Analysis
max time kernel: 20s
max time network: 16s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 22-10-2024 16:53

Static task: static1

Behavioral task: behavioral1
Sample: 1f4ca768d47b9e0b9da048cadd8b64cdc6d067fbd5e996c723381fa595c6524cN.exe
Resource: win7-20240708-en

Behavioral task: behavioral2
Sample: 1f4ca768d47b9e0b9da048cadd8b64cdc6d067fbd5e996c723381fa595c6524cN.exe
Resource: win10v2004-20241007-en
General
Target: 1f4ca768d47b9e0b9da048cadd8b64cdc6d067fbd5e996c723381fa595c6524cN.exe
Size: 96KB
MD5: fa876328c5f363f7241c0615ca1fb7f0
SHA1: 21625552bb52a1cb8546a7e227c63d89aa8c4246
SHA256: 1f4ca768d47b9e0b9da048cadd8b64cdc6d067fbd5e996c723381fa595c6524c
SHA512: 942b48f1985ff6d849b95ead8dc1c9819be7ee590b3acecea215ce78e759ce8cf6918e32cc07f405a495e743bfafef50b0f25a0ab17a53683c2ab1d4ef47463d
SSDEEP: 1536:Cfajobr9+rZ4MwbFa22Lk7RZObZUUWaegPYA:G5SZjMqkClUUWae
Malware Config
Extracted family: berbew
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Brute Ratel C4: a customized command and control framework for red teaming and adversary simulation.
Detect BruteRatel badger (2 IoCs)
resource: behavioral1/files/0x000400000001d051-1533.dat, yara_rule: family_bruteratel
resource: behavioral1/files/0x000400000001ea31-3669.dat, yara_rule: family_bruteratel
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
Process: WerFault.exe, pid: 6236, pid_target: 7120, procid_target: 699
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jhdegn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nflchkii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emoldlmc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gcgqgd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ekfpmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajngeelc.dll" Fdekgjno.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfcodkcb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Each process below is spawned by the one above it (the number is its depth in the process tree). Each entry gives the executable path, the command line, the PID, and the signatures that fired for that process.
1. C:\Users\Admin\AppData\Local\Temp\1f4ca768d47b9e0b9da048cadd8b64cdc6d067fbd5e996c723381fa595c6524cN.exe (cmd: "C:\Users\Admin\AppData\Local\Temp\1f4ca768d47b9e0b9da048cadd8b64cdc6d067fbd5e996c723381fa595c6524cN.exe", PID 2968): Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Akfkbd32.exe (cmd: C:\Windows\system32\Akfkbd32.exe, PID 2188): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Andgop32.exe (cmd: C:\Windows\system32\Andgop32.exe, PID 2320): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Bhjlli32.exe (cmd: C:\Windows\system32\Bhjlli32.exe, PID 2204): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Bgllgedi.exe (cmd: C:\Windows\system32\Bgllgedi.exe, PID 2756): Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Bccmmf32.exe (cmd: C:\Windows\system32\Bccmmf32.exe, PID 2904): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Bjmeiq32.exe (cmd: C:\Windows\system32\Bjmeiq32.exe, PID 2688): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Bmlael32.exe (cmd: C:\Windows\system32\Bmlael32.exe, PID 2568): Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Bceibfgj.exe (cmd: C:\Windows\system32\Bceibfgj.exe, PID 2980): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Bfdenafn.exe (cmd: C:\Windows\system32\Bfdenafn.exe, PID 1844): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Bnknoogp.exe (cmd: C:\Windows\system32\Bnknoogp.exe, PID 1308): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Boljgg32.exe (cmd: C:\Windows\system32\Boljgg32.exe, PID 2032): Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Modifies registry class; Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Bjbndpmd.exe (cmd: C:\Windows\system32\Bjbndpmd.exe, PID 2440): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Bmpkqklh.exe (cmd: C:\Windows\system32\Bmpkqklh.exe, PID 2612): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Boogmgkl.exe (cmd: C:\Windows\system32\Boogmgkl.exe, PID 2852): Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Bcjcme32.exe (cmd: C:\Windows\system32\Bcjcme32.exe, PID 2380): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Bbmcibjp.exe (cmd: C:\Windows\system32\Bbmcibjp.exe, PID 2372): Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
18. C:\Windows\SysWOW64\Bmbgfkje.exe (cmd: C:\Windows\system32\Bmbgfkje.exe, PID 2300): Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
19. C:\Windows\SysWOW64\Bkegah32.exe (cmd: C:\Windows\system32\Bkegah32.exe, PID 2212): Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
20. C:\Windows\SysWOW64\Coacbfii.exe (cmd: C:\Windows\system32\Coacbfii.exe, PID 1748): Executes dropped EXE; Loads dropped DLL
21. C:\Windows\SysWOW64\Cfkloq32.exe (cmd: C:\Windows\system32\Cfkloq32.exe, PID 1652): Executes dropped EXE; Loads dropped DLL
22. C:\Windows\SysWOW64\Cenljmgq.exe (cmd: C:\Windows\system32\Cenljmgq.exe, PID 2376): Executes dropped EXE; Loads dropped DLL
23. C:\Windows\SysWOW64\Ckhdggom.exe (cmd: C:\Windows\system32\Ckhdggom.exe, PID 1472): Executes dropped EXE; Loads dropped DLL
24. C:\Windows\SysWOW64\Cocphf32.exe (cmd: C:\Windows\system32\Cocphf32.exe, PID 1784): Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
25. C:\Windows\SysWOW64\Cbblda32.exe (cmd: C:\Windows\system32\Cbblda32.exe, PID 2052): Executes dropped EXE; Loads dropped DLL
26. C:\Windows\SysWOW64\Cfmhdpnc.exe (cmd: C:\Windows\system32\Cfmhdpnc.exe, PID 1324): Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
27. C:\Windows\SysWOW64\Cileqlmg.exe (cmd: C:\Windows\system32\Cileqlmg.exe, PID 2892): Executes dropped EXE; Loads dropped DLL
28. C:\Windows\SysWOW64\Cpfmmf32.exe (cmd: C:\Windows\system32\Cpfmmf32.exe, PID 1528): Executes dropped EXE; Loads dropped DLL
29. C:\Windows\SysWOW64\Cebeem32.exe (cmd: C:\Windows\system32\Cebeem32.exe, PID 800): Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
30. C:\Windows\SysWOW64\Cinafkkd.exe (cmd: C:\Windows\system32\Cinafkkd.exe, PID 2780): Executes dropped EXE; Loads dropped DLL
31. C:\Windows\SysWOW64\Caifjn32.exe (cmd: C:\Windows\system32\Caifjn32.exe, PID 2096): Executes dropped EXE; Loads dropped DLL; Modifies registry class
32. C:\Windows\SysWOW64\Ceebklai.exe (cmd: C:\Windows\system32\Ceebklai.exe, PID 3012): Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
