Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
28-11-2024 22:58
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
bc1ad692e9de227949ed5c6af000de4947dc81cfa2749d485ee2055073c6c83fN.exe
Resource
win7-20241010-en
windows7-x64
13 signatures
120 seconds
Behavioral task
behavioral2
Sample
bc1ad692e9de227949ed5c6af000de4947dc81cfa2749d485ee2055073c6c83fN.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
12 signatures
120 seconds
General
-
Target
bc1ad692e9de227949ed5c6af000de4947dc81cfa2749d485ee2055073c6c83fN.exe
-
Size
96KB
-
MD5
6dc8e7ac603e5faef9bcf47428d92fe0
-
SHA1
70a5354bbc6bf4863e566a44b00a020aa3757aeb
-
SHA256
bc1ad692e9de227949ed5c6af000de4947dc81cfa2749d485ee2055073c6c83f
-
SHA512
75ffcc19555d15f758accd545935ee4b41ae184de929f95b62cfff2c7147d8c6c2a1e701d2e8885738502a6966a67058bd669697d71f5fd353c6613739dafbeb
-
SSDEEP
1536:/7UGV042IyL5KE6B5rWCAVUcu0up27HRkqfE2LT7RZObZUUWaegPYAW:/7bNyL5KNWCuGp2rJdTClUUWaeF
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Gipngg32.exeJaecod32.exeObbdml32.exeJcleiclo.exeIaegpaao.exeOajndh32.exeBjedmo32.exePhehko32.exeGcjmmdbf.exeInmpklpj.exeGmnngl32.exeFbegbacp.exeBoleejag.exeNepokogo.exeLgpdglhn.exePnmdbi32.exeJjpgfbom.exeNopaoj32.exeLaqojfli.exeHbofmcij.exeIjcngenj.exeLdbaopdj.exeKbmome32.exeKhnapkjg.exeDbmkfh32.exeJjnjqb32.exeJcandb32.exeFcqjfeja.exeQaablcej.exeNbeedh32.exeFdqnkoep.exeGgbieb32.exeLhlbbg32.exeKenhopmf.exeMgnfji32.exePidaba32.exeGpgjnbnl.exeMqehjecl.exeEhhfjcff.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gipngg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jaecod32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obbdml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcleiclo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iaegpaao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oajndh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjedmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phehko32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcjmmdbf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inmpklpj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmnngl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbegbacp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boleejag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nepokogo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgpdglhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnmdbi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjpgfbom.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nopaoj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjedmo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Laqojfli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbofmcij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijcngenj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldbaopdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbmome32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khnapkjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbmkfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjnjqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcandb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcqjfeja.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qaablcej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbeedh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdqnkoep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggbieb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhlbbg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kenhopmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgnfji32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pidaba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpgjnbnl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqehjecl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehhfjcff.exe -
Berbew family
-
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
-
Bruteratel family
-
Detect BruteRatel badger 7 IoCs
Processes:
resource yara_rule behavioral1/files/0x000500000001c875-480.dat family_bruteratel behavioral1/files/0x000400000001dbc4-2337.dat family_bruteratel behavioral1/files/0x0005000000020174-3716.dat family_bruteratel behavioral1/files/0x000300000002080a-4645.dat family_bruteratel behavioral1/files/0x000300000002094d-5044.dat family_bruteratel behavioral1/files/0x0003000000020ae0-5464.dat family_bruteratel behavioral1/files/0x0003000000020eac-6578.dat family_bruteratel -
