Analysis
-
max time kernel
119s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
26-11-2024 20:54
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
630401152bc31e268a9f2f00ba6f2655b085d47bd146ef76bfdf8f24e3217c9c.exe
Resource
win7-20241010-en
windows7-x64
12 signatures
120 seconds
Behavioral task
behavioral2
Sample
630401152bc31e268a9f2f00ba6f2655b085d47bd146ef76bfdf8f24e3217c9c.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
14 signatures
120 seconds
General
-
Target
630401152bc31e268a9f2f00ba6f2655b085d47bd146ef76bfdf8f24e3217c9c.exe
-
Size
163KB
-
MD5
204e36ceea174527d4f82699372f042d
-
SHA1
3276d201da073dfd97c41d69b2b223358f0e5c49
-
SHA256
630401152bc31e268a9f2f00ba6f2655b085d47bd146ef76bfdf8f24e3217c9c
-
SHA512
f8745c9d46593913bec5bfe4b09f30aa968b34af1de29bfd1cb7b9ffbbf868a12bd6c6eb23803d00ec3edfba6085c826e4c9bbcb5ee075dcb31a775e3bf74795
-
SSDEEP
1536:PNpnHv60cZjH6aHHeA1nd1TKnHRnlProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVUw:Ly0c5a4++dGZltOrWKDBr+yJbw
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Liibgkoo.exePodpoffm.exeEdcnakpa.exeAdipfd32.exeBqmpdioa.exeIogpag32.exeLnkege32.exeEpqgopbi.exeJhahanie.exeEbialmjb.exeGhacfmic.exeMfgnnhkc.exeHgeelf32.exeInmmbc32.exeQboikm32.exeAaklmhak.exeJgmjdaqb.exeIladfn32.exeHonnki32.exeAokckm32.exeFegjgkla.exeNklopg32.exeFcichb32.exeBeadgdli.exePkfghh32.exeAphjjf32.exeBnochnpm.exeNbfnggeo.exeIomcpe32.exeNdjfgkha.exeCjppfl32.exeIkfdkc32.exeKmklak32.exeMagdam32.exePdnkanfg.exeDbfbnddq.exeJfgebjnm.exeMopbgn32.exeJngilalk.exeNaegmabc.exeIcabeo32.exeFolhgbid.exeQigebglj.exeEbappk32.exeOhjkcile.exeCbdkbjkl.exeKbenacdm.exeLdkdckff.exeQncfphff.exeFfjljmla.exeFabmmejd.exeMdadjd32.exeEmaijk32.exeIbcphc32.exeJdidmf32.exeKhohkamc.exeLaleof32.exeHhkopj32.exeMonhjgkj.exePefhlcdk.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Liibgkoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Podpoffm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edcnakpa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adipfd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqmpdioa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iogpag32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnkege32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epqgopbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhahanie.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebialmjb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghacfmic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfgnnhkc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgeelf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inmmbc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qboikm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaklmhak.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgmjdaqb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iladfn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Honnki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aokckm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fegjgkla.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nklopg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcichb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Beadgdli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkfghh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aphjjf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnochnpm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbfnggeo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iomcpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndjfgkha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjppfl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikfdkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmklak32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Magdam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdnkanfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbfbnddq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfgebjnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mopbgn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jngilalk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Naegmabc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icabeo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edcnakpa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Folhgbid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qigebglj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebappk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohjkcile.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbdkbjkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbenacdm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldkdckff.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qncfphff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffjljmla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fabmmejd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdadjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emaijk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibcphc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdidmf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khohkamc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Laleof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhkopj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Monhjgkj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pefhlcdk.exe -
