Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
02-11-2024 23:19
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3815e1609351fc74a505778f87759cd4812ff3753abd4ac06e16e7eebced0a74N.exe
Resource
win7-20240903-en
windows7-x64
13 signatures
120 seconds
Behavioral task
behavioral2
Sample
3815e1609351fc74a505778f87759cd4812ff3753abd4ac06e16e7eebced0a74N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
12 signatures
120 seconds
General
-
Target
3815e1609351fc74a505778f87759cd4812ff3753abd4ac06e16e7eebced0a74N.exe
-
Size
96KB
-
MD5
d3680a499a0c6f4f26ee6cb9f3e65fc0
-
SHA1
ff4ca21321929adabb90c5eeff2443e100360582
-
SHA256
3815e1609351fc74a505778f87759cd4812ff3753abd4ac06e16e7eebced0a74
-
SHA512
334ef3bd0dfd218a192b5261b962f3f869118cdcfade280e3ede8e5410787b9895d9d423698e9abc3c73c0352150e9fe898dd2bfe7130a35606a46b2db465501
-
SSDEEP
1536:TIA7ezeDFV+ghaAz6/Dp/SmspRb2Ll7RZObZUUWaegPYA:MA7ezuFVKAzaDpipR4lClUUWae
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Aiaoclgl.exeFhgifgnb.exeHmjoqo32.exePaaddgkj.exeDblhmoio.exeJgjkfi32.exeAkcomepg.exeBcjcme32.exeJipaip32.exeCbgobp32.exeFgjjad32.exeBddbjhlp.exeMkdffoij.exePblcbn32.exeQobdgo32.exeDjlfma32.exeGpidki32.exeHifbdnbi.exeCnfqccna.exeFmnopp32.exeNpbklabl.exeAcicla32.exeBnochnpm.exeDihmpinj.exeGoldfelp.exeJjfkmdlg.exeFabaocfl.exeNdcapd32.exeJabponba.exeMneohj32.exeOjeobm32.exeOejcpf32.exeDjocbqpb.exeDcllbhdn.exeFhgppnan.exeKajiigba.exeBoemlbpk.exeBaefnmml.exeFdpgph32.exeGnfkba32.exeEibgpnjk.exeKokmmkcm.exeLdahkaij.exeLgpdglhn.exeMobomnoq.exeOpfegp32.exePnchhllf.exeEakhdj32.exeDilapopb.exeIlcalnii.exeKageia32.exeNfigck32.exeBolcma32.exeDpnladjl.exeDeakjjbk.exeGekfnoog.exeHffibceh.exeAqbdkk32.exeNqmnjd32.exeJelfdc32.exeJlkglm32.exeAhpbkd32.exeBjedmo32.exeBqeqqk32.exedescription ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aiaoclgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhgifgnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmjoqo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paaddgkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dblhmoio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgjkfi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akcomepg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcjcme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jipaip32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbgobp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgjjad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bddbjhlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkdffoij.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pblcbn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qobdgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djlfma32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpidki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hifbdnbi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnfqccna.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmnopp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npbklabl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acicla32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnochnpm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dihmpinj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Goldfelp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjfkmdlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fabaocfl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndcapd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jabponba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mneohj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojeobm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oejcpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djocbqpb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcllbhdn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhgppnan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kajiigba.