Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
02-12-2024 11:57
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b641031112902da2c870e99b476714c2ced35623657da84cd9f26a3e55ce7e47N.exe
Resource
win7-20240903-en
windows7-x64
13 signatures
120 seconds
Behavioral task
behavioral2
Sample
b641031112902da2c870e99b476714c2ced35623657da84cd9f26a3e55ce7e47N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
12 signatures
120 seconds
General
-
Target
b641031112902da2c870e99b476714c2ced35623657da84cd9f26a3e55ce7e47N.exe
-
Size
96KB
-
MD5
694638840f8fea55d636029ecfbe67f0
-
SHA1
4d2feee09048ec0fbfbd16b10dd4e37876a0b9eb
-
SHA256
b641031112902da2c870e99b476714c2ced35623657da84cd9f26a3e55ce7e47
-
SHA512
afc962b4aac1e798411c2ece39b4cdf81134636b3dbda75de225dac90c5c928c2ee7a2eaa308e647b4064bf5d34a588af682ebc333cfe49e9a86ae50c611a37a
-
SSDEEP
1536:zsjrDK4gkdsn8fNv9O9y1q/2L+7RZObZUUWaegPYAm:zsjreGs8i9eqE+ClUUWaet
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Nhdhif32.exeKekiphge.exeLoqmba32.exeAdlcfjgh.exeKlhemhpk.exeGfejjgli.exeGiipab32.exeKlbdgb32.exeNmlgfnal.exeObmnna32.exePidfdofi.exeBjmeiq32.exeBjdkjpkb.exeClojhf32.exeGdkgkcpq.exeDpkibo32.exeEoiiijcc.exeHmalldcn.exePhlclgfc.exeCeebklai.exeBbgqjdce.exeQnebjc32.exeHifpke32.exeIliebpfc.exeJmfafgbd.exePmkhjncg.exeMlfacfpc.exeBecpap32.exeBqijljfd.exePlolgk32.exeMnifja32.exeNajpll32.exeOeehln32.exeHahnac32.exeLhiakf32.exeNlqmmd32.exeBkegah32.exeJnnnalph.exeCchbgi32.exeCpiqmlfm.exeKnfndjdp.exeLhnkffeo.exeMdiefffn.exeMmdjkhdh.exeMobfgdcl.exeCmpgpond.exeBflbigdb.exeAbegfa32.exeOgknoe32.exePckajebj.exeAopahjll.exeMcckcbgp.exePplaki32.exeJhafhe32.exeGkephn32.exeMmgfqh32.exePofkha32.exeAgolnbok.exeBkklhjnk.exePkdihhag.exeBaojapfj.exeCbffoabe.exeLqejbiim.exeQcachc32.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhdhif32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kekiphge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Loqmba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adlcfjgh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klhemhpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfejjgli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Giipab32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klbdgb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmlgfnal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obmnna32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pidfdofi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjmeiq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjdkjpkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clojhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdkgkcpq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpkibo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eoiiijcc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmalldcn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phlclgfc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ceebklai.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbgqjdce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qnebjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hifpke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iliebpfc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmfafgbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmkhjncg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlfacfpc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Becpap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bqijljfd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plolgk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnifja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Najpll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oeehln32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hahnac32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhiakf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlqmmd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkegah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnnnalph.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cchbgi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpiqmlfm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knfndjdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhnkffeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdiefffn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmdjkhdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mobfgdcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmpgpond.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bflbigdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abegfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogknoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pckajebj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aopahjll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcckcbgp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pplaki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhafhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkephn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmgfqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pofkha32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agolnbok.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkklhjnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkdihhag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Baojapfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbffoabe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqejbiim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qcachc32.exe -
