Analysis

max time kernel: 16s
max time network: 17s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 02-12-2024 01:43

Behavioral task: behavioral1
Sample: 87d9fcaa7eb40de49984736df0cf4f9be6fa6adf1ab5b591ccf5f841610e83a4N.exe
Resource: win7-20240729-en

Behavioral task: behavioral2
Sample: 87d9fcaa7eb40de49984736df0cf4f9be6fa6adf1ab5b591ccf5f841610e83a4N.exe
Resource: win10v2004-20241007-en

General

Target: 87d9fcaa7eb40de49984736df0cf4f9be6fa6adf1ab5b591ccf5f841610e83a4N.exe
Size: 163KB
MD5: e1d2e397cce23871d6800f0131836900
SHA1: ad38e84a0906be2ab26336c3fcdfa906c339263e
SHA256: 87d9fcaa7eb40de49984736df0cf4f9be6fa6adf1ab5b591ccf5f841610e83a4
SHA512: c042027335b5d368765be502162774461d951a200916ceb13e742623d507e3f83f077356fe44a4369997146639c54f54017edda20e993fcdc978b7d8f5a20a20
SSDEEP: 1536:PzFUEg/T48+taofUtZkJlProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:Bk/c8+4yUt2JltOrWKDBr+yJb
Malware Config

Extracted family: berbew
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Berbew family

Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.

Bruteratel family

Detect BruteRatel badger (1 IoC)
resource: behavioral1/files/0x000500000001c8be-641.dat, yara_rule: family_bruteratel
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid: 3500, pid_target: 3460, Process: WerFault.exe, procid_target: 259
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kngekdnf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omfnnnhj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojeakfnd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aadobccg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcmfjeap.dll" Efffpjmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgclj32.dll" Ijlaloaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnlpkh32.dll" Jkkjeeke.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpfbegei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Blgcio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cppobaeb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chbihc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" 87d9fcaa7eb40de49984736df0cf4f9be6fa6adf1ab5b591ccf5f841610e83a4N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbphgpfg.exe Key 
created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Okkkoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhndnpnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ecgjdong.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kckhdg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ooidei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pbepkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Coladm32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
87d9fcaa7eb40de49984736df0cf4f9be6fa6adf1ab5b591ccf5f841610e83a4N.exeIkfdkc32.exeIcbipe32.exeIjlaloaf.exeIjlaloaf.exeIngmmn32.exeIianmlfn.exeIqhfnifq.exeIciopdca.exeImacijjb.exeJkdcdf32.exeJihdnk32.exeJbphgpfg.exeJgmaog32.exeJbcelp32.exeJkkjeeke.exedescription pid Process procid_target PID 1792 wrote to memory of 2672 1792 87d9fcaa7eb40de49984736df0cf4f9be6fa6adf1ab5b591ccf5f841610e83a4N.exe 30 PID 1792 wrote to memory of 2672 1792 87d9fcaa7eb40de49984736df0cf4f9be6fa6adf1ab5b591ccf5f841610e83a4N.exe 30 PID 1792 wrote to memory of 2672 1792 87d9fcaa7eb40de49984736df0cf4f9be6fa6adf1ab5b591ccf5f841610e83a4N.exe 30 PID 1792 wrote to memory of 2672 1792 