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boemlbpk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baefnmml.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdpgph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnfkba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eibgpnjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kokmmkcm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldahkaij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgpdglhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mobomnoq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opfegp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnchhllf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eakhdj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dilapopb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilcalnii.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kageia32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfigck32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bolcma32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpnladjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Deakjjbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gekfnoog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hffibceh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aqbdkk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqmnjd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jelfdc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlkglm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahpbkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjedmo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqeqqk32.exe -
Berbew family
-
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
-
Bruteratel family
-
Detect BruteRatel badger 3 IoCs
Processes:
resource yara_rule behavioral1/files/0x000400000001cd9c-1301.dat family_bruteratel behavioral1/files/0x000400000001e0b5-3258.dat family_bruteratel behavioral1/files/0x0003000000020957-5126.dat family_bruteratel -
Executes dropped EXE 64 IoCs
Processes:
Aomnhd32.exeAakjdo32.exeAkcomepg.exeAbmgjo32.exeAgjobffl.exeAoagccfn.exeAqbdkk32.exeBhjlli32.exeBjkhdacm.exeBqeqqk32.exeBdqlajbb.exeBjmeiq32.exeBqgmfkhg.exeBfdenafn.exeBmnnkl32.exeBoljgg32.exeBjbndpmd.exeBieopm32.exeBcjcme32.exeBbmcibjp.exeBjdkjpkb.exeBmbgfkje.exeCbppnbhm.exeCenljmgq.exeCmedlk32.exeCnfqccna.exeCgoelh32.exeCnimiblo.exeCagienkb.exeCkmnbg32.exeCeebklai.exeCgcnghpl.exeCjakccop.exeCmpgpond.exeCfhkhd32.exeDjdgic32.exeDanpemej.exeDcllbhdn.exeDiidjpbe.exeDaplkmbg.exeDcohghbk.exeDjiqdb32.exeDilapopb.exeDpeiligo.exeDinneo32.exeDokfme32.exeDbfbnddq.exeDlofgj32.exeEakooqih.exeEibgpnjk.exeEkdchf32.exeEbklic32.exeEanldqgf.exeEdlhqlfi.exeEkfpmf32.exeEoblnd32.exeEdoefl32.exeEhjqgjmp.exeEgmabg32.exeEmgioakg.exeEabepp32.exeEdaalk32.exeEhlmljkm.exeEkkjheja.exepid Process 3000 Aomnhd32.exe 2880 Aakjdo32.exe 2244 Akcomepg.exe 2804 Abmgjo32.exe 2552 Agjobffl.exe 2568 Aoagccfn.exe 2556 Aqbdkk32.exe 3056 Bhjlli32.exe 1088 Bjkhdacm.exe 1028 Bqeqqk32.exe 796 Bdqlajbb.exe 676 Bjmeiq32.exe 1272 Bqgmfkhg.exe 2004 Bfdenafn.exe 2408 Bmnnkl32.exe 2388 Boljgg32.exe 2724 Bjbndpmd.exe 1188 Bieopm32.exe 2248 Bcjcme32.exe 1812 Bbmcibjp.exe 1428 Bjdkjpkb.exe 1896 Bmbgfkje.exe 1424 Cbppnbhm.exe 2452 Cenljmgq.exe 628 Cmedlk32.exe 1804 Cnfqccna.exe 2108 Cgoelh32.exe 2892 Cnimiblo.exe 2676 Cagienkb.exe 2580 Ckmnbg32.exe 2548 Ceebklai.exe 3012 Cgcnghpl.exe 1032 Cjakccop.exe 1148 Cmpgpond.exe 784 Cfhkhd32.exe 980 Djdgic32.exe 1712 Danpemej.exe 2616 Dcllbhdn.exe 2128 Diidjpbe.exe 3052 Daplkmbg.exe 408 Dcohghbk.exe 1044 Djiqdb32.exe 2416 Dilapopb.exe 2348 Dpeiligo.exe 1552 Dinneo32.exe 2188 Dokfme32.exe 992 Dbfbnddq.exe 2304 Dlofgj32.exe 1948 Eakooqih.exe 2704 Eibgpnjk.exe 2836 Ekdchf32.exe 2720 Ebklic32.exe 2596 Eanldqgf.exe 1108 Edlhqlfi.exe 1756 Ekfpmf32.exe 1152 Eoblnd32.exe 2796 Edoefl32.exe 2996 Ehjqgjmp.exe 2856 Egmabg32.exe 2516 Emgioakg.exe 1540 Eabepp32.exe 1736 Edaalk32.exe 2236 Ehlmljkm.exe 1524 Ekkjheja.exe -