Berbew family
-
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
-
Bruteratel family
-
Detect BruteRatel badger 3 IoCs
Processes:
resource yara_rule behavioral1/files/0x000400000001d3f0-1863.dat family_bruteratel behavioral1/files/0x000400000001da55-2358.dat family_bruteratel behavioral1/files/0x000400000001da60-2368.dat family_bruteratel -
Executes dropped EXE 64 IoCs
Processes:
Iibfajdc.exeIplnnd32.exeIbkkjp32.exeIhhcbf32.exeIbmgpoia.exeIigpli32.exeJkhldafl.exeJenpajfb.exeJhlmmfef.exeJepmgj32.exeJdcmbgkj.exeJpjngh32.exeJhafhe32.exeJnnnalph.exeJplkmgol.exeJdhgnf32.exeJkbojpna.exeJpogbgmi.exeKcmcoblm.exeKjglkm32.exeKnbhlkkc.exeKlehgh32.exeKoddccaa.exeKfnmpn32.exeKhlili32.exeKlhemhpk.exeKofaicon.exeKcdjoaee.exeKfbfkmeh.exeKllnhg32.exeKokjdb32.exeKnnkpobc.exeKhcomhbi.exeLnpgeopa.exeLdjpbign.exeLkdhoc32.exeLqqpgj32.exeLjieppcb.exeLneaqn32.exeLcaiiejc.exeLfpeeqig.exeLjkaeo32.exeLqejbiim.exeLjnnko32.exeLmljgj32.exeLqhfhigj.exeLcfbdd32.exeMkaghg32.exeMpmcielb.exeMbkpeake.exeMfglep32.exeMiehak32.exeMmadbjkk.exeMkddnf32.exeMpopnejo.exeMfihkoal.exeMelifl32.exeMihdgkpp.exeMlfacfpc.exeMbpipp32.exeMeoell32.exeMlhnifmq.exeMjkndb32.exeMngjeamd.exepid Process 2512 Iibfajdc.exe 1964 Iplnnd32.exe 2344 Ibkkjp32.exe 2828 Ihhcbf32.exe 2736 Ibmgpoia.exe 2628 Iigpli32.exe 2620 Jkhldafl.exe 2452 Jenpajfb.exe 1116 Jhlmmfef.exe 1800 Jepmgj32.exe 596 Jdcmbgkj.exe 2592 Jpjngh32.exe 1848 Jhafhe32.exe 2940 Jnnnalph.exe 2200 Jplkmgol.exe 996 Jdhgnf32.exe 3004 Jkbojpna.exe 1628 Jpogbgmi.exe 684 Kcmcoblm.exe 2864 Kjglkm32.exe 1720 Knbhlkkc.exe 912 Klehgh32.exe 2192 Koddccaa.exe 1820 Kfnmpn32.exe 2456 Khlili32.exe 1580 Klhemhpk.exe 1712 Kofaicon.exe 1164 Kcdjoaee.exe 2812 Kfbfkmeh.exe 2332 Kllnhg32.exe 2920 Kokjdb32.exe 2796 Knnkpobc.exe 3052 Khcomhbi.exe 1020 Lnpgeopa.exe 1172 Ldjpbign.exe 492 Lkdhoc32.exe 2020 Lqqpgj32.exe 2916 Ljieppcb.exe 1760 Lneaqn32.exe 2264 Lcaiiejc.exe 2404 Lfpeeqig.exe 3000 Ljkaeo32.exe 2072 Lqejbiim.exe 1988 Ljnnko32.exe 1744 Lmljgj32.exe 1080 Lqhfhigj.exe 752 Lcfbdd32.exe 2132 Mkaghg32.exe 1592 Mpmcielb.exe 2416 Mbkpeake.exe 2732 Mfglep32.exe 2988 Miehak32.exe 2976 Mmadbjkk.exe 2740 Mkddnf32.exe 1976 Mpopnejo.exe 1968 Mfihkoal.exe 1728 Melifl32.exe 1476 Mihdgkpp.exe 1792 Mlfacfpc.exe 2932 Mbpipp32.exe 2196 Meoell32.exe 2996 Mlhnifmq.exe 1296 Mjkndb32.exe 2784 Mngjeamd.exe -
Loads dropped DLL 64 IoCs
Processes:
b641031112902da2c870e99b476714c2ced35623657da84cd9f26a3e55ce7e47N.exeIibfajdc.exeIplnnd32.exeIbkkjp32.exeIhhcbf32.exeIbmgpoia.exeIigpli32.exeJkhldafl.exeJenpajfb.exeJhlmmfef.exeJepmgj32.exeJdcmbgkj.exeJpjngh32.exeJhafhe32.exeJnnnalph.exeJplkmgol.exeJdhgnf32.exeJkbojpna.exeJpogbgmi.exeKcmcoblm.exeKjglkm32.exeKnbhlkkc.exeKlehgh32.exeKoddccaa.exeKfnmpn32.exeKhlili32.exeKlhemhpk.exeKofaicon.exeKcdjoaee.exeKfbfkmeh.exeKllnhg32.exeKokjdb32.exepid Process 1992 b641031112902da2c870e99b476714c2ced35623657da84cd9f26a3e55ce7e47N.exe 1992 b641031112902da2c870e99b476714c2ced35623657da84cd9f26a3e55ce7e47N.exe 2512 Iibfajdc.exe 2512 Iibfajdc.exe 1964 Iplnnd32.exe 1964 Iplnnd32.exe 2344 Ibkkjp32.exe 2344 Ibkkjp32.exe 2828 Ihhcbf32.exe 2828 Ihhcbf32.exe 2736 Ibmgpoia.exe 2736 Ibmgpoia.exe 2628 Iigpli32.exe 2628 Iigpli32.exe 2620 Jkhldafl.exe 2620 Jkhldafl.exe 2452 Jenpajfb.exe 2452 Jenpajfb.exe 1116 Jhlmmfef.exe 1116 Jhlmmfef.exe 1800 Jepmgj32.exe 1800 Jepmgj32.exe 596 Jdcmbgkj.exe 596 Jdcmbgkj.exe 2592 Jpjngh32.exe 2592 Jpjngh32.exe 1848 Jhafhe32.exe 1848 Jhafhe32.exe 2940 Jnnnalph.exe 2940 Jnnnalph.exe 2200 Jplkmgol.exe 2200 Jplkmgol.exe 996 Jdhgnf32.exe 996 Jdhgnf32.exe 3004 Jkbojpna.exe 3004 Jkbojpna.exe 1628 Jpogbgmi.exe 1628 Jpogbgmi.exe 684 Kcmcoblm.exe 684 Kcmcoblm.exe 2864 Kjglkm32.exe 2864 Kjglkm32.exe 1720 Knbhlkkc.exe 1720 Knbhlkkc.exe 912 Klehgh32.exe 912 Klehgh32.exe 2192 Koddccaa.exe 2192 Koddccaa.exe 1820 Kfnmpn32.exe 1820 Kfnmpn32.exe 2456 Khlili32.exe 2456 Khlili32.exe 1580 Klhemhpk.exe 1580 Klhemhpk.exe 1712 Kofaicon.exe 1712 Kofaicon.exe 1164 Kcdjoaee.exe 1164 Kcdjoaee.exe 2812 Kfbfkmeh.exe 2812 Kfbfkmeh.exe 2332 Kllnhg32.exe 2332 Kllnhg32.exe 2920 Kokjdb32.exe 2920 Kokjdb32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Njjcip32.exeBceibfgj.exeGjojef32.exePkcbnanl.exeOabkom32.exeMkddnf32.exeAmfognic.exeCeeieced.exeEeohkeoe.exeMjcaimgg.exeNlcibc32.exeOiffkkbk.exeAojabdlf.exeDifnaqih.exeDphmloih.exeFgnadkic.exeKnmdeioh.exeOdchbe32.exeMnomjl32.exeOehdan32.exeHcigco32.exeOococb32.exePgbdodnh.exeIhglhp32.exeJedcpi32.exeDbifnj32.exeHmalldcn.exeNnmlcp32.exeOplelf32.exeAkfkbd32.exeMeabakda.exeAknlofim.exeBnldjekl.exeFjhcegll.exeKdpfadlm.exeKpkpadnl.exeMjkndb32.exeBgblmk32.exeHakkgc32.exeEelkeeah.exeEcbhdi32.exeLbcbjlmb.exeNcnngfna.exePnbojmmp.exeNjfjnpgp.exeNnkcpq32.exeLlgjaeoj.exeNdqkleln.exeAhpifj32.exeBccmmf32.exeAmaelomh.exeCpdgbm32.exeKjokokha.exeLldmleam.exeNeknki32.exeNlfmbibo.exeOpaebkmc.exeEclbcj32.exeEnlidg32.exeNajpll32.exePlmpblnb.exeCehfkb32.exedescription