Berbew family
-
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
-
Bruteratel family
-
Detect BruteRatel badger 1 IoCs
Processes:
resource yara_rule behavioral1/files/0x0004000000020544-3926.dat family_bruteratel -
Executes dropped EXE 64 IoCs
Processes:
Kgclio32.exeKjahej32.exeLclicpkm.exeLkgngb32.exeLhknaf32.exeLdbofgme.exeLhpglecl.exeMjaddn32.exeMkqqnq32.exeMqnifg32.exeMclebc32.exeMobfgdcl.exeMfokinhf.exeNbflno32.exeNmkplgnq.exeNbhhdnlh.exeNnafnopi.exeNapbjjom.exeOnfoin32.exeOadkej32.exeOaghki32.exeOfcqcp32.exeOeindm32.exeOlbfagca.exeObmnna32.exeOpqoge32.exeOemgplgo.exePhlclgfc.exePmkhjncg.exePdeqfhjd.exePgfjhcge.exePaknelgk.exeQdlggg32.exeQkfocaki.exeQpbglhjq.exeQeppdo32.exeQjklenpa.exeAjmijmnn.exeAllefimb.exeAcfmcc32.exeAlnalh32.exeAomnhd32.exeAfffenbp.exeAdlcfjgh.exeAkfkbd32.exeBgllgedi.exeBccmmf32.exeBgoime32.exeBniajoic.exeBmlael32.exeBgaebe32.exeBjpaop32.exeBmnnkl32.exeBoljgg32.exeBffbdadk.exeBieopm32.exeBqlfaj32.exeBoogmgkl.exeBbmcibjp.exeBigkel32.exeBkegah32.exeCbppnbhm.exeCenljmgq.exeCmedlk32.exepid Process 2304 Kgclio32.exe 348 Kjahej32.exe 2144 Lclicpkm.exe 2872 Lkgngb32.exe 3024 Lhknaf32.exe 2832 Ldbofgme.exe 2640 Lhpglecl.exe 1476 Mjaddn32.exe 1632 Mkqqnq32.exe 2964 Mqnifg32.exe 2700 Mclebc32.exe 2972 Mobfgdcl.exe 2180 Mfokinhf.exe 1904 Nbflno32.exe 2292 Nmkplgnq.exe 1104 Nbhhdnlh.exe 300 Nnafnopi.exe 1676 Napbjjom.exe 1548 Onfoin32.exe 1792 Oadkej32.exe 2608 Oaghki32.exe 2060 Ofcqcp32.exe 2216 Oeindm32.exe 2064 Olbfagca.exe 1600 Obmnna32.exe 1696 Opqoge32.exe 584 Oemgplgo.exe 2748 Phlclgfc.exe 2772 Pmkhjncg.exe 2900 Pdeqfhjd.exe 2904 Pgfjhcge.exe 2704 Paknelgk.exe 2716 Qdlggg32.exe 2692 Qkfocaki.exe 1996 Qpbglhjq.exe 2708 Qeppdo32.exe 2628 Qjklenpa.exe 1780 Ajmijmnn.exe 3008 Allefimb.exe 1892 Acfmcc32.exe 2572 Alnalh32.exe 2224 Aomnhd32.exe 948 Afffenbp.exe 1336 Adlcfjgh.exe 908 Akfkbd32.exe 1748 Bgllgedi.exe 2468 Bccmmf32.exe 572 Bgoime32.exe 2564 Bniajoic.exe 2464 Bmlael32.exe 2188 Bgaebe32.exe 3028 Bjpaop32.exe 2892 Bmnnkl32.exe 2752 Boljgg32.exe 2440 Bffbdadk.exe 580 Bieopm32.exe 1588 Bqlfaj32.exe 2192 Boogmgkl.exe 2280 Bbmcibjp.exe 952 Bigkel32.exe 1820 Bkegah32.exe 2496 Cbppnbhm.exe 2532 Cenljmgq.exe 3060 Cmedlk32.exe -
Loads dropped DLL 64 IoCs
Processes:
630401152bc31e268a9f2f00ba6f2655b085d47bd146ef76bfdf8f24e3217c9c.exeKgclio32.exeKjahej32.exeLclicpkm.exeLkgngb32.exeLhknaf32.exeLdbofgme.exeLhpglecl.exeMjaddn32.exeMkqqnq32.exeMqnifg32.exeMclebc32.exeMobfgdcl.exeMfokinhf.exeNbflno32.exeNmkplgnq.exeNbhhdnlh.exeNnafnopi.exeNapbjjom.exeOnfoin32.exeOadkej32.exeOaghki32.exeOfcqcp32.exeOeindm32.exeOlbfagca.exeObmnna32.exeOpqoge32.exeOemgplgo.exePhlclgfc.exePmkhjncg.exePdeqfhjd.exePgfjhcge.exepid Process 2372 630401152bc31e268a9f2f00ba6f2655b085d47bd146ef76bfdf8f24e3217c9c.exe 2372 630401152bc31e268a9f2f00ba6f2655b085d47bd146ef76bfdf8f24e3217c9c.exe 2304 Kgclio32.exe 2304 Kgclio32.exe 348 Kjahej32.exe 348 Kjahej32.exe 2144 Lclicpkm.exe 2144 Lclicpkm.exe 2872 Lkgngb32.exe 2872 Lkgngb32.exe 3024 Lhknaf32.exe 3024 Lhknaf32.exe 2832 Ldbofgme.exe 2832 Ldbofgme.exe 2640 Lhpglecl.exe 2640 Lhpglecl.exe 1476 Mjaddn32.exe 1476 Mjaddn32.exe 1632 Mkqqnq32.exe 1632 Mkqqnq32.exe 2964 Mqnifg32.exe 2964 Mqnifg32.exe 2700 Mclebc32.exe 2700 Mclebc32.exe 2972 Mobfgdcl.exe 2972 Mobfgdcl.exe 2180 Mfokinhf.exe 2180 Mfokinhf.exe 1904 Nbflno32.exe 1904 Nbflno32.exe 2292 Nmkplgnq.exe 2292 Nmkplgnq.exe 1104 Nbhhdnlh.exe 1104 Nbhhdnlh.exe 300 Nnafnopi.exe 300 Nnafnopi.exe 1676 Napbjjom.exe 1676 Napbjjom.exe 1548 Onfoin32.exe 1548 Onfoin32.exe 1792 Oadkej32.exe 1792 Oadkej32.exe 2608 Oaghki32.exe 2608 Oaghki32.exe 2060 Ofcqcp32.exe 2060 Ofcqcp32.exe 2216 Oeindm32.exe 2216 Oeindm32.exe 2064 Olbfagca.exe 2064 Olbfagca.exe 1600 Obmnna32.exe 1600 Obmnna32.exe 1696 Opqoge32.exe 1696 Opqoge32.exe 584 Oemgplgo.exe 584 Oemgplgo.exe 2748 Phlclgfc.exe 2748 Phlclgfc.exe 2772 Pmkhjncg.exe 2772 Pmkhjncg.exe 2900 Pdeqfhjd.exe 2900 Pdeqfhjd.exe 2904 Pgfjhcge.exe 2904 Pgfjhcge.exe -
Drops file in System32 directory 64 IoCs
Processes:
Jelhmlgm.exePmehdh32.exePmjaohol.exeBgdkkc32.exeLemdncoa.exeFlclam32.exeLpcoeb32.exeDbbklnpj.exeMoenkf32.exeNbhhdnlh.exeAcfmcc32.exeAdlcfjgh.exeCfmhdpnc.exePoacighp.exeMjilmejf.exeFmlecinf.exeMobaef32.exeAfcdpi32.exeCbppnbhm.exeEdoefl32.exeJijokbfp.exeHbofmcij.exeOmnmal32.exeMacjgadf.exeLbmnea32.exeNoagjc32.exeOkkddd32.exeEgonhf32.exeDihmpinj.exeBcflko32.exeGgklka32.exeIbillk32.exeBffbdadk.exeEihjolae.exeMebnic32.exeKiecgo32.exeEacghhkd.exeFjnignob.exeHhaanh32.exePmhgba32.exeEfjmbaba.exeGlbaei32.exeJnmiag32.exeLkbpke32.exeDfmeccao.exeNnnbni32.exeBqmpdioa.exeDmkcil32.exeDqinhcoc.exeHkjnenbp.exeKglfcd32.exeKigibh32.exeBceibfgj.exeOehgjfhi.exeJfaeme32.exePimkbbpi.exeIjnnao32.exeDjoeki32.exePhlclgfc.exeGoiongbc.exeJmipdo32.exeAoaill32.exeJnifaajh.exedescription ioc Process File opened for modification C:\Windows\SysWOW64\Jgkdigfa.exe Jelhmlgm.exe File opened for modification C:\Windows\SysWOW64\Paaddgkj.exe Pmehdh32.exe File created C:\Windows\SysWOW64\Dlfqea32.dll Pmjaohol.exe File opened for modification C:\Windows\SysWOW64\Bnochnpm.exe Bgdkkc32.exe File created C:\Windows\SysWOW64\Iaimld32.dll Lemdncoa.exe File created C:\Windows\SysWOW64\Fpohakbp.exe Flclam32.exe File opened for modification C:\Windows\SysWOW64\Ldokfakl.exe Lpcoeb32.exe File created C:\Windows\SysWOW64\Qgnonqai.dll Dbbklnpj.exe File created C:\Windows\SysWOW64\Macjgadf.exe Moenkf32.exe File opened for modification C:\Windows\SysWOW64\Nnafnopi.exe Nbhhdnlh.exe File opened for modification C:\Windows\SysWOW64\Alnalh32.exe Acfmcc32.exe File opened for modification C:\Windows\SysWOW64\Akfkbd32.exe Adlcfjgh.exe File opened for modification C:\Windows\SysWOW64\Cileqlmg.exe Cfmhdpnc.exe File created C:\Windows\SysWOW64\Pfkkeq32.exe Poacighp.exe File created C:\Windows\SysWOW64\Oigoci32.dll Mjilmejf.exe File created C:\Windows\SysWOW64\Fpjaodmj.exe Fmlecinf.exe File opened for modification C:\Windows\SysWOW64\Maanab32.exe Mobaef32.exe File created C:\Windows\SysWOW64\Lqcmmc32.dll Afcdpi32.exe File opened for modification C:\Windows\SysWOW64\Cenljmgq.exe Cbppnbhm.exe File created C:\Windows\SysWOW64\Bljhgm32.dll Edoefl32.exe File created C:\Windows\SysWOW64\Jlhkgm32.exe Jijokbfp.exe File created C:\Windows\SysWOW64\Chpmbe32.dll Hbofmcij.exe File created C:\Windows\SysWOW64\Pilkle32.dll Omnmal32.exe File opened for modification C:\Windows\SysWOW64\Cobhdhha.exe File created C:\Windows\SysWOW64\Bbmcpemo.dll Macjgadf.exe File created C:\Windows\SysWOW64\Nlqiie32.dll Lbmnea32.exe File created C:\Windows\SysWOW64\Opccallb.exe Noagjc32.exe File opened for modification C:\Windows\SysWOW64\Oqgmmk32.exe Okkddd32.exe File created C:\Windows\SysWOW64\Mfnokgjk.dll Egonhf32.exe File created C:\Windows\SysWOW64\Ddaglffo.dll Dihmpinj.exe File created C:\Windows\SysWOW64\Bedhgj32.exe Bcflko32.exe File created C:\Windows\SysWOW64\Hhmhcigh.exe Ggklka32.exe File created C:\Windows\SysWOW64\Ifekkdfq.dll Ibillk32.exe File opened for modification C:\Windows\SysWOW64\Bieopm32.exe Bffbdadk.exe File opened for modification C:\Windows\SysWOW64\Elgfkhpi.exe Eihjolae.exe File opened for modification C:\Windows\SysWOW64\Mgcjpkak.exe Mebnic32.exe File created C:\Windows\SysWOW64\Abhnddbn.dll Kiecgo32.exe File created C:\Windows\SysWOW64\Anjaagnc.dll Eacghhkd.exe File opened for modification C:\Windows\SysWOW64\Fmlecinf.exe Fjnignob.exe File created C:\Windows\SysWOW64\Faeihnam.dll Hhaanh32.exe File opened for modification C:\Windows\SysWOW64\Pjlgle32.exe Pmhgba32.exe File opened for modification C:\Windows\SysWOW64\Eihjolae.exe Efjmbaba.exe File opened for modification C:\Windows\SysWOW64\Gaojnq32.exe Glbaei32.exe File opened for modification C:\Windows\SysWOW64\Jfcabd32.exe Jnmiag32.exe File created C:\Windows\SysWOW64\Lalhgogb.exe Lkbpke32.exe File created C:\Windows\SysWOW64\Elnpioai.dll Dfmeccao.exe File created C:\Windows\SysWOW64\Nppofado.exe Nnnbni32.exe File created C:\Windows\SysWOW64\Inppon32.dll Bqmpdioa.exe File created C:\Windows\SysWOW64\Dhpgfeao.exe Dmkcil32.exe File created C:\Windows\SysWOW64\Mhibidgh.dll Dqinhcoc.exe File opened for modification C:\Windows\SysWOW64\Hadfah32.exe Hkjnenbp.exe File created C:\Windows\SysWOW64\Qmpebb32.dll Kglfcd32.exe File created C:\Windows\SysWOW64\Monann32.dll Kigibh32.exe File created C:\Windows\SysWOW64\Bgaebe32.exe Bceibfgj.exe File created C:\Windows\SysWOW64\Ohfcfb32.exe Oehgjfhi.exe File created C:\Windows\SysWOW64\Hapbpm32.dll Jfaeme32.exe File created C:\Windows\SysWOW64\Hhfnqbdc.dll Pimkbbpi.exe File opened for modification C:\Windows\SysWOW64\Immjnj32.exe Ijnnao32.exe File created C:\Windows\SysWOW64\Dqinhcoc.exe Djoeki32.exe File created C:\Windows\SysWOW64\Pmkhjncg.exe Phlclgfc.exe File created C:\Windows\SysWOW64\Gnkoid32.exe Goiongbc.exe File opened for modification C:\Windows\SysWOW64\Jpgmpk32.exe Jmipdo32.exe File created C:\Windows\SysWOW64\Bpcfcddp.exe Aoaill32.exe File created C:\Windows\SysWOW64\Blcajboa.dll Jnifaajh.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Ikjhki32.exeJabponba.exeEegmhhie.exeMacjgadf.exeMhjcec32.exeLhpglecl.exeHqnjek32.exeNcamen32.exeBpjldc32.exeJjmcfl32.exeNchipb32.exeGagkjbaf.exeHqiqjlga.exeFelcbk32.exeObmnna32.exeKmqmod32.exeEfljhq32.exeHhaanh32.exeJgbjjf32.exeNedifo32.exePlbkfdba.exeBogjaamh.exeJpmooind.exeBogljj32.exeLpldcfmd.exeLlcehg32.exeLcdhgn32.exeFmohco32.exeEinlmkhp.exeFbpclofe.exeHecebm32.exeLpfnckhe.exeNikkkn32.exeNljhhi32.exeKkdnhi32.exeLdheebad.exeOfnpnkgf.exeHbofmcij.exeHhkopj32.exeHgeelf32.exeOjmbgh32.exeFhljkm32.exeNbflno32.exePhlclgfc.exeLhfpdi32.exeOhfcfb32.exeFeachqgb.exeAgglbp32.exeLhimji32.exeLhoohgdg.exeBhonjg32.exeElgfkhpi.exeAhedjb32.exeJelhmlgm.exeMiiofn32.exeDmgmpnhl.exeJfieigio.exeLdokfakl.exeBpboinpd.exeFpgnoo32.exeKbkdpnil.exePlmbkd32.