Loads dropped DLL 64 IoCs
Processes:
3815e1609351fc74a505778f87759cd4812ff3753abd4ac06e16e7eebced0a74N.exeAomnhd32.exeAakjdo32.exeAkcomepg.exeAbmgjo32.exeAgjobffl.exeAoagccfn.exeAqbdkk32.exeBhjlli32.exeBjkhdacm.exeBqeqqk32.exeBdqlajbb.exeBjmeiq32.exeBqgmfkhg.exeBfdenafn.exeBmnnkl32.exeBoljgg32.exeBjbndpmd.exeBieopm32.exeBcjcme32.exeBbmcibjp.exeBjdkjpkb.exeBmbgfkje.exeCbppnbhm.exeCenljmgq.exeCmedlk32.exeCnfqccna.exeCgoelh32.exeCnimiblo.exeCagienkb.exeCkmnbg32.exeCeebklai.exepid Process 2316 3815e1609351fc74a505778f87759cd4812ff3753abd4ac06e16e7eebced0a74N.exe 2316 3815e1609351fc74a505778f87759cd4812ff3753abd4ac06e16e7eebced0a74N.exe 3000 Aomnhd32.exe 3000 Aomnhd32.exe 2880 Aakjdo32.exe 2880 Aakjdo32.exe 2244 Akcomepg.exe 2244 Akcomepg.exe 2804 Abmgjo32.exe 2804 Abmgjo32.exe 2552 Agjobffl.exe 2552 Agjobffl.exe 2568 Aoagccfn.exe 2568 Aoagccfn.exe 2556 Aqbdkk32.exe 2556 Aqbdkk32.exe 3056 Bhjlli32.exe 3056 Bhjlli32.exe 1088 Bjkhdacm.exe 1088 Bjkhdacm.exe 1028 Bqeqqk32.exe 1028 Bqeqqk32.exe 796 Bdqlajbb.exe 796 Bdqlajbb.exe 676 Bjmeiq32.exe 676 Bjmeiq32.exe 1272 Bqgmfkhg.exe 1272 Bqgmfkhg.exe 2004 Bfdenafn.exe 2004 Bfdenafn.exe 2408 Bmnnkl32.exe 2408 Bmnnkl32.exe 2388 Boljgg32.exe 2388 Boljgg32.exe 2724 Bjbndpmd.exe 2724 Bjbndpmd.exe 1188 Bieopm32.exe 1188 Bieopm32.exe 2248 Bcjcme32.exe 2248 Bcjcme32.exe 1812 Bbmcibjp.exe 1812 Bbmcibjp.exe 1428 Bjdkjpkb.exe 1428 Bjdkjpkb.exe 1896 Bmbgfkje.exe 1896 Bmbgfkje.exe 1424 Cbppnbhm.exe 1424 Cbppnbhm.exe 2452 Cenljmgq.exe 2452 Cenljmgq.exe 628 Cmedlk32.exe 628 Cmedlk32.exe 1804 Cnfqccna.exe 1804 Cnfqccna.exe 2108 Cgoelh32.exe 2108 Cgoelh32.exe 2892 Cnimiblo.exe 2892 Cnimiblo.exe 2676 Cagienkb.exe 2676 Cagienkb.exe 2580 Ckmnbg32.exe 2580 Ckmnbg32.exe 2548 Ceebklai.exe 2548 Ceebklai.exe -
Drops file in System32 directory 64 IoCs
Processes:
Bqgmfkhg.exeFabaocfl.exeOfqmcj32.exeBcbfbp32.exeCceogcfj.exeDpnladjl.exeEhjqgjmp.exeFmnopp32.exeIfbphh32.exeNmcopebh.exeDjlfma32.exeHcgmfgfd.exeMneohj32.exeOflpgnld.exeCkeqga32.exeEbckmaec.exeIkfbbjdj.exeNgdjaofc.exeAgbbgqhh.exeCncmcm32.exeGlnhjjml.exeJipaip32.exeGqodqodl.exeIfdlng32.exeLegaoehg.exeEimcjl32.exeGkalhgfd.exeOhdfqbio.exeApppkekc.exeBlfapfpg.exeBjdkjpkb.exeCjakccop.exeEdlhqlfi.exeFelajbpg.exeMkipao32.exeOefjdgjk.exeAacmij32.exeEbnabb32.exeLncfcgeb.exeKfaalh32.exeHkolakkb.exeKljdkpfl.exeDkdmfe32.exeDilapopb.exePaaddgkj.exeAgeompfe.exeOnnnml32.exeJajmjcoe.exeObgnhkkh.exeAlageg32.exeHklhae32.exeFpohakbp.exeGmeeepjp.exeIaegpaao.exeQobdgo32.exeJjjdhc32.exeKoflgf32.exeElkofg32.exeJdhifooi.exedescription ioc Process File created C:\Windows\SysWOW64\Bfdenafn.exe Bqgmfkhg.exe File created C:\Windows\SysWOW64\Opppqdgk.dll Fabaocfl.exe File created C:\Windows\SysWOW64\Oioipf32.exe Ofqmcj32.exe File created C:\Windows\SysWOW64\Baefnmml.exe Bcbfbp32.exe File created C:\Windows\SysWOW64\Ohpjoahj.dll Cceogcfj.exe File created C:\Windows\SysWOW64\Mcbdnmap.dll Dpnladjl.exe File created C:\Windows\SysWOW64\Egmabg32.exe Ehjqgjmp.exe File created C:\Windows\SysWOW64\Fplllkdc.exe Fmnopp32.exe File created C:\Windows\SysWOW64\Ecqgacgg.dll Ifbphh32.exe File created C:\Windows\SysWOW64\Npbklabl.exe Nmcopebh.exe File created C:\Windows\SysWOW64\Dnhbmpkn.exe Djlfma32.exe File created C:\Windows\SysWOW64\Hffibceh.exe Hcgmfgfd.exe File created C:\Windows\SysWOW64\Mflgih32.exe Mneohj32.exe File created C:\Windows\SysWOW64\Bilfjg32.dll Oflpgnld.exe File created C:\Windows\SysWOW64\Ildhhm32.dll Ckeqga32.exe File opened for modification