ioc Process File created C:\Windows\SysWOW64\Omioekbo.exe Njjcip32.exe File opened for modification C:\Windows\SysWOW64\Bgaebe32.exe Bceibfgj.exe File opened for modification C:\Windows\SysWOW64\Gmmfaa32.exe Gjojef32.exe File created C:\Windows\SysWOW64\Pnbojmmp.exe Pkcbnanl.exe File created C:\Windows\SysWOW64\Oemgplgo.exe Oabkom32.exe File created C:\Windows\SysWOW64\Mpopnejo.exe Mkddnf32.exe File created C:\Windows\SysWOW64\Dognqkje.dll Amfognic.exe File created C:\Windows\SysWOW64\Amjllk32.dll Ceeieced.exe File created C:\Windows\SysWOW64\Ehmdgp32.exe Eeohkeoe.exe File created C:\Windows\SysWOW64\Mnomjl32.exe Mjcaimgg.exe File opened for modification C:\Windows\SysWOW64\Njfjnpgp.exe Nlcibc32.exe File opened for modification C:\Windows\SysWOW64\Ohiffh32.exe Oiffkkbk.exe File created C:\Windows\SysWOW64\Dkppib32.dll Aojabdlf.exe File opened for modification C:\Windows\SysWOW64\Dldkmlhl.exe Difnaqih.exe File created C:\Windows\SysWOW64\Dhpemm32.exe Dphmloih.exe File opened for modification C:\Windows\SysWOW64\Fjlmpfhg.exe Fgnadkic.exe File opened for modification C:\Windows\SysWOW64\Kpkpadnl.exe Knmdeioh.exe File created C:\Windows\SysWOW64\Ofadnq32.exe Odchbe32.exe File opened for modification C:\Windows\SysWOW64\Mqnifg32.exe Mnomjl32.exe File created C:\Windows\SysWOW64\Ohniib32.dll Oehdan32.exe File created C:\Windows\SysWOW64\Hfhcoj32.exe Hcigco32.exe File created C:\Windows\SysWOW64\Oabkom32.exe Oococb32.exe File created C:\Windows\SysWOW64\Piqpkpml.exe Pgbdodnh.exe File opened for modification C:\Windows\SysWOW64\Ifjlcmmj.exe Ihglhp32.exe File created C:\Windows\SysWOW64\Gjcgnola.dll Jedcpi32.exe File created C:\Windows\SysWOW64\Dgeaoinb.exe Dbifnj32.exe File created C:\Windows\SysWOW64\Hpphhp32.exe Hmalldcn.exe File created C:\Windows\SysWOW64\Nbhhdnlh.exe Nnmlcp32.exe File opened for modification C:\Windows\SysWOW64\Odgamdef.exe Oplelf32.exe File created C:\Windows\SysWOW64\Aoagccfn.exe Akfkbd32.exe File created C:\Windows\SysWOW64\Clnoge32.dll Meabakda.exe File created C:\Windows\SysWOW64\Anlhkbhq.exe Aknlofim.exe File opened for modification C:\Windows\SysWOW64\Bbgqjdce.exe Bnldjekl.exe File created C:\Windows\SysWOW64\Mcjdhh32.dll Fjhcegll.exe File created C:\Windows\SysWOW64\Lgnebokc.dll Kdpfadlm.exe File created C:\Windows\SysWOW64\Gobdahei.dll Kpkpadnl.exe File opened for modification C:\Windows\SysWOW64\Mngjeamd.exe Mjkndb32.exe File opened for modification C:\Windows\SysWOW64\Bkmhnjlh.exe Bgblmk32.exe File created C:\Windows\SysWOW64\Hcigco32.exe Hakkgc32.exe File created C:\Windows\SysWOW64\Epbpbnan.exe Eelkeeah.exe File created C:\Windows\SysWOW64\Eaeipfei.exe Ecbhdi32.exe File opened for modification C:\Windows\SysWOW64\Ldbofgme.exe Lbcbjlmb.exe File opened for modification C:\Windows\SysWOW64\Nlefhcnc.exe Ncnngfna.exe File created C:\Windows\SysWOW64\Kbdjfk32.dll Pnbojmmp.exe File created C:\Windows\SysWOW64\Nnafnopi.exe Njfjnpgp.exe File opened for modification C:\Windows\SysWOW64\Najpll32.exe Nnkcpq32.exe File created C:\Windows\SysWOW64\Ljlmgnqj.dll Llgjaeoj.exe File created C:\Windows\SysWOW64\Khdecggq.dll Ndqkleln.exe File created C:\Windows\SysWOW64\Incjbkig.dll Ahpifj32.exe File created C:\Windows\SysWOW64\Lkknbejg.dll Bccmmf32.exe File opened for modification C:\Windows\SysWOW64\Aopahjll.exe Amaelomh.exe File created C:\Windows\SysWOW64\Ccpcckck.exe Cpdgbm32.exe File created C:\Windows\SysWOW64\Jpbbmeon.dll Kjokokha.exe File created C:\Windows\SysWOW64\Djmlem32.dll Lldmleam.exe File created C:\Windows\SysWOW64\Ldbofgme.exe Lbcbjlmb.exe File created C:\Windows\SysWOW64\Eamjfeja.dll Neknki32.exe File opened for modification C:\Windows\SysWOW64\Nbpeoc32.exe Nlfmbibo.exe File created C:\Windows\SysWOW64\Mapecq32.dll Opaebkmc.exe File created C:\Windows\SysWOW64\Foibdham.dll Eclbcj32.exe File opened for modification C:\Windows\SysWOW64\Eecafd32.exe Enlidg32.exe File opened for modification C:\Windows\SysWOW64\Npmphinm.exe Najpll32.exe File created C:\Windows\SysWOW64\Poklngnf.exe Plmpblnb.exe File opened for modification C:\Windows\SysWOW64\Cicalakk.exe Cehfkb32.exe File created C:\Windows\SysWOW64\Fdcfhj32.dll Ecbhdi32.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target Process procid_target 6328 6260 WerFault.exe 645 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Becpap32.exeEoepnk32.exeFdiogq32.exeHneeilgj.exeMdghaf32.exeQgjccb32.exePilfpqaa.exeAdfqgl32.exeKnhjjj32.exeOoabmbbe.exePdeqfhjd.exeBejfao32.exeHidcef32.exeAccqnc32.exeOopijc32.exeMnmpdlac.exeLkdhoc32.exeLjieppcb.exeAflfjc32.exeBflbigdb.exeDogpdg32.exeKaajei32.exeJhlmmfef.exeJhafhe32.exeApgagg32.exeBffbdadk.exeCocphf32.exeNipdkieg.exeQgmpibam.exeJeafjiop.exeMcckcbgp.exeNlnpgd32.exeOaghki32.exeKjglkm32.exeNmejllia.exeIhdpbq32.exeAmaelomh.exeBkklhjnk.exeMggabaea.exeNbflno32.exeLqqpgj32.exeNlfmbibo.exePincfpoo.exeObmnna32.exeBnqned32.exeFgldnkkf.exeBdqlajbb.exeNecogkbo.exeQaqnkafa.exeAfgmodel.exeGgnmbn32.exeLdbofgme.exePmkhjncg.exeAdlcfjgh.exeOlmcchlg.exePlolgk32.exeJmfafgbd.exeQndkpmkm.exeBimoloog.exeBfqpecma.exeCcpcckck.exeCopjdhib.exeFcnkhmdp.exeCcjoli32.