87d9fcaa7eb40de49984736df0cf4f9be6fa6adf1ab5b591ccf5f841610e83a4N.exe 30 PID 2672 wrote to memory of 2944 2672 Ikfdkc32.exe 31 PID 2672 wrote to memory of 2944 2672 Ikfdkc32.exe 31 PID 2672 wrote to memory of 2944 2672 Ikfdkc32.exe 31 PID 2672 wrote to memory of 2944 2672 Ikfdkc32.exe 31 PID 2944 wrote to memory of 2888 2944 Icbipe32.exe 32 PID 2944 wrote to memory of 2888 2944 Icbipe32.exe 32 PID 2944 wrote to memory of 2888 2944 Icbipe32.exe 32 PID 2944 wrote to memory of 2888 2944 Icbipe32.exe 32 PID 2888 wrote to memory of 2712 2888 Ijlaloaf.exe 33 PID 2888 wrote to memory of 2712 2888 Ijlaloaf.exe 33 PID 2888 wrote to memory of 2712 2888 Ijlaloaf.exe 33 PID 2888 wrote to memory of 2712 2888 Ijlaloaf.exe 33 PID 2712 wrote to memory of 2564 2712 Ijlaloaf.exe 34 PID 2712 wrote to memory of 2564 2712 Ijlaloaf.exe 34 PID 2712 wrote to memory of 2564 2712 Ijlaloaf.exe 34 PID 2712 wrote to memory of 2564 2712 Ijlaloaf.exe 34 PID 2564 wrote to memory of 2152 2564 Ingmmn32.exe 35 PID 2564 wrote to memory of 2152 2564 Ingmmn32.exe 35 PID 2564 wrote to memory of 2152 2564 Ingmmn32.exe 35 PID 2564 wrote to memory of 2152 2564 Ingmmn32.exe 35 PID 2152 wrote to memory of 1332 2152 Iianmlfn.exe 36 PID 2152 wrote to memory of 1332 2152 Iianmlfn.exe 36 PID 2152 wrote to memory of 1332 2152 Iianmlfn.exe 36 PID 2152 wrote to memory 
of 1332 2152 Iianmlfn.exe 36 PID 1332 wrote to memory of 2312 1332 Iqhfnifq.exe 37 PID 1332 wrote to memory of 2312 1332 Iqhfnifq.exe 37 PID 1332 wrote to memory of 2312 1332 Iqhfnifq.exe 37 PID 1332 wrote to memory of 2312 1332 Iqhfnifq.exe 37 PID 2312 wrote to memory of 2124 2312 Iciopdca.exe 38 PID 2312 wrote to memory of 2124 2312 Iciopdca.exe 38 PID 2312 wrote to memory of 2124 2312 Iciopdca.exe 38 PID 2312 wrote to memory of 2124 2312 Iciopdca.exe 38 PID 2124 wrote to memory of 2140 2124 Imacijjb.exe 39 PID 2124 wrote to memory of 2140 2124 Imacijjb.exe 39 PID 2124 wrote to memory of 2140 2124 Imacijjb.exe 39 PID 2124 wrote to memory of 2140 2124 Imacijjb.exe 39 PID 2140 wrote to memory of 2616 2140 Jkdcdf32.exe 40 PID 2140 wrote to memory of 2616 2140 Jkdcdf32.exe 40 PID 2140 wrote to memory of 2616 2140 Jkdcdf32.exe 40 PID 2140 wrote to memory of 2616 2140 Jkdcdf32.exe 40 PID 2616 wrote to memory of 2196 2616 Jihdnk32.exe 41 PID 2616 wrote to memory of 2196 2616 Jihdnk32.exe 41 PID 2616 wrote to memory of 2196 2616 Jihdnk32.exe 41 PID 2616 wrote to memory of 2196 2616 Jihdnk32.exe 41 PID 2196 wrote to memory of 2324 2196 Jbphgpfg.exe 42 PID 2196 wrote to memory of 2324 2196 Jbphgpfg.exe 42 PID 2196 wrote to memory of 2324 2196 Jbphgpfg.exe 42 PID 2196 wrote to memory of 2324 2196 Jbphgpfg.exe 42 PID 2324 wrote to memory of 700 2324 Jgmaog32.exe 43 PID 2324 wrote to memory of 700 2324 Jgmaog32.exe 43 PID 2324 wrote to memory of 700 2324 Jgmaog32.exe 43 PID 2324 wrote to memory of 700 2324 Jgmaog32.exe 43 PID 700 wrote to memory of 1964 700 Jbcelp32.exe 44 PID 700 wrote to memory of 1964 700 Jbcelp32.exe 44 PID 700 wrote to memory of 1964 700 Jbcelp32.exe 44 PID 700 wrote to memory of 1964 700 Jbcelp32.exe 44 PID 1964 wrote to memory of 1028 1964 Jkkjeeke.exe 45 PID 1964 wrote to memory of 1028 1964 Jkkjeeke.exe 45 PID 1964 wrote to memory of 1028 1964 Jkkjeeke.exe 45 PID 1964 wrote to memory of 1028 1964 Jkkjeeke.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\87d9fcaa7eb40de49984736df0cf4f9be6fa6adf1ab5b591ccf5f841610e83a4N.exe"C:\Users\Admin\AppData\Local\Temp\87d9fcaa7eb40de49984736df0cf4f9be6fa6adf1ab5b591ccf5f841610e83a4N.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1792 -
