Analysis
-
max time kernel
140s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system -
submitted
25-11-2024 05:20
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ed9c4d3466ef43d45e0c8559adf05eb2ff8394a5e024539e521edad4f88ffb1b.exe
Resource
win7-20241023-en
windows7-x64
12 signatures
150 seconds
Behavioral task
behavioral2
Sample
ed9c4d3466ef43d45e0c8559adf05eb2ff8394a5e024539e521edad4f88ffb1b.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
ed9c4d3466ef43d45e0c8559adf05eb2ff8394a5e024539e521edad4f88ffb1b.exe
-
Size
96KB
-
MD5
49d84dd659deede41a21b42f60596a6c
-
SHA1
fa7943c3715d13bd08e080bfd89132bb455aae88
-
SHA256
ed9c4d3466ef43d45e0c8559adf05eb2ff8394a5e024539e521edad4f88ffb1b
-
SHA512
46b612a5a6f8cbde432fdebdae3c4459c2f2797d51bd4d67ba31c9152a4264691bf3763280d47c0997556ccd6742d6f75a2fd65f51dcf7fc603559f3151290df
-
SSDEEP
1536:rpGq5K7fEOCJzXfJBXoqkQjrLHyNB2L47RZObZUUWaegPYAm:rXAfEN5fJVPjL4ClUUWaet
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Mmogmjmn.exeFkbgckgd.exeQemldifo.exeLjieppcb.exeGqodqodl.exeLghgmg32.exeDomqjm32.exeFdbhge32.exeGblkoham.exeMqjefamk.exeMdogedmh.exeJmfcop32.exeKlehgh32.exeNjbfnjeg.exeQhkipdeb.exeHnkion32.exeLnjcomcf.exeEdlhqlfi.exeBoifga32.exeGiaidnkf.exeKhoebi32.exeGkbcbn32.exeLhfefgkg.exeQdlggg32.exeQlgkki32.exeJjpdmi32.exeHomdhjai.exeCehhdkjf.exeFqlicclo.exeAjeeeblb.exeFggkcl32.exeJbhcim32.exePkoicb32.exeEhlmljkm.exeKofaicon.exeJeafjiop.exeNnokahip.exeHahnac32.exeMmgfqh32.exeNncbdomg.exeHgflflqg.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmogmjmn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkbgckgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qemldifo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljieppcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gqodqodl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lghgmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Domqjm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdbhge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gblkoham.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mqjefamk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdogedmh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdbhge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmfcop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klehgh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njbfnjeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qhkipdeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnkion32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnjcomcf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edlhqlfi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Boifga32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Giaidnkf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khoebi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkbcbn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhfefgkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qdlggg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qlgkki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjpdmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Homdhjai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cehhdkjf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fqlicclo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajeeeblb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fggkcl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbhcim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkoicb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehlmljkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kofaicon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jeafjiop.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnokahip.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hahnac32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmgfqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nncbdomg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgflflqg.exe -
Berbew family
-
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
-
Bruteratel family
-
Detect BruteRatel badger 6 IoCs
Processes:
resource yara_rule behavioral1/files/0x000400000001db29-2488.dat family_bruteratel behavioral1/files/0x0003000000020a50-5544.dat family_bruteratel behavioral1/files/0x0003000000020eef-6865.dat family_bruteratel behavioral1/files/0x000300000002116f-8352.dat family_bruteratel behavioral1/files/0x00030000000213c8-10050.dat family_bruteratel behavioral1/files/0x000300000002143d-10421.dat family_bruteratel -