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Becpap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eoepnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdiogq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hneeilgj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdghaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qgjccb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pilfpqaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adfqgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knhjjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooabmbbe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdeqfhjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bejfao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hidcef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Accqnc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oopijc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnmpdlac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkdhoc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljieppcb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aflfjc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bflbigdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dogpdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaajei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhlmmfef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhafhe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apgagg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bffbdadk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cocphf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nipdkieg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qgmpibam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jeafjiop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcckcbgp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlnpgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaghki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjglkm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmejllia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihdpbq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amaelomh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkklhjnk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mggabaea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbflno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqqpgj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlfmbibo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pincfpoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obmnna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnqned32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgldnkkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdqlajbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Necogkbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qaqnkafa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afgmodel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggnmbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldbofgme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmkhjncg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adlcfjgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olmcchlg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plolgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmfafgbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qndkpmkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bimoloog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfqpecma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccpcckck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Copjdhib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcnkhmdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccjoli32.exe -
Modifies registry class 64 IoCs
Processes:
Nefdpjkl.exeIigpli32.exeBecpap32.exePbagipfi.exeBgaebe32.exeIbkkjp32.exeNeqnqofm.exeHjlioj32.exeLoqmba32.exeMkqqnq32.exeKfnmpn32.exePalepb32.exeQododfek.exeEklqcl32.exeIlnomp32.exeBffbdadk.exePomhcg32.exeOgiaif32.exeBckjhl32.exeLbfook32.exeDnpciaef.exeOlmcchlg.exeEelkeeah.exeOmioekbo.exeNhdhif32.exeEacljf32.exeInlkik32.exeAfdiondb.exeBkhhhd32.exeEoepnk32.exeMkddnf32.exeNjfjnpgp.exePhlclgfc.exeAoojnc32.exeLcaiiejc.exeIppdgc32.exeLcofio32.exeNbflno32.exePkaehb32.exeOpaebkmc.exeJmdepg32.exeMjkgjl32.exeOajlkojn.exeCfmhdpnc.exeOpqoge32.exeKhkbbc32.exeBdqlajbb.exeBqlfaj32.exeHnjbeh32.exeGdkgkcpq.exeGgnmbn32.exeKlngkfge.exeLldmleam.exeNbjeinje.exeCgaaah32.exeEpmfgo32.exeJajcdjca.exeMklcadfn.exeCegoqlof.exeLkdhoc32.exePmmeon32.exeNpmphinm.exeHfegij32.