Analysis
-
max time kernel
119s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
26-10-2024 04:42
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ee7ccf2def1c1ff187f6bfd684fddeb8802d5f979640008475a5f27616784118.exe
Resource
win7-20240903-en
windows7-x64
13 signatures
150 seconds
Behavioral task
behavioral2
Sample
ee7ccf2def1c1ff187f6bfd684fddeb8802d5f979640008475a5f27616784118.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
ee7ccf2def1c1ff187f6bfd684fddeb8802d5f979640008475a5f27616784118.exe
-
Size
96KB
-
MD5
d8054809d8fbdd647ec9fc65ccd34796
-
SHA1
c0eff18c26d67ff6d3d0e13e3c21ca77f4d7ba39
-
SHA256
ee7ccf2def1c1ff187f6bfd684fddeb8802d5f979640008475a5f27616784118
-
SHA512
d1294f5ff59fdda12b70872f360eabff6a777bbe8a58df16419d96331a90e68fb94983c782aebb4295c5a1d6d026442984c30233a28f4624e80fd524246e686d
-
SSDEEP
1536:PBtc/GmhYa8j34e2rUY1bdSoQpAXi9r589Q3aBH2LD7RZObZUUWaegPYA:PBgG28jR2rn1PIAyg+3aBsDClUUWae
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Lfbbjpgd.exeLqhfhigj.exeCmhglq32.exePkoicb32.exeKkgahoel.exeNefdpjkl.exeBkegah32.exeFigmjq32.exeFjegog32.exeBmhkmm32.exeOadkej32.exePkaehb32.exeIfgicg32.exeCbdgqimc.exeDogpdg32.exeLjddjj32.exeKindeddf.exePlolgk32.exeHgbfnngi.exeOidiekdn.exeAdifpk32.exeFnipkkdl.exeOagoep32.exeAmohfo32.exeDmhdkdlg.exeIpeaco32.exeAlnalh32.exeKdhcli32.exeNbpeoc32.exePcbncfjd.exeCnnnnh32.exePaiaplin.exeEgonhf32.exeGljpncgc.exeEejopecj.exeGjicfk32.exeKohnoc32.exeMiehak32.exeBiolanld.exeMmicfh32.exeDgeaoinb.exeEaeipfei.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfbbjpgd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqhfhigj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmhglq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkoicb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkgahoel.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nefdpjkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkegah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Figmjq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjegog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmhkmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oadkej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkaehb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifgicg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbdgqimc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dogpdg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljddjj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kindeddf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plolgk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgbfnngi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oidiekdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adifpk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnipkkdl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oagoep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amohfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmhdkdlg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipeaco32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alnalh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdhcli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbpeoc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcbncfjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnnnnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Paiaplin.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egonhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gljpncgc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eejopecj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjicfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kohnoc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Miehak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Biolanld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmicfh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paiaplin.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgeaoinb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eaeipfei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" -
Berbew family
-
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
-
Bruteratel family
-
Detect BruteRatel badger 6 IoCs
Processes:
resource yara_rule behavioral1/files/0x000400000001e394-3379.dat family_bruteratel behavioral1/files/0x00050000000201ab-3880.dat family_bruteratel behavioral1/files/0x00030000000213fb-9350.dat family_bruteratel behavioral1/files/0x00030000000213ff-9366.dat family_bruteratel behavioral1/files/0x0003000000021513-9814.dat family_bruteratel behavioral1/files/0x00030000000219bb-12067.dat family_bruteratel -