Executes dropped EXE 64 IoCs
Processes:
Depbfhpe.exeDebplg32.exeDcfpel32.exeDhbhmb32.exeDomqjm32.exeElqaca32.exeEeielfhk.exeEndjaief.exeEdnbncmb.exeEgmojnlf.exeEdqocbkp.exeElldgehk.exeEfdhpjok.exeEolmip32.exeFffefjmi.exeFqlicclo.exeFcjeon32.exeFkejcq32.exeFcmben32.exeFmegncpp.exeFoccjood.exeFbbofjnh.exeFdpkbf32.exeFkjdopeh.exeFbdlkj32.exeFdbhge32.exeGjpqpl32.exeGqiimfam.exeGnmifk32.exeGgfnopfg.exeGnpflj32.exeGjfgqk32.exeGmecmg32.exeGjicfk32.exeGmgpbf32.exeHebdfind.exeHphidanj.exeHnkion32.exeHpjeialg.exeHnmeen32.exeHjdfjo32.exeHnpbjnpo.exeHlccdboi.exeHnbopmnm.exeHhjcic32.exeHfmddp32.exeHjipenda.exeIabhah32.exeIfoqjo32.exeIjklknbn.exeImiigiab.exeIdcacc32.exeIbfaopoi.exeIjmipn32.exeImleli32.exeIpjahd32.exeIbhndp32.exeIegjqk32.exeImnbbi32.exeIoooiack.exeIfffkncm.exeIiecgjba.exeIlcoce32.exeIbmgpoia.exepid Process 2144 Depbfhpe.exe 1972 Debplg32.exe 2252 Dcfpel32.exe 2860 Dhbhmb32.exe 2744 Domqjm32.exe 2972 Elqaca32.exe 2832 Eeielfhk.exe 1240 Endjaief.exe 700 Ednbncmb.exe 708 Egmojnlf.exe 3004 Edqocbkp.exe 1684 Elldgehk.exe 3040 Efdhpjok.exe 2200 Eolmip32.exe 2060 Fffefjmi.exe 2168 Fqlicclo.exe 1260 Fcjeon32.exe 2456 Fkejcq32.exe 2248 Fcmben32.exe 1572 Fmegncpp.exe 1456 Foccjood.exe 3036 Fbbofjnh.exe 2128 Fdpkbf32.exe 1776 Fkjdopeh.exe 988 Fbdlkj32.exe 1624 Fdbhge32.exe 1988 Gjpqpl32.exe 2868 Gqiimfam.exe 2816 Gnmifk32.exe 2532 Ggfnopfg.exe 2908 Gnpflj32.exe 2984 Gjfgqk32.exe 1968 Gmecmg32.exe 1768 Gjicfk32.exe 776 Gmgpbf32.exe 1500 Hebdfind.exe 1940 Hphidanj.exe 1816 Hnkion32.exe 828 Hpjeialg.exe 2384 Hnmeen32.exe 2180 Hjdfjo32.exe 2268 Hnpbjnpo.exe 1128 Hlccdboi.exe 1376 Hnbopmnm.exe 1284 Hhjcic32.exe 1708 Hfmddp32.exe 2088 Hjipenda.exe 1552 Iabhah32.exe 2368 Ifoqjo32.exe 2080 Ijklknbn.exe 2976 Imiigiab.exe 2912 Idcacc32.exe 2924 Ibfaopoi.exe 2720 Ijmipn32.exe 1656 Imleli32.exe 2888 Ipjahd32.exe 2812 Ibhndp32.exe 2004 Iegjqk32.exe 1696 Imnbbi32.exe 316 Ioooiack.exe 2680 Ifffkncm.exe 692 Iiecgjba.exe 1332 Ilcoce32.exe 2228 Ibmgpoia.exe -
Loads dropped DLL 64 IoCs
Processes:
ed9c4d3466ef43d45e0c8559adf05eb2ff8394a5e024539e521edad4f88ffb1b.exeDepbfhpe.exeDebplg32.exeDcfpel32.exeDhbhmb32.exeDomqjm32.exeElqaca32.exeEeielfhk.exeEndjaief.exeEdnbncmb.exeEgmojnlf.exeEdqocbkp.exeElldgehk.exeEfdhpjok.exeEolmip32.exeFffefjmi.exeFqlicclo.exeFcjeon32.exeFkejcq32.exeFcmben32.exeFmegncpp.exeFoccjood.exeFbbofjnh.exeFdpkbf32.exeFkjdopeh.exeFbdlkj32.exeFdbhge32.exeGjpqpl32.exeGqiimfam.exeGnmifk32.exeGgfnopfg.exeGnpflj32.exepid Process 2416 ed9c4d3466ef43d45e0c8559adf05eb2ff8394a5e024539e521edad4f88ffb1b.exe 2416 ed9c4d3466ef43d45e0c8559adf05eb2ff8394a5e024539e521edad4f88ffb1b.exe 2144 Depbfhpe.exe 2144 Depbfhpe.exe 1972 Debplg32.exe 1972 Debplg32.exe 2252 Dcfpel32.exe 2252 Dcfpel32.exe 2860 Dhbhmb32.exe 2860 Dhbhmb32.exe 2744 Domqjm32.exe 2744 Domqjm32.exe 2972 Elqaca32.exe 2972 Elqaca32.exe 2832 Eeielfhk.exe 2832 Eeielfhk.exe 1240 Endjaief.exe 1240 Endjaief.exe 700 Ednbncmb.exe 700 Ednbncmb.exe 708 Egmojnlf.exe 708 Egmojnlf.exe 3004 Edqocbkp.exe 3004 Edqocbkp.exe 1684 Elldgehk.exe 1684 Elldgehk.exe 3040 Efdhpjok.exe 3040 Efdhpjok.exe 2200 Eolmip32.exe 2200 Eolmip32.exe 2060 Fffefjmi.exe 2060 Fffefjmi.exe 2168 Fqlicclo.exe 2168 Fqlicclo.exe 1260 Fcjeon32.exe 1260 Fcjeon32.exe 2456 Fkejcq32.exe 2456 Fkejcq32.exe 2248 Fcmben32.exe 2248 Fcmben32.exe 1572 Fmegncpp.exe 1572 Fmegncpp.exe 1456 Foccjood.exe 1456 Foccjood.exe 3036 Fbbofjnh.exe 3036 Fbbofjnh.exe 2128 Fdpkbf32.exe 2128 Fdpkbf32.exe 1776 Fkjdopeh.exe 1776 Fkjdopeh.exe 988 Fbdlkj32.exe 988 Fbdlkj32.exe 1624 Fdbhge32.exe 1624 Fdbhge32.exe 1988 Gjpqpl32.exe 1988 Gjpqpl32.exe 2868 Gqiimfam.exe 2868 Gqiimfam.exe 2816 Gnmifk32.exe 2816 Gnmifk32.exe 2532 Ggfnopfg.exe 2532 Ggfnopfg.exe 2908 Gnpflj32.exe 2908 Gnpflj32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Nccnlk32.exeKlpdaf32.exeAdnpkjde.exeAjhddk32.exeHklhae32.exePepfnd32.exeJdaqmg32.exeFgigil32.exeKfnmpn32.exeAgglbp32.exeAohdmdoh.exeGkebafoa.exeIkgkei32.exeHhjcic32.exeJenpajfb.exeGjdldd32.exeKpojkp32.exeOhiffh32.exeEodicd32.exeFdkklp32.exeJbhcim32.exeHnpbjnpo.exeBejfao32.exePilbocej.exePlbkfdba.exeElgfkhpi.exeNijnln32.exeGjjmijme.exeNbhhdnlh.exeDilapopb.exePpkhhjei.exeQdojgmfe.exePepcelel.exeLifcib32.exeAkfkbd32.exeAjehnk32.exeElibpg32.exeLmmfnb32.exeOhcdhi32.exeMggabaea.exedescription ioc