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjbklf32.dll" Nefdpjkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Libmpn32.dll" Iigpli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljqglfel.dll" Becpap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpioba32.dll" Pbagipfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgaebe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jphiff32.dll" Ibkkjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Neqnqofm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjlioj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Loqmba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkqqnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnbkmo32.dll" Kfnmpn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Palepb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qododfek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eklqcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgiekfhg.dll" Ilnomp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfikmo32.dll" Bffbdadk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pomhcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fllmhajo.dll" Ogiaif32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bckjhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lbfook32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Femijbfb.dll" Mkqqnq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dnpciaef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olmcchlg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eelkeeah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omioekbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhdhif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikmpacaf.dll" Eacljf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nckljk32.dll" Inlkik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afdiondb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkhhhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eoepnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mkddnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njfjnpgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phlclgfc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aoojnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcaiiejc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ippdgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chdndgcj.dll" Lcofio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbbobb32.dll" Nbflno32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkaehb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Opaebkmc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmdepg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjkgjl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oajlkojn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfmhdpnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Opqoge32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Khkbbc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdqlajbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bqlfaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hnjbeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bglbcj32.dll" Gdkgkcpq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ggnmbn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Klngkfge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lldmleam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nbjeinje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhogdg32.dll" Cgaaah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Epmfgo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jajcdjca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeeikk32.dll" Mklcadfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cegoqlof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkdhoc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmmeon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjkbonmp.dll" Npmphinm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfegij32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
b641031112902da2c870e99b476714c2ced35623657da84cd9f26a3e55ce7e47N.exeIibfajdc.exeIplnnd32.exeIbkkjp32.exeIhhcbf32.exeIbmgpoia.exeIigpli32.exeJkhldafl.exeJenpajfb.exeJhlmmfef.exeJepmgj32.exeJdcmbgkj.exeJpjngh32.exeJhafhe32.exeJnnnalph.exeJplkmgol.exedescription pid Process procid_target PID 1992 wrote to memory of 2512 1992 b641031112902da2c870e99b476714c2ced35623657da84cd9f26a3e55ce7e47N.exe 30 PID 1992 wrote to memory of 2512 1992 b641031112902da2c870e99b476714c2ced35623657da84cd9f26a3e55ce7e47N.exe 30 PID 1992 wrote to memory of 2512 1992 b641031112902da2c870e99b476714c2ced35623657da84cd9f26a3e55ce7e47N.exe 30 PID 1992 wrote to memory of 2512 1992 b641031112902da2c870e99b476714c2ced35623657da84cd9f26a3e55ce7e47N.exe 30 PID 2512 wrote to memory of 1964 2512 Iibfajdc.exe 31 PID 2512 wrote to memory of 1964 2512 Iibfajdc.exe 31 PID 2512 wrote to memory of 1964 2512 Iibfajdc.exe 31 PID 2512 wrote to memory of 1964 2512 Iibfajdc.exe 31 PID 1964 wrote to memory of 2344 1964 Iplnnd32.exe 32 PID 1964 wrote to memory of 2344 1964 Iplnnd32.exe 32 PID 1964 wrote to memory of 2344 1964 Iplnnd32.exe 32 PID 1964 wrote to memory of 2344 1964 Iplnnd32.exe 32 PID 2344 wrote to memory of 2828 2344 Ibkkjp32.exe 33 PID 2344 wrote to memory of 2828 2344 Ibkkjp32.exe 33 