Executes dropped EXE 64 IoCs
Processes:
Dmgmpnhl.exeDbdehdfc.exeDebadpeg.exeDokfme32.exeDfbnoc32.exeDomccejd.exeEegkpo32.exeElacliin.exeEbklic32.exeEmdmjamj.exeEgmabg32.exeEabepp32.exeEgonhf32.exeEaebeoan.exeEcfnmh32.exeFlocfmnl.exeFdekgjno.exeFeggob32.exeFlapkmlj.exeFgfdie32.exeFiepea32.exeFlclam32.exeFcmdnfad.exeFleifl32.exeFodebh32.exeFdqnkoep.exeFhljkm32.exeGhofam32.exeGgagmjbq.exeGgdcbi32.exeGnnlocgk.exeGckdgjeb.exeGjdldd32.exeGlchpp32.exeGghmmilh.exeGnbejb32.exeGmeeepjp.exeGqcnln32.exeHcajhi32.exeHfpfdeon.exeHkmollme.exeHcdgmimg.exeHdecea32.exeHnnhngjf.exeHfepod32.exeHegpjaac.exeHkahgk32.exeHejmpqop.exeHieiqo32.exeHnbaif32.exeHaqnea32.exeHcojam32.exeHgkfal32.exeIkfbbjdj.exeIndnnfdn.exeImgnjb32.exeIeofkp32.exeIgmbgk32.exeIjkocg32.exeIngkdeak.exeIaegpaao.exeIcdcllpc.exeIjnkifgp.exeIiqldc32.exepid Process 2184 Dmgmpnhl.exe 2772 Dbdehdfc.exe 2736 Debadpeg.exe 2448 Dokfme32.exe 2640 Dfbnoc32.exe 2104 Domccejd.exe 2436 Eegkpo32.exe 1412 Elacliin.exe 2828 Ebklic32.exe 2812 Emdmjamj.exe 2680 Egmabg32.exe 2840 Eabepp32.exe 1944 Egonhf32.exe 2132 Eaebeoan.exe 2180 Ecfnmh32.exe 776 Flocfmnl.exe 1928 Fdekgjno.exe 1872 Feggob32.exe 1028 Flapkmlj.exe 1972 Fgfdie32.exe 2760 Fiepea32.exe 2356 Flclam32.exe 2588 Fcmdnfad.exe 2864 Fleifl32.exe 1004 Fodebh32.exe 960 Fdqnkoep.exe 2884 Fhljkm32.exe 2148 Ghofam32.exe 2732 Ggagmjbq.exe 2276 Ggdcbi32.exe 2832 Gnnlocgk.exe 2092 Gckdgjeb.exe 2292 Gjdldd32.exe 2284 Glchpp32.exe 2996 Gghmmilh.exe 2272 Gnbejb32.exe 1636 Gmeeepjp.exe 684 Gqcnln32.exe 1940 Hcajhi32.exe 1836 Hfpfdeon.exe 2396 Hkmollme.exe 340 Hcdgmimg.exe 1080 Hdecea32.exe 840 Hnnhngjf.exe 2408 Hfepod32.exe 1956 Hegpjaac.exe 1936 Hkahgk32.exe 2192 Hejmpqop.exe 2776 Hieiqo32.exe 1580 Hnbaif32.exe 3032 Haqnea32.exe 2624 Hcojam32.exe 2740 Hgkfal32.exe 2992 Ikfbbjdj.exe 2288 Indnnfdn.exe 3004 Imgnjb32.exe 2268 Ieofkp32.exe 1160 Igmbgk32.exe 2244 Ijkocg32.exe 1532 Ingkdeak.exe 1256 Iaegpaao.exe 2304 Icdcllpc.exe 1752 Ijnkifgp.exe 1984 Iiqldc32.exe -
Loads dropped DLL 64 IoCs
Processes:
bc1ad692e9de227949ed5c6af000de4947dc81cfa2749d485ee2055073c6c83fN.exeDmgmpnhl.exeDbdehdfc.exeDebadpeg.exeDokfme32.exeDfbnoc32.exeDomccejd.exeEegkpo32.exeElacliin.exeEbklic32.exeEmdmjamj.exeEgmabg32.exeEabepp32.exeEgonhf32.exeEaebeoan.exeEcfnmh32.exeFlocfmnl.exeFdekgjno.exeFeggob32.exeFlapkmlj.exeFgfdie32.exeFiepea32.exeFlclam32.exeFcmdnfad.exeFleifl32.exeFodebh32.exeFdqnkoep.exeFhljkm32.exeGhofam32.exeGgagmjbq.exeGgdcbi32.exeGnnlocgk.exepid Process 2464 bc1ad692e9de227949ed5c6af000de4947dc81cfa2749d485ee2055073c6c83fN.exe 2464 bc1ad692e9de227949ed5c6af000de4947dc81cfa2749d485ee2055073c6c83fN.exe 2184 Dmgmpnhl.exe 2184 Dmgmpnhl.exe 2772 Dbdehdfc.exe 2772 Dbdehdfc.exe 2736 Debadpeg.exe 2736 Debadpeg.exe 2448 Dokfme32.exe 2448 Dokfme32.exe 2640 Dfbnoc32.exe 2640 Dfbnoc32.exe 2104 Domccejd.exe 2104 Domccejd.exe 2436 Eegkpo32.exe 2436 Eegkpo32.exe 1412 Elacliin.exe 1412 Elacliin.exe 2828 Ebklic32.exe 2828 Ebklic32.exe 2812 Emdmjamj.exe 2812 Emdmjamj.exe 2680 Egmabg32.exe 2680 Egmabg32.exe 2840 Eabepp32.exe 2840 Eabepp32.exe 1944 Egonhf32.exe 1944 Egonhf32.exe 2132 Eaebeoan.exe 2132 Eaebeoan.exe 2180 Ecfnmh32.exe 2180 Ecfnmh32.exe 776 Flocfmnl.exe 776 Flocfmnl.exe 1928 Fdekgjno.exe 1928 Fdekgjno.exe 1872 Feggob32.exe 1872 Feggob32.exe 1028 Flapkmlj.exe 1028 Flapkmlj.exe 1972 Fgfdie32.exe 1972 Fgfdie32.exe 2760 Fiepea32.exe 2760 Fiepea32.exe 2356 Flclam32.exe 2356 Flclam32.exe 2588 Fcmdnfad.exe 2588 Fcmdnfad.exe 2864 Fleifl32.exe 2864 Fleifl32.exe 1004 Fodebh32.exe 1004 Fodebh32.exe 960 Fdqnkoep.exe 960 Fdqnkoep.exe 2884 Fhljkm32.exe 2884 Fhljkm32.exe 2148 Ghofam32.exe 2148 Ghofam32.exe 2732 Ggagmjbq.exe 2732 Ggagmjbq.exe 2276 Ggdcbi32.exe 2276 Ggdcbi32.exe 2832 Gnnlocgk.exe 2832 Gnnlocgk.exe -
Drops file in System32 directory 64 IoCs
Processes:
Mehpga32.exeImodkadq.exeBnlgbnbp.exeNbfnggeo.exeFahhnn32.exeOmhkcnfg.exeEclcon32.exeNcnjeh32.exeNknimnap.exeInplqlng.exeGjdldd32.exeDlifadkk.exeJcfoihhp.exeBaneak32.exeKhagijcd.exeJajmjcoe.exePddjlb32.exeJieaofmp.exeAjehnk32.exeEejjnhgc.exeCffjagko.exeEmpomd32.exeKmnlhg32.exeKkefoc32.exeCcgnelll.exeDmgmpnhl.exeQfkelkkd.exeNijpdfhm.exePonklpcg.exeEakhdj32.exeMnmbme32.exeMhflcm32.exeLjplkonl.exeHfhfhbce.exeAoomflpd.exeQlfdac32.exeOfdclinq.exeIlemce32.exedescription ioc Process File created C:\Windows\SysWOW64\Mlglpa32.dll Mehpga32.exe File created C:\Windows\SysWOW64\Mpefbfgo.dll File created C:\Windows\SysWOW64\Agiidifg.dll File created C:\Windows\SysWOW64\Hpoofm32.exe File created C:\Windows\SysWOW64\Iladfn32.exe Imodkadq.exe File created C:\Windows\SysWOW64\Nklcci32.dll Bnlgbnbp.exe File opened for modification C:\Windows\SysWOW64\Nhpfdaml.exe Nbfnggeo.exe File created C:\Windows\SysWOW64\Ghghie32.dll File created C:\Windows\SysWOW64\Phplbpbl.dll File opened for modification C:\Windows\SysWOW64\Ddpbfl32.exe File created C:\Windows\SysWOW64\Knanmoan.dll File opened for modification C:\Windows\SysWOW64\Fhbpkh32.exe Fahhnn32.exe File created C:\Windows\SysWOW64\Ooggpiek.exe Omhkcnfg.exe File created C:\Windows\SysWOW64\Bdnnjcdh.dll Eclcon32.exe File created C:\Windows\SysWOW64\Engjkeab.exe File created C:\Windows\SysWOW64\Njhbabif.exe Ncnjeh32.exe File created C:\Windows\SysWOW64\Nkgcpnbh.dll Nknimnap.exe File opened for modification C:\Windows\SysWOW64\Ibkhak32.exe Inplqlng.exe File created C:\Windows\SysWOW64\Ongckp32.exe File opened for modification C:\Windows\SysWOW64\Kkaolm32.exe File opened for modification C:\Windows\SysWOW64\Glchpp32.exe Gjdldd32.exe File created C:\Windows\SysWOW64\Dmkcil32.exe Dlifadkk.exe File created C:\Windows\SysWOW64\Jjpgfbom.exe Jcfoihhp.exe File created C:\Windows\SysWOW64\Nmgjee32.exe File created C:\Windows\SysWOW64\Bjembh32.exe Baneak32.exe File created C:\Windows\SysWOW64\Najeid32.dll Khagijcd.exe File opened for modification C:\Windows\SysWOW64\Jhdegn32.exe Jajmjcoe.exe File opened for modification C:\Windows\SysWOW64\Pfbfhm32.exe Pddjlb32.exe File opened for modification C:\Windows\SysWOW64\Noepdo32.exe File created C:\Windows\SysWOW64\Oojfnakl.exe File created C:\Windows\SysWOW64\Ejgeogmn.exe File opened for modification C:\Windows\SysWOW64\Kpojkp32.exe Jieaofmp.exe File created C:\Windows\SysWOW64\Alddjg32.exe Ajehnk32.exe File created C:\Windows\SysWOW64\Ecmjid32.exe Eejjnhgc.exe File created C:\Windows\SysWOW64\Djafaf32.exe Cffjagko.exe File created C:\Windows\SysWOW64\Egebjmdn.exe Empomd32.exe File created C:\Windows\SysWOW64\Hgkfkohg.dll Kmnlhg32.exe File opened for modification C:\Windows\SysWOW64\Kbpnkm32.exe Kkefoc32.exe File created C:\Windows\SysWOW64\Kndlek32.dll File created C:\Windows\SysWOW64\Mlanmb32.dll Ccgnelll.exe File created C:\Windows\SysWOW64\Peeabm32.exe File created C:\Windows\SysWOW64\Ffphmc32.dll File created C:\Windows\SysWOW64\Fbonbipa.dll Dmgmpnhl.exe File created C:\Windows\SysWOW64\Qiiahgjh.exe Qfkelkkd.exe File opened for modification C:\Windows\SysWOW64\Bpjnmlel.exe File created C:\Windows\SysWOW64\Dpodgocb.exe File opened for modification C:\Windows\SysWOW64\Mmcpjfcj.exe File created C:\Windows\SysWOW64\Nlilqbgp.exe Nijpdfhm.exe File created C:\Windows\SysWOW64\Picojhcm.exe Ponklpcg.exe File created C:\Windows\SysWOW64\Lklfdlbn.dll File created C:\Windows\SysWOW64\Lqnkhh32.dll File created C:\Windows\SysWOW64\Opmhqc32.exe File created C:\Windows\SysWOW64\Edidqf32.exe Eakhdj32.exe File created C:\Windows\SysWOW64\Ocpbal32.dll Mnmbme32.exe File opened for modification C:\Windows\SysWOW64\Mlahdkjc.exe Mhflcm32.exe File created C:\Windows\SysWOW64\Lmnhgjmp.exe Ljplkonl.exe File opened for modification C:\Windows\SysWOW64\Iciaim32.exe File created C:\Windows\SysWOW64\Kanafj32.dll File created C:\Windows\SysWOW64\Mhgimdld.dll File created C:\Windows\SysWOW64\Dllmckbg.dll Hfhfhbce.exe File opened for modification C:\Windows\SysWOW64\Aeiecfga.exe Aoomflpd.exe File opened for modification C:\Windows\SysWOW64\Qkielpdf.exe Qlfdac32.exe File opened for modification C:\Windows\SysWOW64\Oibohdmd.exe Ofdclinq.exe File created C:\Windows\SysWOW64\Mfnfdm32.dll Ilemce32.exe -
Program crash 1 IoCs
Processes:
pid pid_target Process procid_target 7976 7576 1697 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Nmabjfek.exeOfdclinq.exeAohgfm32.exeImacijjb.exeJcqlkjae.exeCnabffeo.exeLlebnfpe.exeNjhilimb.exeFeipbefb.exeHekefkig.exeEoebgcol.exeDqfabdaf.exeAhpbkd32.exeLodnjboi.exeKngekdnf.exeCkfjjqhd.exePfqlkfoc.exeHlpchfdi.exeFiepea32.exeGhdiokbq.exeGockgdeh.exeAedlhg32.exeJigbebhb.exeKkdnhi32.exeBogjaamh.exeMaanab32.exeGdcmig32.exeIjimli32.exeLepclldc.exeDqaode32.exeKepgmh32.exeAhngomkd.exeNqjaeeog.exeGlpepj32.exePnnmeh32.exeHdpehd32.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmabjfek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofdclinq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aohgfm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imacijjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcqlkjae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnabffeo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llebnfpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njhilimb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Feipbefb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hekefkig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eoebgcol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dqfabdaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahpbkd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lodnjboi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kngekdnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckfjjqhd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfqlkfoc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlpchfdi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fiepea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghdiokbq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gockgdeh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aedlhg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jigbebhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkdnhi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bogjaamh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Maanab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdcmig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijimli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lepclldc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dqaode32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kepgmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahngomkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqjaeeog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glpepj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnnmeh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdpehd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language -
Modifies registry class 64 IoCs
Processes:
Ciokijfd.exeKoflgf32.exeHlbpme32.exeFaonom32.exeLidgcclp.exePpkjac32.exeMojbaham.exeGenlgnhd.exeNcipjieo.exeKffqqm32.exeKhgkpl32.exeLofifi32.exePiieicgl.exeFhjhdp32.exeLiibgkoo.exePacajg32.exeGdcmig32.exeQpniokan.exeAjldkhjh.exeMjqmig32.exeNjgpij32.exeEejjnhgc.exeMmjomogn.exeBahelebm.exeDonojm32.exeJqeomfgc.exeLalhgogb.exeMgbcfdmo.exeDdkgbc32.exeEmbkbdce.exeAjehnk32.exeDadbdkld.exeNkclkl32.exeCbbomjnn.exeJlqjkk32.exeNjnokdaq.exeIkapdqoc.exeGkgoff32.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ciokijfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Koflgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogihnoda.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hlbpme32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Faonom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lidgcclp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bijnecld.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbkngk32.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ppkjac32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mojbaham.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Genlgnhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihoofcd.dll" Ncipjieo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibfmgg32.dll" Kffqqm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Khgkpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbppfnao.dll" Lofifi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Piieicgl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhjhdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Liibgkoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmbjhfda.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pacajg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdcmig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qpniokan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajldkhjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdpcbceo.dll" Mjqmig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njgpij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccgfbken.dll" Eejjnhgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmjomogn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bahelebm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnbppmob.dll" Donojm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfldmeci.dll" Jqeomfgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpijio32.