Process File opened for modification C:\Windows\SysWOW64\Hlpchfdi.exe File created C:\Windows\SysWOW64\Kcfjhebe.dll Nccnlk32.exe File created C:\Windows\SysWOW64\Jijacjnc.exe File opened for modification C:\Windows\SysWOW64\Lcjlnpmo.exe Klpdaf32.exe File opened for modification C:\Windows\SysWOW64\Bkhhhd32.exe Adnpkjde.exe File created C:\Windows\SysWOW64\Chfkee32.dll Ajhddk32.exe File created C:\Windows\SysWOW64\Mmichb32.dll Hklhae32.exe File created C:\Windows\SysWOW64\Pdmbdddn.dll Pepfnd32.exe File created C:\Windows\SysWOW64\Gaocdi32.dll File created C:\Windows\SysWOW64\Jniefm32.exe Jdaqmg32.exe File created C:\Windows\SysWOW64\Fncpef32.exe Fgigil32.exe File opened for modification C:\Windows\SysWOW64\Ebfqfpop.exe File opened for modification C:\Windows\SysWOW64\Felcbk32.exe File created C:\Windows\SysWOW64\Noagjc32.exe File created C:\Windows\SysWOW64\Mnbkmo32.dll Kfnmpn32.exe File created C:\Windows\SysWOW64\Ajehnk32.exe Agglbp32.exe File created C:\Windows\SysWOW64\Khpjqgjc.dll Aohdmdoh.exe File created C:\Windows\SysWOW64\Ikeebbaa.dll Gkebafoa.exe File opened for modification C:\Windows\SysWOW64\Ifmocb32.exe Ikgkei32.exe File opened for modification C:\Windows\SysWOW64\Nnjklb32.exe File created C:\Windows\SysWOW64\Pbglpg32.exe File opened for modification C:\Windows\SysWOW64\Hipkfkgh.exe File created C:\Windows\SysWOW64\Hfmddp32.exe Hhjcic32.exe File created C:\Windows\SysWOW64\Jdaqmg32.exe Jenpajfb.exe File created C:\Windows\SysWOW64\Ggdekbgb.exe File created C:\Windows\SysWOW64\Mkaeob32.exe File created C:\Windows\SysWOW64\Migbpocm.exe File opened for modification C:\Windows\SysWOW64\Gqodqodl.exe Gjdldd32.exe File created C:\Windows\SysWOW64\Ckmicpja.dll File created C:\Windows\SysWOW64\Jamkdghb.dll Kpojkp32.exe File opened for modification C:\Windows\SysWOW64\Pdnkanfg.exe File created C:\Windows\SysWOW64\Cnfnahkp.dll File opened for modification C:\Windows\SysWOW64\Opqoge32.exe Ohiffh32.exe File created C:\Windows\SysWOW64\Kojgdjqe.dll Eodicd32.exe File created C:\Windows\SysWOW64\Lcpkhoab.dll Fdkklp32.exe File opened for modification C:\Windows\SysWOW64\Jialfgcc.exe Jbhcim32.exe File created C:\Windows\SysWOW64\Kpbhjh32.exe File opened for modification C:\Windows\SysWOW64\Hlccdboi.exe Hnpbjnpo.exe File created C:\Windows\SysWOW64\Dklqidif.dll Bejfao32.exe File created C:\Windows\SysWOW64\Aknpmobg.dll Pilbocej.exe File created C:\Windows\SysWOW64\Bedoacoi.dll File created C:\Windows\SysWOW64\Liibgkoo.exe File opened for modification C:\Windows\SysWOW64\Migbpocm.exe File opened for modification C:\Windows\SysWOW64\Pblcbn32.exe Plbkfdba.exe File opened for modification C:\Windows\SysWOW64\Eoebgcol.exe Elgfkhpi.exe File created C:\Windows\SysWOW64\Gbpfqb32.dll Nijnln32.exe File created C:\Windows\SysWOW64\Nphpng32.exe File opened for modification C:\Windows\SysWOW64\Gbadjg32.exe Gjjmijme.exe File opened for modification C:\Windows\SysWOW64\Nefdpjkl.exe Nbhhdnlh.exe File created C:\Windows\SysWOW64\Dljmlj32.exe Dilapopb.exe File created C:\Windows\SysWOW64\Dafikqcd.dll File opened for modification C:\Windows\SysWOW64\Pomhcg32.exe Ppkhhjei.exe File opened for modification C:\Windows\SysWOW64\Qngopb32.exe Qdojgmfe.exe File created C:\Windows\SysWOW64\Iidobe32.dll Pepcelel.exe File created C:\Windows\SysWOW64\Ljphmekn.dll Lifcib32.exe File opened for modification C:\Windows\SysWOW64\Abpcooea.exe Akfkbd32.exe File created C:\Windows\SysWOW64\Apppkekc.exe Ajehnk32.exe File created C:\Windows\SysWOW64\Dokggo32.dll Elibpg32.exe File opened for modification C:\Windows\SysWOW64\Lmpcca32.exe Lmmfnb32.exe File opened for modification C:\Windows\SysWOW64\Lpaehl32.exe File opened for modification C:\Windows\SysWOW64\Kkciic32.exe File created C:\Windows\SysWOW64\Hlbhgd32.dll Ohcdhi32.exe File created C:\Windows\SysWOW64\Bpdokkbh.dll Mggabaea.exe File created C:\Windows\SysWOW64\Gfdeopaj.dll -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Ohagbj32.exeDicnkdnf.exeIhpfgalh.exeMfokinhf.exeNgealejo.exePifbjn32.exeMdadjd32.exeKocpbfei.exeMpnkopeh.exeMhcfjnhm.exeAggiigmn.exeKlecfkff.exeClbnhmjo.exeNpdfhhhe.exeDokfme32.exeEppefg32.exeHifpke32.exeHbaaik32.exeEipgjaoi.exeOioggmmc.exeQobbofgn.exeIfjlcmmj.exeOeindm32.exeDipjkn32.exeJdhifooi.exeEakhdj32.exeKllnhg32.exeMpamde32.exeKnhjjj32.exeOhhmcinf.exeEknmhk32.exeIfgpnmom.exeKaompi32.exeKnnkpobc.exeEoiiijcc.exeFdiogq32.exeDfmeccao.