C:\Windows\SysWOW64\Ikfdkc32.exeC:\Windows\system32\Ikfdkc32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Icbipe32.exeC:\Windows\system32\Icbipe32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\Ijlaloaf.exeC:\Windows\system32\Ijlaloaf.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\Ijlaloaf.exeC:\Windows\system32\Ijlaloaf.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Ingmmn32.exeC:\Windows\system32\Ingmmn32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\SysWOW64\Iianmlfn.exeC:\Windows\system32\Iianmlfn.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Windows\SysWOW64\Iqhfnifq.exeC:\Windows\system32\Iqhfnifq.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1332 -
C:\Windows\SysWOW64\Iciopdca.exeC:\Windows\system32\Iciopdca.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2312 -
C:\Windows\SysWOW64\Imacijjb.exeC:\Windows\system32\Imacijjb.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Windows\SysWOW64\Jkdcdf32.exeC:\Windows\system32\Jkdcdf32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Windows\SysWOW64\Jihdnk32.exeC:\Windows\system32\Jihdnk32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Jbphgpfg.exeC:\Windows\system32\Jbphgpfg.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Windows\SysWOW64\Jgmaog32.exeC:\Windows\system32\Jgmaog32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\SysWOW64\Jbcelp32.exeC:\Windows\system32\Jbcelp32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:700 -
C:\Windows\SysWOW64\Jkkjeeke.exeC:\Windows\system32\Jkkjeeke.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Windows\SysWOW64\Jjnjqb32.exeC:\Windows\system32\Jjnjqb32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1028 -
C:\Windows\SysWOW64\Jgbjjf32.exeC:\Windows\system32\Jgbjjf32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2060 -
C:\Windows\SysWOW64\Kjbclamj.exeC:\Windows\system32\Kjbclamj.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2068 -
C:\Windows\SysWOW64\Kppldhla.exeC:\Windows\system32\Kppldhla.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1268 -
C:\Windows\SysWOW64\Kckhdg32.exeC:\Windows\system32\Kckhdg32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1092 -
C:\Windows\SysWOW64\Kihpmnbb.exeC:\Windows\system32\Kihpmnbb.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1744 -
C:\Windows\SysWOW64\Kijmbnpo.exeC:\Windows\system32\Kijmbnpo.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2424 -
C:\Windows\SysWOW64\Kngekdnf.exeC:\Windows\system32\Kngekdnf.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1660 -
C:\Windows\SysWOW64\Kfnnlboi.exeC:\Windows\system32\Kfnnlboi.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1648 -
C:\Windows\SysWOW64\Kpfbegei.exeC:\Windows\system32\Kpfbegei.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1948 -
C:\Windows\SysWOW64\Khagijcd.exeC:\Windows\system32\Khagijcd.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2700 -
C:\Windows\SysWOW64\Lolofd32.exeC:\Windows\system32\Lolofd32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2792 -
C:\Windows\SysWOW64\Lbgkfbbj.exeC:\Windows\system32\Lbgkfbbj.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2784 -