C:\Windows\SysWOW64\Eeagimdf.exe Ebckmaec.exe File opened for modification C:\Windows\SysWOW64\Indnnfdn.exe Ikfbbjdj.exe File opened for modification C:\Windows\SysWOW64\Njbfnjeg.exe Ngdjaofc.exe File created C:\Windows\SysWOW64\Aiaoclgl.exe Agbbgqhh.exe File created C:\Windows\SysWOW64\Oieqmphd.dll Cncmcm32.exe File created C:\Windows\SysWOW64\Ffadkgnl.dll Glnhjjml.exe File created C:\Windows\SysWOW64\Jlnmel32.exe Jipaip32.exe File opened for modification C:\Windows\SysWOW64\Egmabg32.exe Ehjqgjmp.exe File created C:\Windows\SysWOW64\Gdjqamme.exe Gqodqodl.exe File opened for modification C:\Windows\SysWOW64\Imodkadq.exe Ifdlng32.exe File created C:\Windows\SysWOW64\Lhfnkqgk.exe Legaoehg.exe File created C:\Windows\SysWOW64\Elkofg32.exe Eimcjl32.exe File created C:\Windows\SysWOW64\Gqodqodl.exe Gkalhgfd.exe File opened for modification C:\Windows\SysWOW64\Onnnml32.exe Ohdfqbio.exe File created C:\Windows\SysWOW64\Hloncd32.dll Apppkekc.exe File opened for modification C:\Windows\SysWOW64\Boemlbpk.exe Blfapfpg.exe File created C:\Windows\SysWOW64\Jhgikm32.dll Ebckmaec.exe File opened for modification C:\Windows\SysWOW64\Bmbgfkje.exe Bjdkjpkb.exe File opened for modification C:\Windows\SysWOW64\Cmpgpond.exe Cjakccop.exe File opened for modification C:\Windows\SysWOW64\Ekfpmf32.exe Edlhqlfi.exe File created C:\Windows\SysWOW64\Fhjmfnok.exe Felajbpg.exe File created C:\Windows\SysWOW64\Mnglnj32.exe Mkipao32.exe File created C:\Windows\SysWOW64\Hlhjdd32.dll Oefjdgjk.exe File created C:\Windows\SysWOW64\Oppkgk32.dll Aacmij32.exe File created C:\Windows\SysWOW64\Imldmnjj.dll Ebnabb32.exe File opened for modification C:\Windows\SysWOW64\Elkofg32.exe Eimcjl32.exe File opened for modification C:\Windows\SysWOW64\Lanbdf32.exe Lncfcgeb.exe File created C:\Windows\SysWOW64\Kipmhc32.exe Kfaalh32.exe File created C:\Windows\SysWOW64\Hokhbj32.exe Hkolakkb.exe File created C:\Windows\SysWOW64\Kjaaeimj.dll Kljdkpfl.exe File created C:\Windows\SysWOW64\Dncibp32.exe Dkdmfe32.exe File created C:\Windows\SysWOW64\Monoflqe.dll Dilapopb.exe File opened for modification C:\Windows\SysWOW64\Pdppqbkn.exe Paaddgkj.exe File created C:\Windows\SysWOW64\Gdecfn32.dll Ageompfe.exe File created C:\Windows\SysWOW64\Objjnkie.exe Onnnml32.exe File created C:\Windows\SysWOW64\Fdqnkoep.exe Fabaocfl.exe File opened for modification C:\Windows\SysWOW64\Jdhifooi.exe Jajmjcoe.exe File created C:\Windows\SysWOW64\Dbkngi32.dll Obgnhkkh.exe File created C:\Windows\SysWOW64\Jqgaapqd.dll Alageg32.exe File created C:\Windows\SysWOW64\Mmichb32.dll Hklhae32.exe File created C:\Windows\SysWOW64\Gjpehnpj.dll Fpohakbp.exe File opened for modification C:\Windows\SysWOW64\Godaakic.exe Gmeeepjp.exe File created C:\Windows\SysWOW64\Bndlbd32.dll Iaegpaao.exe File opened for modification C:\Windows\SysWOW64\Qaapcj32.exe Qobdgo32.exe File opened for modification C:\Windows\SysWOW64\Jimdcqom.exe Jjjdhc32.exe File opened for modification C:\Windows\SysWOW64\Kadica32.exe Koflgf32.exe File opened for modification C:\Windows\SysWOW64\Aeoijidl.exe Aacmij32.exe File opened for modification C:\Windows\SysWOW64\Eojlbb32.exe Elkofg32.exe File created C:\Windows\SysWOW64\Jkbaci32.exe Jdhifooi.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target Process procid_target 6564 6536 WerFault.exe 613 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Gdjqamme.exeJijokbfp.exeLlomfpag.exeAphjjf32.exeIcifjk32.exeBmbgfkje.exeEakooqih.exeIfpcchai.exeKjeglh32.exeBjmeiq32.exeHofngkga.exeHbidne32.exeIbkmchbh.exeKcdlhj32.exeNihcog32.exeKlmqapci.exeEojlbb32.exeGoldfelp.exeIfmocb32.exeAakjdo32.exeFhgppnan.exeDemaoj32.exeHfjbmb32.exeGqlhkofn.exeKmegjdad.exeLgngbmjp.exeMphiqbon.exeNkkmgncb.exeDjocbqpb.exeFeddombd.exeGlnhjjml.exeJgjkfi32.exeJmnqje32.exeMnglnj32.exeNckkgp32.exePmmneg32.exePonklpcg.exeHdpcokdo.exeBjkhdacm.exeIpmqgmcd.exePnchhllf.exeEibgpnjk.exeHfbcidmk.exeJlkglm32.exeLljpjchg.exeMjqmig32.exePeefcjlg.exeAacmij32.exeAfliclij.exeKeioca32.exeCjakccop.exeLjldnhid.exeIbcphc32.exeJefbnacn.exeDaplkmbg.exeJlhkgm32.exeLncfcgeb.exeAhpbkd32.exeAjehnk32.exeBcbfbp32.exeElkofg32.exeFhbpkh32.exeGgapbcne.exeJelfdc32.