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikjhki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jabponba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eegmhhie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Macjgadf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhjcec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhpglecl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqnjek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncamen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpjldc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjmcfl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nchipb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gagkjbaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqiqjlga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Felcbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obmnna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmqmod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efljhq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhaanh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgbjjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nedifo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plbkfdba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bogjaamh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpmooind.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bogljj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpldcfmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llcehg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcdhgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmohco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Einlmkhp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbpclofe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hecebm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpfnckhe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nikkkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nljhhi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkdnhi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldheebad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofnpnkgf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbofmcij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhkopj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgeelf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojmbgh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhljkm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbflno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phlclgfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhfpdi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohfcfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Feachqgb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agglbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhimji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhoohgdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhonjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elgfkhpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahedjb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jelhmlgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Miiofn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmgmpnhl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfieigio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldokfakl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpboinpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpgnoo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbkdpnil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plmbkd32.exe -
Modifies registry class 64 IoCs
Processes:
Mkcplien.exeBngfmhbj.exeBmlael32.exeEicpcm32.exeNnokahip.exeChgnneiq.exeIfengpdh.exeNldahn32.exePgodcich.exeOnlahm32.exeAiaoclgl.exeIebldo32.exeMmndfnpl.exePfkkeq32.exeNflchkii.exeKmfpmc32.exeIjnnao32.exeKeoabo32.exeBggjjlnb.exeFpgnoo32.exeOcclcg32.exeIaimipjl.exeLlpfjomf.exeOmcngamh.exeAllefimb.exeBjjaikoa.exeGlklejoo.exeFjhdpk32.exeLpldcfmd.exeQaofgc32.exeKgnkci32.exeKkpqlm32.exeMfjkdh32.exePfebnmcj.exeKdnkdmec.exePehebbbh.exeQnqjkh32.exePofldf32.exeEkfpmf32.exeBpboinpd.exeBnofaf32.exeCamnge32.exeEpqgopbi.exeHdpehd32.exeEpeoaffo.exeGehiioaj.exeMjaddn32.exeCegoqlof.exeIbacbcgg.exeGmnngl32.exeCbjnqh32.exeMmpakm32.exePigklmqc.exeDaplkmbg.exeKmqmod32.exePmhgba32.exeBdinnqon.exeIdekbgji.exeBgoime32.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mkcplien.