Analysis
-
max time kernel
85s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
02-12-2024 17:23
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f3d06a3ac24e0e8894782cdb64781cf867cd00da42b64d1f7cb8e5908470e66aN.exe
Resource
win7-20240903-en
windows7-x64
13 signatures
120 seconds
Behavioral task
behavioral2
Sample
f3d06a3ac24e0e8894782cdb64781cf867cd00da42b64d1f7cb8e5908470e66aN.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
f3d06a3ac24e0e8894782cdb64781cf867cd00da42b64d1f7cb8e5908470e66aN.exe
-
Size
163KB
-
MD5
cfb10025966b4314e2dc6dd89db27010
-
SHA1
e3a6e514dfbb9c38b8c22557eabd2227659ee4fc
-
SHA256
f3d06a3ac24e0e8894782cdb64781cf867cd00da42b64d1f7cb8e5908470e66a
-
SHA512
87838c4e67c7f98f957279d6b24b1e04a54f5f992544361df3332d8f2efd3a4d05905a3c5a651ff2c84e68a53ad0cdcdbea1cc0274e35cbd7cac247df10911c0
-
SSDEEP
1536:PNIc+bsZoBCtwjvsuVm7QAR6azn50MilProNVU4qNVUrk/9QbfBr+7GwKrPAsqNy:VltoctNuAcPaz50MiltOrWKDBr+yJb
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Fhjmfnok.exeIqfiii32.exeMfmqmgbm.exeMehpga32.exeGdjqamme.exeJlkglm32.exeMmccqbpm.exeBjembh32.exeDqaode32.exeDecdmi32.exeMiapbpmb.exeCojeomee.exeKhghgchk.exeNqbaic32.exeOqgjdbpi.exeFbkjap32.exeKhjgel32.exeLnkege32.exeAfpogk32.exeOodjjign.exeCjjpag32.exeDilapopb.exeQkielpdf.exeBbhccm32.exeFmdbnnlj.exeMndhnd32.exeGcppkbia.exeBceeqi32.exeLocjhqpa.exeMdmkoepk.exeAgglbp32.exeEanldqgf.exeNgbmlo32.exeCnklgkap.exeNcgcdi32.exeCncolfcl.exeCbjnqh32.exeLfoojj32.exeMqjefamk.exePfqlkfoc.exeDlpbna32.exeDiidjpbe.exeJpajbl32.exeJacfidem.exeJeaahk32.exeMeljbqna.exedescription ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhjmfnok.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iqfiii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfmqmgbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mehpga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdjqamme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlkglm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmccqbpm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjembh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dqaode32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Decdmi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Miapbpmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cojeomee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khghgchk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqbaic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqgjdbpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbkjap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khjgel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnkege32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afpogk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oodjjign.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjjpag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dilapopb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qkielpdf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbhccm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmdbnnlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mndhnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcppkbia.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bceeqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Locjhqpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdmkoepk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agglbp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eanldqgf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngbmlo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnklgkap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncgcdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cncolfcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbjnqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfoojj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdjqamme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mqjefamk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfqlkfoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlpbna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Diidjpbe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpajbl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jacfidem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jeaahk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Meljbqna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" -
Berbew family
-
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
-
Bruteratel family
-
Detect BruteRatel badger 11 IoCs
Processes:
resource yara_rule behavioral1/files/0x000400000001da16-1962.dat family_bruteratel behavioral1/files/0x000400000001e326-3189.dat family_bruteratel behavioral1/files/0x000400000001e3a3-3204.dat family_bruteratel behavioral1/files/0x0003000000020c92-5800.dat family_bruteratel behavioral1/files/0x0003000000020df3-6225.dat family_bruteratel behavioral1/files/0x0003000000020e27-6323.dat family_bruteratel behavioral1/files/0x0003000000020ef8-6635.dat family_bruteratel behavioral1/files/0x000300000002113b-7785.dat family_bruteratel behavioral1/files/0x00030000000217a5-11564.dat family_bruteratel behavioral1/files/0x0003000000021a90-12941.dat family_bruteratel behavioral1/files/0x0003000000021bf4-13459.dat family_bruteratel -
Executes dropped EXE 64 IoCs
Processes:
Khghgchk.exeKoaqcn32.exeKocmim32.exeKpdjaecc.exeKadfkhkf.exeKjokokha.exeKcgphp32.exeKlpdaf32.exeLgehno32.exeLlbqfe32.exeLfkeokjp.exeLocjhqpa.exeLdpbpgoh.exeLkjjma32.exeLfoojj32.exeLklgbadb.exeMnmpdlac.exeMqklqhpg.exeMqnifg32.exeMdiefffn.exeMjfnomde.exeMmdjkhdh.exeMmgfqh32.exeMpebmc32.exeMklcadfn.exeMcckcbgp.exeNedhjj32.exeNpjlhcmd.exeNgealejo.exeNplimbka.exeNlcibc32.exeNbmaon32.exeNcnngfna.exeNenkqi32.exeNjjcip32.exeOadkej32.exeOhncbdbd.exeOmklkkpl.exeOpihgfop.exeOdgamdef.exeObjaha32.exeOlbfagca.exeObmnna32.exeOiffkkbk.exeObokcqhk.exePiicpk32.exePlgolf32.exePepcelel.exePljlbf32.exePmkhjncg.exePhqmgg32.exePkoicb32.exePmmeon32.exePaiaplin.exePhcilf32.exePkaehb32.exePidfdofi.exePaknelgk.exePpnnai32.exePcljmdmj.exePkcbnanl.exePifbjn32.exeQppkfhlc.exeQcogbdkg.exepid Process 2692 Khghgchk.exe 2112 Koaqcn32.exe 2716 Kocmim32.exe 2980 Kpdjaecc.exe 2868 Kadfkhkf.exe 2772 Kjokokha.exe 2648 Kcgphp32.exe 2212 Klpdaf32.exe 1144 Lgehno32.exe 1392 Llbqfe32.exe 1852 Lfkeokjp.exe 2004 Locjhqpa.exe 1316 Ldpbpgoh.exe 2668 Lkjjma32.exe 2192 Lfoojj32.exe 620 Lklgbadb.exe 2232 Mnmpdlac.exe 1084 Mqklqhpg.exe 2848 Mqnifg32.exe 1824 Mdiefffn.exe 2556 Mjfnomde.exe 1756 Mmdjkhdh.exe 2220 Mmgfqh32.exe 3008 Mpebmc32.exe 2268 Mklcadfn.exe 1444 Mcckcbgp.exe 2732 Nedhjj32.exe 572 Npjlhcmd.exe 2644 Ngealejo.exe 2616 Nplimbka.exe 2660 Nlcibc32.exe 1448 Nbmaon32.exe 1716 Ncnngfna.exe 1688 Nenkqi32.exe 1192 Njjcip32.exe 2512 Oadkej32.exe 268 Ohncbdbd.exe 1568 Omklkkpl.exe 2704 Opihgfop.exe 2488 Odgamdef.exe 1080 Objaha32.exe 956 Olbfagca.exe 700 Obmnna32.exe 948 Oiffkkbk.exe 1536 Obokcqhk.exe 884 Piicpk32.exe 2424 Plgolf32.exe 1704 Pepcelel.exe 2100 Pljlbf32.exe 2840 Pmkhjncg.exe 2632 Phqmgg32.exe 2628 Pkoicb32.exe 996 Pmmeon32.exe 1036 Paiaplin.exe 1708 Phcilf32.exe 1620 Pkaehb32.exe 2900 Pidfdofi.exe 1104 Paknelgk.exe 2276 Ppnnai32.exe 2028 Pcljmdmj.exe 2288 Pkcbnanl.exe 1364 Pifbjn32.exe 2260 Qppkfhlc.exe 2244 Qcogbdkg.exe -
Loads dropped DLL 64 IoCs
Processes:
f3d06a3ac24e0e8894782cdb64781cf867cd00da42b64d1f7cb8e5908470e66aN.exeKhghgchk.exeKoaqcn32.exeKocmim32.exeKpdjaecc.exeKadfkhkf.exeKjokokha.exeKcgphp32.exeKlpdaf32.exeLgehno32.exeLlbqfe32.exeLfkeokjp.exeLocjhqpa.exeLdpbpgoh.exeLkjjma32.exeLfoojj32.exeLklgbadb.exeMnmpdlac.exeMqklqhpg.exeMqnifg32.exeMdiefffn.exeMjfnomde.exeMmdjkhdh.exeMmgfqh32.exeMpebmc32.exeMklcadfn.exeMcckcbgp.exeNedhjj32.exeNpjlhcmd.exeNgealejo.exeNplimbka.exeNlcibc32.exepid Process 2128 f3d06a3ac24e0e8894782cdb64781cf867cd00da42b64d1f7cb8e5908470e66aN.exe 2128 f3d06a3ac24e0e8894782cdb64781cf867cd00da42b64d1f7cb8e5908470e66aN.exe 2692 Khghgchk.exe 2692 Khghgchk.exe 2112 Koaqcn32.exe 2112 Koaqcn32.exe 2716 Kocmim32.exe 2716 Kocmim32.exe 2980 Kpdjaecc.exe 2980 Kpdjaecc.exe 2868 Kadfkhkf.exe 2868 Kadfkhkf.exe 2772 Kjokokha.exe 2772 Kjokokha.exe 2648 Kcgphp32.exe 2648 Kcgphp32.exe 2212 Klpdaf32.exe 2212 Klpdaf32.exe 1144 Lgehno32.exe 1144 Lgehno32.exe 1392 Llbqfe32.exe 1392 Llbqfe32.exe 1852 Lfkeokjp.exe 1852 Lfkeokjp.exe 2004 Locjhqpa.exe 2004 Locjhqpa.exe 1316 Ldpbpgoh.exe 1316 Ldpbpgoh.exe 2668 Lkjjma32.exe 2668 Lkjjma32.exe 2192 Lfoojj32.exe 2192 Lfoojj32.exe 620 Lklgbadb.exe 620 Lklgbadb.exe 2232 Mnmpdlac.exe 2232 Mnmpdlac.exe 1084 Mqklqhpg.exe 1084 Mqklqhpg.exe 2848 Mqnifg32.exe 2848 Mqnifg32.exe 1824 Mdiefffn.exe 1824 Mdiefffn.exe 2556 Mjfnomde.exe 2556 Mjfnomde.exe 1756 Mmdjkhdh.exe 1756 Mmdjkhdh.exe 2220 Mmgfqh32.exe 2220 Mmgfqh32.exe 3008 Mpebmc32.exe 3008 Mpebmc32.exe 2268 Mklcadfn.exe 2268 Mklcadfn.exe 1444 Mcckcbgp.exe 1444 Mcckcbgp.exe 2732 Nedhjj32.exe 2732 Nedhjj32.exe 572 Npjlhcmd.exe 572 Npjlhcmd.exe 2644 Ngealejo.exe 2644 Ngealejo.exe 2616 Nplimbka.exe 2616 Nplimbka.exe 2660 Nlcibc32.exe 2660 