Analysis
max time kernel: 16s
max time network: 17s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 23-10-2024 11:07
Static task: static1
Behavioral task: behavioral1
Sample: bb9ebb3a11e1a1e87c5e9c300480b111cdc30ae9940a52523b5abada55bf387bN.exe
Resource: win7-20240729-en
Behavioral task: behavioral2
Sample: bb9ebb3a11e1a1e87c5e9c300480b111cdc30ae9940a52523b5abada55bf387bN.exe
Resource: win10v2004-20241007-en
General
Target: bb9ebb3a11e1a1e87c5e9c300480b111cdc30ae9940a52523b5abada55bf387bN.exe
Size: 96KB
MD5: 122982857e4c3ffdbf638d82bd5de3f0
SHA1: d4c04b10ac7281bbce44e57ff156486180266cdc
SHA256: bb9ebb3a11e1a1e87c5e9c300480b111cdc30ae9940a52523b5abada55bf387b
SHA512: e3ebb69f8ef15d9f3f0a47137bb70b8849f5f3af1fa5053cc41fcfdcc26aae896f59552f5ac810d80d88a97f308de79a6367e56919af3d1ac6f3dbea9e6b0650
SSDEEP: 1536:9Xfbo7B9H4xVIJyvASoeYcen7n2MI2Ln7RZObZUUWaegPYA:Jf4B9YxVIAvASoJfn7nRnClUUWae
Malware Config
Extracted: berbew
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
Detect BruteRatel badger 1 IoCs
Resource: behavioral1/files/0x000400000001dbab-2381.dat
YARA rule: family_bruteratel
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
Process: WerFault.exe (pid 4464), pid_target 4444, procid_target 366
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppfhfkhm.dll" Meeopdhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Opjlkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcpnob32.dll" Pkfiaqgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Papank32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgacaaij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieileaop.dll" Hmkiobge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlcbociq.dll" Jnpoie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkjlbg32.dll" Klonqpbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cmfnjnin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Madfkk32.dll" Elejqm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljbkig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = 
"C:\\Windows\\SysWow64\\Inceepmo.dll" Aehmoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddliklgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Epipql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hddpfjgq.dll" Noifmmec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odanqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcfbimjl.dll" Pofomolo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjppmlhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anndbnao.exe -
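The events above all touch one key: the InProcServer32 subkey of CLSID {79FEACFF-FFCE-815E-A900-316290B5B738} under Wow6432Node, whose default value is the DLL COM loads in-process for that class and whose ThreadingModel is set to Apartment. Each newly dropped executable in the chain points that default value at its own freshly dropped SysWOW64 DLL, which is the loader half of the "Adds autorun key to be loaded by Explorer.exe on startup" signature. The following Python is an added example, not part of the sandbox report: it parses event lines in exactly the format shown, groups them by CLSID, and flags a CLSID whose InProcServer32 default is pointed at several different SysWOW64 DLLs during one run. The five sample lines are copied from the list above; the regexes, the summary layout and the hijack heuristic are this example's own assumptions.

```python
"""Parse sandbox registry events and summarise CLSID InProcServer32 rewrites."""
import re
from collections import defaultdict

# Constructed sample input: five events copied verbatim from the IoC list above.
SAMPLE_EVENTS = r'''
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Miiaogio.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pqjhjf32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnjfjm32.dll" Pgogla32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmjoacao.dll" Nokcbm32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jogneifn.dll" Gmipko32.exe
'''.strip().splitlines()

# Row formats as the report prints them (assumption: one event per line, process name last).
KEY_CREATED = re.compile(r'^Key created (?P<path>\\REGISTRY\\\S+) (?P<proc>\S+)$')
SET_VALUE = re.compile(
    r'^Set value \((?P<vtype>\w+)\) (?P<path>\\REGISTRY\\\S+) = "(?P<value>.*)" (?P<proc>\S+)$')
CLSID_RE = re.compile(r'\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}')


def parse_event(line):
    """Return a dict for one event line, or None for headers and other non-event text."""
    m = KEY_CREATED.match(line)
    if m:
        return {"op": "create", "path": m["path"], "name": None, "value": None, "proc": m["proc"]}
    m = SET_VALUE.match(line)
    if m:
        key, _, name = m["path"].rpartition("\\")       # trailing '\' means the (Default) value
        return {"op": "set", "path": key, "name": name or "(Default)",
                "value": m["value"].replace("\\\\", "\\"),  # report doubles backslashes
                "proc": m["proc"]}
    return None


def summarize(lines):
    """Group events by CLSID: DLLs written to InProcServer32, threading model, writer processes."""
    out = defaultdict(lambda: {"dlls": [], "threading_model": None, "writers": set()})
    for line in lines:
        ev = parse_event(line)
        if not ev:
            continue
        m = CLSID_RE.search(ev["path"])
        if not m:
            continue
        entry = out[m.group(0).upper()]
        entry["writers"].add(ev["proc"])
        if ev["op"] == "set" and ev["path"].lower().endswith("\\inprocserver32"):
            if ev["name"] == "(Default)" and ev["value"] not in entry["dlls"]:
                entry["dlls"].append(ev["value"])
            elif ev["name"].lower() == "threadingmodel":
                entry["threading_model"] = ev["value"]
    return dict(out)


def flag_inprocserver_hijacks(summary, min_dlls=2):
    """Heuristic (this example's own): a CLSID whose in-process server is re-pointed at
    several different SysWOW64 DLLs within one run is being used as a loader slot."""
    hits = []
    for clsid, info in summary.items():
        sysw = [d for d in info["dlls"] if "\\syswow64\\" in d.lower()]
        if len(sysw) >= min_dlls:
            hits.append((clsid, sysw))
    return hits


if __name__ == "__main__":
    for clsid, dlls in flag_inprocserver_hijacks(summarize(SAMPLE_EVENTS)):
        print(clsid, "->", ", ".join(dlls))
```

Feed it the whole IoC list instead of the five sample lines and the summary also yields the full set of DLL names to sweep for on other hosts; on a live system the same check is one registry read of the CLSID's InProcServer32 default value.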
Suspicious use of WriteProcessMemory 64 IoCs
Processes: bb9ebb3a11e1a1e87c5e9c300480b111cdc30ae9940a52523b5abada55bf387bN.exe, Bebfpm32.exe, Bllomg32.exe, Bjoohdbd.exe, Bhbpahan.exe, Bmohjooe.exe, Bhelghol.exe, Cfhlbe32.exe, Cppakj32.exe, Chgimh32.exe, Cpbnaj32.exe, Cdnjaibm.exe, Cmfnjnin.exe, Cdqfgh32.exe, Cimooo32.exe, Cllkkk32.exe
description | pid | Process | procid_target | times logged
PID 2508 wrote to memory of 2696 | 2508 | bb9ebb3a11e1a1e87c5e9c300480b111cdc30ae9940a52523b5abada55bf387bN.exe | 30 | 4
PID 2696 wrote to memory of 2844 | 2696 | Bebfpm32.exe | 31 | 4
PID 2844 wrote to memory of 2280 | 2844 | Bllomg32.exe | 32 | 4
PID 2280 wrote to memory of 2920 | 2280 | Bjoohdbd.exe | 33 | 4
PID 2920 wrote to memory of 2608 | 2920 | Bhbpahan.exe | 34 | 4
PID 2608 wrote to memory of 3052 | 2608 | Bmohjooe.exe | 35 | 4
PID 3052 wrote to memory of 1680 | 3052 | Bhelghol.exe | 36 | 4
PID 1680 wrote to memory of 1432 | 1680 | Cfhlbe32.exe | 37 | 4
PID 1432 wrote to memory of 2932 | 1432 | Cppakj32.exe | 38 | 4
PID 2932 wrote to memory of 1976 | 2932 | Chgimh32.exe | 39 | 4
PID 1976 wrote to memory of 2260 | 1976 | Cpbnaj32.exe | 40 | 4
PID 2260 wrote to memory of 1064 | 2260 | Cdnjaibm.exe | 41 | 4
PID 1064 wrote to memory of 592 | 1064 | Cmfnjnin.exe | 42 | 4
PID 592 wrote to memory of 2392 | 592 | Cdqfgh32.exe | 43 | 4
PID 2392 wrote to memory of 2204 | 2392 | Cimooo32.exe | 44 | 4
PID 2204 wrote to memory of 2192 | 2204 | Cllkkk32.exe | 45 | 4
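Every row in that table is a parent writing into the one child it just created, and each parent/child pair is logged four times; what distinguishes this run from ordinary process creation is not the writes themselves but the relay they trace: sixteen randomly named executables, each spawning exactly one successor. The following Python is an added example, not part of the sandbox report: it parses rows in the format above, collapses the repeated rows into one edge per pair while keeping the count, rebuilds the tree from the root, and reports whether the tree is a straight single-child chain. The twelve sample rows are copied from the table (three edges, four rows each); the parsing, tree layout and linearity check are this example's own assumptions.

```python
"""Rebuild the process chain from sandbox 'wrote to memory' rows."""
import re
from collections import Counter, defaultdict

# Constructed sample input: the first three edges of the table above, four rows each.
SAMPLE_WRITES = """
PID 2508 wrote to memory of 2696 2508 bb9ebb3a11e1a1e87c5e9c300480b111cdc30ae9940a52523b5abada55bf387bN.exe 30
PID 2508 wrote to memory of 2696 2508 bb9ebb3a11e1a1e87c5e9c300480b111cdc30ae9940a52523b5abada55bf387bN.exe 30
PID 2508 wrote to memory of 2696 2508 bb9ebb3a11e1a1e87c5e9c300480b111cdc30ae9940a52523b5abada55bf387bN.exe 30
PID 2508 wrote to memory of 2696 2508 bb9ebb3a11e1a1e87c5e9c300480b111cdc30ae9940a52523b5abada55bf387bN.exe 30
PID 2696 wrote to memory of 2844 2696 Bebfpm32.exe 31
PID 2696 wrote to memory of 2844 2696 Bebfpm32.exe 31
PID 2696 wrote to memory of 2844 2696 Bebfpm32.exe 31
PID 2696 wrote to memory of 2844 2696 Bebfpm32.exe 31
PID 2844 wrote to memory of 2280 2844 Bllomg32.exe 32
PID 2844 wrote to memory of 2280 2844 Bllomg32.exe 32
PID 2844 wrote to memory of 2280 2844 Bllomg32.exe 32
PID 2844 wrote to memory of 2280 2844 Bllomg32.exe 32
""".strip().splitlines()

# Row format as printed: description, source pid, source image, sandbox procid of the target.
WRITE_RE = re.compile(
    r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P<pid>\d+) (?P<proc>\S+) (?P<target>\d+)$')


def parse_writes(lines):
    """Return one dict per matching row; headers and blank lines are skipped."""
    events = []
    for line in lines:
        m = WRITE_RE.match(line.strip())
        if m:
            events.append({"src": int(m["src"]), "dst": int(m["dst"]),
                           "proc": m["proc"], "target": int(m["target"])})
    return events


def build_tree(events):
    """Collapse repeated rows into one edge per (src, dst) and remember how often it was logged."""
    names, children, writes = {}, defaultdict(list), Counter()
    for ev in events:
        names[ev["src"]] = ev["proc"]
        if ev["dst"] not in children[ev["src"]]:
            children[ev["src"]].append(ev["dst"])
        writes[(ev["src"], ev["dst"])] += 1
    return {"names": names, "children": dict(children), "writes": dict(writes)}


def roots(tree):
    """PIDs that write to others but are never written to: the origin(s) of the chain."""
    targets = {d for kids in tree["children"].values() for d in kids}
    return [p for p in tree["children"] if p not in targets]


def walk(tree, pid, depth=0):
    """Depth-first walk yielding (depth, pid, image). A leaf's name is unknown from these
    rows alone, because a process is named only when it appears as a writer."""
    yield depth, pid, tree["names"].get(pid, "<unknown>")
    for kid in tree["children"].get(pid, []):
        yield from walk(tree, kid, depth + 1)


def chain_summary(lines):
    """Root, depth, ordered nodes, whether every process has at most one child, and the
    distinct per-edge write counts (a uniform count is what routine process creation leaves)."""
    tree = build_tree(parse_writes(lines))
    r = roots(tree)
    nodes = list(walk(tree, r[0])) if r else []
    return {
        "root": r[0] if r else None,
        "depth": max((d for d, _, _ in nodes), default=0),
        "nodes": nodes,
        "linear": bool(nodes) and all(len(tree["children"].get(p, [])) <= 1 for _, p, _ in nodes),
        "writes_per_edge": sorted(set(tree["writes"].values())),
    }


if __name__ == "__main__":
    s = chain_summary(SAMPLE_WRITES)
    for depth, pid, name in s["nodes"]:
        print("  " * depth + f"{name} (PID {pid})")
    print("linear chain:", s["linear"], "depth:", s["depth"], "writes per edge:", s["writes_per_edge"])
```

Run over the full 64-row table the chain is 16 edges deep with four writes on every edge; a parent that wrote to a child it did not create, or an edge with a write count out of line with the rest, would be the row worth pulling for injection analysis.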
Processes
-
One line per process: chain position, image path (PID): signatures. Every dropped executable was launched with the command line C:\Windows\system32\<name>.exe but its image is C:\Windows\SysWOW64\<name>.exe; the samples are 32-bit, so on this x64 host WOW64 file-system redirection maps their system32 accesses onto SysWOW64 and both paths name the same file. Each process is the child of the one above it.

1. C:\Users\Admin\AppData\Local\Temp\bb9ebb3a11e1a1e87c5e9c300480b111cdc30ae9940a52523b5abada55bf387bN.exe, command line "C:\Users\Admin\AppData\Local\Temp\bb9ebb3a11e1a1e87c5e9c300480b111cdc30ae9940a52523b5abada55bf387bN.exe" (PID 2508): Adds autorun key to be loaded by Explorer.exe on startup; Loads dropped DLL; Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Bebfpm32.exe (PID 2696): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Bllomg32.exe (PID 2844): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Bjoohdbd.exe (PID 2280): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Bhbpahan.exe (PID 2920): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Bmohjooe.exe (PID 2608): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Bhelghol.exe (PID 3052): Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Cfhlbe32.exe (PID 1680): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Cppakj32.exe (PID 1432): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Chgimh32.exe (PID 2932): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Cpbnaj32.exe (PID 1976): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Cdnjaibm.exe (PID 2260): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Cmfnjnin.exe (PID 1064): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Cdqfgh32.exe (PID 592): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Cimooo32.exe (PID 2392): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Cllkkk32.exe (PID 2204): Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Cojghf32.exe (PID 2192): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
18. C:\Windows\SysWOW64\Cgaoic32.exe (PID 1084): Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
19. C:\Windows\SysWOW64\Cpidai32.exe (PID 1760): Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
20. C:\Windows\SysWOW64\Dchpnd32.exe (PID 1356): Executes dropped EXE; Loads dropped DLL
21. C:\Windows\SysWOW64\Dakpiajj.exe (PID 1652): Executes dropped EXE; Loads dropped DLL
22. C:\Windows\SysWOW64\Dibhjokm.exe (PID 2224): Executes dropped EXE; Loads dropped DLL
23. C:\Windows\SysWOW64\Dkcebg32.exe (PID 1696): Executes dropped EXE; Loads dropped DLL
24. C:\Windows\SysWOW64\Dcjmcd32.exe (PID 2032): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
25. C:\Windows\SysWOW64\Ddliklgk.exe (PID 1888): Executes dropped EXE; Loads dropped DLL; Modifies registry class
26. C:\Windows\SysWOW64\Dlbaljhn.exe (PID 3020): Executes dropped EXE; Loads dropped DLL
27. C:\Windows\SysWOW64\Dkeahf32.exe (PID 2748): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
28. C:\Windows\SysWOW64\Dekeeonn.exe (PID 2612): Executes dropped EXE; Loads dropped DLL
29. C:\Windows\SysWOW64\Ddnfql32.exe (PID 2064): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
30. C:\Windows\SysWOW64\Dkhnmfle.exe (PID 2908): Executes dropped EXE; Loads dropped DLL; Modifies registry class
31. C:\Windows\SysWOW64\Ddpbfl32.exe (PID 2600): Executes dropped EXE; Loads dropped DLL; Modifies registry class
32. C:\Windows\SysWOW64\Dgoobg32.exe (PID 2616): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
33. C:\Windows\SysWOW64\Dadcppbp.exe (PID 2108): Executes dropped EXE
34. C:\Windows\SysWOW64\Ddbolkac.exe (PID 2568): Executes dropped EXE
35. C:\Windows\SysWOW64\Dgalhgpg.exe (PID 2148): Executes dropped EXE; System Location Discovery: System Language Discovery
36. C:\Windows\SysWOW64\Enkdda32.exe (PID 2992): Executes dropped EXE; Drops file in System32 directory
37. C:\Windows\SysWOW64\Epipql32.exe (PID 2904): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Modifies registry class
38. C:\Windows\SysWOW64\Ejadibmh.exe (PID 2084): Executes dropped EXE; System Location Discovery: System Language Discovery
39. C:\Windows\SysWOW64\Efhenccl.exe (PID 496): Executes dropped EXE
40. C:\Windows\SysWOW64\Ehgaknbp.exe (PID 2228): Executes dropped EXE
41. C:\Windows\SysWOW64\Ebofcd32.exe (PID 2396): Executes dropped EXE
42. C:\Windows\SysWOW64\Efkbdbai.exe (PID 2200): Executes dropped EXE
43. C:\Windows\SysWOW64\Elejqm32.exe (PID 1804): Executes dropped EXE; Modifies registry class
44. C:\Windows\SysWOW64\Eocfmh32.exe (PID 2040): Executes dropped EXE; System Location Discovery: System Language Discovery
45. C:\Windows\SysWOW64\Edpoeoea.exe (PID 400): Executes dropped EXE
46. C:\Windows\SysWOW64\Ehlkfn32.exe (PID 1528): Executes dropped EXE
47. C:\Windows\SysWOW64\Ekjgbi32.exe (PID 264): Executes dropped EXE
48. C:\Windows\SysWOW64\Ebdoocdk.exe (PID 2068): Executes dropped EXE; Drops file in System32 directory
49. C:\Windows\SysWOW64\Ffpkob32.exe (PID 1108): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
50. C:\Windows\SysWOW64\Fdblkoco.exe (PID 2124): Executes dropped EXE; Drops file in System32 directory
51. C:\Windows\SysWOW64\Fhngkm32.exe (PID 1968): Executes dropped EXE
52. C:\Windows\SysWOW64\Fgqhgjbb.exe (PID 1992): Executes dropped EXE
53. C:\Windows\SysWOW64\Fohphgce.exe (PID 2172): Executes dropped EXE
54. C:\Windows\SysWOW64\Fnkpcd32.exe (PID 2788): Executes dropped EXE; Drops file in System32 directory
55. C:\Windows\SysWOW64\Fbfldc32.exe (PID 1440): Executes dropped EXE
56. C:\Windows\SysWOW64\Fipdqmje.exe (PID 2024): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
57. C:\Windows\SysWOW64\Fjaqhe32.exe (PID 2700): Executes dropped EXE
58. C:\Windows\SysWOW64\Fqkieogp.exe (PID 996): Executes dropped EXE
59. C:\Windows\SysWOW64\Fgeabi32.exe (PID 2916): Executes dropped EXE
60. C:\Windows\SysWOW64\Fkambhgf.exe (PID 2952): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
61. C:\Windows\SysWOW64\Fjdnne32.exe (PID 2420): Executes dropped EXE
62. C:\Windows\SysWOW64\Fqnfkoen.exe (PID 2560): Executes dropped EXE; Modifies registry class
63. C:\Windows\SysWOW64\Feiaknmg.exe (PID 2308): Executes dropped EXE
64. C:\Windows\SysWOW64\Fghngimj.exe (PID 768): Executes dropped EXE
65. C:\Windows\SysWOW64\Ffkncf32.exe (PID 1008): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
66. C:\Windows\SysWOW64\Fnafdc32.exe (PID 1504): no signatures
67. C:\Windows\SysWOW64\Fqpbpo32.exe (PID 1384): System Location Discovery: System Language Discovery
68. C:\Windows\SysWOW64\Fcoolj32.exe (PID 2524): System Location Discovery: System Language Discovery
69. C:\Windows\SysWOW64\Ffmkhe32.exe (PID 2532): Modifies registry class
70. C:\Windows\SysWOW64\Fikgda32.exe (PID 2088): Adds autorun key to be loaded by Explorer.exe on startup; System Location Discovery: System Language Discovery
71. C:\Windows\SysWOW64\Fmgcepio.exe (PID 1416): System Location Discovery: System Language Discovery
72. C:\Windows\SysWOW64\Gabofn32.exe (PID 1480): Drops file in System32 directory; Modifies registry class
73. C:\Windows\SysWOW64\Gcakbjpl.exe (PID 2776): no signatures
74. C:\Windows\SysWOW64\Gfogneop.exe (PID 2056): no signatures
75. C:\Windows\SysWOW64\Gjkcod32.exe (PID 2580): Adds autorun key to be loaded by Explorer.exe on startup
76. C:\Windows\SysWOW64\Gmipko32.exe (PID 1904): Modifies registry class
77. C:\Windows\SysWOW64\Gphlgk32.exe (PID 2164): no signatures
78. C:\Windows\SysWOW64\Gbfhcf32.exe (PID 1200): no signatures
79. C:\Windows\SysWOW64\Geddoa32.exe (PID 1972): Adds autorun key to be loaded by Explorer.exe on startup
80. C:\Windows\SysWOW64\Gipqpplq.exe (PID 1596): no signatures
81. C:\Windows\SysWOW64\Glomllkd.exe (PID 628): System Location Discovery: System Language Discovery
82. C:\Windows\SysWOW64\Gnmihgkh.exe (PID 2572): no signatures
83. C:\Windows\SysWOW64\Gbheif32.exe (PID 1636): no signatures
84. C:\Windows\SysWOW64\Gegaeabe.exe (PID 2360): no signatures
85. C:\Windows\SysWOW64\Glaiak32.exe (PID 2960): no signatures
86. C:\Windows\SysWOW64\Gbkaneao.exe (PID 2712): Drops file in System32 directory
87. C:\Windows\SysWOW64\Ganbjb32.exe (PID 2896): no signatures
88. C:\Windows\SysWOW64\Giejkp32.exe (PID 1672): Drops file in System32 directory
89. C:\Windows\SysWOW64\Glcfgk32.exe (PID 2620): no signatures
90. C:\Windows\SysWOW64\Gjffbhnj.exe (PID 2240): no signatures
91. C:\Windows\SysWOW64\Gbmoceol.exe (PID 3056): System Location Discovery: System Language Discovery; Modifies registry class
92. C:\Windows\SysWOW64\Gekkpqnp.exe (PID 2708): Drops file in System32 directory
93. C:\Windows\SysWOW64\Gdnkkmej.exe (PID 2244): no signatures
94. C:\Windows\SysWOW64\Hlecmkel.exe (PID 2380): no signatures
95. C:\Windows\SysWOW64\Hjhchg32.exe (PID 1280): System Location Discovery: System Language Discovery
96. C:\Windows\SysWOW64\Hmgodc32.exe (PID 2504): System Location Discovery: System Language Discovery
97. C:\Windows\SysWOW64\Habkeacd.exe (PID 448): Drops file in System32 directory; Modifies registry class
98. C:\Windows\SysWOW64\Hdqhambg.exe (PID 2092): no signatures
99. C:\Windows\SysWOW64\Hjkpng32.exe (PID 1748): Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
100. C:\Windows\SysWOW64\Hmiljb32.exe (PID 864): no signatures
101. C:\Windows\SysWOW64\Hpghfn32.exe (PID 2984): no signatures
102. C:\Windows\SysWOW64\Hdcdfmqe.exe (PID 2640): no signatures
103. C:\Windows\SysWOW64\Hfaqbh32.exe (PID 1984): Drops file in System32 directory
104. C:\Windows\SysWOW64\Hipmoc32.exe (PID 536): no signatures
105. C:\Windows\SysWOW64\Hmkiobge.exe (PID 2644): Modifies registry class
106. C:\Windows\SysWOW64\Hpjeknfi.exe (PID 2072): no signatures
107. C:\Windows\SysWOW64\Hdeall32.exe (PID 2248): Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
108. C:\Windows\SysWOW64\Hfdmhh32.exe (PID 2964): Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
109. C:\Windows\SysWOW64\Hibidc32.exe (PID 1704): Adds autorun key to be loaded by Explorer.exe on startup
110. C:\Windows\SysWOW64\Hlqfqo32.exe (PID 1796): Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory; System Location Discovery: System Language Discovery
111. C:\Windows\SysWOW64\Hplbamdf.exe (PID 1716): Adds autorun key to be loaded by Explorer.exe on startup
112. C:\Windows\SysWOW64\Hbknmicj.exe (PID 1692): no signatures
113. C:\Windows\SysWOW64\Heijidbn.exe (PID 2768): System Location Discovery: System Language Discovery
114. C:\Windows\SysWOW64\Hmpbja32.exe (PID 1156): Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
115. C:\Windows\SysWOW64\Ioaobjin.exe (PID 828): System Location Discovery: System Language Discovery
116. C:\Windows\SysWOW64\Ibmkbh32.exe (PID 1708): System Location Discovery: System Language Discovery
117. C:\Windows\SysWOW64\Iekgod32.exe (PID 1788): no signatures
118. C:\Windows\SysWOW64\Iigcobid.exe (PID 2384): Drops file in System32 directory
119. C:\Windows\SysWOW64\Ileoknhh.exe (PID 2488): no signatures
120. C:\Windows\SysWOW64\Iockhigl.exe (PID 2008): no signatures
121. C:\Windows\SysWOW64\Iboghh32.exe (PID 608): Modifies registry class
122. C:\Windows\SysWOW64\Iencdc32.exe (PID 352): no signatures