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bngfmhbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akkggpci.dll" Bmlael32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eicpcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnhnhd32.dll" Nnokahip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgjbpi32.dll" Chgnneiq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idfejc32.dll" Ifengpdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nldahn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgodcich.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onlahm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjjdbf32.dll" Aiaoclgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpmdgf32.dll" Iebldo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmndfnpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phohmbjf.dll" Pfkkeq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nflchkii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpnghhmn.dll" Kmfpmc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijnnao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcgqbmgm.dll" Keoabo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bggjjlnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpgnoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eglhaeef.dll" Occlcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjcccnbp.dll" Iaimipjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Llpfjomf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omcngamh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohodgb32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aacinhhc.dll" Allefimb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjjaikoa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Glklejoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kneibo32.dll" Fjhdpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imlkdf32.dll" Lpldcfmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkadbc32.dll" Qaofgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgnkci32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkpqlm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mfjkdh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfebnmcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdnfmn32.dll" Kdnkdmec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Heiebkoj.dll" Pehebbbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qnqjkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gimkklpe.dll" Pofldf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naolaobc.dll" Ekfpmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpboinpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghbakjma.dll" Bnofaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Camnge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Epqgopbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdpehd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Epeoaffo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gehiioaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjaddn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpmahlfd.dll" Cegoqlof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibacbcgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bekmeeno.dll" Gmnngl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlanmb32.dll" Cbjnqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcjoipcl.dll" Mmpakm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjknge32.dll" Pigklmqc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Daplkmbg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kmqmod32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmhgba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klqddq32.dll" Bdinnqon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Idekbgji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjnhlm32.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgoime32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
630401152bc31e268a9f2f00ba6f2655b085d47bd146ef76bfdf8f24e3217c9c.exeKgclio32.exeKjahej32.exeLclicpkm.exeLkgngb32.exeLhknaf32.exeLdbofgme.exeLhpglecl.exeMjaddn32.exeMkqqnq32.exeMqnifg32.exeMclebc32.exeMobfgdcl.exeMfokinhf.exeNbflno32.exeNmkplgnq.exedescription pid Process procid_target PID 2372 wrote to memory of 2304 2372 630401152bc31e268a9f2f00ba6f2655b085d47bd146ef76bfdf8f24e3217c9c.exe 31 PID 2372 wrote to memory of 2304 2372 630401152bc31e268a9f2f00ba6f2655b085d47bd146ef76bfdf8f24e3217c9c.exe 31 PID 2372 wrote to memory of 2304 2372 630401152bc31e268a9f2f00ba6f2655b085d47bd146ef76bfdf8f24e3217c9c.exe 31 PID 2372 wrote to memory of 2304 2372 630401152bc31e268a9f2f00ba6f2655b085d47bd146ef76bfdf8f24e3217c9c.exe 31 PID 2304 wrote to memory of 348 2304 Kgclio32.exe 32 PID 2304 wrote to memory of 348 2304 Kgclio32.exe 32 PID 2304 wrote to memory of 348 2304 Kgclio32.exe 32 PID 2304 wrote to memory of 348 2304 Kgclio32.exe 32 PID 348 wrote to memory of 2144 348 Kjahej32.exe 33 PID 348 wrote to memory of 2144 348 Kjahej32.exe 33 PID 348 wrote to memory of 2144 348 Kjahej32.exe 33 PID 348 wrote to memory of 2144 348 Kjahej32.exe 33 PID 2144 wrote to memory of 2872 2144 Lclicpkm.exe 34 PID 2144 wrote to