PID 2344 wrote to memory of 2828 2344 Ibkkjp32.exe 33 PID 2344 wrote to memory of 2828 2344 Ibkkjp32.exe 33 PID 2828 wrote to memory of 2736 2828 Ihhcbf32.exe 34 PID 2828 wrote to memory of 2736 2828 Ihhcbf32.exe 34 PID 2828 wrote to memory of 2736 2828 Ihhcbf32.exe 34 PID 2828 wrote to memory of 2736 2828 Ihhcbf32.exe 34 PID 2736 wrote to memory of 2628 2736 Ibmgpoia.exe 35 PID 2736 wrote to memory of 2628 2736 Ibmgpoia.exe 35 PID 2736 wrote to memory of 2628 2736 Ibmgpoia.exe 35 PID 2736 wrote to memory of 2628 2736 Ibmgpoia.exe 35 PID 2628 wrote to memory of 2620 2628 Iigpli32.exe 36 PID 2628 wrote to memory of 2620 2628 Iigpli32.exe 36 PID 2628 wrote to memory of 2620 2628 Iigpli32.exe 36 PID 2628 wrote to memory of 2620 2628 Iigpli32.exe 36 PID 2620 wrote to memory of 2452 2620 Jkhldafl.exe 37 PID 2620 wrote to memory of 2452 2620 Jkhldafl.exe 37 PID 2620 wrote to memory of 2452 2620 Jkhldafl.exe 37 PID 2620 wrote to memory of 2452 2620 Jkhldafl.exe 37 PID 2452 wrote to memory of 1116 2452 Jenpajfb.exe 38 PID 2452 wrote to memory of 1116 2452 Jenpajfb.exe 38 PID 2452 wrote to memory of 1116 2452 Jenpajfb.exe 38 PID 2452 wrote to memory of 1116 2452 Jenpajfb.exe 38 PID 1116 wrote to memory of 1800 1116 Jhlmmfef.exe 39 PID 1116 wrote to memory of 1800 1116 Jhlmmfef.exe 39 PID 1116 wrote to memory of 1800 1116 Jhlmmfef.exe 39 PID 1116 wrote to memory of 1800 1116 Jhlmmfef.exe 39 PID 1800 wrote to memory of 596 1800 Jepmgj32.exe 40 PID 1800 wrote to memory of 596 1800 Jepmgj32.exe 40 PID 1800 wrote to memory of 596 1800 Jepmgj32.exe 40 PID 1800 wrote to memory of 596 1800 Jepmgj32.exe 40 PID 596 wrote to memory of 2592 596 Jdcmbgkj.exe 41 PID 596 wrote to memory of 2592 596 Jdcmbgkj.exe 41 PID 596 wrote to memory of 2592 596 Jdcmbgkj.exe 41 PID 596 wrote to memory of 2592 596 Jdcmbgkj.exe 41 PID 2592 wrote to memory of 1848 2592 Jpjngh32.exe 42 PID 2592 wrote to memory of 1848 2592 Jpjngh32.exe 42 PID 2592 wrote to memory of 1848 2592 Jpjngh32.exe 42 PID 2592 wrote to memory of 1848 2592 Jpjngh32.exe 42 PID 1848 wrote to memory of 2940 1848 Jhafhe32.exe 43 PID 1848 wrote to memory of 2940 1848 Jhafhe32.exe 43 PID 1848 wrote to memory of 2940 1848 Jhafhe32.exe 43 PID 1848 wrote to memory of 2940 1848 Jhafhe32.exe 43 PID 2940 wrote to memory of 2200 2940 Jnnnalph.exe 44 PID 2940 wrote to memory of 2200 2940 Jnnnalph.exe 44 PID 2940 wrote to memory of 2200 2940 Jnnnalph.exe 44 PID 2940 wrote to memory of 2200 2940 Jnnnalph.exe 44 PID 2200 wrote to memory of 996 2200 Jplkmgol.exe 45 PID 2200 wrote to memory of 996 2200 Jplkmgol.exe 45 PID 2200 wrote to memory of 996 2200 Jplkmgol.exe 45 PID 2200 wrote to memory of 996 2200 Jplkmgol.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\b641031112902da2c870e99b476714c2ced35623657da84cd9f26a3e55ce7e47N.exe"C:\Users\Admin\AppData\Local\Temp\b641031112902da2c870e99b476714c2ced35623657da84cd9f26a3e55ce7e47N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1992 -
C:\Windows\SysWOW64\Iibfajdc.exeC:\Windows\system32\Iibfajdc.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\SysWOW64\Iplnnd32.exeC:\Windows\system32\Iplnnd32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Windows\SysWOW64\Ibkkjp32.exeC:\Windows\system32\Ibkkjp32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\SysWOW64\Ihhcbf32.exeC:\Windows\system32\Ihhcbf32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\Ibmgpoia.exeC:\Windows\system32\Ibmgpoia.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Iigpli32.exeC:\Windows\system32\Iigpli32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Jkhldafl.exeC:\Windows\system32\Jkhldafl.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Jenpajfb.exeC:\Windows\system32\Jenpajfb.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Windows\SysWOW64\Jhlmmfef.exeC:\Windows\system32\Jhlmmfef.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1116 -
C:\Windows\SysWOW64\Jepmgj32.exeC:\Windows\system32\Jepmgj32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1800 -
C:\Windows\SysWOW64\Jdcmbgkj.exeC:\Windows\system32\Jdcmbgkj.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:596 -
C:\Windows\SysWOW64\Jpjngh32.exeC:\Windows\system32\Jpjngh32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\Jhafhe32.exeC:\Windows\system32\Jhafhe32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1848 -
C:\Windows\SysWOW64\Jnnnalph.exeC:\Windows\system32\Jnnnalph.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\Jplkmgol.exeC:\Windows\system32\Jplkmgol.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Windows\SysWOW64\Jdhgnf32.exeC:\Windows\system32\Jdhgnf32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:996 -
C:\Windows\SysWOW64\Jkbojpna.exeC:\Windows\system32\Jkbojpna.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3004 -
C:\Windows\SysWOW64\Jpogbgmi.exeC:\Windows\system32\Jpogbgmi.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1628 -
C:\Windows\SysWOW64\Kcmcoblm.exeC:\Windows\system32\Kcmcoblm.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:684 -
C:\Windows\SysWOW64\Kjglkm32.exeC:\Windows\system32\Kjglkm32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2864 -