Executes dropped EXE 64 IoCs
Processes:
Agljom32.exeBnfblgca.exeBgnfdm32.exeBnhoag32.exeBpjkiogm.exeBgqcjlhp.exeBibpad32.exeBbjdjjdn.exeBidlgdlk.exeBbmapj32.exeBfhmqhkd.exeBmbemb32.exeBpqain32.exeCiifbchf.exeClgbno32.exeCbajkiof.exeCikbhc32.exeChnbcpmn.exeCohkpj32.exeCbdgqimc.exeCdecha32.exeChqoipkk.exeCkolek32.exeCojhejbh.exeCaidaeak.exeCdgpnqpo.exeComdkipe.exeCheido32.exeCkcepj32.exeDdliip32.exeDbojdmcd.exeDpcjnabn.exeDdnfop32.exeDmgkgeah.exeDljkcb32.exeDgoopkgh.exeDinklffl.exeDhplhc32.exeDojddmec.exeDcfpel32.exeDhbhmb32.exeDakmfh32.exeDegiggjm.exeEheecbia.exeElqaca32.exeEeielfhk.exeEdlfhc32.exeEgjbdo32.exeEapfagno.exeEpbfmd32.exeEhjona32.exeEkhkjm32.exeEjkkfjkj.exeEabcggll.exeEpecbd32.exeEdqocbkp.exeEgokonjc.exeEkjgpm32.exeEniclh32.exeElldgehk.exeEpgphcqd.exeEdclib32.exeEgahen32.exeEfdhpjok.exepid Process 2380 Agljom32.exe 2944 Bnfblgca.exe 2868 Bgnfdm32.exe 2096 Bnhoag32.exe 2904 Bpjkiogm.exe 2668 Bgqcjlhp.exe 2116 Bibpad32.exe 1848 Bbjdjjdn.exe 2208 Bidlgdlk.exe 2824 Bbmapj32.exe 2852 Bfhmqhkd.exe 1056 Bmbemb32.exe 2080 Bpqain32.exe 532 Ciifbchf.exe 2084 Clgbno32.exe 2056 Cbajkiof.exe 3068 Cikbhc32.exe 2324 Chnbcpmn.exe 2584 Cohkpj32.exe 2200 Cbdgqimc.exe 1184 Cdecha32.exe 900 Chqoipkk.exe 1520 Ckolek32.exe 2452 Cojhejbh.exe 2284 Caidaeak.exe 1776 Cdgpnqpo.exe 1296 Comdkipe.exe 2264 Cheido32.exe 2764 Ckcepj32.exe 1932 Ddliip32.exe 2036 Dbojdmcd.exe 2616 Dpcjnabn.exe 2152 Ddnfop32.exe 2984 Dmgkgeah.exe 2680 Dljkcb32.exe 3000 Dgoopkgh.exe 1556 Dinklffl.exe 1904 Dhplhc32.exe 844 Dojddmec.exe 780 Dcfpel32.exe 1624 Dhbhmb32.exe 1480 Dakmfh32.exe 1924 Degiggjm.exe 1608 Eheecbia.exe 1860 Elqaca32.exe 1852 Eeielfhk.exe 2336 Edlfhc32.exe 1816 Egjbdo32.exe 2856 Eapfagno.exe 1152 Epbfmd32.exe 1688 Ehjona32.exe 3048 Ekhkjm32.exe 2736 Ejkkfjkj.exe 2836 Eabcggll.exe 2892 Epecbd32.exe 1928 Edqocbkp.exe 1032 Egokonjc.exe 2244 Ekjgpm32.exe 2844 Eniclh32.exe 304 Elldgehk.exe 2132 Epgphcqd.exe 1100 Edclib32.exe 1068 Egahen32.exe 1920 Efdhpjok.exe -
Loads dropped DLL 64 IoCs
Processes:
ee7ccf2def1c1ff187f6bfd684fddeb8802d5f979640008475a5f27616784118.exeAgljom32.exeBnfblgca.exeBgnfdm32.exeBnhoag32.exeBpjkiogm.exeBgqcjlhp.exeBibpad32.exeBbjdjjdn.exeBidlgdlk.exeBbmapj32.exeBfhmqhkd.exeBmbemb32.exeBpqain32.exeCiifbchf.exeClgbno32.exeCbajkiof.exeCikbhc32.exeChnbcpmn.exeCohkpj32.exeCbdgqimc.exeCdecha32.exeChqoipkk.exeCkolek32.exeCojhejbh.exeCaidaeak.exeCdgpnqpo.exeComdkipe.exeCheido32.exeCkcepj32.exeDdliip32.exeDbojdmcd.exepid Process 2408 ee7ccf2def1c1ff187f6bfd684fddeb8802d5f979640008475a5f27616784118.exe 2408 ee7ccf2def1c1ff187f6bfd684fddeb8802d5f979640008475a5f27616784118.exe 2380 Agljom32.exe 2380 Agljom32.exe 2944 Bnfblgca.exe 2944 Bnfblgca.exe 2868 Bgnfdm32.exe 2868 Bgnfdm32.exe 2096 Bnhoag32.exe 2096 Bnhoag32.exe 2904 Bpjkiogm.exe 2904 Bpjkiogm.exe 2668 Bgqcjlhp.exe 2668 Bgqcjlhp.exe 2116 Bibpad32.exe 2116 Bibpad32.exe 1848 Bbjdjjdn.exe 1848 Bbjdjjdn.exe 2208 Bidlgdlk.exe 2208 Bidlgdlk.exe 2824 Bbmapj32.exe 2824 Bbmapj32.exe 2852 Bfhmqhkd.exe 2852 Bfhmqhkd.exe 1056 Bmbemb32.exe 1056 Bmbemb32.exe 2080 Bpqain32.exe 2080 Bpqain32.exe 532 Ciifbchf.exe 532 Ciifbchf.exe 2084 Clgbno32.exe 2084 Clgbno32.exe 2056 Cbajkiof.exe 2056 Cbajkiof.exe 3068 Cikbhc32.exe 3068 Cikbhc32.exe 2324 Chnbcpmn.exe 2324 Chnbcpmn.exe 2584 Cohkpj32.exe 2584 Cohkpj32.exe 2200 Cbdgqimc.exe 2200 Cbdgqimc.exe 1184 Cdecha32.exe 1184 Cdecha32.exe 900 Chqoipkk.exe 900 Chqoipkk.exe 1520 Ckolek32.exe 1520 Ckolek32.exe 2452 Cojhejbh.exe 2452 Cojhejbh.exe 2284 Caidaeak.exe 2284 Caidaeak.exe 1776 Cdgpnqpo.exe 1776 Cdgpnqpo.exe 1296 Comdkipe.exe 1296 Comdkipe.exe 2264 Cheido32.exe 2264 Cheido32.exe 2764 Ckcepj32.exe 2764 Ckcepj32.exe 1932 Ddliip32.exe 1932 Ddliip32.exe 2036 Dbojdmcd.exe 2036 Dbojdmcd.exe -
Drops file in System32 directory 64 IoCs
Processes:
Lbicoamh.exeLkicbk32.exeIinmfk32.exeDgeaoinb.exeFhdjgoha.exeHebnlb32.exeLoqmba32.exeMgjebg32.exeEnlidg32.exeHmkeke32.exeKofcbl32.exeDanpemej.exeEggndi32.exeGkbcbn32.exeIedfqeka.exePifbjn32.exeAdlcfjgh.exeKjleflod.exeNenakoho.exeHfpfdeon.exeKljdkpfl.exeKjihalag.exeLdoimh32.exeIllbhp32.exeElacliin.exeCmjdaqgi.exeOhiffh32.exeOhojmjep.exeCbdiia32.exeEheglk32.exeKindeddf.exeLnecigcp.exeImiigiab.exeJbefcm32.exeGnnlocgk.exeOdjdmjgo.exeMnaiol32.exeNbmaon32.exeKlfjpa32.exeIbkkjp32.exeLqcmmjko.exeBkjdndjo.exeEhmdgp32.exeJbjpom32.exeKkjnnn32.exeLcofio32.exeJajmjcoe.exeElqaca32.exedescription ioc Process File opened for modification C:\Windows\SysWOW64\Mfdopp32.exe Lbicoamh.exe File created C:\Windows\SysWOW64\Eiilephi.dll Lkicbk32.exe File opened for modification C:\Windows\SysWOW64\Imiigiab.exe Iinmfk32.exe File created C:\Windows\SysWOW64\Kkjpggkn.exe File opened for modification C:\Windows\SysWOW64\Dkqnoh32.exe Dgeaoinb.exe File created C:\Windows\SysWOW64\Fggkcl32.exe Fhdjgoha.exe File opened for modification C:\Windows\SysWOW64\Hgpjhn32.exe Hebnlb32.exe File created C:\Windows\SysWOW64\Mmmjebjg.dll Loqmba32.exe File created C:\Windows\SysWOW64\Iecbnqcj.dll File created C:\Windows\SysWOW64\Mpamde32.exe Mgjebg32.exe File opened for modification C:\Windows\SysWOW64\Eaheeecg.exe Enlidg32.exe File opened for modification C:\Windows\SysWOW64\Hqfaldbo.exe Hmkeke32.exe File created C:\Windows\SysWOW64\Aehlpleg.dll Kofcbl32.exe File created C:\Windows\SysWOW64\Fnpmhc32.dll Danpemej.exe File created C:\Windows\SysWOW64\Daaenlng.exe File created C:\Windows\SysWOW64\Foibdham.dll Eggndi32.exe File created C:\Windows\SysWOW64\Mkaohl32.dll Gkbcbn32.exe File created C:\Windows\SysWOW64\Apgahbgk.dll Iedfqeka.exe File created C:\Windows\SysWOW64\Pleofj32.exe Pifbjn32.exe File opened for modification C:\Windows\SysWOW64\Ahgofi32.exe Adlcfjgh.exe File opened for modification C:\Windows\SysWOW64\Kljabgnh.exe Kjleflod.exe File created C:\Windows\SysWOW64\Nijnln32.exe Nenakoho.exe File created C:\Windows\SysWOW64\Qnhhline.dll Hfpfdeon.exe File created C:\Windows\SysWOW64\Koipglep.exe Kljdkpfl.exe File created C:\Windows\SysWOW64\Igbnok32.dll File created C:\Windows\SysWOW64\Ldpeabpb.dll Kjihalag.exe File created C:\Windows\SysWOW64\Jdbfnoac.dll Ldoimh32.exe File opened for modification C:\Windows\SysWOW64\Injndk32.exe Illbhp32.exe File created C:\Windows\SysWOW64\Ekdchf32.exe Elacliin.exe File created C:\Windows\SysWOW64\Fmdpgmhn.dll File created C:\Windows\SysWOW64\Clmdmm32.exe Cmjdaqgi.exe File opened for modification C:\Windows\SysWOW64\Opqoge32.exe Ohiffh32.exe File created C:\Windows\SysWOW64\Bqolji32.exe File created C:\Windows\SysWOW64\Miqnbfnp.dll File opened for modification C:\Windows\SysWOW64\Jedehaea.exe File opened for modification C:\Windows\SysWOW64\Opfbngfb.exe Ohojmjep.exe File created C:\Windows\SysWOW64\Cebeem32.exe Cbdiia32.exe File opened for modification C:\Windows\SysWOW64\Elacliin.exe Eheglk32.exe File created C:\Windows\SysWOW64\Fckkff32.dll Kindeddf.exe File opened for modification C:\Windows\SysWOW64\Lpcoeb32.exe Lnecigcp.exe File created C:\Windows\SysWOW64\Gcedad32.exe File created C:\Windows\SysWOW64\Cgohil32.dll Imiigiab.exe File created C:\Windows\SysWOW64\Hcenjk32.dll Jbefcm32.exe File created C:\Windows\SysWOW64\Gaihob32.exe Gnnlocgk.exe File opened for modification C:\Windows\SysWOW64\Ohdfqbio.exe File created C:\Windows\SysWOW64\Ckeqga32.exe File opened for modification C:\Windows\SysWOW64\Ogiaif32.exe Odjdmjgo.exe File opened for modification C:\Windows\SysWOW64\Mqpflg32.exe Mnaiol32.exe File created C:\Windows\SysWOW64\Napbjjom.exe Nbmaon32.exe File created C:\Windows\SysWOW64\Fmikim32.dll Klfjpa32.exe File created C:\Windows\SysWOW64\Bkknac32.exe File created C:\Windows\SysWOW64\Hembkl32.dll Ibkkjp32.exe File opened for modification C:\Windows\SysWOW64\Ldoimh32.exe Lqcmmjko.exe File created C:\Windows\SysWOW64\Hffhec32.dll File created C:\Windows\SysWOW64\Bniajoic.exe Bkjdndjo.exe File created C:\Windows\SysWOW64\Oejcpf32.exe File created C:\Windows\SysWOW64\Ldoimh32.exe Lqcmmjko.exe File opened for modification C:\Windows\SysWOW64\Eklqcl32.exe Ehmdgp32.exe File created C:\Windows\SysWOW64\Jehlkhig.exe Jbjpom32.exe File created C:\Windows\SysWOW64\Knhjjj32.exe Kkjnnn32.exe File created C:\Windows\SysWOW64\Lfmbek32.exe Lcofio32.exe File opened for modification C:\Windows\SysWOW64\Jpmmfp32.exe Jajmjcoe.exe File created C:\Windows\SysWOW64\Imldmnjj.dll File created C:\Windows\SysWOW64\Eeielfhk.exe Elqaca32.exe -
Program crash 1 IoCs
Processes:
pid pid_target Process procid_target 11436 11344 1405 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Nabopjmj.exeFplllkdc.exeKbmfgk32.exeGnmifk32.exeIinmfk32.exeLhelbh32.exePmgbao32.exeCbffoabe.exeDjdgic32.exeHkolakkb.exeCheido32.exeFfmkfifa.exeBjbeofpp.exeFhbnbpjc.exeLgmeid32.exeIdkpganf.exeQppkfhlc.exeBgoime32.exeBgqcjlhp.exeLpabpcdf.exeIjibng32.exeLdllgiek.exeBgffhkoj.exeHgbfnngi.exeBigkel32.exeCmhglq32.exeEacljf32.exeIimfld32.exeBnfddp32.exeEjkkfjkj.exeJkkija32.exeLbicoamh.exeAmfognic.exeKigndekn.exeMpopnejo.exeEaeipfei.exeIdicbbpi.exeOidiekdn.exeMjhjdm32.exeBkjdndjo.exeFhljkm32.exeKalipcmb.exeNijnln32.exeHmdhad32.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nabopjmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fplllkdc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbmfgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnmifk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iinmfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhelbh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmgbao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbffoabe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djdgic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkolakkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cheido32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffmkfifa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjbeofpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhbnbpjc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgmeid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idkpganf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qppkfhlc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgoime32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgqcjlhp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpabpcdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijibng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldllgiek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgffhkoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgbfnngi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bigkel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmhglq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eacljf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iimfld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnfddp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejkkfjkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkkija32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbicoamh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amfognic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kigndekn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpopnejo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eaeipfei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idicbbpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oidiekdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjhjdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkjdndjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhljkm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kalipcmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nijnln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmdhad32.exe -
Modifies registry class 64 IoCs
Processes:
Cbblda32.exeGdhdkn32.exeDinklffl.exeOlmcchlg.exeDmmmfc32.exeEppcmncq.exeBejfao32.exeJlnklcej.exeCikbhc32.exeLdoimh32.exeLcblan32.exeGeeemeif.exeObgkpb32.exeOmefkplm.exeComdkipe.exeIplnnd32.exeNbbbdcgi.exeQkffng32.exeCkcepj32.exeLqhfhigj.exeMdghaf32.exeChqoipkk.exeHbggif32.exeBkklhjnk.exeEabepp32.exeOabkom32.exeDmepkn32.exeImgnjb32.exeNjbdea32.exeIhniaa32.exeKijkje32.exeMiehak32.exeGoplilpf.exeKpicle32.exeAbegfa32.exeFkecij32.exeBqgmfkhg.exeHidcef32.exeLboiol32.exeCepipm32.exeFodebh32.exeJjpdmi32.exeDmojkc32.exeKgqocoin.exeKffldlne.exeLfmbek32.exeHcajhi32.exeJoiappkp.exeKhabghdl.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbblda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdhdkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eioigi32.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dinklffl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olmcchlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmmmfc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eppcmncq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dajjmhne.dll" Bejfao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnljlm32.dll" Jlnklcej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joqgkdem.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cikbhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbfnoac.dll" Ldoimh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lcblan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Geeemeif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgkenb32.dll" Obgkpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omefkplm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hngpchih.dll" Comdkipe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iplnnd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nbbbdcgi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qkffng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckcepj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lqhfhigj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mdghaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fppnga32.dll" Chqoipkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nakpkfka.dll" Hbggif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkklhjnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eabepp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhimbk32.