memory of 2872 2144 Lclicpkm.exe 34 PID 2144 wrote to memory of 2872 2144 Lclicpkm.exe 34 PID 2144 wrote to memory of 2872 2144 Lclicpkm.exe 34 PID 2872 wrote to memory of 3024 2872 Lkgngb32.exe 35 PID 2872 wrote to memory of 3024 2872 Lkgngb32.exe 35 PID 2872 wrote to memory of 3024 2872 Lkgngb32.exe 35 PID 2872 wrote to memory of 3024 2872 Lkgngb32.exe 35 PID 3024 wrote to memory of 2832 3024 Lhknaf32.exe 36 PID 3024 wrote to memory of 2832 3024 Lhknaf32.exe 36 PID 3024 wrote to memory of 2832 3024 Lhknaf32.exe 36 PID 3024 wrote to memory of 2832 3024 Lhknaf32.exe 36 PID 2832 wrote to memory of 2640 2832 Ldbofgme.exe 37 PID 2832 wrote to memory of 2640 2832 Ldbofgme.exe 37 PID 2832 wrote to memory of 2640 2832 Ldbofgme.exe 37 PID 2832 wrote to memory of 2640 2832 Ldbofgme.exe 37 PID 2640 wrote to memory of 1476 2640 Lhpglecl.exe 38 PID 2640 wrote to memory of 1476 2640 Lhpglecl.exe 38 PID 2640 wrote to memory of 1476 2640 Lhpglecl.exe 38 PID 2640 wrote to memory of 1476 2640 Lhpglecl.exe 38 PID 1476 wrote to memory of 1632 1476 Mjaddn32.exe 39 PID 1476 wrote to memory of 1632 1476 Mjaddn32.exe 39 PID 1476 wrote to memory of 1632 1476 Mjaddn32.exe 39 PID 1476 wrote to memory of 1632 1476 Mjaddn32.exe 39 PID 1632 wrote to memory of 2964 1632 Mkqqnq32.exe 40 PID 1632 wrote to memory of 2964 1632 Mkqqnq32.exe 40 PID 1632 wrote to memory of 2964 1632 Mkqqnq32.exe 40 PID 1632 wrote to memory of 2964 1632 Mkqqnq32.exe 40 PID 2964 wrote to memory of 2700 2964 Mqnifg32.exe 41 PID 2964 wrote to memory of 2700 2964 Mqnifg32.exe 41 PID 2964 wrote to memory of 2700 2964 Mqnifg32.exe 41 PID 2964 wrote to memory of 2700 2964 Mqnifg32.exe 41 PID 2700 wrote to memory of 2972 2700 Mclebc32.exe 42 PID 2700 wrote to memory of 2972 2700 Mclebc32.exe 42 PID 2700 wrote to memory of 2972 2700 Mclebc32.exe 42 PID 2700 wrote to memory of 2972 2700 Mclebc32.exe 42 PID 2972 wrote to memory of 2180 2972 Mobfgdcl.exe 43 PID 2972 wrote to memory of 2180 2972 Mobfgdcl.exe 43 PID 2972 wrote to memory of 2180 2972 Mobfgdcl.exe 43 PID 2972 wrote to memory of 2180 2972 Mobfgdcl.exe 43 PID 2180 wrote to memory of 1904 2180 Mfokinhf.exe 44 PID 2180 wrote to memory of 1904 2180 Mfokinhf.exe 44 PID 2180 wrote to memory of 1904 2180 Mfokinhf.exe 44 PID 2180 wrote to memory of 1904 2180 Mfokinhf.exe 44 PID 1904 wrote to memory of 2292 1904 Nbflno32.exe 45 PID 1904 wrote to memory of 2292 1904 Nbflno32.exe 45 PID 1904 wrote to memory of 2292 1904 Nbflno32.exe 45 PID 1904 wrote to memory of 2292 1904 Nbflno32.exe 45 PID 2292 wrote to memory of 1104 2292 Nmkplgnq.exe 46 PID 2292 wrote to memory of 1104 2292 Nmkplgnq.exe 46 PID 2292 wrote to memory of 1104 2292 Nmkplgnq.exe 46 PID 2292 wrote to memory of 1104 2292 Nmkplgnq.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\630401152bc31e268a9f2f00ba6f2655b085d47bd146ef76bfdf8f24e3217c9c.exe"C:\Users\Admin\AppData\Local\Temp\630401152bc31e268a9f2f00ba6f2655b085d47bd146ef76bfdf8f24e3217c9c.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\SysWOW64\Kgclio32.exeC:\Windows\system32\Kgclio32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2304 -
C:\Windows\SysWOW64\Kjahej32.exeC:\Windows\system32\Kjahej32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:348 -
C:\Windows\SysWOW64\Lclicpkm.exeC:\Windows\system32\Lclicpkm.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\SysWOW64\Lkgngb32.exeC:\Windows\system32\Lkgngb32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\Lhknaf32.exeC:\Windows\system32\Lhknaf32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Windows\SysWOW64\Ldbofgme.exeC:\Windows\system32\Ldbofgme.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\Lhpglecl.exeC:\Windows\system32\Lhpglecl.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Mjaddn32.exeC:\Windows\system32\Mjaddn32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1476 -
C:\Windows\SysWOW64\Mkqqnq32.exeC:\Windows\system32\Mkqqnq32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Windows\SysWOW64\Mqnifg32.exeC:\Windows\system32\Mqnifg32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Mclebc32.exeC:\Windows\system32\Mclebc32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Mobfgdcl.exeC:\Windows\system32\Mobfgdcl.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Mfokinhf.exeC:\Windows\system32\Mfokinhf.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\Nbflno32.exeC:\Windows\system32\Nbflno32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1904 -
C:\Windows\SysWOW64\Nmkplgnq.exeC:\Windows\system32\Nmkplgnq.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\SysWOW64\Nbhhdnlh.exeC:\Windows\system32\Nbhhdnlh.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1104 -
C:\Windows\SysWOW64\Nnafnopi.exeC:\Windows\system32\Nnafnopi.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:300 -
C:\Windows\SysWOW64\Napbjjom.exeC:\Windows\system32\Napbjjom.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1676 -