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkppio32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epiqdk32.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lalhgogb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgbcfdmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddkgbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgnedp32.dll" Embkbdce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daeclf32.dll" Ajehnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dadbdkld.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nkclkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmmqln32.dll" Cbbomjnn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mncmib32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jlqjkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njnokdaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmchaflb.dll" Ikapdqoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgielf32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lecaooal.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gkgoff32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
bc1ad692e9de227949ed5c6af000de4947dc81cfa2749d485ee2055073c6c83fN.exeDmgmpnhl.exeDbdehdfc.exeDebadpeg.exeDokfme32.exeDfbnoc32.exeDomccejd.exeEegkpo32.exeElacliin.exeEbklic32.exeEmdmjamj.exeEgmabg32.exeEabepp32.exeEgonhf32.exeEaebeoan.exeEcfnmh32.exedescription pid Process procid_target PID 2464 wrote to memory of 2184 2464 bc1ad692e9de227949ed5c6af000de4947dc81cfa2749d485ee2055073c6c83fN.exe 31 PID 2464 wrote to memory of 2184 2464 bc1ad692e9de227949ed5c6af000de4947dc81cfa2749d485ee2055073c6c83fN.exe 31 PID 2464 wrote to memory of 2184 2464 bc1ad692e9de227949ed5c6af000de4947dc81cfa2749d485ee2055073c6c83fN.exe 31 PID 2464 wrote to memory of 2184 2464 bc1ad692e9de227949ed5c6af000de4947dc81cfa2749d485ee2055073c6c83fN.exe 31 PID 2184 wrote to memory of 2772 2184 Dmgmpnhl.exe 32 PID 2184 wrote to memory of 2772 2184 Dmgmpnhl.exe 32 PID 2184 wrote to memory of 2772 2184 Dmgmpnhl.exe 32 PID 2184 wrote to memory of 2772 2184 Dmgmpnhl.exe 32 PID 2772 wrote to memory of 2736 2772 Dbdehdfc.exe 33 PID 2772 wrote to memory of 2736 2772 Dbdehdfc.exe 33 PID 2772 wrote to memory of 2736 2772 Dbdehdfc.exe 33 PID 2772 wrote to memory of 2736 2772 Dbdehdfc.exe 33 PID 2736 wrote to memory of 2448 2736 Debadpeg.exe 34 PID 2736 wrote to memory of 2448 2736 Debadpeg.exe 34 PID 2736 wrote to memory of 2448 2736 Debadpeg.exe 34 PID 2736 wrote to memory of 2448 2736 Debadpeg.exe 34 PID 2448 wrote to memory of 2640 2448 Dokfme32.exe 35 PID 2448 wrote to memory of 2640 2448 Dokfme32.exe 35 PID 2448 wrote to memory of 2640 2448 Dokfme32.exe 35 PID 2448 wrote to memory of 2640 2448 Dokfme32.exe 35 PID 2640 wrote to memory of 2104 2640 Dfbnoc32.exe 36 PID 2640 wrote to memory of 2104 2640 Dfbnoc32.exe 36 PID 2640 wrote to memory of 2104 2640 Dfbnoc32.exe 36 PID 2640 wrote to memory of 2104 2640 Dfbnoc32.exe 36 PID 2104 wrote to memory of 2436 2104 Domccejd.exe 37 PID 2104 wrote to memory of 2436 2104 Domccejd.exe 37 PID 2104 wrote to memory of 2436 2104 Domccejd.exe 37 PID 2104 wrote to memory of 2436 2104 Domccejd.exe 37 PID 2436 wrote to memory of 1412 2436 Eegkpo32.exe 38 PID 2436 wrote to memory of 1412 2436 Eegkpo32.exe 38 PID 2436 wrote to memory of 1412 2436 Eegkpo32.exe 38 PID 2436 wrote to memory of 1412 2436 Eegkpo32.exe 38 PID 1412 wrote to memory of 2828 1412 Elacliin.exe 39 PID 1412 wrote to memory of 2828 1412 Elacliin.exe 39 PID 1412 wrote to memory of 2828 1412 Elacliin.exe 39 PID 1412 wrote to memory of 2828 1412 Elacliin.exe 39 PID 2828 wrote to memory of 2812 2828 Ebklic32.exe 40 PID 2828 wrote to memory of 2812 2828 Ebklic32.exe 40 PID 2828 wrote to memory of 2812 2828 Ebklic32.exe 40 PID 2828 wrote to memory of 2812 2828 Ebklic32.exe 40 PID 2812 wrote to memory of 2680 2812 Emdmjamj.exe 41 PID 2812 wrote to memory of 2680 2812 Emdmjamj.exe 41 PID 2812 wrote to memory of 2680 2812 