33. C:\Windows\SysWOW64\Cjakccop.exe (cmd: C:\Windows\system32\Cjakccop.exe, PID 2564): Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies registry class
34. C:\Windows\SysWOW64\Cnmfdb32.exe (cmd: C:\Windows\system32\Cnmfdb32.exe, PID 2984): Executes dropped EXE
35. C:\Windows\SysWOW64\Calcpm32.exe (cmd: C:\Windows\system32\Calcpm32.exe, PID 1040): Executes dropped EXE
36. C:\Windows\SysWOW64\Cegoqlof.exe (cmd: C:\Windows\system32\Cegoqlof.exe, PID 1444): Executes dropped EXE; Modifies registry class
37. C:\Windows\SysWOW64\Cgfkmgnj.exe (cmd: C:\Windows\system32\Cgfkmgnj.exe, PID 1648): Executes dropped EXE
38. C:\Windows\SysWOW64\Dmbcen32.exe (cmd: C:\Windows\system32\Dmbcen32.exe, PID 1368): Executes dropped EXE
39. C:\Windows\SysWOW64\Dcllbhdn.exe (cmd: C:\Windows\system32\Dcllbhdn.exe, PID 1436): Executes dropped EXE
40. C:\Windows\SysWOW64\Dhhhbg32.exe (cmd: C:\Windows\system32\Dhhhbg32.exe, PID 3000): Executes dropped EXE; Modifies registry class
41. C:\Windows\SysWOW64\Dmepkn32.exe (cmd: C:\Windows\system32\Dmepkn32.exe, PID 556): Executes dropped EXE
42. C:\Windows\SysWOW64\Dpcmgi32.exe (cmd: C:\Windows\system32\Dpcmgi32.exe, PID 2416): Executes dropped EXE
43. C:\Windows\SysWOW64\Djiqdb32.exe (cmd: C:\Windows\system32\Djiqdb32.exe, PID 408): Executes dropped EXE
44. C:\Windows\SysWOW64\Dmgmpnhl.exe (cmd: C:\Windows\system32\Dmgmpnhl.exe, PID 1716): Executes dropped EXE
45. C:\Windows\SysWOW64\Dljmlj32.exe (cmd: C:\Windows\system32\Dljmlj32.exe, PID 1320): Executes dropped EXE
46. C:\Windows\SysWOW64\Ddaemh32.exe (cmd: C:\Windows\system32\Ddaemh32.exe, PID 1008): Executes dropped EXE; Drops file in System32 directory; Modifies registry class
47. C:\Windows\SysWOW64\Dmijfmfi.exe (cmd: C:\Windows\system32\Dmijfmfi.exe, PID 3048): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
48. C:\Windows\SysWOW64\Dlljaj32.exe (cmd: C:\Windows\system32\Dlljaj32.exe, PID 2156): Executes dropped EXE
49. C:\Windows\SysWOW64\Dokfme32.exe (cmd: C:\Windows\system32\Dokfme32.exe, PID 2436): Executes dropped EXE
50. C:\Windows\SysWOW64\Deenjpcd.exe (cmd: C:\Windows\system32\Deenjpcd.exe, PID 2460): Executes dropped EXE
51. C:\Windows\SysWOW64\Dipjkn32.exe (cmd: C:\Windows\system32\Dipjkn32.exe, PID 2744): Executes dropped EXE; Modifies registry class
52. C:\Windows\SysWOW64\Dlofgj32.exe (cmd: C:\Windows\system32\Dlofgj32.exe, PID 2276): Executes dropped EXE
53. C:\Windows\SysWOW64\Domccejd.exe (cmd: C:\Windows\system32\Domccejd.exe, PID 2660): Executes dropped EXE
54. C:\Windows\SysWOW64\Eakooqih.exe (cmd: C:\Windows\system32\Eakooqih.exe, PID 2676): Executes dropped EXE
55. C:\Windows\SysWOW64\Eegkpo32.exe (cmd: C:\Windows\system32\Eegkpo32.exe, PID 2576): Executes dropped EXE
56. C:\Windows\SysWOW64\Eheglk32.exe (cmd: C:\Windows\system32\Eheglk32.exe, PID 2604): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
57. C:\Windows\SysWOW64\Elacliin.exe (cmd: C:\Windows\system32\Elacliin.exe, PID 2672): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
58. C:\Windows\SysWOW64\Eopphehb.exe (cmd: C:\Windows\system32\Eopphehb.exe, PID 2988): Executes dropped EXE
59. C:\Windows\SysWOW64\Ebklic32.exe (cmd: C:\Windows\system32\Ebklic32.exe, PID 1360): Executes dropped EXE