C:\Windows\SysWOW64\Onfoin32.exeC:\Windows\system32\Onfoin32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1548 -
C:\Windows\SysWOW64\Oadkej32.exeC:\Windows\system32\Oadkej32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1792 -
C:\Windows\SysWOW64\Oaghki32.exeC:\Windows\system32\Oaghki32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2608 -
C:\Windows\SysWOW64\Ofcqcp32.exeC:\Windows\system32\Ofcqcp32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2060 -
C:\Windows\SysWOW64\Oeindm32.exeC:\Windows\system32\Oeindm32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2216 -
C:\Windows\SysWOW64\Olbfagca.exeC:\Windows\system32\Olbfagca.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2064 -
C:\Windows\SysWOW64\Obmnna32.exeC:\Windows\system32\Obmnna32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1600 -
C:\Windows\SysWOW64\Opqoge32.exeC:\Windows\system32\Opqoge32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1696 -
C:\Windows\SysWOW64\Oemgplgo.exeC:\Windows\system32\Oemgplgo.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:584 -
C:\Windows\SysWOW64\Phlclgfc.exeC:\Windows\system32\Phlclgfc.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2748 -
C:\Windows\SysWOW64\Pmkhjncg.exeC:\Windows\system32\Pmkhjncg.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2772 -
C:\Windows\SysWOW64\Pdeqfhjd.exeC:\Windows\system32\Pdeqfhjd.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2900 -
C:\Windows\SysWOW64\Pgfjhcge.exeC:\Windows\system32\Pgfjhcge.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2904 -
C:\Windows\SysWOW64\Paknelgk.exeC:\Windows\system32\Paknelgk.exe33⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Qdlggg32.exeC:\Windows\system32\Qdlggg32.exe34⤵
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Qkfocaki.exeC:\Windows\system32\Qkfocaki.exe35⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Qpbglhjq.exeC:\Windows\system32\Qpbglhjq.exe36⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\Qeppdo32.exeC:\Windows\system32\Qeppdo32.exe37⤵
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Qjklenpa.exeC:\Windows\system32\Qjklenpa.exe38⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Ajmijmnn.exeC:\Windows\system32\Ajmijmnn.exe39⤵
- Executes dropped EXE
PID:1780 -
C:\Windows\SysWOW64\Allefimb.exeC:\Windows\system32\Allefimb.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:3008 -
C:\Windows\SysWOW64\Acfmcc32.exeC:\Windows\system32\Acfmcc32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1892 -
C:\Windows\SysWOW64\Alnalh32.exeC:\Windows\system32\Alnalh32.exe42⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Aomnhd32.exeC:\Windows\system32\Aomnhd32.exe43⤵
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Afffenbp.exeC:\Windows\system32\Afffenbp.exe44⤵
- Executes dropped EXE
PID:948 -
C:\Windows\SysWOW64\Adlcfjgh.exeC:\Windows\system32\Adlcfjgh.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1336 -
C:\Windows\SysWOW64\Akfkbd32.exeC:\Windows\system32\Akfkbd32.exe46⤵
- Executes dropped EXE
PID:908 -
C:\Windows\SysWOW64\Bgllgedi.exeC:\Windows\system32\Bgllgedi.exe47⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Bccmmf32.exeC:\Windows\system32\Bccmmf32.exe48⤵
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Bgoime32.exeC:\Windows\system32\Bgoime32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:572 -
C:\Windows\SysWOW64\Bniajoic.exeC:\Windows\system32\Bniajoic.exe50⤵
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Bmlael32.exeC:\Windows\system32\Bmlael32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:2464 -
C:\Windows\SysWOW64\Bceibfgj.exeC:\Windows\system32\Bceibfgj.exe52⤵PID:2820
-
C:\Windows\SysWOW64\Bceibfgj.exeC:\Windows\system32\Bceibfgj.exe53⤵
- Drops file in System32 directory
PID:2516 -
C:\Windows\SysWOW64\Bgaebe32.exeC:\Windows\system32\Bgaebe32.exe54⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Bjpaop32.exeC:\Windows\system32\Bjpaop32.exe55⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Bmnnkl32.exeC:\Windows\system32\Bmnnkl32.exe56⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Boljgg32.exeC:\Windows\system32\Boljgg32.exe57⤵
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Bffbdadk.exeC:\Windows\system32\Bffbdadk.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2440 -
C:\Windows\SysWOW64\Bieopm32.exeC:\Windows\system32\Bieopm32.exe59⤵
- Executes dropped EXE
PID:580 -
C:\Windows\SysWOW64\Bqlfaj32.exeC:\Windows\system32\Bqlfaj32.exe60⤵
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\Boogmgkl.exeC:\Windows\system32\Boogmgkl.exe61⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Bbmcibjp.exeC:\Windows\system32\Bbmcibjp.exe62⤵
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Bigkel32.exeC:\Windows\system32\Bigkel32.exe63⤵
- Executes dropped EXE
PID:952 -
C:\Windows\SysWOW64\Bkegah32.exeC:\Windows\system32\Bkegah32.exe64⤵
- Executes dropped EXE
PID:1820 -
C:\Windows\SysWOW64\Cbppnbhm.exeC:\Windows\system32\Cbppnbhm.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2496 -
