp.exe88⤵PID:3344
-
C:\Windows\SysWOW64\Maodigil.exeC:\Windows\system32\Maodigil.exe89⤵PID:5048
-
C:\Windows\SysWOW64\Mifljdjo.exeC:\Windows\system32\Mifljdjo.exe90⤵PID:5004
-
C:\Windows\SysWOW64\Mhilfa32.exeC:\Windows\system32\Mhilfa32.exe91⤵PID:4780
-
C:\Windows\SysWOW64\Njghbl32.exeC:\Windows\system32\Njghbl32.exe92⤵PID:4704
-
C:\Windows\SysWOW64\Nbnpcj32.exeC:\Windows\system32\Nbnpcj32.exe93⤵PID:2476
-
C:\Windows\SysWOW64\Naaqofgj.exeC:\Windows\system32\Naaqofgj.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1776 -
C:\Windows\SysWOW64\Nihipdhl.exeC:\Windows\system32\Nihipdhl.exe95⤵
- Modifies registry class
PID:1600 -
C:\Windows\SysWOW64\Nlfelogp.exeC:\Windows\system32\Nlfelogp.exe96⤵PID:2472
-
C:\Windows\SysWOW64\Njiegl32.exeC:\Windows\system32\Njiegl32.exe97⤵PID:3004
-
C:\Windows\SysWOW64\Nbqmiinl.exeC:\Windows\system32\Nbqmiinl.exe98⤵PID:3036
-
C:\Windows\SysWOW64\Nacmdf32.exeC:\Windows\system32\Nacmdf32.exe99⤵PID:5112
-
C:\Windows\SysWOW64\Nijeec32.exeC:\Windows\system32\Nijeec32.exe100⤵PID:660
-
C:\Windows\SysWOW64\Nhmeapmd.exeC:\Windows\system32\Nhmeapmd.exe101⤵PID:3652
-
C:\Windows\SysWOW64\Nbcjnilj.exeC:\Windows\system32\Nbcjnilj.exe102⤵PID:4584
-
C:\Windows\SysWOW64\Nimbkc32.exeC:\Windows\system32\Nimbkc32.exe103⤵PID:4352
-
C:\Windows\SysWOW64\Nojjcj32.exeC:\Windows\system32\Nojjcj32.exe104⤵PID:5132
-
C:\Windows\SysWOW64\Nhbolp32.exeC:\Windows\system32\Nhbolp32.exe105⤵PID:5172
-
C:\Windows\SysWOW64\Nolgijpk.exeC:\Windows\system32\Nolgijpk.exe106⤵
- Modifies registry class
PID:5216 -
C:\Windows\SysWOW64\Najceeoo.exeC:\Windows\system32\Najceeoo.exe107⤵PID:5260
-
C:\Windows\SysWOW64\Niakfbpa.exeC:\Windows\system32\Niakfbpa.exe108⤵PID:5308
-
C:\Windows\SysWOW64\Oondnini.exeC:\Windows\system32\Oondnini.exe109⤵PID:5352
-
C:\Windows\SysWOW64\Oampjeml.exeC:\Windows\system32\Oampjeml.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5396 -
C:\Windows\SysWOW64\Ohghgodi.exeC:\Windows\system32\Ohghgodi.exe111⤵PID:5440
-
C:\Windows\SysWOW64\Ooqqdi32.exeC:\Windows\system32\Ooqqdi32.exe112⤵PID:5484
-
C:\Windows\SysWOW64\Oaompd32.exeC:\Windows\system32\Oaompd32.exe113⤵PID:5528
-
C:\Windows\SysWOW64\Okgaijaj.exeC:\Windows\system32\Okgaijaj.exe114⤵PID:5576
-
C:\Windows\SysWOW64\Oaajed32.exeC:\Windows\system32\Oaajed32.exe115⤵PID:5620
-
C:\Windows\SysWOW64\Ohkbbn32.exeC:\Windows\system32\Ohkbbn32.exe116⤵PID:5668
-
C:\Windows\SysWOW64\Ooejohhq.exeC:\Windows\system32\Ooejohhq.exe117⤵
- System Location Discovery: System Language Discovery
PID:5716 -
C:\Windows\SysWOW64\Oiknlagg.exeC:\Windows\system32\Oiknlagg.exe118⤵PID:5760
-
C:\Windows\SysWOW64\Ohnohn32.exeC:\Windows\system32\Ohnohn32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5804 -
C:\Windows\SysWOW64\Oohgdhfn.exeC:\Windows\system32\Oohgdhfn.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5848 -
C:\Windows\SysWOW64\Oafcqcea.exeC:\Windows\system32\Oafcqcea.exe121⤵PID:5892
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-