Nlcibc32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Agglbp32.exeNccnlk32.exeInbnhihl.exeMomfan32.exeLophacfl.exeDnhefh32.exeNgjlpmnn.exePadjmfdg.exeLglmefcg.exeDcbnpgkh.exeJbclgf32.exeHgiked32.exeNbmdhfog.exeEphbal32.exeHegpjaac.exeAhedjb32.exeBplijcle.exeEdlhqlfi.exeFhjmfnok.exeOfnpnkgf.exeQblfkgqb.exeLgkkmm32.exeLcdhgn32.exeJfcabd32.exeMdldeo32.exeHhmhcigh.exeQjgjpi32.exeIchmgl32.exeMblbnj32.exeGgbieb32.exeCkmpkpbl.exeImmjnj32.exeLfbdci32.exeMneaacno.exeKhghgchk.exeBccmmf32.exeGlfgnh32.exeMcfemmna.exeQejpoi32.exeFgjjad32.exeAinkcf32.exeImhqbkbm.exeJoppeeif.exedescription ioc Process File opened for modification C:\Windows\SysWOW64\Alddjg32.exe Agglbp32.exe File created C:\Windows\SysWOW64\Lmjkjk32.dll Nccnlk32.exe File created C:\Windows\SysWOW64\Fhihab32.dll File opened for modification C:\Windows\SysWOW64\Mgfiocfl.exe File created C:\Windows\SysWOW64\Pjbjjc32.exe File created C:\Windows\SysWOW64\Chnjdl32.dll File opened for modification C:\Windows\SysWOW64\Jfieigio.exe Inbnhihl.exe File created C:\Windows\SysWOW64\Mblbnj32.exe Momfan32.exe File created C:\Windows\SysWOW64\Bcbonine.dll File opened for modification C:\Windows\SysWOW64\Jdogldmo.exe File created C:\Windows\SysWOW64\Lpaehl32.exe Lophacfl.exe File opened for modification C:\Windows\SysWOW64\Dqfabdaf.exe Dnhefh32.exe File created C:\Windows\SysWOW64\Njhilimb.exe Ngjlpmnn.exe File created C:\Windows\SysWOW64\Bniipnpc.dll Padjmfdg.exe File created C:\Windows\SysWOW64\Pjnpoh32.dll Lglmefcg.exe File opened for modification C:\Windows\SysWOW64\Amjiln32.exe File opened for modification C:\Windows\SysWOW64\Ckkenikc.exe File created C:\Windows\SysWOW64\Fichqckn.exe File created C:\Windows\SysWOW64\Jhhcghdk.dll Dcbnpgkh.exe File created C:\Windows\SysWOW64\Jfohgepi.exe Jbclgf32.exe File created C:\Windows\SysWOW64\Jgbmco32.exe File created C:\Windows\SysWOW64\Hjggap32.exe Hgiked32.exe File created C:\Windows\SysWOW64\Pnkiebib.exe File created C:\Windows\SysWOW64\Enadon32.dll Nbmdhfog.exe File created C:\Windows\SysWOW64\Mpelaf32.dll Ephbal32.exe File created C:\Windows\SysWOW64\Chpenm32.dll Hegpjaac.exe File created C:\Windows\SysWOW64\Alaqjaaa.exe Ahedjb32.exe File opened for modification C:\Windows\SysWOW64\Bckefnki.exe Bplijcle.exe File created C:\Windows\SysWOW64\Dheoedma.dll File created C:\Windows\SysWOW64\Libmacbm.dll File opened for modification C:\Windows\SysWOW64\Elcpbigl.exe Edlhqlfi.exe File opened for modification C:\Windows\SysWOW64\Fodebh32.exe Fhjmfnok.exe File created C:\Windows\SysWOW64\Gfbejp32.dll File opened for modification C:\Windows\SysWOW64\Flfnhnfm.exe File opened for modification C:\Windows\SysWOW64\Omhhke32.exe Ofnpnkgf.exe File opened for modification C:\Windows\SysWOW64\Qhincn32.exe Qblfkgqb.exe File opened for modification C:\Windows\SysWOW64\Ghidcceo.exe File opened for modification C:\Windows\SysWOW64\Pkjqcg32.exe File created C:\Windows\SysWOW64\Fgqofhkp.dll File opened for modification C:\Windows\SysWOW64\Ljigih32.exe Lgkkmm32.exe File created C:\Windows\SysWOW64\Lgpdglhn.exe Lcdhgn32.exe File created C:\Windows\SysWOW64\Biklma32.dll Jfcabd32.exe File created C:\Windows\SysWOW64\Gpblmp32.dll Mdldeo32.exe File created C:\Windows\SysWOW64\Knijnb32.dll Hhmhcigh.exe File created C:\Windows\SysWOW64\Qdpohodn.exe Qjgjpi32.exe File created C:\Windows\SysWOW64\Nfhkkc32.dll File created C:\Windows\SysWOW64\Ifgicg32.exe Ichmgl32.exe File created C:\Windows\SysWOW64\Mfgnnhkc.exe Mblbnj32.exe File opened for modification C:\Windows\SysWOW64\Gmlablaa.exe Ggbieb32.exe File created C:\Windows\SysWOW64\Ipdolbbj.exe File created C:\Windows\SysWOW64\Cnklgkap.exe Ckmpkpbl.exe File created C:\Windows\SysWOW64\Nabcho32.dll Immjnj32.exe File opened for modification C:\Windows\SysWOW64\Lnjldf32.exe Lfbdci32.exe File created C:\Windows\SysWOW64\Qgfnod32.dll Mneaacno.exe File opened for modification C:\Windows\SysWOW64\Monjcp32.exe File created C:\Windows\SysWOW64\Doempm32.dll Khghgchk.exe File created C:\Windows\SysWOW64\Bkjdndjo.exe Bccmmf32.exe File created C:\Windows\SysWOW64\Edmhlpjl.dll Glfgnh32.exe File opened for modification C:\Windows\SysWOW64\Mjqmig32.exe Mcfemmna.exe File created C:\Windows\SysWOW64\Qaapcj32.exe Qejpoi32.exe File created C:\Windows\SysWOW64\Fihfnp32.exe Fgjjad32.exe File created C:\Windows\SysWOW64\Allgoa32.exe Ainkcf32.exe File created C:\Windows\SysWOW64\Pjfdnp32.dll Imhqbkbm.exe File created C:\Windows\SysWOW64\Jlqogi32.dll Joppeeif.exe -
Program crash 1 IoCs
Processes:
pid pid_target Process procid_target 6536 6804 1551 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Cqjhcfpc.exeEaqkcimg.exeIdohdhbo.exeLklgbadb.exeMopbgn32.exeObokcqhk.exeCchbgi32.exeDqaode32.exeMeljbqna.exeAdifpk32.exeHcgmfgfd.exeQkielpdf.exeAhedjb32.exeCnipak32.exeFdfmpc32.exeFhmldfdm.exeAejnfe32.exePaiaplin.exeAlihaioe.exeEdaalk32.exeJlkglm32.exeMfjkdh32.exeDmkcil32.exeGpidki32.exeAhpifj32.exeDilapopb.exeBkkgfm32.exeKmclmm32.exeMcidkf32.exeFmlbjq32.exeOfqmcj32.exeKdkelolf.exeNoohlkpc.exeOadkej32.exeHegpjaac.exeFdqnkoep.exeJlhkgm32.exeQejpoi32.exeGglbfg32.exeObjaha32.exeApgagg32.exeFlabdecn.exeHagianlf.exeDcmnja32.exeIqfiii32.exeAkadpn32.exeCcmblnif.exeEdlafebn.exeEihjolae.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cqjhcfpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eaqkcimg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idohdhbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lklgbadb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mopbgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obokcqhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cchbgi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dqaode32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meljbqna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adifpk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcgmfgfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkielpdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahedjb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnipak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdfmpc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhmldfdm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aejnfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paiaplin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alihaioe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edaalk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlkglm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfjkdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmkcil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpidki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahpifj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dilapopb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkkgfm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmclmm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcidkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmlbjq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofqmcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdkelolf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Noohlkpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oadkej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hegpjaac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdqnkoep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlhkgm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qejpoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gglbfg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Objaha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apgagg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flabdecn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hagianlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcmnja32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iqfiii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akadpn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccmblnif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edlafebn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eihjolae.exe -
Modifies registry class 64 IoCs
Processes:
Alddjg32.exeAjmijmnn.exeAhbekjcf.exeOlkifaen.exeJeoeclek.exeQkielpdf.exeDjmiejji.exeKcgphp32.exeFcmdnfad.exeDnpciaef.exeHbofmcij.exeEibgpnjk.exeLilfgq32.exeHegpjaac.exeBnochnpm.exePhobjp32.exeDgfmep32.exeMlmoilni.exePlbmom32.exeCagienkb.exeDfbnoc32.exeCkbpqe32.exeFhbpkh32.exeDkjpdcfj.exeHdefnjkj.exeKlpdaf32.exeOpihgfop.exeEaqkcimg.exeKjbclamj.exeBoemlbpk.exeAedlhg32.exeCdnncfoe.exeNnlhab32.exeAlqnah32.exeGpjkeoha.exeOmphocck.exeNhkbmo32.exeIphgln32.exeNcfjajma.exeGconbj32.exeCjljnn32.exeBccoeo32.exeMkgeehnl.exeObmnna32.exePnhjgj32.exeNenkqi32.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Alddjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajmijmnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfhmmndi.dll" Ahbekjcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeadqq32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Olkifaen.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jeoeclek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgefgpha.dll" Qkielpdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djmiejji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kcgphp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjpehnpj.dll" Fcmdnfad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbehjc32.dll" Dnpciaef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbofmcij.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flffpf32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eibgpnjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lilfgq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hegpjaac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lclknm32.dll" Bnochnpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaihlkop.dll" Phobjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgfmep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhfdfc32.dll" Mlmoilni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edeppfdk.dll" Plbmom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cagienkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfbnoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbjlbi32.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckbpqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmcjcekp.dll" Fhbpkh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkjpdcfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdefnjkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Libmacbm.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihnijmcj.dll" Klpdaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Opihgfop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eaqkcimg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfmjemjh.dll" Kjbclamj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Boemlbpk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aedlhg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdnncfoe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nnlhab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Alqnah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gpjkeoha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omphocck.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhkbmo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iphgln32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ncfjajma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gconbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjljnn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bccoeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkgeehnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Obmnna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Alqnah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnhjgj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blkebebd.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nenkqi32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
f3d06a3ac24e0e8894782cdb64781cf867cd00da42b64d1f7cb8e5908470e66aN.exeKhghgchk.exeKoaqcn32.exeKocmim32.exeKpdjaecc.exeKadfkhkf.exeKjokokha.exeKcgphp32.exeKlpdaf32.exeLgehno32.exeLlbqfe32.exeLfkeokjp.exeLocjhqpa.exeLdpbpgoh.exeLkjjma32.exeLfoojj32.exedescription pid Process procid_target PID 2128 wrote to memory of 2692 2128 f3d06a3ac24e0e8894782cdb64781cf867cd00da42b64d1f7cb8e5908470e66aN.exe 31 PID 2128 wrote to memory of 2692 2128 f3d06a3ac24e0e8894782cdb64781cf867cd00da42b64d1f7cb8e5908470e66aN.exe 31 PID 2128 wrote to memory of 2692 2128 f3d06a3ac24e0e8894782cdb64781cf867cd00da42b64d1f7cb8e5908470e66aN.exe 31 PID 2128 wrote to memory of 2692 2128 f3d06a3ac24e0e8894782cdb64781cf867cd00da42b64d1f7cb8e5908470e66aN.exe 31 PID 2692 wrote to memory of 2112 2692 Khghgchk.exe 32 PID 2692 wrote to memory of 2112 2692 Khghgchk.exe 32 PID 2692 wrote to memory of 2112 2692 Khghgchk.exe 32 PID 2692 wrote to memory of 2112 2692 Khghgchk.exe 32 PID 2112 wrote to memory of 2716 2112 Koaqcn32.exe 33 PID 2112 wrote to memory of 2716 2112 Koaqcn32.exe 33 PID 2112 wrote to memory of 2716 2112 Koaqcn32.exe 33 PID 2112 wrote to memory of 2716 2112 Koaqcn32.exe 33 PID 2716 wrote to memory of 2980 2716 Kocmim32.exe 34 PID 2716 wrote to memory of 2980 2716 Kocmim32.exe 34 PID 2716 wrote to memory of 2980 2716 Kocmim32.exe 34 PID 2716 wrote to memory of 2980 2716 Kocmim32.exe 34 PID 2980 wrote to memory of 2868 2980 Kpdjaecc.exe 35 PID 2980 wrote to memory of 2868 2980 Kpdjaecc.exe 35 PID 2980 wrote to memory of 2868 2980 Kpdjaecc.exe 35 PID 2980 wrote to memory of 2868 2980 Kpdjaecc.exe 35 PID 2868 wrote to memory of 2772 2868 Kadfkhkf.exe 36 PID 2868 wrote to memory of 2772 2868 Kadfkhkf.exe 36 PID 2868 wrote to memory of 2772 2868 Kadfkhkf.exe 36 PID 2868 wrote to memory of 2772 2868 Kadfkhkf.exe 36 PID 2772 wrote to memory of 2648 2772 Kjokokha.exe 37 PID 2772 wrote to memory of 2648 2772 Kjokokha.exe 37 PID 2772 wrote to memory of 2648 2772 Kjokokha.exe 37 PID 2772 wrote to memory of 2648 2772 Kjokokha.exe 37 PID 2648 wrote to memory of 2212 2648 Kcgphp32.exe 38 PID 2648 wrote to memory of 2212 2648 Kcgphp32.exe 38 PID 2648 wrote to memory of 2212 2648 Kcgphp32.exe 38 PID 2648 wrote