C:\Windows\SysWOW64\Knbhlkkc.exeC:\Windows\system32\Knbhlkkc.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1720 -
C:\Windows\SysWOW64\Klehgh32.exeC:\Windows\system32\Klehgh32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:912 -
C:\Windows\SysWOW64\Koddccaa.exeC:\Windows\system32\Koddccaa.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2192 -
C:\Windows\SysWOW64\Kfnmpn32.exeC:\Windows\system32\Kfnmpn32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1820 -
C:\Windows\SysWOW64\Khlili32.exeC:\Windows\system32\Khlili32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2456 -
C:\Windows\SysWOW64\Klhemhpk.exeC:\Windows\system32\Klhemhpk.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1580 -
C:\Windows\SysWOW64\Kofaicon.exeC:\Windows\system32\Kofaicon.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1712 -
C:\Windows\SysWOW64\Kcdjoaee.exeC:\Windows\system32\Kcdjoaee.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1164 -
C:\Windows\SysWOW64\Kfbfkmeh.exeC:\Windows\system32\Kfbfkmeh.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2812 -
C:\Windows\SysWOW64\Kllnhg32.exeC:\Windows\system32\Kllnhg32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2332 -
C:\Windows\SysWOW64\Kokjdb32.exeC:\Windows\system32\Kokjdb32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2920 -
C:\Windows\SysWOW64\Knnkpobc.exeC:\Windows\system32\Knnkpobc.exe33⤵
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Khcomhbi.exeC:\Windows\system32\Khcomhbi.exe34⤵
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\Lnpgeopa.exeC:\Windows\system32\Lnpgeopa.exe35⤵
- Executes dropped EXE
PID:1020 -
C:\Windows\SysWOW64\Ldjpbign.exeC:\Windows\system32\Ldjpbign.exe36⤵
- Executes dropped EXE
PID:1172 -
C:\Windows\SysWOW64\Lkdhoc32.exeC:\Windows\system32\Lkdhoc32.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:492 -
C:\Windows\SysWOW64\Lqqpgj32.exeC:\Windows\system32\Lqqpgj32.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2020 -
C:\Windows\SysWOW64\Ljieppcb.exeC:\Windows\system32\Ljieppcb.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2916 -
C:\Windows\SysWOW64\Lneaqn32.exeC:\Windows\system32\Lneaqn32.exe40⤵
- Executes dropped EXE
PID:1760 -
C:\Windows\SysWOW64\Lcaiiejc.exeC:\Windows\system32\Lcaiiejc.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:2264 -
C:\Windows\SysWOW64\Lfpeeqig.exeC:\Windows\system32\Lfpeeqig.exe42⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Ljkaeo32.exeC:\Windows\system32\Ljkaeo32.exe43⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Lqejbiim.exeC:\Windows\system32\Lqejbiim.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2072 -
C:\Windows\SysWOW64\Ljnnko32.exeC:\Windows\system32\Ljnnko32.exe45⤵
- Executes dropped EXE
PID:1988 -
C:\Windows\SysWOW64\Lmljgj32.exeC:\Windows\system32\Lmljgj32.exe46⤵
- Executes dropped EXE
PID:1744 -
C:\Windows\SysWOW64\Lqhfhigj.exeC:\Windows\system32\Lqhfhigj.exe47⤵
- Executes dropped EXE
PID:1080 -
C:\Windows\SysWOW64\Lcfbdd32.exeC:\Windows\system32\Lcfbdd32.exe48⤵
- Executes dropped EXE
PID:752 -
C:\Windows\SysWOW64\Mkaghg32.exeC:\Windows\system32\Mkaghg32.exe49⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Mpmcielb.exeC:\Windows\system32\Mpmcielb.exe50⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Mbkpeake.exeC:\Windows\system32\Mbkpeake.exe51⤵
- Executes dropped EXE
PID:2416 -
C:\Windows\SysWOW64\Mfglep32.exeC:\Windows\system32\Mfglep32.exe52⤵
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Miehak32.exeC:\Windows\system32\Miehak32.exe53⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Mmadbjkk.exeC:\Windows\system32\Mmadbjkk.exe54⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Mkddnf32.exeC:\Windows\system32\Mkddnf32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2740 -
C:\Windows\SysWOW64\Mpopnejo.exeC:\Windows\system32\Mpopnejo.exe56⤵
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Mfihkoal.exeC:\Windows\system32\Mfihkoal.exe57⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Melifl32.exeC:\Windows\system32\Melifl32.exe58⤵
- Executes dropped EXE
PID:1728 -
C:\Windows\SysWOW64\Mihdgkpp.exeC:\Windows\system32\Mihdgkpp.exe59⤵
- Executes dropped EXE
PID:1476 -
C:\Windows\SysWOW64\Mlfacfpc.exeC:\Windows\system32\Mlfacfpc.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1792 -
C:\Windows\SysWOW64\Mbpipp32.exeC:\Windows\system32\Mbpipp32.exe61⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Meoell32.exeC:\Windows\system32\Meoell32.exe62⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Mlhnifmq.exeC:\Windows\system32\Mlhnifmq.exe63⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Mjkndb32.exeC:\Windows\system32\Mjkndb32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1296 -
C:\Windows\SysWOW64\Mngjeamd.exeC:\Windows\system32\Mngjeamd.exe65⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Mbbfep32.exeC:\Windows\system32\Mbbfep32.exe66⤵PID:2292
-
C:\Windows\SysWOW64\Meabakda.exeC:\Windows\system32\Meabakda.exe67⤵
- Drops file in System32 directory
PID:2428 -