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohagbj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dicnkdnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihpfgalh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfokinhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngealejo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pifbjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdadjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kocpbfei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpnkopeh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhcfjnhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aggiigmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klecfkff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clbnhmjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npdfhhhe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dokfme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eppefg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hifpke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbaaik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eipgjaoi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oioggmmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qobbofgn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifjlcmmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oeindm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dipjkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdhifooi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eakhdj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kllnhg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpamde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knhjjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohhmcinf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eknmhk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifgpnmom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaompi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knnkpobc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eoiiijcc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdiogq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfmeccao.exe -
Modifies registry class 64 IoCs
Processes:
Elgfkhpi.exeNmejllia.exeAgbpnh32.exeInjndk32.exeLgehno32.exeDbncjf32.exeHcepqh32.exeQiiahgjh.exeQdofep32.exeOkbpde32.exeAnjlebjc.exeMjaddn32.exePoklngnf.exeIjkocg32.exeEfhqmadd.exePlmpblnb.exeBgblmk32.exeCcpcckck.exeDomqjm32.exeMqklqhpg.exeGdhdkn32.exeLlmmpcfe.exeOnfabgch.exeCillkbac.exeOpqoge32.exeEegkpo32.exeHiqoeplo.exeMbchni32.exeElibpg32.exeGgagmjbq.exeNppofado.exeMbkpeake.exeFnflke32.exeFdpgph32.exeGnmifk32.exeNmflee32.exeAgglbp32.exeDokfme32.exeHkjkle32.exeMhqjen32.exeKfpifm32.exeMbnocipg.exeNmnojp32.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Elgfkhpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlalaoic.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmejllia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Agbpnh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Injndk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgehno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dbncjf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hcepqh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qiiahgjh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qdofep32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okbpde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eejnebko.dll" Anjlebjc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjaddn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Poklngnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijkocg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efhqmadd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnnoic32.dll" Plmpblnb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgblmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbefdnjd.dll" Ccpcckck.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Domqjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mqklqhpg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdhdkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jofial32.dll" Llmmpcfe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onfabgch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cillkbac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enemcbio.dll" Opqoge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iclnjd32.dll" Eegkpo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hiqoeplo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mbchni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Elibpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ggagmjbq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nppofado.