Emdmjamj.exe 41 PID 2812 wrote to memory of 2680 2812 Emdmjamj.exe 41 PID 2680 wrote to memory of 2840 2680 Egmabg32.exe 42 PID 2680 wrote to memory of 2840 2680 Egmabg32.exe 42 PID 2680 wrote to memory of 2840 2680 Egmabg32.exe 42 PID 2680 wrote to memory of 2840 2680 Egmabg32.exe 42 PID 2840 wrote to memory of 1944 2840 Eabepp32.exe 43 PID 2840 wrote to memory of 1944 2840 Eabepp32.exe 43 PID 2840 wrote to memory of 1944 2840 Eabepp32.exe 43 PID 2840 wrote to memory of 1944 2840 Eabepp32.exe 43 PID 1944 wrote to memory of 2132 1944 Egonhf32.exe 44 PID 1944 wrote to memory of 2132 1944 Egonhf32.exe 44 PID 1944 wrote to memory of 2132 1944 Egonhf32.exe 44 PID 1944 wrote to memory of 2132 1944 Egonhf32.exe 44 PID 2132 wrote to memory of 2180 2132 Eaebeoan.exe 45 PID 2132 wrote to memory of 2180 2132 Eaebeoan.exe 45 PID 2132 wrote to memory of 2180 2132 Eaebeoan.exe 45 PID 2132 wrote to memory of 2180 2132 Eaebeoan.exe 45 PID 2180 wrote to memory of 776 2180 Ecfnmh32.exe 46 PID 2180 wrote to memory of 776 2180 Ecfnmh32.exe 46 PID 2180 wrote to memory of 776 2180 Ecfnmh32.exe 46 PID 2180 wrote to memory of 776 2180 Ecfnmh32.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\bc1ad692e9de227949ed5c6af000de4947dc81cfa2749d485ee2055073c6c83fN.exe"C:\Users\Admin\AppData\Local\Temp\bc1ad692e9de227949ed5c6af000de4947dc81cfa2749d485ee2055073c6c83fN.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2464 -
C:\Windows\SysWOW64\Dmgmpnhl.exeC:\Windows\system32\Dmgmpnhl.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\Dbdehdfc.exeC:\Windows\system32\Dbdehdfc.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Debadpeg.exeC:\Windows\system32\Debadpeg.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Dokfme32.exeC:\Windows\system32\Dokfme32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Windows\SysWOW64\Dfbnoc32.exeC:\Windows\system32\Dfbnoc32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Domccejd.exeC:\Windows\system32\Domccejd.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Windows\SysWOW64\Eegkpo32.exeC:\Windows\system32\Eegkpo32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Windows\SysWOW64\Elacliin.exeC:\Windows\system32\Elacliin.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1412 -
C:\Windows\SysWOW64\Ebklic32.exeC:\Windows\system32\Ebklic32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\Emdmjamj.exeC:\Windows\system32\Emdmjamj.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\Egmabg32.exeC:\Windows\system32\Egmabg32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Eabepp32.exeC:\Windows\system32\Eabepp32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Egonhf32.exeC:\Windows\system32\Egonhf32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\Windows\SysWOW64\Eaebeoan.exeC:\Windows\system32\Eaebeoan.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\SysWOW64\Ecfnmh32.exeC:\Windows\system32\Ecfnmh32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\Flocfmnl.exeC:\Windows\system32\Flocfmnl.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:776 -
C:\Windows\SysWOW64\Fdekgjno.exeC:\Windows\system32\Fdekgjno.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1928 -
C:\Windows\SysWOW64\Feggob32.exeC:\Windows\system32\Feggob32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1872 -
C:\Windows\SysWOW64\Flapkmlj.exeC:\Windows\system32\Flapkmlj.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1028 -
C:\Windows\SysWOW64\Fgfdie32.exeC:\Windows\system32\Fgfdie32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1972 -
C:\Windows\SysWOW64\Fiepea32.exeC:\Windows\system32\Fiepea32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2760 -
C:\Windows\SysWOW64\Flclam32.exeC:\Windows\system32\Flclam32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2356 -
C:\Windows\SysWOW64\Fcmdnfad.exeC:\Windows\system32\Fcmdnfad.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2588 -
C:\Windows\SysWOW64\Fleifl32.exeC:\Windows\system32\Fleifl32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2864 -
C:\Windows\SysWOW64\Fodebh32.exeC:\Windows\system32\Fodebh32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1004 -
C:\Windows\SysWOW64\Fdqnkoep.exeC:\Windows\system32\Fdqnkoep.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:960 -
C:\Windows\SysWOW64\Fhljkm32.exeC:\Windows\system32\Fhljkm32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2884 -