C:\Windows\SysWOW64\Cenljmgq.exeC:\Windows\system32\Cenljmgq.exe66⤵
- Executes dropped EXE
PID:2532 -
C:\Windows\SysWOW64\Cmedlk32.exeC:\Windows\system32\Cmedlk32.exe67⤵
- Executes dropped EXE
PID:3060 -
C:\Windows\SysWOW64\Cocphf32.exeC:\Windows\system32\Cocphf32.exe68⤵PID:2504
-
C:\Windows\SysWOW64\Cfmhdpnc.exeC:\Windows\system32\Cfmhdpnc.exe69⤵
- Drops file in System32 directory
PID:2720 -
C:\Windows\SysWOW64\Cileqlmg.exeC:\Windows\system32\Cileqlmg.exe70⤵PID:768
-
C:\Windows\SysWOW64\Cbdiia32.exeC:\Windows\system32\Cbdiia32.exe71⤵PID:2328
-
C:\Windows\SysWOW64\Cagienkb.exeC:\Windows\system32\Cagienkb.exe72⤵PID:2852
-
C:\Windows\SysWOW64\Cgaaah32.exeC:\Windows\system32\Cgaaah32.exe73⤵PID:2800
-
C:\Windows\SysWOW64\Caifjn32.exeC:\Windows\system32\Caifjn32.exe74⤵PID:2924
-
C:\Windows\SysWOW64\Cjakccop.exeC:\Windows\system32\Cjakccop.exe75⤵PID:2696
-
C:\Windows\SysWOW64\Cnmfdb32.exeC:\Windows\system32\Cnmfdb32.exe76⤵PID:704
-
C:\Windows\SysWOW64\Cegoqlof.exeC:\Windows\system32\Cegoqlof.exe77⤵
- Modifies registry class
PID:1356 -
C:\Windows\SysWOW64\Cgfkmgnj.exeC:\Windows\system32\Cgfkmgnj.exe78⤵PID:2004
-
C:\Windows\SysWOW64\Djdgic32.exeC:\Windows\system32\Djdgic32.exe79⤵PID:1768
-
C:\Windows\SysWOW64\Danpemej.exeC:\Windows\system32\Danpemej.exe80⤵PID:620
-
C:\Windows\SysWOW64\Dhhhbg32.exeC:\Windows\system32\Dhhhbg32.exe81⤵PID:680
-
C:\Windows\SysWOW64\Dfkhndca.exeC:\Windows\system32\Dfkhndca.exe82⤵PID:352
-
C:\Windows\SysWOW64\Diidjpbe.exeC:\Windows\system32\Diidjpbe.exe83⤵PID:1100
-
C:\Windows\SysWOW64\Daplkmbg.exeC:\Windows\system32\Daplkmbg.exe84⤵
- Modifies registry class
PID:2592 -
C:\Windows\SysWOW64\Dbaice32.exeC:\Windows\system32\Dbaice32.exe85⤵PID:2184
-
C:\Windows\SysWOW64\Dfmeccao.exeC:\Windows\system32\Dfmeccao.exe86⤵
- Drops file in System32 directory
PID:2520 -
C:\Windows\SysWOW64\Dmgmpnhl.exeC:\Windows\system32\Dmgmpnhl.exe87⤵
- System Location Discovery: System Language Discovery
PID:2128 -
C:\Windows\SysWOW64\Dpeiligo.exeC:\Windows\system32\Dpeiligo.exe88⤵PID:2376
-
C:\Windows\SysWOW64\Dbdehdfc.exeC:\Windows\system32\Dbdehdfc.exe89⤵PID:2840
-
C:\Windows\SysWOW64\Debadpeg.exeC:\Windows\system32\Debadpeg.exe90⤵PID:2784
-
C:\Windows\SysWOW64\Dmijfmfi.exeC:\Windows\system32\Dmijfmfi.exe91⤵PID:2940
-
C:\Windows\SysWOW64\Dphfbiem.exeC:\Windows\system32\Dphfbiem.exe92⤵PID:1132
-
C:\Windows\SysWOW64\Dbfbnddq.exeC:\Windows\system32\Dbfbnddq.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2352 -
C:\Windows\SysWOW64\Deenjpcd.exeC:\Windows\system32\Deenjpcd.exe94⤵PID:2040
-
C:\Windows\SysWOW64\Dhckfkbh.exeC:\Windows\system32\Dhckfkbh.exe95⤵PID:676
-
C:\Windows\SysWOW64\Dpjbgh32.exeC:\Windows\system32\Dpjbgh32.exe96⤵PID:3064
-
C:\Windows\SysWOW64\Eakooqih.exeC:\Windows\system32\Eakooqih.exe97⤵PID:688
-
C:\Windows\SysWOW64\Eegkpo32.exeC:\Windows\system32\Eegkpo32.exe98⤵PID:756
-
C:\Windows\SysWOW64\Elacliin.exeC:\Windows\system32\Elacliin.exe99⤵PID:2176
-
C:\Windows\SysWOW64\Eanldqgf.exeC:\Windows\system32\Eanldqgf.exe100⤵PID:536
-
C:\Windows\SysWOW64\Edlhqlfi.exeC:\Windows\system32\Edlhqlfi.exe101⤵PID:1612
-
C:\Windows\SysWOW64\Ehhdaj32.exeC:\Windows\system32\Ehhdaj32.exe102⤵PID:1368
-
C:\Windows\SysWOW64\Ekfpmf32.exeC:\Windows\system32\Ekfpmf32.exe103⤵
- Modifies registry class
PID:628 -
C:\Windows\SysWOW64\Eoblnd32.exeC:\Windows\system32\Eoblnd32.exe104⤵PID:2728
-
C:\Windows\SysWOW64\Edoefl32.exeC:\Windows\system32\Edoefl32.exe105⤵
- Drops file in System32 directory
PID:2976 -
C:\Windows\SysWOW64\Eodicd32.exeC:\Windows\system32\Eodicd32.exe106⤵PID:2264
-
C:\Windows\SysWOW64\Egonhf32.exeC:\Windows\system32\Egonhf32.exe107⤵
- Drops file in System32 directory
PID:1136 -
C:\Windows\SysWOW64\Einjdb32.exeC:\Windows\system32\Einjdb32.exe108⤵PID:1216
-
C:\Windows\SysWOW64\Edcnakpa.exeC:\Windows\system32\Edcnakpa.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1520 -
C:\Windows\SysWOW64\Ekmfne32.exeC:\Windows\system32\Ekmfne32.exe110⤵PID:1284
-
C:\Windows\SysWOW64\Fmlbjq32.exeC:\Windows\system32\Fmlbjq32.exe111⤵PID:448
-
C:\Windows\SysWOW64\Feggob32.exeC:\Windows\system32\Feggob32.exe112⤵PID:2196
-
C:\Windows\SysWOW64\Fckhhgcf.exeC:\Windows\system32\Fckhhgcf.exe113⤵PID:3016
-
C:\Windows\SysWOW64\Flclam32.exeC:\Windows\system32\Flclam32.exe114⤵
- Drops file in System32 directory
PID:684 -
C:\Windows\SysWOW64\Fpohakbp.exeC:\Windows\system32\Fpohakbp.exe115⤵PID:2796
-
C:\Windows\SysWOW64\Fhjmfnok.exeC:\Windows\system32\Fhjmfnok.exe116⤵PID:2236
-
C:\Windows\SysWOW64\Fcpacf32.exeC:\Windows\system32\Fcpacf32.exe117⤵PID:2268
-
C:\Windows\SysWOW64\Fabaocfl.exeC:\Windows\system32\Fabaocfl.exe118⤵PID:2992
-
C:\Windows\SysWOW64\Fhljkm32.exeC:\Windows\system32\Fhljkm32.exe119⤵
- System Location Discovery: System Language Discovery
PID:2524 -
C:\Windows\SysWOW64\Fofbhgde.exeC:\Windows\system32\Fofbhgde.exe120⤵PID:804
-
C:\Windows\SysWOW64\Fadndbci.exeC:\Windows\system32\Fadndbci.exe121⤵PID:2544
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-