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nalmek32.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mbkpeake.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egjfigdn.dll" Fnflke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdpgph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcpnpp32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgcnhf32.dll" Gnmifk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lndglp32.dll" Nmflee32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Agglbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dppfbm32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnngnk32.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbmmpj32.dll" Dokfme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbdofg32.dll" Hkjkle32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhqjen32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfpifm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mbnocipg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmnojp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lldpji32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhldnm32.dll" -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
ed9c4d3466ef43d45e0c8559adf05eb2ff8394a5e024539e521edad4f88ffb1b.exeDepbfhpe.exeDebplg32.exeDcfpel32.exeDhbhmb32.exeDomqjm32.exeElqaca32.exeEeielfhk.exeEndjaief.exeEdnbncmb.exeEgmojnlf.exeEdqocbkp.exeElldgehk.exeEfdhpjok.exeEolmip32.exeFffefjmi.exedescription pid Process procid_target PID 2416 wrote to memory of 2144 2416 ed9c4d3466ef43d45e0c8559adf05eb2ff8394a5e024539e521edad4f88ffb1b.exe 30 PID 2416 wrote to memory of 2144 2416 ed9c4d3466ef43d45e0c8559adf05eb2ff8394a5e024539e521edad4f88ffb1b.exe 30 PID 2416 wrote to memory of 2144 2416 ed9c4d3466ef43d45e0c8559adf05eb2ff8394a5e024539e521edad4f88ffb1b.exe 30 PID 2416 wrote to memory of 2144 2416 ed9c4d3466ef43d45e0c8559adf05eb2ff8394a5e024539e521edad4f88ffb1b.exe 30 PID 2144 wrote to memory of 1972 2144 Depbfhpe.exe 31 PID 2144 wrote to memory of 1972 2144 Depbfhpe.exe 31 PID 2144 wrote to memory of 1972 2144 Depbfhpe.exe 31 PID 2144 wrote to memory of 1972 2144 Depbfhpe.exe 31 PID 1972 wrote to memory of 2252 1972 Debplg32.exe 32 PID 1972 wrote to memory of 2252 1972 Debplg32.exe 32 PID 1972 wrote to memory of 2252 1972 Debplg32.exe 32 PID 1972 wrote to memory of 2252 1972 Debplg32.exe 32 PID 2252 wrote to memory of 2860 2252 Dcfpel32.exe 33 PID 2252 wrote to memory of 2860 2252 Dcfpel32.exe 33 PID 2252 wrote to memory of 2860 2252 Dcfpel32.exe 33 PID 2252 wrote to memory of 2860 2252 Dcfpel32.exe 33 PID 2860 wrote to memory of 2744 2860 Dhbhmb32.exe 34 PID 2860 wrote to memory of 2744 2860 Dhbhmb32.exe 34 PID 2860 wrote to memory of 2744 2860 Dhbhmb32.exe 34 PID 2860 wrote to memory of 2744 2860 Dhbhmb32.exe 34 PID 2744 wrote to memory of 2972 2744 Domqjm32.exe 35 PID 2744 wrote to memory of 2972 2744 Domqjm32.exe 35 PID 2744 wrote to memory of 2972 2744 Domqjm32.exe 35 PID 2744 wrote to memory of 2972 2744 Domqjm32.exe 35 PID 2972 wrote to memory of 2832 2972 Elqaca32.exe 36 PID 2972 wrote to memory of 2832 2972 Elqaca32.exe 36 PID 2972 wrote to memory of 2832 2972 Elqaca32.exe 36 PID 2972 wrote to memory of 2832 2972 Elqaca32.exe 36 PID 2832 wrote to memory of 1240 2832 Eeielfhk.exe 37 PID 2832 wrote to memory of 1240 2832 Eeielfhk.exe 37 PID 2832 wrote to memory of 1240 2832 Eeielfhk.exe 37 PID 2832 wrote to memory of 1240 2832 Eeielfhk.exe 37 PID 1240 wrote to memory of 700 1240 Endjaief.exe 38 PID 1240 wrote to memory of 700 1240 Endjaief.exe 38 PID 1240 wrote to memory of 700 1240 Endjaief.exe 38 PID 1240 wrote to memory of 700 1240 Endjaief.exe 38 PID 700 wrote to memory of 708 700 Ednbncmb.exe 39 PID 700 wrote to memory of 708 700 Ednbncmb.exe 39 PID 700 wrote to memory of 708 700 Ednbncmb.exe 39 PID 700 wrote to memory of 708 700 Ednbncmb.exe 39 PID 708 wrote to memory of 3004 708 Egmojnlf.exe 40 PID 708 wrote to memory of 3004 708 Egmojnlf.exe 40 PID 708 wrote to memory of 3004 708 Egmojnlf.exe 40 PID 708 wrote to memory of 3004 708 Egmojnlf.exe 40 PID 