C:\Windows\SysWOW64\Ghofam32.exeC:\Windows\system32\Ghofam32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2148 -
C:\Windows\SysWOW64\Ggagmjbq.exeC:\Windows\system32\Ggagmjbq.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2732 -
C:\Windows\SysWOW64\Ggdcbi32.exeC:\Windows\system32\Ggdcbi32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2276 -
C:\Windows\SysWOW64\Gnnlocgk.exeC:\Windows\system32\Gnnlocgk.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2832 -
C:\Windows\SysWOW64\Gckdgjeb.exeC:\Windows\system32\Gckdgjeb.exe33⤵
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Gjdldd32.exeC:\Windows\system32\Gjdldd32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2292 -
C:\Windows\SysWOW64\Glchpp32.exeC:\Windows\system32\Glchpp32.exe35⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Gghmmilh.exeC:\Windows\system32\Gghmmilh.exe36⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Gnbejb32.exeC:\Windows\system32\Gnbejb32.exe37⤵
- Executes dropped EXE
PID:2272 -
C:\Windows\SysWOW64\Gmeeepjp.exeC:\Windows\system32\Gmeeepjp.exe38⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Gqcnln32.exeC:\Windows\system32\Gqcnln32.exe39⤵
- Executes dropped EXE
PID:684 -
C:\Windows\SysWOW64\Hcajhi32.exeC:\Windows\system32\Hcajhi32.exe40⤵
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Hfpfdeon.exeC:\Windows\system32\Hfpfdeon.exe41⤵
- Executes dropped EXE
PID:1836 -
C:\Windows\SysWOW64\Hkmollme.exeC:\Windows\system32\Hkmollme.exe42⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Hcdgmimg.exeC:\Windows\system32\Hcdgmimg.exe43⤵
- Executes dropped EXE
PID:340 -
C:\Windows\SysWOW64\Hdecea32.exeC:\Windows\system32\Hdecea32.exe44⤵
- Executes dropped EXE
PID:1080 -
C:\Windows\SysWOW64\Hnnhngjf.exeC:\Windows\system32\Hnnhngjf.exe45⤵
- Executes dropped EXE
PID:840 -
C:\Windows\SysWOW64\Hfepod32.exeC:\Windows\system32\Hfepod32.exe46⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Hegpjaac.exeC:\Windows\system32\Hegpjaac.exe47⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Hkahgk32.exeC:\Windows\system32\Hkahgk32.exe48⤵
- Executes dropped EXE
PID:1936 -
C:\Windows\SysWOW64\Hejmpqop.exeC:\Windows\system32\Hejmpqop.exe49⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Hieiqo32.exeC:\Windows\system32\Hieiqo32.exe50⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Hnbaif32.exeC:\Windows\system32\Hnbaif32.exe51⤵
- Executes dropped EXE
PID:1580 -
C:\Windows\SysWOW64\Haqnea32.exeC:\Windows\system32\Haqnea32.exe52⤵
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Hcojam32.exeC:\Windows\system32\Hcojam32.exe53⤵
- Executes dropped EXE
PID:2624 -
C:\Windows\SysWOW64\Hgkfal32.exeC:\Windows\system32\Hgkfal32.exe54⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Ikfbbjdj.exeC:\Windows\system32\Ikfbbjdj.exe55⤵
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Indnnfdn.exeC:\Windows\system32\Indnnfdn.exe56⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Imgnjb32.exeC:\Windows\system32\Imgnjb32.exe57⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Ieofkp32.exeC:\Windows\system32\Ieofkp32.exe58⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Igmbgk32.exeC:\Windows\system32\Igmbgk32.exe59⤵
- Executes dropped EXE
PID:1160 -
C:\Windows\SysWOW64\Ijkocg32.exeC:\Windows\system32\Ijkocg32.exe60⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Ingkdeak.exeC:\Windows\system32\Ingkdeak.exe61⤵
- Executes dropped EXE
PID:1532 -
C:\Windows\SysWOW64\Iaegpaao.exeC:\Windows\system32\Iaegpaao.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1256 -
C:\Windows\SysWOW64\Icdcllpc.exeC:\Windows\system32\Icdcllpc.exe63⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Ijnkifgp.exeC:\Windows\system32\Ijnkifgp.exe64⤵
- Executes dropped EXE
PID:1752 -
C:\Windows\SysWOW64\Iiqldc32.exeC:\Windows\system32\Iiqldc32.exe65⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Iahceq32.exeC:\Windows\system32\Iahceq32.exe66⤵PID:1076
-
C:\Windows\SysWOW64\Icfpbl32.exeC:\Windows\system32\Icfpbl32.exe67⤵PID:2164
-
C:\Windows\SysWOW64\Ijphofem.exeC:\Windows\system32\Ijphofem.exe68⤵PID:756
-
C:\Windows\SysWOW64\Imodkadq.exeC:\Windows\system32\Imodkadq.exe69⤵
- Drops file in System32 directory
PID:2920 -
C:\Windows\SysWOW64\Iladfn32.exeC:\Windows\system32\Iladfn32.exe70⤵PID:2868