60. C:\Windows\SysWOW64\Edlhqlfi.exe (cmd: C:\Windows\system32\Edlhqlfi.exe, PID 2028): Executes dropped EXE
61. C:\Windows\SysWOW64\Ekfpmf32.exe (cmd: C:\Windows\system32\Ekfpmf32.exe, PID 1512): Executes dropped EXE; Modifies registry class
62. C:\Windows\SysWOW64\Emdmjamj.exe (cmd: C:\Windows\system32\Emdmjamj.exe, PID 2864): Executes dropped EXE
63. C:\Windows\SysWOW64\Eaphjp32.exe (cmd: C:\Windows\system32\Eaphjp32.exe, PID 2104): Executes dropped EXE
64. C:\Windows\SysWOW64\Edoefl32.exe (cmd: C:\Windows\system32\Edoefl32.exe, PID 2932): Executes dropped EXE
65. C:\Windows\SysWOW64\Egmabg32.exe (cmd: C:\Windows\system32\Egmabg32.exe, PID 1604): Executes dropped EXE
66. C:\Windows\SysWOW64\Ekhmcelc.exe (cmd: C:\Windows\system32\Ekhmcelc.exe, PID 1972): Adds autorun key to be loaded by Explorer.exe on startup
67. C:\Windows\SysWOW64\Eodicd32.exe (cmd: C:\Windows\system32\Eodicd32.exe, PID 1704)
68. C:\Windows\SysWOW64\Eabepp32.exe (cmd: C:\Windows\system32\Eabepp32.exe, PID 2468)
69. C:\Windows\SysWOW64\Ehlmljkm.exe (cmd: C:\Windows\system32\Ehlmljkm.exe, PID 2112)
70. C:\Windows\SysWOW64\Einjdb32.exe (cmd: C:\Windows\system32\Einjdb32.exe, PID 1864): System Location Discovery: System Language Discovery
71. C:\Windows\SysWOW64\Emifeqid.exe (cmd: C:\Windows\system32\Emifeqid.exe, PID 3036)
72. C:\Windows\SysWOW64\Ephbal32.exe (cmd: C:\Windows\system32\Ephbal32.exe, PID 2908)
73. C:\Windows\SysWOW64\Edcnakpa.exe (cmd: C:\Windows\system32\Edcnakpa.exe, PID 1200)
74. C:\Windows\SysWOW64\Egajnfoe.exe (cmd: C:\Windows\system32\Egajnfoe.exe, PID 2592)
75. C:\Windows\SysWOW64\Ekmfne32.exe (cmd: C:\Windows\system32\Ekmfne32.exe, PID 652): System Location Discovery: System Language Discovery
76. C:\Windows\SysWOW64\Fmlbjq32.exe (cmd: C:\Windows\system32\Fmlbjq32.exe, PID 1088): Adds autorun key to be loaded by Explorer.exe on startup
77. C:\Windows\SysWOW64\Flocfmnl.exe (cmd: C:\Windows\system32\Flocfmnl.exe, PID 2356)
78. C:\Windows\SysWOW64\Fdekgjno.exe (cmd: C:\Windows\system32\Fdekgjno.exe, PID 468): Modifies registry class
79. C:\Windows\SysWOW64\Fchkbg32.exe (cmd: C:\Windows\system32\Fchkbg32.exe, PID 2176)
80. C:\Windows\SysWOW64\Feggob32.exe (cmd: C:\Windows\system32\Feggob32.exe, PID 316)
81. C:\Windows\SysWOW64\Fmnopp32.exe (cmd: C:\Windows\system32\Fmnopp32.exe, PID 2856): Modifies registry class
82. C:\Windows\SysWOW64\Flapkmlj.exe (cmd: C:\Windows\system32\Flapkmlj.exe, PID 804): System Location Discovery: System Language Discovery
83. C:\Windows\SysWOW64\Foolgh32.exe (cmd: C:\Windows\system32\Foolgh32.exe, PID 940)
84. C:\Windows\SysWOW64\Fgfdie32.exe (cmd: C:\Windows\system32\Fgfdie32.exe, PID 1852)
85. C:\Windows\SysWOW64\Feiddbbj.exe (cmd: C:\Windows\system32\Feiddbbj.exe, PID 2148)
86. C:\Windows\SysWOW64\Fiepea32.exe (cmd: C:\Windows\system32\Fiepea32.exe, PID 1428): Drops file in System32 directory
87. C:\Windows\SysWOW64\Flclam32.exe (cmd: C:\Windows\system32\Flclam32.exe, PID 2972)
88. C:\Windows\SysWOW64\Fpohakbp.exe (cmd: C:\Windows\system32\Fpohakbp.exe, PID 2812)
89. C:\Windows\SysWOW64\Fcmdnfad.exe (cmd: C:\Windows\system32\Fcmdnfad.exe, PID 2712)
90. C:\Windows\SysWOW64\Fapeic32.exe (cmd: C:\Windows\system32\Fapeic32.exe, PID 2616)