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckcepj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oabkom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmepkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Imgnjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njbdea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gedjkeaj.dll" Ihniaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kijkje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjcijlpq.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpkadj32.dll" Miehak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Goplilpf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpicle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Palkkl32.dll" Abegfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcjdhh32.dll" Fkecij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bqgmfkhg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aebmjo32.dll" Hidcef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gigqol32.dll" Lboiol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cepipm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fodebh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dckqmd32.dll" Jjpdmi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmojkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Andpoahc.dll" Kgqocoin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kffldlne.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfmbek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hcajhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Joiappkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedohngn.dll" Khabghdl.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
ee7ccf2def1c1ff187f6bfd684fddeb8802d5f979640008475a5f27616784118.exeAgljom32.exeBnfblgca.exeBgnfdm32.exeBnhoag32.exeBpjkiogm.exeBgqcjlhp.exeBibpad32.exeBbjdjjdn.exeBidlgdlk.exeBbmapj32.exeBfhmqhkd.exeBmbemb32.exeBpqain32.exeCiifbchf.exeClgbno32.exedescription pid Process procid_target PID 2408 wrote to memory of 2380 2408 ee7ccf2def1c1ff187f6bfd684fddeb8802d5f979640008475a5f27616784118.exe 30 PID 2408 wrote to memory of 2380 2408 ee7ccf2def1c1ff187f6bfd684fddeb8802d5f979640008475a5f27616784118.exe 30 PID 2408 wrote to memory of 2380 2408 ee7ccf2def1c1ff187f6bfd684fddeb8802d5f979640008475a5f27616784118.exe 30 PID 2408 wrote to memory of 2380 2408 ee7ccf2def1c1ff187f6bfd684fddeb8802d5f979640008475a5f27616784118.exe 30 PID 2380 wrote to memory of 2944 2380 Agljom32.exe 31 PID 2380 wrote to memory of 2944 2380 Agljom32.exe 31 PID 2380 wrote to memory of 2944 2380 Agljom32.exe 31 PID 2380 wrote to memory of 2944 2380 Agljom32.exe 31 PID 2944 wrote to memory of 2868 2944 Bnfblgca.exe 32 PID 2944 wrote to memory of 2868 2944 Bnfblgca.exe 32 PID 2944 wrote to memory of 2868 2944 Bnfblgca.exe 32 PID 2944 wrote to memory of 2868 2944 Bnfblgca.exe 32 PID 2868 wrote to memory of 2096 2868 Bgnfdm32.exe 33 PID 2868 wrote to memory of 2096 2868 Bgnfdm32.exe 33 PID 2868 wrote to memory of 2096 2868 Bgnfdm32.exe 33 PID 2868 wrote to memory of 2096 2868 Bgnfdm32.exe 33 PID 2096 wrote to memory of 2904 2096 Bnhoag32.exe 34 PID 2096 wrote to memory of 2904 2096 Bnhoag32.exe 34 PID 2096 wrote to memory of 2904 2096 Bnhoag32.exe 34 PID 2096 wrote to memory of 2904 2096 Bnhoag32.exe 34 PID 2904 wrote to memory of 2668 2904 Bpjkiogm.exe 35 PID 2904 wrote to memory of 2668 2904 Bpjkiogm.exe 35 PID 2904 wrote to memory of 2668 2904 Bpjkiogm.exe 35 PID 2904 wrote to memory of 2668 2904 Bpjkiogm.exe 35 PID 2668 wrote to memory of 2116 2668 Bgqcjlhp.exe 36 PID 2668 wrote to memory of 2116 2668 Bgqcjlhp.exe 36 PID 2668 wrote to memory of 2116 2668 Bgqcjlhp.exe 36 PID 2668 wrote to memory of 2116 2668 Bgqcjlhp.exe 36 PID 2116 wrote to memory of 1848 2116 Bibpad32.exe 37 PID 2116 wrote to memory of 1848 2116 Bibpad32.exe 37 PID 2116 wrote to memory of 1848 2116 Bibpad32.exe 37 PID 2116 wrote to memory of 1848 2116 Bibpad32.exe 37 PID 1848 wrote to memory of 