C:\Windows\SysWOW64\Lkbpke32.exeC:\Windows\system32\Lkbpke32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2684 -
C:\Windows\SysWOW64\Lehdhn32.exeC:\Windows\system32\Lehdhn32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:3012 -
C:\Windows\SysWOW64\Lophacfl.exeC:\Windows\system32\Lophacfl.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2848 -
C:\Windows\SysWOW64\Lmeebpkd.exeC:\Windows\system32\Lmeebpkd.exe33⤵
- Executes dropped EXE
PID:1072 -
C:\Windows\SysWOW64\Laaabo32.exeC:\Windows\system32\Laaabo32.exe34⤵
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Lgnjke32.exeC:\Windows\system32\Lgnjke32.exe35⤵
- Executes dropped EXE
PID:792 -
C:\Windows\SysWOW64\Ldbjdj32.exeC:\Windows\system32\Ldbjdj32.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:2860 -
C:\Windows\SysWOW64\Lcdjpfgh.exeC:\Windows\system32\Lcdjpfgh.exe37⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Mlmoilni.exeC:\Windows\system32\Mlmoilni.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2376 -
C:\Windows\SysWOW64\Mokkegmm.exeC:\Windows\system32\Mokkegmm.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:2264 -
C:\Windows\SysWOW64\Meecaa32.exeC:\Windows\system32\Meecaa32.exe40⤵
- Executes dropped EXE
PID:1484 -
C:\Windows\SysWOW64\Mhdpnm32.exeC:\Windows\system32\Mhdpnm32.exe41⤵
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Maldfbjn.exeC:\Windows\system32\Maldfbjn.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Mhflcm32.exeC:\Windows\system32\Mhflcm32.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2164 -
C:\Windows\SysWOW64\Mkdioh32.exeC:\Windows\system32\Mkdioh32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2168 -
C:\Windows\SysWOW64\Maoalb32.exeC:\Windows\system32\Maoalb32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1020 -
C:\Windows\SysWOW64\Mkgeehnl.exeC:\Windows\system32\Mkgeehnl.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:696 -
C:\Windows\SysWOW64\Mobaef32.exeC:\Windows\system32\Mobaef32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1368 -
C:\Windows\SysWOW64\Mdojnm32.exeC:\Windows\system32\Mdojnm32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1696 -
C:\Windows\SysWOW64\Mgnfji32.exeC:\Windows\system32\Mgnfji32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2444 -
C:\Windows\SysWOW64\Moenkf32.exeC:\Windows\system32\Moenkf32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:888 -
C:\Windows\SysWOW64\Macjgadf.exeC:\Windows\system32\Macjgadf.exe51⤵
- Executes dropped EXE
PID:1280 -
C:\Windows\SysWOW64\Ndafcmci.exeC:\Windows\system32\Ndafcmci.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Nhmbdl32.exeC:\Windows\system32\Nhmbdl32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2688 -
C:\Windows\SysWOW64\Njnokdaq.exeC:\Windows\system32\Njnokdaq.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2560 -
C:\Windows\SysWOW64\Nnjklb32.exeC:\Windows\system32\Nnjklb32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2916 -
C:\Windows\SysWOW64\Nphghn32.exeC:\Windows\system32\Nphghn32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1208 -
C:\Windows\SysWOW64\Ncgcdi32.exeC:\Windows\system32\Ncgcdi32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:1808 -
C:\Windows\SysWOW64\Nknkeg32.exeC:\Windows\system32\Nknkeg32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2608 -
C:\Windows\SysWOW64\Njalacon.exeC:\Windows\system32\Njalacon.exe59⤵