3004 wrote to memory of 1684 3004 Edqocbkp.exe 41 PID 3004 wrote to memory of 1684 3004 Edqocbkp.exe 41 PID 3004 wrote to memory of 1684 3004 Edqocbkp.exe 41 PID 3004 wrote to memory of 1684 3004 Edqocbkp.exe 41 PID 1684 wrote to memory of 3040 1684 Elldgehk.exe 42 PID 1684 wrote to memory of 3040 1684 Elldgehk.exe 42 PID 1684 wrote to memory of 3040 1684 Elldgehk.exe 42 PID 1684 wrote to memory of 3040 1684 Elldgehk.exe 42 PID 3040 wrote to memory of 2200 3040 Efdhpjok.exe 43 PID 3040 wrote to memory of 2200 3040 Efdhpjok.exe 43 PID 3040 wrote to memory of 2200 3040 Efdhpjok.exe 43 PID 3040 wrote to memory of 2200 3040 Efdhpjok.exe 43 PID 2200 wrote to memory of 2060 2200 Eolmip32.exe 44 PID 2200 wrote to memory of 2060 2200 Eolmip32.exe 44 PID 2200 wrote to memory of 2060 2200 Eolmip32.exe 44 PID 2200 wrote to memory of 2060 2200 Eolmip32.exe 44 PID 2060 wrote to memory of 2168 2060 Fffefjmi.exe 45 PID 2060 wrote to memory of 2168 2060 Fffefjmi.exe 45 PID 2060 wrote to memory of 2168 2060 Fffefjmi.exe 45 PID 2060 wrote to memory of 2168 2060 Fffefjmi.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\ed9c4d3466ef43d45e0c8559adf05eb2ff8394a5e024539e521edad4f88ffb1b.exe"C:\Users\Admin\AppData\Local\Temp\ed9c4d3466ef43d45e0c8559adf05eb2ff8394a5e024539e521edad4f88ffb1b.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\Depbfhpe.exeC:\Windows\system32\Depbfhpe.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\SysWOW64\Debplg32.exeC:\Windows\system32\Debplg32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1972 -
C:\Windows\SysWOW64\Dcfpel32.exeC:\Windows\system32\Dcfpel32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\SysWOW64\Dhbhmb32.exeC:\Windows\system32\Dhbhmb32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\Domqjm32.exeC:\Windows\system32\Domqjm32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\Elqaca32.exeC:\Windows\system32\Elqaca32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Eeielfhk.exeC:\Windows\system32\Eeielfhk.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\Endjaief.exeC:\Windows\system32\Endjaief.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1240 -
C:\Windows\SysWOW64\Ednbncmb.exeC:\Windows\system32\Ednbncmb.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:700 -
C:\Windows\SysWOW64\Egmojnlf.exeC:\Windows\system32\Egmojnlf.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:708 -
C:\Windows\SysWOW64\Edqocbkp.exeC:\Windows\system32\Edqocbkp.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\SysWOW64\Elldgehk.exeC:\Windows\system32\Elldgehk.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1684 -
C:\Windows\SysWOW64\Efdhpjok.exeC:\Windows\system32\Efdhpjok.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\SysWOW64\Eolmip32.exeC:\Windows\system32\Eolmip32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Windows\SysWOW64\Fffefjmi.exeC:\Windows\system32\Fffefjmi.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2060 -
C:\Windows\SysWOW64\Fqlicclo.exeC:\Windows\system32\Fqlicclo.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2168 -
C:\Windows\SysWOW64\Fcjeon32.exeC:\Windows\system32\Fcjeon32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1260 -
C:\Windows\SysWOW64\Fkejcq32.exeC:\Windows\system32\Fkejcq32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2456 -
C:\Windows\SysWOW64\Fcmben32.exeC:\Windows\system32\Fcmben32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2248 -
C:\Windows\SysWOW64\Fmegncpp.exeC:\Windows\system32\Fmegncpp.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1572 -
C:\Windows\SysWOW64\Foccjood.exeC:\Windows\system32\Foccjood.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1456 -
C:\Windows\SysWOW64\Fbbofjnh.exeC:\Windows\system32\Fbbofjnh.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3036 -
C:\Windows\SysWOW64\Fdpkbf32.exeC:\Windows\system32\Fdpkbf32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2128 -
C:\Windows\SysWOW64\Fkjdopeh.exeC:\Windows\system32\Fkjdopeh.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1776 -
C:\Windows\SysWOW64\Fbdlkj32.exeC:\Windows\system32\Fbdlkj32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:988 -
C:\Windows\SysWOW64\Fdbhge32.exeC:\Windows\system32\Fdbhge32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1624 -
C:\Windows\SysWOW64\Gjpqpl32.exeC:\Windows\system32\Gjpqpl32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1988 -