91. C:\Windows\SysWOW64\Felajbpg.exe (cmd: C:\Windows\system32\Felajbpg.exe, PID 1076)
92. C:\Windows\SysWOW64\Figmjq32.exe (cmd: C:\Windows\system32\Figmjq32.exe, PID 2008)
93. C:\Windows\SysWOW64\Fhjmfnok.exe (cmd: C:\Windows\system32\Fhjmfnok.exe, PID 1980): Adds autorun key to be loaded by Explorer.exe on startup
94. C:\Windows\SysWOW64\Fkhibino.exe (cmd: C:\Windows\system32\Fkhibino.exe, PID 2736)
95. C:\Windows\SysWOW64\Fcpacf32.exe (cmd: C:\Windows\system32\Fcpacf32.exe, PID 688)
96. C:\Windows\SysWOW64\Fennoa32.exe (cmd: C:\Windows\system32\Fennoa32.exe, PID 972): System Location Discovery: System Language Discovery
97. C:\Windows\SysWOW64\Fhljkm32.exe (cmd: C:\Windows\system32\Fhljkm32.exe, PID 2332): System Location Discovery: System Language Discovery; Modifies registry class
98. C:\Windows\SysWOW64\Fkkfgi32.exe (cmd: C:\Windows\system32\Fkkfgi32.exe, PID 1672)
99. C:\Windows\SysWOW64\Fofbhgde.exe (cmd: C:\Windows\system32\Fofbhgde.exe, PID 2752)
100. C:\Windows\SysWOW64\Fadndbci.exe (cmd: C:\Windows\system32\Fadndbci.exe, PID 2344): Drops file in System32 directory; Modifies registry class
101. C:\Windows\SysWOW64\Fepjea32.exe (cmd: C:\Windows\system32\Fepjea32.exe, PID 2656): System Location Discovery: System Language Discovery
102. C:\Windows\SysWOW64\Ghofam32.exe (cmd: C:\Windows\system32\Ghofam32.exe, PID 596)
103. C:\Windows\SysWOW64\Gkmbmh32.exe (cmd: C:\Windows\system32\Gkmbmh32.exe, PID 1660)
104. C:\Windows\SysWOW64\Goiongbc.exe (cmd: C:\Windows\system32\Goiongbc.exe, PID 112): Modifies registry class
105. C:\Windows\SysWOW64\Gnkoid32.exe (cmd: C:\Windows\system32\Gnkoid32.exe, PID 1976)
106. C:\Windows\SysWOW64\Gpjkeoha.exe (cmd: C:\Windows\system32\Gpjkeoha.exe, PID 2412)
107. C:\Windows\SysWOW64\Gdegfn32.exe (cmd: C:\Windows\system32\Gdegfn32.exe, PID 780)
108. C:\Windows\SysWOW64\Ggdcbi32.exe (cmd: C:\Windows\system32\Ggdcbi32.exe, PID 1684)
109. C:\Windows\SysWOW64\Gkoobhhg.exe (cmd: C:\Windows\system32\Gkoobhhg.exe, PID 1464)
110. C:\Windows\SysWOW64\Gnnlocgk.exe (cmd: C:\Windows\system32\Gnnlocgk.exe, PID 284)
111. C:\Windows\SysWOW64\Gqlhkofn.exe (cmd: C:\Windows\system32\Gqlhkofn.exe, PID 2680)
112. C:\Windows\SysWOW64\Gdhdkn32.exe (cmd: C:\Windows\system32\Gdhdkn32.exe, PID 2824)
113. C:\Windows\SysWOW64\Ggfpgi32.exe (cmd: C:\Windows\system32\Ggfpgi32.exe, PID 3032)
114. C:\Windows\SysWOW64\Gkalhgfd.exe (cmd: C:\Windows\system32\Gkalhgfd.exe, PID 1064): System Location Discovery: System Language Discovery
115. C:\Windows\SysWOW64\Gnphdceh.exe (cmd: C:\Windows\system32\Gnphdceh.exe, PID 1880)
116. C:\Windows\SysWOW64\Glchpp32.exe (cmd: C:\Windows\system32\Glchpp32.exe, PID 1692): Drops file in System32 directory
117. C:\Windows\SysWOW64\Gqodqodl.exe (cmd: C:\Windows\system32\Gqodqodl.exe, PID 2392)
118. C:\Windows\SysWOW64\Gghmmilh.exe (cmd: C:\Windows\system32\Gghmmilh.exe, PID 824)
119. C:\Windows\SysWOW64\Gfkmie32.exe (cmd: C:\Windows\system32\Gfkmie32.exe, PID 2244)
120. C:\Windows\SysWOW64\Gnbejb32.exe (cmd: C:\Windows\system32\Gnbejb32.exe, PID 1904)
121. C:\Windows\SysWOW64\Gmeeepjp.exe (cmd: C:\Windows\system32\Gmeeepjp.exe, PID 2388)
122. C:\Windows\SysWOW64\Gqaafn32.exe (cmd: C:\Windows\system32\Gqaafn32.exe, PID 2684)