2208 1848 Bbjdjjdn.exe 38 PID 1848 wrote to memory of 2208 1848 Bbjdjjdn.exe 38 PID 1848 wrote to memory of 2208 1848 Bbjdjjdn.exe 38 PID 1848 wrote to memory of 2208 1848 Bbjdjjdn.exe 38 PID 2208 wrote to memory of 2824 2208 Bidlgdlk.exe 39 PID 2208 wrote to memory of 2824 2208 Bidlgdlk.exe 39 PID 2208 wrote to memory of 2824 2208 Bidlgdlk.exe 39 PID 2208 wrote to memory of 2824 2208 Bidlgdlk.exe 39 PID 2824 wrote to memory of 2852 2824 Bbmapj32.exe 40 PID 2824 wrote to memory of 2852 2824 Bbmapj32.exe 40 PID 2824 wrote to memory of 2852 2824 Bbmapj32.exe 40 PID 2824 wrote to memory of 2852 2824 Bbmapj32.exe 40 PID 2852 wrote to memory of 1056 2852 Bfhmqhkd.exe 41 PID 2852 wrote to memory of 1056 2852 Bfhmqhkd.exe 41 PID 2852 wrote to memory of 1056 2852 Bfhmqhkd.exe 41 PID 2852 wrote to memory of 1056 2852 Bfhmqhkd.exe 41 PID 1056 wrote to memory of 2080 1056 Bmbemb32.exe 42 PID 1056 wrote to memory of 2080 1056 Bmbemb32.exe 42 PID 1056 wrote to memory of 2080 1056 Bmbemb32.exe 42 PID 1056 wrote to memory of 2080 1056 Bmbemb32.exe 42 PID 2080 wrote to memory of 532 2080 Bpqain32.exe 43 PID 2080 wrote to memory of 532 2080 Bpqain32.exe 43 PID 2080 wrote to memory of 532 2080 Bpqain32.exe 43 PID 2080 wrote to memory of 532 2080 Bpqain32.exe 43 PID 532 wrote to memory of 2084 532 Ciifbchf.exe 44 PID 532 wrote to memory of 2084 532 Ciifbchf.exe 44 PID 532 wrote to memory of 2084 532 Ciifbchf.exe 44 PID 532 wrote to memory of 2084 532 Ciifbchf.exe 44 PID 2084 wrote to memory of 2056 2084 Clgbno32.exe 45 PID 2084 wrote to memory of 2056 2084 Clgbno32.exe 45 PID 2084 wrote to memory of 2056 2084 Clgbno32.exe 45 PID 2084 wrote to memory of 2056 2084 Clgbno32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\ee7ccf2def1c1ff187f6bfd684fddeb8802d5f979640008475a5f27616784118.exe"C:\Users\Admin\AppData\Local\Temp\ee7ccf2def1c1ff187f6bfd684fddeb8802d5f979640008475a5f27616784118.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\SysWOW64\Agljom32.exeC:\Windows\system32\Agljom32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\SysWOW64\Bnfblgca.exeC:\Windows\system32\Bnfblgca.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\Bgnfdm32.exeC:\Windows\system32\Bgnfdm32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Bnhoag32.exeC:\Windows\system32\Bnhoag32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Windows\SysWOW64\Bpjkiogm.exeC:\Windows\system32\Bpjkiogm.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\Bgqcjlhp.exeC:\Windows\system32\Bgqcjlhp.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Bibpad32.exeC:\Windows\system32\Bibpad32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Windows\SysWOW64\Bbjdjjdn.exeC:\Windows\system32\Bbjdjjdn.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1848 -
C:\Windows\SysWOW64\Bidlgdlk.exeC:\Windows\system32\Bidlgdlk.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\SysWOW64\Bbmapj32.exeC:\Windows\system32\Bbmapj32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\Bfhmqhkd.exeC:\Windows\system32\Bfhmqhkd.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\Bmbemb32.exeC:\Windows\system32\Bmbemb32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1056 -
C:\Windows\SysWOW64\Bpqain32.exeC:\Windows\system32\Bpqain32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Windows\SysWOW64\Ciifbchf.exeC:\Windows\system32\Ciifbchf.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:532 -
C:\Windows\SysWOW64\Clgbno32.exeC:\Windows\system32\Clgbno32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\SysWOW64\Cbajkiof.exeC:\Windows\system32\Cbajkiof.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2056 -
C:\Windows\SysWOW64\Cikbhc32.exeC:\Windows\system32\Cikbhc32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3068 -
C:\Windows\SysWOW64\Chnbcpmn.exeC:\Windows\system32\Chnbcpmn.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2324 -
C:\Windows\SysWOW64\Cohkpj32.exeC:\Windows\system32\Cohkpj32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2584 -
C:\Windows\SysWOW64\Cbdgqimc.exeC:\Windows\system32\Cbdgqimc.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2200 -
C:\Windows\SysWOW64\Cdecha32.exeC:\Windows\system32\Cdecha32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1184 -
C:\Windows\SysWOW64\Chqoipkk.exeC:\Windows\system32\Chqoipkk.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:900 -
C:\Windows\SysWOW64\Ckolek32.exeC:\Windows\system32\Ckolek32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1520 -