C:\Windows\SysWOW64\Gqiimfam.exeC:\Windows\system32\Gqiimfam.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2868 -
C:\Windows\SysWOW64\Gnmifk32.exeC:\Windows\system32\Gnmifk32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2816 -
C:\Windows\SysWOW64\Ggfnopfg.exeC:\Windows\system32\Ggfnopfg.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2532 -
C:\Windows\SysWOW64\Gnpflj32.exeC:\Windows\system32\Gnpflj32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2908 -
C:\Windows\SysWOW64\Gjfgqk32.exeC:\Windows\system32\Gjfgqk32.exe33⤵
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Gmecmg32.exeC:\Windows\system32\Gmecmg32.exe34⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Gjicfk32.exeC:\Windows\system32\Gjicfk32.exe35⤵
- Executes dropped EXE
PID:1768 -
C:\Windows\SysWOW64\Gmgpbf32.exeC:\Windows\system32\Gmgpbf32.exe36⤵
- Executes dropped EXE
PID:776 -
C:\Windows\SysWOW64\Hebdfind.exeC:\Windows\system32\Hebdfind.exe37⤵
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Hphidanj.exeC:\Windows\system32\Hphidanj.exe38⤵
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Hnkion32.exeC:\Windows\system32\Hnkion32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1816 -
C:\Windows\SysWOW64\Hpjeialg.exeC:\Windows\system32\Hpjeialg.exe40⤵
- Executes dropped EXE
PID:828 -
C:\Windows\SysWOW64\Hnmeen32.exeC:\Windows\system32\Hnmeen32.exe41⤵
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Hjdfjo32.exeC:\Windows\system32\Hjdfjo32.exe42⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Hnpbjnpo.exeC:\Windows\system32\Hnpbjnpo.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2268 -
C:\Windows\SysWOW64\Hlccdboi.exeC:\Windows\system32\Hlccdboi.exe44⤵
- Executes dropped EXE
PID:1128 -
C:\Windows\SysWOW64\Hnbopmnm.exeC:\Windows\system32\Hnbopmnm.exe45⤵
- Executes dropped EXE
PID:1376 -
C:\Windows\SysWOW64\Hhjcic32.exeC:\Windows\system32\Hhjcic32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1284 -
C:\Windows\SysWOW64\Hfmddp32.exeC:\Windows\system32\Hfmddp32.exe47⤵
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Hjipenda.exeC:\Windows\system32\Hjipenda.exe48⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Iabhah32.exeC:\Windows\system32\Iabhah32.exe49⤵
- Executes dropped EXE
PID:1552 -
C:\Windows\SysWOW64\Ifoqjo32.exeC:\Windows\system32\Ifoqjo32.exe50⤵
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Ijklknbn.exeC:\Windows\system32\Ijklknbn.exe51⤵
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Imiigiab.exeC:\Windows\system32\Imiigiab.exe52⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Idcacc32.exeC:\Windows\system32\Idcacc32.exe53⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Ibfaopoi.exeC:\Windows\system32\Ibfaopoi.exe54⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Ijmipn32.exeC:\Windows\system32\Ijmipn32.exe55⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Imleli32.exeC:\Windows\system32\Imleli32.exe56⤵
- Executes dropped EXE
PID:1656 -
C:\Windows\SysWOW64\Ipjahd32.exeC:\Windows\system32\Ipjahd32.exe57⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Ibhndp32.exeC:\Windows\system32\Ibhndp32.exe58⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Iegjqk32.exeC:\Windows\system32\Iegjqk32.exe59⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Imnbbi32.exeC:\Windows\system32\Imnbbi32.exe60⤵
- Executes dropped EXE
PID:1696 -
C:\Windows\SysWOW64\Ioooiack.exeC:\Windows\system32\Ioooiack.exe61⤵
- Executes dropped EXE
PID:316 -
C:\Windows\SysWOW64\Ifffkncm.exeC:\Windows\system32\Ifffkncm.exe62⤵
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\Iiecgjba.exeC:\Windows\system32\Iiecgjba.exe63⤵
- Executes dropped EXE
PID:692 -
C:\Windows\SysWOW64\Ilcoce32.exeC:\Windows\system32\Ilcoce32.exe64⤵
- Executes dropped EXE
PID:1332 -
C:\Windows\SysWOW64\Ibmgpoia.exeC:\Windows\system32\Ibmgpoia.exe65⤵
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Ielclkhe.exeC:\Windows\system32\Ielclkhe.exe66⤵PID:2320
-
C:\Windows\SysWOW64\Iigpli32.exeC:\Windows\system32\Iigpli32.exe67⤵PID:1704
-
C:\Windows\SysWOW64\Jkhldafl.exeC:\Windows\system32\Jkhldafl.exe68⤵PID:2528
-
C:\Windows\SysWOW64\Jbpdeogo.exeC:\Windows\system32\Jbpdeogo.exe69⤵PID:2820
-
C:\Windows\SysWOW64\Jenpajfb.exeC:\Windows\system32\Jenpajfb.exe70⤵
- Drops file in System32 directory
PID:3020 -
C:\Windows\SysWOW64\Jdaqmg32.exeC:\Windows\system32\Jdaqmg32.exe71⤵
- Drops file in System32 directory