to memory of 2212 2648 Kcgphp32.exe 38 PID 2212 wrote to memory of 1144 2212 Klpdaf32.exe 39 PID 2212 wrote to memory of 1144 2212 Klpdaf32.exe 39 PID 2212 wrote to memory of 1144 2212 Klpdaf32.exe 39 PID 2212 wrote to memory of 1144 2212 Klpdaf32.exe 39 PID 1144 wrote to memory of 1392 1144 Lgehno32.exe 40 PID 1144 wrote to memory of 1392 1144 Lgehno32.exe 40 PID 1144 wrote to memory of 1392 1144 Lgehno32.exe 40 PID 1144 wrote to memory of 1392 1144 Lgehno32.exe 40 PID 1392 wrote to memory of 1852 1392 Llbqfe32.exe 41 PID 1392 wrote to memory of 1852 1392 Llbqfe32.exe 41 PID 1392 wrote to memory of 1852 1392 Llbqfe32.exe 41 PID 1392 wrote to memory of 1852 1392 Llbqfe32.exe 41 PID 1852 wrote to memory of 2004 1852 Lfkeokjp.exe 42 PID 1852 wrote to memory of 2004 1852 Lfkeokjp.exe 42 PID 1852 wrote to memory of 2004 1852 Lfkeokjp.exe 42 PID 1852 wrote to memory of 2004 1852 Lfkeokjp.exe 42 PID 2004 wrote to memory of 1316 2004 Locjhqpa.exe 43 PID 2004 wrote to memory of 1316 2004 Locjhqpa.exe 43 PID 2004 wrote to memory of 1316 2004 Locjhqpa.exe 43 PID 2004 wrote to memory of 1316 2004 Locjhqpa.exe 43 PID 1316 wrote to memory of 2668 1316 Ldpbpgoh.exe 44 PID 1316 wrote to memory of 2668 1316 Ldpbpgoh.exe 44 PID 1316 wrote to memory of 2668 1316 Ldpbpgoh.exe 44 PID 1316 wrote to memory of 2668 1316 Ldpbpgoh.exe 44 PID 2668 wrote to memory of 2192 2668 Lkjjma32.exe 45 PID 2668 wrote to memory of 2192 2668 Lkjjma32.exe 45 PID 2668 wrote to memory of 2192 2668 Lkjjma32.exe 45 PID 2668 wrote to memory of 2192 2668 Lkjjma32.exe 45 PID 2192 wrote to memory of 620 2192 Lfoojj32.exe 46 PID 2192 wrote to memory of 620 2192 Lfoojj32.exe 46 PID 2192 wrote to memory of 620 2192 Lfoojj32.exe 46 PID 2192 wrote to memory of 620 2192 Lfoojj32.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\f3d06a3ac24e0e8894782cdb64781cf867cd00da42b64d1f7cb8e5908470e66aN.exe"C:\Users\Admin\AppData\Local\Temp\f3d06a3ac24e0e8894782cdb64781cf867cd00da42b64d1f7cb8e5908470e66aN.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\SysWOW64\Khghgchk.exeC:\Windows\system32\Khghgchk.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Koaqcn32.exeC:\Windows\system32\Koaqcn32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Windows\SysWOW64\Kocmim32.exeC:\Windows\system32\Kocmim32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Kpdjaecc.exeC:\Windows\system32\Kpdjaecc.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\Kadfkhkf.exeC:\Windows\system32\Kadfkhkf.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Kjokokha.exeC:\Windows\system32\Kjokokha.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Kcgphp32.exeC:\Windows\system32\Kcgphp32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Klpdaf32.exeC:\Windows\system32\Klpdaf32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\SysWOW64\Lgehno32.exeC:\Windows\system32\Lgehno32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1144 -
C:\Windows\SysWOW64\Llbqfe32.exeC:\Windows\system32\Llbqfe32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1392 -
C:\Windows\SysWOW64\Lfkeokjp.exeC:\Windows\system32\Lfkeokjp.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1852 -
C:\Windows\SysWOW64\Locjhqpa.exeC:\Windows\system32\Locjhqpa.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\SysWOW64\Ldpbpgoh.exeC:\Windows\system32\Ldpbpgoh.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1316 -
C:\Windows\SysWOW64\Lkjjma32.exeC:\Windows\system32\Lkjjma32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Lfoojj32.exeC:\Windows\system32\Lfoojj32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Windows\SysWOW64\Lklgbadb.exeC:\Windows\system32\Lklgbadb.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:620 -
C:\Windows\SysWOW64\Mnmpdlac.exeC:\Windows\system32\Mnmpdlac.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2232 -
C:\Windows\SysWOW64\Mqklqhpg.exeC:\Windows\system32\Mqklqhpg.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1084 -
C:\Windows\SysWOW64\Mqnifg32.exeC:\Windows\system32\Mqnifg32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2848 -
C:\Windows\SysWOW64\Mdiefffn.exeC:\Windows\system32\Mdiefffn.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1824 -
C:\Windows\SysWOW64\Mjfnomde.exeC:\Windows\system32\Mjfnomde.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2556 -
C:\Windows\SysWOW64\Mmdjkhdh.exeC:\Windows\system32\Mmdjkhdh.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1756 -
C:\Windows\SysWOW64\Mmgfqh32.exeC:\Windows\system32\Mmgfqh32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2220 -
C:\Windows\SysWOW64\Mpebmc32.exeC:\Windows\system32\Mpebmc32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3008 -