C:\Windows\SysWOW64\Cojhejbh.exeC:\Windows\system32\Cojhejbh.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2452 -
C:\Windows\SysWOW64\Caidaeak.exeC:\Windows\system32\Caidaeak.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2284 -
C:\Windows\SysWOW64\Cdgpnqpo.exeC:\Windows\system32\Cdgpnqpo.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1776 -
C:\Windows\SysWOW64\Comdkipe.exeC:\Windows\system32\Comdkipe.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1296 -
C:\Windows\SysWOW64\Cheido32.exeC:\Windows\system32\Cheido32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2264 -
C:\Windows\SysWOW64\Ckcepj32.exeC:\Windows\system32\Ckcepj32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2764 -
C:\Windows\SysWOW64\Ddliip32.exeC:\Windows\system32\Ddliip32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1932 -
C:\Windows\SysWOW64\Dbojdmcd.exeC:\Windows\system32\Dbojdmcd.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2036 -
C:\Windows\SysWOW64\Dpcjnabn.exeC:\Windows\system32\Dpcjnabn.exe33⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Ddnfop32.exeC:\Windows\system32\Ddnfop32.exe34⤵
- Executes dropped EXE
PID:2152 -
C:\Windows\SysWOW64\Dmgkgeah.exeC:\Windows\system32\Dmgkgeah.exe35⤵
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Dljkcb32.exeC:\Windows\system32\Dljkcb32.exe36⤵
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\Dgoopkgh.exeC:\Windows\system32\Dgoopkgh.exe37⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Dinklffl.exeC:\Windows\system32\Dinklffl.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:1556 -
C:\Windows\SysWOW64\Dhplhc32.exeC:\Windows\system32\Dhplhc32.exe39⤵
- Executes dropped EXE
PID:1904 -
C:\Windows\SysWOW64\Dojddmec.exeC:\Windows\system32\Dojddmec.exe40⤵
- Executes dropped EXE
PID:844 -
C:\Windows\SysWOW64\Dcfpel32.exeC:\Windows\system32\Dcfpel32.exe41⤵
- Executes dropped EXE
PID:780 -
C:\Windows\SysWOW64\Dhbhmb32.exeC:\Windows\system32\Dhbhmb32.exe42⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Dakmfh32.exeC:\Windows\system32\Dakmfh32.exe43⤵
- Executes dropped EXE
PID:1480 -
C:\Windows\SysWOW64\Degiggjm.exeC:\Windows\system32\Degiggjm.exe44⤵
- Executes dropped EXE
PID:1924 -
C:\Windows\SysWOW64\Eheecbia.exeC:\Windows\system32\Eheecbia.exe45⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Elqaca32.exeC:\Windows\system32\Elqaca32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1860 -
C:\Windows\SysWOW64\Eeielfhk.exeC:\Windows\system32\Eeielfhk.exe47⤵
- Executes dropped EXE
PID:1852 -
C:\Windows\SysWOW64\Edlfhc32.exeC:\Windows\system32\Edlfhc32.exe48⤵
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Egjbdo32.exeC:\Windows\system32\Egjbdo32.exe49⤵
- Executes dropped EXE
PID:1816 -
C:\Windows\SysWOW64\Eapfagno.exeC:\Windows\system32\Eapfagno.exe50⤵
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Epbfmd32.exeC:\Windows\system32\Epbfmd32.exe51⤵
- Executes dropped EXE
PID:1152 -
C:\Windows\SysWOW64\Ehjona32.exeC:\Windows\system32\Ehjona32.exe52⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Ekhkjm32.exeC:\Windows\system32\Ekhkjm32.exe53⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Ejkkfjkj.exeC:\Windows\system32\Ejkkfjkj.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2736 -
C:\Windows\SysWOW64\Eabcggll.exeC:\Windows\system32\Eabcggll.exe55⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Epecbd32.exeC:\Windows\system32\Epecbd32.exe56⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Edqocbkp.exeC:\Windows\system32\Edqocbkp.exe57⤵
- Executes dropped EXE
PID:1928 -
C:\Windows\SysWOW64\Egokonjc.exeC:\Windows\system32\Egokonjc.exe58⤵
- Executes dropped EXE
PID:1032 -
C:\Windows\SysWOW64\Ekjgpm32.exeC:\Windows\system32\Ekjgpm32.exe59⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Eniclh32.exeC:\Windows\system32\Eniclh32.exe60⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Elldgehk.exeC:\Windows\system32\Elldgehk.exe61⤵
- Executes dropped EXE
PID:304 -
C:\Windows\SysWOW64\Epgphcqd.exeC:\Windows\system32\Epgphcqd.exe62⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Edclib32.exeC:\Windows\system32\Edclib32.exe63⤵
- Executes dropped EXE
PID:1100 -
C:\Windows\SysWOW64\Egahen32.exeC:\Windows\system32\Egahen32.exe64⤵
- Executes dropped EXE
PID:1068 -
C:\Windows\SysWOW64\Efdhpjok.exeC:\Windows\system32\Efdhpjok.exe65⤵
- Executes dropped EXE
PID:1920 -
C:\Windows\SysWOW64\Enkpahon.exeC:\Windows\system32\Enkpahon.exe66⤵PID:2068
-
C:\Windows\SysWOW64\Eolmip32.exeC:\Windows\system32\Eolmip32.exe67⤵PID:880
-