PID:2828 -
C:\Windows\SysWOW64\Jniefm32.exeC:\Windows\system32\Jniefm32.exe72⤵PID:2364
-
C:\Windows\SysWOW64\Jepmgj32.exeC:\Windows\system32\Jepmgj32.exe73⤵PID:772
-
C:\Windows\SysWOW64\Jhoice32.exeC:\Windows\system32\Jhoice32.exe74⤵PID:2036
-
C:\Windows\SysWOW64\Jgaiobjn.exeC:\Windows\system32\Jgaiobjn.exe75⤵PID:2932
-
C:\Windows\SysWOW64\Jnkakl32.exeC:\Windows\system32\Jnkakl32.exe76⤵PID:2040
-
C:\Windows\SysWOW64\Jagnlkjd.exeC:\Windows\system32\Jagnlkjd.exe77⤵PID:2592
-
C:\Windows\SysWOW64\Jdejhfig.exeC:\Windows\system32\Jdejhfig.exe78⤵PID:2464
-
C:\Windows\SysWOW64\Jhafhe32.exeC:\Windows\system32\Jhafhe32.exe79⤵PID:408
-
C:\Windows\SysWOW64\Jkpbdq32.exeC:\Windows\system32\Jkpbdq32.exe80⤵PID:1440
-
C:\Windows\SysWOW64\Jplkmgol.exeC:\Windows\system32\Jplkmgol.exe81⤵PID:2164
-
C:\Windows\SysWOW64\Jkbojpna.exeC:\Windows\system32\Jkbojpna.exe82⤵PID:860
-
C:\Windows\SysWOW64\Jjdofm32.exeC:\Windows\system32\Jjdofm32.exe83⤵PID:1404
-
C:\Windows\SysWOW64\Jlckbh32.exeC:\Windows\system32\Jlckbh32.exe84⤵PID:1512
-
C:\Windows\SysWOW64\Kghpoa32.exeC:\Windows\system32\Kghpoa32.exe85⤵PID:2436
-
C:\Windows\SysWOW64\Klehgh32.exeC:\Windows\system32\Klehgh32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2216 -
C:\Windows\SysWOW64\Koddccaa.exeC:\Windows\system32\Koddccaa.exe87⤵PID:2348
-
C:\Windows\SysWOW64\Kfnmpn32.exeC:\Windows\system32\Kfnmpn32.exe88⤵
- Drops file in System32 directory
PID:1508 -
C:\Windows\SysWOW64\Khlili32.exeC:\Windows\system32\Khlili32.exe89⤵PID:1840
-
C:\Windows\SysWOW64\Kofaicon.exeC:\Windows\system32\Kofaicon.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2612 -
C:\Windows\SysWOW64\Kfpifm32.exeC:\Windows\system32\Kfpifm32.exe91⤵
- Modifies registry class
PID:2804 -
C:\Windows\SysWOW64\Khoebi32.exeC:\Windows\system32\Khoebi32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2092 -
C:\Windows\SysWOW64\Kcdjoaee.exeC:\Windows\system32\Kcdjoaee.exe93⤵PID:1944
-
C:\Windows\SysWOW64\Kfbfkmeh.exeC:\Windows\system32\Kfbfkmeh.exe94⤵PID:992
-
C:\Windows\SysWOW64\Kllnhg32.exeC:\Windows\system32\Kllnhg32.exe95⤵
- System Location Discovery: System Language Discovery
PID:968 -
C:\Windows\SysWOW64\Knnkpobc.exeC:\Windows\system32\Knnkpobc.exe96⤵
- System Location Discovery: System Language Discovery
PID:2244 -
C:\Windows\SysWOW64\Kfebambf.exeC:\Windows\system32\Kfebambf.exe97⤵PID:2184
-
C:\Windows\SysWOW64\Kdhcli32.exeC:\Windows\system32\Kdhcli32.exe98⤵PID:2872
-
C:\Windows\SysWOW64\Kgfoie32.exeC:\Windows\system32\Kgfoie32.exe99⤵PID:2724
-
C:\Windows\SysWOW64\Lomgjb32.exeC:\Windows\system32\Lomgjb32.exe100⤵PID:2340
-
C:\Windows\SysWOW64\Lnpgeopa.exeC:\Windows\system32\Lnpgeopa.exe101⤵PID:1544
-
C:\Windows\SysWOW64\Ldjpbign.exeC:\Windows\system32\Ldjpbign.exe102⤵PID:2044
-
C:\Windows\SysWOW64\Lhelbh32.exeC:\Windows\system32\Lhelbh32.exe103⤵PID:1788
-
C:\Windows\SysWOW64\Lkdhoc32.exeC:\Windows\system32\Lkdhoc32.exe104⤵PID:2328
-
C:\Windows\SysWOW64\Lbnpkmfg.exeC:\Windows\system32\Lbnpkmfg.exe105⤵PID:1804
-
C:\Windows\SysWOW64\Ldllgiek.exeC:\Windows\system32\Ldllgiek.exe106⤵PID:564
-
C:\Windows\SysWOW64\Lcomce32.exeC:\Windows\system32\Lcomce32.exe107⤵PID:344
-
C:\Windows\SysWOW64\Ljieppcb.exeC:\Windows\system32\Ljieppcb.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1760 -
C:\Windows\SysWOW64\Lqcmmjko.exeC:\Windows\system32\Lqcmmjko.exe109⤵PID:548
-
C:\Windows\SysWOW64\Lgmeid32.exeC:\Windows\system32\Lgmeid32.exe110⤵PID:2584
-
C:\Windows\SysWOW64\Lngnfnji.exeC:\Windows\system32\Lngnfnji.exe111⤵PID:292
-
C:\Windows\SysWOW64\Lfbbjpgd.exeC:\Windows\system32\Lfbbjpgd.exe112⤵PID:1952
-
C:\Windows\SysWOW64\Lcfbdd32.exeC:\Windows\system32\Lcfbdd32.exe113⤵PID:2336
-
C:\Windows\SysWOW64\Mfdopp32.exeC:\Windows\system32\Mfdopp32.exe114⤵PID:768
-
C:\Windows\SysWOW64\Micklk32.exeC:\Windows\system32\Micklk32.exe115⤵PID:2316
-
C:\Windows\SysWOW64\Mmogmjmn.exeC:\Windows\system32\Mmogmjmn.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1524 -
C:\Windows\SysWOW64\Mpmcielb.exeC:\Windows\system32\Mpmcielb.exe117⤵PID:2668
-
C:\Windows\SysWOW64\Mbkpeake.exeC:\Windows\system32\Mbkpeake.exe118⤵
- Modifies registry class
PID:2500 -
C:\Windows\SysWOW64\Mejlalji.exeC:\Windows\system32\Mejlalji.exe119⤵PID:2708
-
C:\Windows\SysWOW64\Mmadbjkk.exeC:\Windows\system32\Mmadbjkk.exe120⤵PID:3060
-
C:\Windows\SysWOW64\Mpopnejo.exeC:\Windows\system32\Mpopnejo.exe121⤵PID:3024
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-