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Npkdnnfk.exeC:\Windows\system32\Npkdnnfk.exe60⤵
- Executes dropped EXE
PID:484 -
C:\Windows\SysWOW64\Ndfpnl32.exeC:\Windows\system32\Ndfpnl32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:536 -
C:\Windows\SysWOW64\Ngeljh32.exeC:\Windows\system32\Ngeljh32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2980 -
C:\Windows\SysWOW64\Nfglfdeb.exeC:\Windows\system32\Nfglfdeb.exe63⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Nnodgbed.exeC:\Windows\system32\Nnodgbed.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:952 -
C:\Windows\SysWOW64\Nqmqcmdh.exeC:\Windows\system32\Nqmqcmdh.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1472 -
C:\Windows\SysWOW64\Nckmpicl.exeC:\Windows\system32\Nckmpicl.exe66⤵
- System Location Discovery: System Language Discovery
PID:1316 -
C:\Windows\SysWOW64\Nfjildbp.exeC:\Windows\system32\Nfjildbp.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1480 -
C:\Windows\SysWOW64\Nhhehpbc.exeC:\Windows\system32\Nhhehpbc.exe68⤵PID:2744
-
C:\Windows\SysWOW64\Nldahn32.exeC:\Windows\system32\Nldahn32.exe69⤵PID:1564
-
C:\Windows\SysWOW64\Nobndj32.exeC:\Windows\system32\Nobndj32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2548 -
C:\Windows\SysWOW64\Nbqjqehd.exeC:\Windows\system32\Nbqjqehd.exe71⤵PID:1584
-
C:\Windows\SysWOW64\Nhkbmo32.exeC:\Windows\system32\Nhkbmo32.exe72⤵PID:2624
-
C:\Windows\SysWOW64\Omfnnnhj.exeC:\Windows\system32\Omfnnnhj.exe73⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1272 -
C:\Windows\SysWOW64\Oodjjign.exeC:\Windows\system32\Oodjjign.exe74⤵PID:1952
-
C:\Windows\SysWOW64\Obcffefa.exeC:\Windows\system32\Obcffefa.exe75⤵PID:2336
-
C:\Windows\SysWOW64\Odacbpee.exeC:\Windows\system32\Odacbpee.exe76⤵
- System Location Discovery: System Language Discovery
PID:2868 -
C:\Windows\SysWOW64\Ohmoco32.exeC:\Windows\system32\Ohmoco32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1516 -
C:\Windows\SysWOW64\Okkkoj32.exeC:\Windows\system32\Okkkoj32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2076 -
C:\Windows\SysWOW64\Onjgkf32.exeC:\Windows\system32\Onjgkf32.exe79⤵
- Drops file in System32 directory
PID:1136 -
C:\Windows\SysWOW64\Ofaolcmh.exeC:\Windows\system32\Ofaolcmh.exe80⤵
- Modifies registry class
PID:2088 -
C:\Windows\SysWOW64\Oiokholk.exeC:\Windows\system32\Oiokholk.exe81⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:944 -
C:\Windows\SysWOW64\Ogbldk32.exeC:\Windows\system32\Ogbldk32.exe82⤵PID:2436
-
C:\Windows\SysWOW64\Ooidei32.exeC:\Windows\system32\Ooidei32.exe83⤵
- Drops file in System32 directory
- Modifies registry class
PID:2588 -
C:\Windows\SysWOW64\Oqkpmaif.exeC:\Windows\system32\Oqkpmaif.exe84⤵PID:1872
-
C:\Windows\SysWOW64\Oiahnnji.exeC:\Windows\system32\Oiahnnji.exe85⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:836 -
C:\Windows\SysWOW64\Okpdjjil.exeC:\Windows\system32\Okpdjjil.exe86⤵PID:2084
-
C:\Windows\SysWOW64\Onoqfehp.exeC:\Windows\system32\Onoqfehp.exe87⤵
- System Location Discovery: System Language Discovery
PID:1592 -
C:\Windows\SysWOW64\Objmgd32.exeC:\Windows\system32\Objmgd32.exe88⤵PID:2604
-
C:\Windows\SysWOW64\Ockinl32.exeC:\Windows\system32\Ockinl32.exe89⤵
- System Location Discovery: System Language Discovery
PID:2600 -
C:\Windows\SysWOW64\Ojeakfnd.exeC:\Windows\system32\Ojeakfnd.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1124 -