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdjqamme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jijokbfp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llomfpag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aphjjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icifjk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmbgfkje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eakooqih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifpcchai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjeglh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjmeiq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hofngkga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbidne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibkmchbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcdlhj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nihcog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klmqapci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eojlbb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goldfelp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifmocb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aakjdo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhgppnan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Demaoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfjbmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqlhkofn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmegjdad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgngbmjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mphiqbon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkkmgncb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djocbqpb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Feddombd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glnhjjml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgjkfi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmnqje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnglnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nckkgp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmmneg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ponklpcg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdpcokdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjkhdacm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipmqgmcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnchhllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eibgpnjk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfbcidmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlkglm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lljpjchg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjqmig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Peefcjlg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aacmij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afliclij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keioca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjakccop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljldnhid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibcphc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jefbnacn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Daplkmbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlhkgm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lncfcgeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahpbkd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajehnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcbfbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elkofg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhbpkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggapbcne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jelfdc32.exe -
Modifies registry class 64 IoCs
Processes:
Jefbnacn.exeJjnhhjjk.exeMobomnoq.exeAcicla32.exeCiagojda.exeEjaphpnp.exeMfjkdh32.exeHeliepmn.exeJfdhmk32.exeQlfdac32.exeJlhkgm32.exePacajg32.exeFdiqpigl.exeIikkon32.exeGgagmjbq.exeGgapbcne.exeJipaip32.exeEkfpmf32.exeEpbbkf32.exeFolhgbid.exeKapohbfp.exeAfliclij.exeCfhkhd32.exeFeddombd.exeNqhepeai.exeLcdhgn32.exeFhdmph32.exeKoaclfgl.exeFiepea32.exeBoemlbpk.exeFgjjad32.exeHjmlhbbg.exeHoqjqhjf.exeJnmiag32.exeNmabjfek.exeBqgmfkhg.exeGoiongbc.exePdppqbkn.exeBhdhefpc.exeAakjdo32.exeHnbaif32.exeLjnqdhga.exeMflgih32.exeNqjaeeog.exeNmcopebh.exeHklhae32.exeHcdgmimg.exeJcnoejch.exeKhldkllj.exeEkdchf32.exeQaapcj32.exeIbhicbao.exeKalipcmb.exeEcfnmh32.exeGkalhgfd.exeEfljhq32.exeEpeoaffo.exeFglfgd32.exeBjbndpmd.exeMhfjjdjf.exeBolcma32.exeBnochnpm.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jefbnacn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjnhhjjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mobomnoq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Acicla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkhgoifc.dll" Ciagojda.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ejaphpnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acfenf32.dll" Mfjkdh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Heliepmn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfdhmk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qlfdac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jlhkgm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pacajg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdiqpigl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iikkon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ggagmjbq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjmfenoo.dll" Ggapbcne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnpkephg.dll" Jipaip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ekfpmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Epbbkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Folhgbid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kapohbfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oehiknbl.dll" Afliclij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfhkhd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Feddombd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiggco32.dll" Nqhepeai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lcdhgn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhdmph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Koaclfgl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fiepea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnhjhg32.dll" Boemlbpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bapefloq.dll" Fgjjad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbdofg32.dll" Hjmlhbbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hoqjqhjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eplpdepa.dll" Jnmiag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdapnj32.dll" Nmabjfek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnbamjbm.dll" Bqgmfkhg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfhkhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Goiongbc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pdppqbkn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhdhefpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Binbknik.dll" Aakjdo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hnbaif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcjpobko.dll" Ljnqdhga.