C:\Windows\SysWOW64\Fchijone.exeC:\Windows\system32\Fchijone.exe68⤵PID:2480
-
C:\Windows\SysWOW64\Fffefjmi.exeC:\Windows\system32\Fffefjmi.exe69⤵PID:1944
-
C:\Windows\SysWOW64\Fjbafi32.exeC:\Windows\system32\Fjbafi32.exe70⤵PID:1788
-
C:\Windows\SysWOW64\Fqlicclo.exeC:\Windows\system32\Fqlicclo.exe71⤵PID:2860
-
C:\Windows\SysWOW64\Foojop32.exeC:\Windows\system32\Foojop32.exe72⤵PID:2900
-
C:\Windows\SysWOW64\Fcjeon32.exeC:\Windows\system32\Fcjeon32.exe73⤵PID:2776
-
C:\Windows\SysWOW64\Ffibkj32.exeC:\Windows\system32\Ffibkj32.exe74⤵PID:2360
-
C:\Windows\SysWOW64\Fjdnlhco.exeC:\Windows\system32\Fjdnlhco.exe75⤵PID:2928
-
C:\Windows\SysWOW64\Fhgnge32.exeC:\Windows\system32\Fhgnge32.exe76⤵PID:2964
-
C:\Windows\SysWOW64\Fkejcq32.exeC:\Windows\system32\Fkejcq32.exe77⤵PID:2140
-
C:\Windows\SysWOW64\Foafdoag.exeC:\Windows\system32\Foafdoag.exe78⤵PID:1640
-
C:\Windows\SysWOW64\Fcmben32.exeC:\Windows\system32\Fcmben32.exe79⤵PID:1732
-
C:\Windows\SysWOW64\Ffkoai32.exeC:\Windows\system32\Ffkoai32.exe80⤵PID:2320
-
C:\Windows\SysWOW64\Fhikme32.exeC:\Windows\system32\Fhikme32.exe81⤵PID:2072
-
C:\Windows\SysWOW64\Fkhgip32.exeC:\Windows\system32\Fkhgip32.exe82⤵PID:1516
-
C:\Windows\SysWOW64\Foccjood.exeC:\Windows\system32\Foccjood.exe83⤵PID:1356
-
C:\Windows\SysWOW64\Fnfcel32.exeC:\Windows\system32\Fnfcel32.exe84⤵PID:1784
-
C:\Windows\SysWOW64\Ffmkfifa.exeC:\Windows\system32\Ffmkfifa.exe85⤵
- System Location Discovery: System Language Discovery
PID:1396 -
C:\Windows\SysWOW64\Fdpkbf32.exeC:\Windows\system32\Fdpkbf32.exe86⤵PID:1444
-
C:\Windows\SysWOW64\Fkjdopeh.exeC:\Windows\system32\Fkjdopeh.exe87⤵PID:1908
-
C:\Windows\SysWOW64\Fofpoo32.exeC:\Windows\system32\Fofpoo32.exe88⤵PID:2912
-
C:\Windows\SysWOW64\Fnipkkdl.exeC:\Windows\system32\Fnipkkdl.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2344 -
C:\Windows\SysWOW64\Fqglggcp.exeC:\Windows\system32\Fqglggcp.exe90⤵PID:2732
-
C:\Windows\SysWOW64\Findhdcb.exeC:\Windows\system32\Findhdcb.exe91⤵PID:2952
-
C:\Windows\SysWOW64\Fkmqdpce.exeC:\Windows\system32\Fkmqdpce.exe92⤵PID:2812
-
C:\Windows\SysWOW64\Gjpqpl32.exeC:\Windows\system32\Gjpqpl32.exe93⤵PID:2376
-
C:\Windows\SysWOW64\Gnkmqkbi.exeC:\Windows\system32\Gnkmqkbi.exe94⤵PID:1604
-
C:\Windows\SysWOW64\Gbfiaj32.exeC:\Windows\system32\Gbfiaj32.exe95⤵PID:2592
-
C:\Windows\SysWOW64\Geeemeif.exeC:\Windows\system32\Geeemeif.exe96⤵
- Modifies registry class
PID:1132 -
C:\Windows\SysWOW64\Ggcaiqhj.exeC:\Windows\system32\Ggcaiqhj.exe97⤵PID:1140
-
C:\Windows\SysWOW64\Gkomjo32.exeC:\Windows\system32\Gkomjo32.exe98⤵PID:1708
-
C:\Windows\SysWOW64\Gnmifk32.exeC:\Windows\system32\Gnmifk32.exe99⤵
- System Location Discovery: System Language Discovery
PID:2004 -
C:\Windows\SysWOW64\Gqlebf32.exeC:\Windows\system32\Gqlebf32.exe100⤵PID:1552
-
C:\Windows\SysWOW64\Gcjbna32.exeC:\Windows\system32\Gcjbna32.exe101⤵PID:2896
-
C:\Windows\SysWOW64\Ggfnopfg.exeC:\Windows\system32\Ggfnopfg.exe102⤵PID:2940
-
C:\Windows\SysWOW64\Gfhnjm32.exeC:\Windows\system32\Gfhnjm32.exe103⤵PID:2840
-
C:\Windows\SysWOW64\Gnpflj32.exeC:\Windows\system32\Gnpflj32.exe104⤵PID:3028
-
C:\Windows\SysWOW64\Gqnbhf32.exeC:\Windows\system32\Gqnbhf32.exe105⤵PID:2700
-
C:\Windows\SysWOW64\Gpabcbdb.exeC:\Windows\system32\Gpabcbdb.exe106⤵PID:2328
-
C:\Windows\SysWOW64\Gjfgqk32.exeC:\Windows\system32\Gjfgqk32.exe107⤵PID:1192
-
C:\Windows\SysWOW64\Gmecmg32.exeC:\Windows\system32\Gmecmg32.exe108⤵PID:2028
-
C:\Windows\SysWOW64\Gaqomeke.exeC:\Windows\system32\Gaqomeke.exe109⤵PID:1696
-
C:\Windows\SysWOW64\Gpcoib32.exeC:\Windows\system32\Gpcoib32.exe110⤵PID:2124
-
C:\Windows\SysWOW64\Gcokiaji.exeC:\Windows\system32\Gcokiaji.exe111⤵PID:2260
-
C:\Windows\SysWOW64\Gfmgelil.exeC:\Windows\system32\Gfmgelil.exe112⤵PID:2920
-
C:\Windows\SysWOW64\Gjicfk32.exeC:\Windows\system32\Gjicfk32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:672 -
C:\Windows\SysWOW64\Gmgpbf32.exeC:\Windows\system32\Gmgpbf32.exe114⤵PID:2760
-
C:\Windows\SysWOW64\Gljpncgc.exeC:\Windows\system32\Gljpncgc.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1808 -
C:\Windows\SysWOW64\Gpelnb32.exeC:\Windows\system32\Gpelnb32.exe116⤵PID:2924
-
C:\Windows\SysWOW64\Gbdhjm32.exeC:\Windows\system32\Gbdhjm32.exe117⤵PID:2076
-
C:\Windows\SysWOW64\Hfpdkl32.exeC:\Windows\system32\Hfpdkl32.exe118⤵PID:972
-
C:\Windows\SysWOW64\Hebdfind.exeC:\Windows\system32\Hebdfind.exe119⤵PID:2304
-
C:\Windows\SysWOW64\Hmjlhfof.exeC:\Windows\system32\Hmjlhfof.exe120⤵PID:2256
-
C:\Windows\SysWOW64\Hphidanj.exeC:\Windows\system32\Hphidanj.exe121⤵PID:2540
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-