C:\Windows\SysWOW64\Onamle32.exeC:\Windows\system32\Onamle32.exe91⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2112 -
C:\Windows\SysWOW64\Oekehomj.exeC:\Windows\system32\Oekehomj.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2928 -
C:\Windows\SysWOW64\Pgibdjln.exeC:\Windows\system32\Pgibdjln.exe93⤵
- Drops file in System32 directory
PID:2008 -
C:\Windows\SysWOW64\Pncjad32.exeC:\Windows\system32\Pncjad32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1692 -
C:\Windows\SysWOW64\Pmfjmake.exeC:\Windows\system32\Pmfjmake.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:3044 -
C:\Windows\SysWOW64\Pcpbik32.exeC:\Windows\system32\Pcpbik32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:828 -
C:\Windows\SysWOW64\Pfnoegaf.exeC:\Windows\system32\Pfnoegaf.exe97⤵PID:1308
-
C:\Windows\SysWOW64\Pimkbbpi.exeC:\Windows\system32\Pimkbbpi.exe98⤵
- System Location Discovery: System Language Discovery
PID:2308 -
C:\Windows\SysWOW64\Padccpal.exeC:\Windows\system32\Padccpal.exe99⤵
- System Location Discovery: System Language Discovery
PID:2668 -
C:\Windows\SysWOW64\Pbepkh32.exeC:\Windows\system32\Pbepkh32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1596 -
C:\Windows\SysWOW64\Pjlgle32.exeC:\Windows\system32\Pjlgle32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1992 -
C:\Windows\SysWOW64\Pmkdhq32.exeC:\Windows\system32\Pmkdhq32.exe102⤵
- Modifies registry class
PID:1320 -
C:\Windows\SysWOW64\Ppipdl32.exeC:\Windows\system32\Ppipdl32.exe103⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2724 -
C:\Windows\SysWOW64\Pfchqf32.exeC:\Windows\system32\Pfchqf32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2012 -
C:\Windows\SysWOW64\Pefhlcdk.exeC:\Windows\system32\Pefhlcdk.exe105⤵PID:1836
-
C:\Windows\SysWOW64\Pmmqmpdm.exeC:\Windows\system32\Pmmqmpdm.exe106⤵PID:2628
-
C:\Windows\SysWOW64\Pnnmeh32.exeC:\Windows\system32\Pnnmeh32.exe107⤵PID:2080
-
C:\Windows\SysWOW64\Pfeeff32.exeC:\Windows\system32\Pfeeff32.exe108⤵PID:1876
-
C:\Windows\SysWOW64\Pidaba32.exeC:\Windows\system32\Pidaba32.exe109⤵
- System Location Discovery: System Language Discovery
PID:976 -
C:\Windows\SysWOW64\Qnqjkh32.exeC:\Windows\system32\Qnqjkh32.exe110⤵PID:1044
-
C:\Windows\SysWOW64\Qaofgc32.exeC:\Windows\system32\Qaofgc32.exe111⤵PID:2292
-
C:\Windows\SysWOW64\Qhincn32.exeC:\Windows\system32\Qhincn32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1712 -
C:\Windows\SysWOW64\Qjgjpi32.exeC:\Windows\system32\Qjgjpi32.exe113⤵
- Drops file in System32 directory
PID:2584 -
C:\Windows\SysWOW64\Qaablcej.exeC:\Windows\system32\Qaablcej.exe114⤵PID:3064
-
C:\Windows\SysWOW64\Qdpohodn.exeC:\Windows\system32\Qdpohodn.exe115⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2580 -
C:\Windows\SysWOW64\Ajjgei32.exeC:\Windows\system32\Ajjgei32.exe116⤵PID:2780
-
C:\Windows\SysWOW64\Aadobccg.exeC:\Windows\system32\Aadobccg.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1504 -
C:\Windows\SysWOW64\Ahngomkd.exeC:\Windows\system32\Ahngomkd.exe118⤵PID:2212
-
C:\Windows\SysWOW64\Anhpkg32.exeC:\Windows\system32\Anhpkg32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2924 -
C:\Windows\SysWOW64\Apilcoho.exeC:\Windows\system32\Apilcoho.exe120⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2204 -
C:\Windows\SysWOW64\Afcdpi32.exeC:\Windows\system32\Afcdpi32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2184 -
C:\Windows\SysWOW64\Aiaqle32.exeC:\Windows\system32\Aiaqle32.exe122⤵PID:1256