C:\Windows\SysWOW64\Mklcadfn.exeC:\Windows\system32\Mklcadfn.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2268 -
C:\Windows\SysWOW64\Mcckcbgp.exeC:\Windows\system32\Mcckcbgp.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1444 -
C:\Windows\SysWOW64\Nedhjj32.exeC:\Windows\system32\Nedhjj32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2732 -
C:\Windows\SysWOW64\Npjlhcmd.exeC:\Windows\system32\Npjlhcmd.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:572 -
C:\Windows\SysWOW64\Ngealejo.exeC:\Windows\system32\Ngealejo.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2644 -
C:\Windows\SysWOW64\Nplimbka.exeC:\Windows\system32\Nplimbka.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2616 -
C:\Windows\SysWOW64\Nlcibc32.exeC:\Windows\system32\Nlcibc32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2660 -
C:\Windows\SysWOW64\Nbmaon32.exeC:\Windows\system32\Nbmaon32.exe33⤵
- Executes dropped EXE
PID:1448 -
C:\Windows\SysWOW64\Ncnngfna.exeC:\Windows\system32\Ncnngfna.exe34⤵
- Executes dropped EXE
PID:1716 -
C:\Windows\SysWOW64\Nenkqi32.exeC:\Windows\system32\Nenkqi32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:1688 -
C:\Windows\SysWOW64\Njjcip32.exeC:\Windows\system32\Njjcip32.exe36⤵
- Executes dropped EXE
PID:1192 -
C:\Windows\SysWOW64\Oadkej32.exeC:\Windows\system32\Oadkej32.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2512 -
C:\Windows\SysWOW64\Ohncbdbd.exeC:\Windows\system32\Ohncbdbd.exe38⤵
- Executes dropped EXE
PID:268 -
C:\Windows\SysWOW64\Omklkkpl.exeC:\Windows\system32\Omklkkpl.exe39⤵
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\Opihgfop.exeC:\Windows\system32\Opihgfop.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:2704 -
C:\Windows\SysWOW64\Odgamdef.exeC:\Windows\system32\Odgamdef.exe41⤵
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\Objaha32.exeC:\Windows\system32\Objaha32.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1080 -
C:\Windows\SysWOW64\Olbfagca.exeC:\Windows\system32\Olbfagca.exe43⤵
- Executes dropped EXE
PID:956 -
C:\Windows\SysWOW64\Obmnna32.exeC:\Windows\system32\Obmnna32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:700 -
C:\Windows\SysWOW64\Oiffkkbk.exeC:\Windows\system32\Oiffkkbk.exe45⤵
- Executes dropped EXE
PID:948 -
C:\Windows\SysWOW64\Obokcqhk.exeC:\Windows\system32\Obokcqhk.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1536 -
C:\Windows\SysWOW64\Piicpk32.exeC:\Windows\system32\Piicpk32.exe47⤵
- Executes dropped EXE
PID:884 -
C:\Windows\SysWOW64\Plgolf32.exeC:\Windows\system32\Plgolf32.exe48⤵
- Executes dropped EXE
PID:2424 -
C:\Windows\SysWOW64\Pepcelel.exeC:\Windows\system32\Pepcelel.exe49⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Pljlbf32.exeC:\Windows\system32\Pljlbf32.exe50⤵
- Executes dropped EXE
PID:2100 -
C:\Windows\SysWOW64\Pmkhjncg.exeC:\Windows\system32\Pmkhjncg.exe51⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Phqmgg32.exeC:\Windows\system32\Phqmgg32.exe52⤵
- Executes dropped EXE
PID:2632 -
C:\Windows\SysWOW64\Pkoicb32.exeC:\Windows\system32\Pkoicb32.exe53⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Pmmeon32.exeC:\Windows\system32\Pmmeon32.exe54⤵
- Executes dropped EXE
PID:996 -
C:\Windows\SysWOW64\Paiaplin.exeC:\Windows\system32\Paiaplin.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1036 -
C:\Windows\SysWOW64\Phcilf32.exeC:\Windows\system32\Phcilf32.exe56⤵
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Pkaehb32.exeC:\Windows\system32\Pkaehb32.exe57⤵
- Executes dropped EXE
PID:1620 -
C:\Windows\SysWOW64\Pidfdofi.exeC:\Windows\system32\Pidfdofi.exe58⤵
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Paknelgk.exeC:\Windows\system32\Paknelgk.exe59⤵
- Executes dropped EXE
PID:1104 -
C:\Windows\SysWOW64\Ppnnai32.exeC:\Windows\system32\Ppnnai32.exe60⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Pcljmdmj.exeC:\Windows\system32\Pcljmdmj.exe61⤵
- Executes dropped EXE
PID:2028 -
C:\Windows\SysWOW64\Pkcbnanl.exeC:\Windows\system32\Pkcbnanl.exe62⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Pifbjn32.exeC:\Windows\system32\Pifbjn32.exe63⤵
- Executes dropped EXE
PID:1364 -
C:\Windows\SysWOW64\Qppkfhlc.exeC:\Windows\system32\Qppkfhlc.exe64⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Qcogbdkg.exeC:\Windows\system32\Qcogbdkg.exe65⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Qkfocaki.exeC:\Windows\system32\Qkfocaki.exe66⤵PID:2896
-
C:\Windows\SysWOW64\Qndkpmkm.exeC:\Windows\system32\Qndkpmkm.exe67⤵PID:2792
-
C:\Windows\SysWOW64\Qlgkki32.exeC:\Windows\system32\Qlgkki32.exe68⤵PID:2968
-