C:\Windows\SysWOW64\Mhonngce.exeC:\Windows\system32\Mhonngce.exe68⤵PID:2064
-
C:\Windows\SysWOW64\Mlkjne32.exeC:\Windows\system32\Mlkjne32.exe69⤵PID:2220
-
C:\Windows\SysWOW64\Mnifja32.exeC:\Windows\system32\Mnifja32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2900 -
C:\Windows\SysWOW64\Nmlgfnal.exeC:\Windows\system32\Nmlgfnal.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2972 -
C:\Windows\SysWOW64\Necogkbo.exeC:\Windows\system32\Necogkbo.exe72⤵
- System Location Discovery: System Language Discovery
PID:2616 -
C:\Windows\SysWOW64\Ncfoch32.exeC:\Windows\system32\Ncfoch32.exe73⤵PID:2252
-
C:\Windows\SysWOW64\Nfdkoc32.exeC:\Windows\system32\Nfdkoc32.exe74⤵PID:108
-
C:\Windows\SysWOW64\Nnkcpq32.exeC:\Windows\system32\Nnkcpq32.exe75⤵
- Drops file in System32 directory
PID:1268 -
C:\Windows\SysWOW64\Najpll32.exeC:\Windows\system32\Najpll32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:880 -
C:\Windows\SysWOW64\Npmphinm.exeC:\Windows\system32\Npmphinm.exe77⤵
- Modifies registry class
PID:1084 -
C:\Windows\SysWOW64\Nhdhif32.exeC:\Windows\system32\Nhdhif32.exe78⤵
- Modifies registry class
PID:2948 -
C:\Windows\SysWOW64\Nhdhif32.exeC:\Windows\system32\Nhdhif32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2000 -
C:\Windows\SysWOW64\Nfghdcfj.exeC:\Windows\system32\Nfghdcfj.exe80⤵PID:1148
-
C:\Windows\SysWOW64\Npolmh32.exeC:\Windows\system32\Npolmh32.exe81⤵PID:444
-
C:\Windows\SysWOW64\Ndkhngdd.exeC:\Windows\system32\Ndkhngdd.exe82⤵PID:340
-
C:\Windows\SysWOW64\Nmcmgm32.exeC:\Windows\system32\Nmcmgm32.exe83⤵PID:2056
-
C:\Windows\SysWOW64\Nlfmbibo.exeC:\Windows\system32\Nlfmbibo.exe84⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1540 -
C:\Windows\SysWOW64\Nbpeoc32.exeC:\Windows\system32\Nbpeoc32.exe85⤵PID:2324
-
C:\Windows\SysWOW64\Nfkapb32.exeC:\Windows\system32\Nfkapb32.exe86⤵PID:2392
-
C:\Windows\SysWOW64\Nijnln32.exeC:\Windows\system32\Nijnln32.exe87⤵PID:1956
-
C:\Windows\SysWOW64\Nmejllia.exeC:\Windows\system32\Nmejllia.exe88⤵
- System Location Discovery: System Language Discovery
PID:2792 -
C:\Windows\SysWOW64\Npdfhhhe.exeC:\Windows\system32\Npdfhhhe.exe89⤵PID:2632
-
C:\Windows\SysWOW64\Noffdd32.exeC:\Windows\system32\Noffdd32.exe90⤵PID:2680
-
C:\Windows\SysWOW64\Nfnneb32.exeC:\Windows\system32\Nfnneb32.exe91⤵PID:2912
-
C:\Windows\SysWOW64\Neqnqofm.exeC:\Windows\system32\Neqnqofm.exe92⤵
- Modifies registry class
PID:696 -
C:\Windows\SysWOW64\Oiljam32.exeC:\Windows\system32\Oiljam32.exe93⤵PID:1600
-
C:\Windows\SysWOW64\Olkfmi32.exeC:\Windows\system32\Olkfmi32.exe94⤵PID:580
-
C:\Windows\SysWOW64\Obdojcef.exeC:\Windows\system32\Obdojcef.exe95⤵PID:1004
-
C:\Windows\SysWOW64\Obdojcef.exeC:\Windows\system32\Obdojcef.exe96⤵PID:1240
-
C:\Windows\SysWOW64\Oagoep32.exeC:\Windows\system32\Oagoep32.exe97⤵PID:2484
-
C:\Windows\SysWOW64\Oioggmmc.exeC:\Windows\system32\Oioggmmc.exe98⤵PID:1864
-
C:\Windows\SysWOW64\Ohagbj32.exeC:\Windows\system32\Ohagbj32.exe99⤵PID:2060
-
C:\Windows\SysWOW64\Olmcchlg.exeC:\Windows\system32\Olmcchlg.exe100⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2788 -
C:\Windows\SysWOW64\Oajlkojn.exeC:\Windows\system32\Oajlkojn.exe101⤵
- Modifies registry class
PID:2476 -
C:\Windows\SysWOW64\Oeehln32.exeC:\Windows\system32\Oeehln32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2768 -
C:\Windows\SysWOW64\Odhhgkib.exeC:\Windows\system32\Odhhgkib.exe103⤵PID:3060
-
C:\Windows\SysWOW64\Olophhjd.exeC:\Windows\system32\Olophhjd.exe104⤵PID:2664
-
C:\Windows\SysWOW64\Oonldcih.exeC:\Windows\system32\Oonldcih.exe105⤵PID:1472
-
C:\Windows\SysWOW64\Oalhqohl.exeC:\Windows\system32\Oalhqohl.exe106⤵PID:1352
-
C:\Windows\SysWOW64\Oehdan32.exeC:\Windows\system32\Oehdan32.exe107⤵
- Drops file in System32 directory
PID:2208 -
C:\Windows\SysWOW64\Ohfqmi32.exeC:\Windows\system32\Ohfqmi32.exe108⤵PID:1568
-
C:\Windows\SysWOW64\Ogiaif32.exeC:\Windows\system32\Ogiaif32.exe109⤵
- Modifies registry class
PID:1716 -
C:\Windows\SysWOW64\Oopijc32.exeC:\Windows\system32\Oopijc32.exe110⤵
- System Location Discovery: System Language Discovery
PID:1672 -
C:\Windows\SysWOW64\Oopijc32.exeC:\Windows\system32\Oopijc32.exe111⤵PID:328
-
C:\Windows\SysWOW64\Opaebkmc.exeC:\Windows\system32\Opaebkmc.exe112⤵
- Drops file in System32 directory
- Modifies registry class
PID:2160 -
C:\Windows\SysWOW64\Odmabj32.exeC:\Windows\system32\Odmabj32.exe113⤵PID:2800
-
C:\Windows\SysWOW64\Ogknoe32.exeC:\Windows\system32\Ogknoe32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3048 -
C:\Windows\SysWOW64\Okgjodmi.exeC:\Windows\system32\Okgjodmi.exe115⤵PID:1088
-
C:\Windows\SysWOW64\Oijjka32.exeC:\Windows\system32\Oijjka32.exe116⤵PID:1412
-
C:\Windows\SysWOW64\Ppcbgkka.exeC:\Windows\system32\Ppcbgkka.exe117⤵PID:2076
-
C:\Windows\SysWOW64\Pdonhj32.exeC:\Windows\system32\Pdonhj32.exe118⤵PID:876
-
C:\Windows\SysWOW64\Pkifdd32.exeC:\Windows\system32\Pkifdd32.exe119⤵PID:1704
-
C:\Windows\SysWOW64\Pilfpqaa.exeC:\Windows\system32\Pilfpqaa.exe120⤵
- System Location Discovery: System Language Discovery
PID:1660 -
C:\Windows\SysWOW64\Ppfomk32.exeC:\Windows\system32\Ppfomk32.exe121⤵PID:2984
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-