-
C:\Windows\SysWOW64\Ichmgl32.exeC:\Windows\system32\Ichmgl32.exe71⤵PID:936
-
C:\Windows\SysWOW64\Ibkmchbh.exeC:\Windows\system32\Ibkmchbh.exe72⤵PID:2452
-
C:\Windows\SysWOW64\Imaapa32.exeC:\Windows\system32\Imaapa32.exe73⤵PID:1472
-
C:\Windows\SysWOW64\Ipomlm32.exeC:\Windows\system32\Ipomlm32.exe74⤵PID:3056
-
C:\Windows\SysWOW64\Jfieigio.exeC:\Windows\system32\Jfieigio.exe75⤵PID:3024
-
C:\Windows\SysWOW64\Jigbebhb.exeC:\Windows\system32\Jigbebhb.exe76⤵
- System Location Discovery: System Language Discovery
PID:564 -
C:\Windows\SysWOW64\Jndjmifj.exeC:\Windows\system32\Jndjmifj.exe77⤵PID:2496
-
C:\Windows\SysWOW64\Jacfidem.exeC:\Windows\system32\Jacfidem.exe78⤵PID:2212
-
C:\Windows\SysWOW64\Jlhkgm32.exeC:\Windows\system32\Jlhkgm32.exe79⤵PID:2188
-
C:\Windows\SysWOW64\Jjkkbjln.exeC:\Windows\system32\Jjkkbjln.exe80⤵PID:2196
-
C:\Windows\SysWOW64\Joggci32.exeC:\Windows\system32\Joggci32.exe81⤵PID:2520
-
C:\Windows\SysWOW64\Jaecod32.exeC:\Windows\system32\Jaecod32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1684 -
C:\Windows\SysWOW64\Jdcpkp32.exeC:\Windows\system32\Jdcpkp32.exe83⤵PID:1720
-
C:\Windows\SysWOW64\Jlkglm32.exeC:\Windows\system32\Jlkglm32.exe84⤵PID:2564
-
C:\Windows\SysWOW64\Jmlddeio.exeC:\Windows\system32\Jmlddeio.exe85⤵PID:2204
-
C:\Windows\SysWOW64\Jeclebja.exeC:\Windows\system32\Jeclebja.exe86⤵PID:1196
-
C:\Windows\SysWOW64\Jjpdmi32.exeC:\Windows\system32\Jjpdmi32.exe87⤵PID:2648
-
C:\Windows\SysWOW64\Jmnqje32.exeC:\Windows\system32\Jmnqje32.exe88⤵PID:2964
-
C:\Windows\SysWOW64\Jajmjcoe.exeC:\Windows\system32\Jajmjcoe.exe89⤵
- Drops file in System32 directory
PID:2476 -
C:\Windows\SysWOW64\Jhdegn32.exeC:\Windows\system32\Jhdegn32.exe90⤵PID:2988
-
C:\Windows\SysWOW64\Jfgebjnm.exeC:\Windows\system32\Jfgebjnm.exe91⤵PID:1860
-
C:\Windows\SysWOW64\Jieaofmp.exeC:\Windows\system32\Jieaofmp.exe92⤵
- Drops file in System32 directory
PID:908 -
C:\Windows\SysWOW64\Kpojkp32.exeC:\Windows\system32\Kpojkp32.exe93⤵PID:1948
-
C:\Windows\SysWOW64\Kbmfgk32.exeC:\Windows\system32\Kbmfgk32.exe94⤵PID:820
-
C:\Windows\SysWOW64\Kkdnhi32.exeC:\Windows\system32\Kkdnhi32.exe95⤵
- System Location Discovery: System Language Discovery
PID:1776 -
C:\Windows\SysWOW64\Kigndekn.exeC:\Windows\system32\Kigndekn.exe96⤵PID:1732
-
C:\Windows\SysWOW64\Klfjpa32.exeC:\Windows\system32\Klfjpa32.exe97⤵PID:1764
-
C:\Windows\SysWOW64\Kdmban32.exeC:\Windows\system32\Kdmban32.exe98⤵PID:2628
-
C:\Windows\SysWOW64\Kgkonj32.exeC:\Windows\system32\Kgkonj32.exe99⤵PID:2788
-
C:\Windows\SysWOW64\Kijkje32.exeC:\Windows\system32\Kijkje32.exe100⤵PID:2948
-
C:\Windows\SysWOW64\Kpdcfoph.exeC:\Windows\system32\Kpdcfoph.exe101⤵PID:2980
-
C:\Windows\SysWOW64\Kbbobkol.exeC:\Windows\system32\Kbbobkol.exe102⤵PID:2800
-
C:\Windows\SysWOW64\Keqkofno.exeC:\Windows\system32\Keqkofno.exe103⤵PID:1916
-
C:\Windows\SysWOW64\Kljdkpfl.exeC:\Windows\system32\Kljdkpfl.exe104⤵PID:1808
-
C:\Windows\SysWOW64\Kpfplo32.exeC:\Windows\system32\Kpfplo32.exe105⤵PID:1572
-
C:\Windows\SysWOW64\Kcdlhj32.exeC:\Windows\system32\Kcdlhj32.exe106⤵PID:1784
-
C:\Windows\SysWOW64\Kechdf32.exeC:\Windows\system32\Kechdf32.exe107⤵PID:1524
-
C:\Windows\SysWOW64\Kindeddf.exeC:\Windows\system32\Kindeddf.exe108⤵PID:2144
-
C:\Windows\SysWOW64\Khadpa32.exeC:\Windows\system32\Khadpa32.exe109⤵PID:700
-
C:\Windows\SysWOW64\Kkpqlm32.exeC:\Windows\system32\Kkpqlm32.exe110⤵PID:2912
-
C:\Windows\SysWOW64\Kajiigba.exeC:\Windows\system32\Kajiigba.exe111⤵PID:2432
-
C:\Windows\SysWOW64\Ldheebad.exeC:\Windows\system32\Ldheebad.exe112⤵PID:2936
-
C:\Windows\SysWOW64\Lkbmbl32.exeC:\Windows\system32\Lkbmbl32.exe113⤵PID:3008
-
C:\Windows\SysWOW64\Lnqjnhge.exeC:\Windows\system32\Lnqjnhge.exe114⤵PID:1208
-
C:\Windows\SysWOW64\Legaoehg.exeC:\Windows\system32\Legaoehg.exe115⤵PID:1156
-
C:\Windows\SysWOW64\Ldjbkb32.exeC:\Windows\system32\Ldjbkb32.exe116⤵PID:1324
-
C:\Windows\SysWOW64\Lgingm32.exeC:\Windows\system32\Lgingm32.exe117⤵PID:1084
-
C:\Windows\SysWOW64\Lncfcgeb.exeC:\Windows\system32\Lncfcgeb.exe118⤵PID:2140
-
C:\Windows\SysWOW64\Lpabpcdf.exeC:\Windows\system32\Lpabpcdf.exe119⤵PID:2108
-
C:\Windows\SysWOW64\Lgkkmm32.exeC:\Windows\system32\Lgkkmm32.exe120⤵PID:3040
-
C:\Windows\SysWOW64\Laqojfli.exeC:\Windows\system32\Laqojfli.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2224
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-