C:\Windows\SysWOW64\Qpbglhjq.exeC:\Windows\system32\Qpbglhjq.exe69⤵PID:2872
-
C:\Windows\SysWOW64\Qcachc32.exeC:\Windows\system32\Qcachc32.exe70⤵PID:2608
-
C:\Windows\SysWOW64\Qjklenpa.exeC:\Windows\system32\Qjklenpa.exe71⤵PID:592
-
C:\Windows\SysWOW64\Qnghel32.exeC:\Windows\system32\Qnghel32.exe72⤵PID:1512
-
C:\Windows\SysWOW64\Alihaioe.exeC:\Windows\system32\Alihaioe.exe73⤵
- System Location Discovery: System Language Discovery
PID:1856 -
C:\Windows\SysWOW64\Aohdmdoh.exeC:\Windows\system32\Aohdmdoh.exe74⤵PID:2384
-
C:\Windows\SysWOW64\Ajmijmnn.exeC:\Windows\system32\Ajmijmnn.exe75⤵
- Modifies registry class
PID:1332 -
C:\Windows\SysWOW64\Ahpifj32.exeC:\Windows\system32\Ahpifj32.exe76⤵
- System Location Discovery: System Language Discovery
PID:1776 -
C:\Windows\SysWOW64\Apgagg32.exeC:\Windows\system32\Apgagg32.exe77⤵
- System Location Discovery: System Language Discovery
PID:2944 -
C:\Windows\SysWOW64\Acfmcc32.exeC:\Windows\system32\Acfmcc32.exe78⤵PID:2472
-
C:\Windows\SysWOW64\Afdiondb.exeC:\Windows\system32\Afdiondb.exe79⤵PID:1724
-
C:\Windows\SysWOW64\Ahbekjcf.exeC:\Windows\system32\Ahbekjcf.exe80⤵
- Modifies registry class
PID:1636 -
C:\Windows\SysWOW64\Achjibcl.exeC:\Windows\system32\Achjibcl.exe81⤵PID:1016
-
C:\Windows\SysWOW64\Aakjdo32.exeC:\Windows\system32\Aakjdo32.exe82⤵PID:1580
-
C:\Windows\SysWOW64\Adifpk32.exeC:\Windows\system32\Adifpk32.exe83⤵
- System Location Discovery: System Language Discovery
PID:2892 -
C:\Windows\SysWOW64\Alqnah32.exeC:\Windows\system32\Alqnah32.exe84⤵
- Modifies registry class
PID:2864 -
C:\Windows\SysWOW64\Aoojnc32.exeC:\Windows\system32\Aoojnc32.exe85⤵PID:2672
-
C:\Windows\SysWOW64\Abmgjo32.exeC:\Windows\system32\Abmgjo32.exe86⤵PID:1268
-
C:\Windows\SysWOW64\Aficjnpm.exeC:\Windows\system32\Aficjnpm.exe87⤵PID:1256
-
C:\Windows\SysWOW64\Ahgofi32.exeC:\Windows\system32\Ahgofi32.exe88⤵PID:1648
-
C:\Windows\SysWOW64\Akfkbd32.exeC:\Windows\system32\Akfkbd32.exe89⤵PID:1492
-
C:\Windows\SysWOW64\Andgop32.exeC:\Windows\system32\Andgop32.exe90⤵PID:2292
-
C:\Windows\SysWOW64\Abpcooea.exeC:\Windows\system32\Abpcooea.exe91⤵PID:2116
-
C:\Windows\SysWOW64\Adnpkjde.exeC:\Windows\system32\Adnpkjde.exe92⤵PID:1996
-
C:\Windows\SysWOW64\Bhjlli32.exeC:\Windows\system32\Bhjlli32.exe93⤵PID:892
-
C:\Windows\SysWOW64\Bjkhdacm.exeC:\Windows\system32\Bjkhdacm.exe94⤵PID:2520
-
C:\Windows\SysWOW64\Bqeqqk32.exeC:\Windows\system32\Bqeqqk32.exe95⤵PID:2836
-
C:\Windows\SysWOW64\Bccmmf32.exeC:\Windows\system32\Bccmmf32.exe96⤵
- Drops file in System32 directory
PID:2912 -
C:\Windows\SysWOW64\Bkjdndjo.exeC:\Windows\system32\Bkjdndjo.exe97⤵PID:2612
-
C:\Windows\SysWOW64\Bjmeiq32.exeC:\Windows\system32\Bjmeiq32.exe98⤵PID:1248
-
C:\Windows\SysWOW64\Bmlael32.exeC:\Windows\system32\Bmlael32.exe99⤵PID:2092
-
C:\Windows\SysWOW64\Bdcifi32.exeC:\Windows\system32\Bdcifi32.exe100⤵PID:1528
-
C:\Windows\SysWOW64\Bjpaop32.exeC:\Windows\system32\Bjpaop32.exe101⤵PID:2852
-
C:\Windows\SysWOW64\Boljgg32.exeC:\Windows\system32\Boljgg32.exe102⤵PID:1344
-
C:\Windows\SysWOW64\Bgcbhd32.exeC:\Windows\system32\Bgcbhd32.exe103⤵PID:2320
-
C:\Windows\SysWOW64\Bmpkqklh.exeC:\Windows\system32\Bmpkqklh.exe104⤵PID:332
-
C:\Windows\SysWOW64\Bcjcme32.exeC:\Windows\system32\Bcjcme32.exe105⤵PID:2344
-
C:\Windows\SysWOW64\Bfioia32.exeC:\Windows\system32\Bfioia32.exe106⤵PID:344
-
C:\Windows\SysWOW64\Bmbgfkje.exeC:\Windows\system32\Bmbgfkje.exe107⤵PID:2744
-
C:\Windows\SysWOW64\Ccmpce32.exeC:\Windows\system32\Ccmpce32.exe108⤵PID:2688
-
C:\Windows\SysWOW64\Ciihklpj.exeC:\Windows\system32\Ciihklpj.exe109⤵PID:272
-
C:\Windows\SysWOW64\Cbblda32.exeC:\Windows\system32\Cbblda32.exe110⤵PID:1816
-
C:\Windows\SysWOW64\Cepipm32.exeC:\Windows\system32\Cepipm32.exe111⤵PID:1700
-
C:\Windows\SysWOW64\Cnimiblo.exeC:\Windows\system32\Cnimiblo.exe112⤵PID:1820
-
C:\Windows\SysWOW64\Cagienkb.exeC:\Windows\system32\Cagienkb.exe113⤵
- Modifies registry class
PID:2708 -
C:\Windows\SysWOW64\Cgaaah32.exeC:\Windows\system32\Cgaaah32.exe114⤵PID:1932
-
C:\Windows\SysWOW64\Cjonncab.exeC:\Windows\system32\Cjonncab.exe115⤵PID:676
-
C:\Windows\SysWOW64\Cchbgi32.exeC:\Windows\system32\Cchbgi32.exe116⤵
- System Location Discovery: System Language Discovery
PID:1888 -
C:\Windows\SysWOW64\Clojhf32.exeC:\Windows\system32\Clojhf32.exe117⤵PID:936
-
C:\Windows\SysWOW64\Ccjoli32.exeC:\Windows\system32\Ccjoli32.exe118⤵PID:2440
-
C:\Windows\SysWOW64\Cgfkmgnj.exeC:\Windows\system32\Cgfkmgnj.exe119⤵PID:2756
-
C:\Windows\SysWOW64\Dnpciaef.exeC:\Windows\system32\Dnpciaef.exe120⤵
- Modifies registry class
PID:2736 -
C:\Windows\SysWOW64\Danpemej.exeC:\Windows\system32\Danpemej.exe121⤵PID:2600
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-