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mflgih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nqjaeeog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmcopebh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hklhae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hcdgmimg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jcnoejch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcjeje32.dll" Khldkllj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ekdchf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qaapcj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibhicbao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jqnodo32.dll" Kalipcmb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jefbnacn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ecfnmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pelnlcjj.dll" Gkalhgfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efljhq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epeoaffo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fglfgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpebhied.dll" Bjbndpmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epflllfi.dll" Mhfjjdjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bolcma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnochnpm.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
3815e1609351fc74a505778f87759cd4812ff3753abd4ac06e16e7eebced0a74N.exeAomnhd32.exeAakjdo32.exeAkcomepg.exeAbmgjo32.exeAgjobffl.exeAoagccfn.exeAqbdkk32.exeBhjlli32.exeBjkhdacm.exeBqeqqk32.exeBdqlajbb.exeBjmeiq32.exeBqgmfkhg.exeBfdenafn.exeBmnnkl32.exedescription pid Process procid_target PID 2316 wrote to memory of 3000 2316 3815e1609351fc74a505778f87759cd4812ff3753abd4ac06e16e7eebced0a74N.exe 31 PID 2316 wrote to memory of 3000 2316 3815e1609351fc74a505778f87759cd4812ff3753abd4ac06e16e7eebced0a74N.exe 31 PID 2316 wrote to memory of 3000 2316 3815e1609351fc74a505778f87759cd4812ff3753abd4ac06e16e7eebced0a74N.exe 31 PID 2316 wrote to memory of 3000 2316 3815e1609351fc74a505778f87759cd4812ff3753abd4ac06e16e7eebced0a74N.exe 31 PID 3000 wrote to memory of 2880 3000 Aomnhd32.exe 32 PID 3000 wrote to memory of 2880 3000 Aomnhd32.exe 32 PID 3000 wrote to memory of 2880 3000 Aomnhd32.exe 32 PID 3000 wrote to memory of 2880 3000 Aomnhd32.exe 32 PID 2880 wrote to memory of 2244 2880 Aakjdo32.exe 33 PID 2880 wrote to memory of 2244 2880 Aakjdo32.exe 33 PID 2880 wrote to memory of 2244 2880 Aakjdo32.exe 33 PID 2880 wrote to memory of 2244 2880 Aakjdo32.exe 33 PID 2244 wrote to memory of 2804 2244 Akcomepg.exe 34 PID 2244 wrote to memory of 2804 2244 Akcomepg.exe 34 PID 2244 wrote to memory of 2804 2244 Akcomepg.exe 34 PID 2244 wrote to memory of 2804 2244 Akcomepg.exe 34 PID 2804 wrote to memory of 2552 2804 Abmgjo32.exe 35 PID 2804 wrote to memory of 2552 2804 Abmgjo32.exe 35 PID 2804 wrote to memory of 2552 2804 Abmgjo32.exe 35 PID 2804 wrote to memory of 2552 2804 Abmgjo32.exe 35 PID 2552 wrote to memory of 2568 2552 Agjobffl.exe 36 PID 2552 wrote to memory of 2568 2552 Agjobffl.exe 36 PID 2552 wrote to memory of 2568 2552 Agjobffl.exe 36 PID 2552 wrote to memory of 2568 2552 Agjobffl.exe 36 PID 2568 wrote to memory of 2556 2568 Aoagccfn.exe 37 PID 2568 wrote to memory of 2556 2568 Aoagccfn.exe 37 PID 2568 wrote to memory of 2556 2568 Aoagccfn.exe 37 PID 2568 wrote to memory of 2556 2568 Aoagccfn.exe 37 PID 2556 wrote to memory of 3056 2556 Aqbdkk32.exe 38 PID 2556 wrote to memory of 3056 2556 Aqbdkk32.exe 38 PID 2556 wrote to memory of 3056 2556 Aqbdkk32.exe 38 PID 2556 wrote to memory of 3056 2556 Aqbdkk32.exe 38 PID 3056 wrote to memory of 1088 3056 Bhjlli32.exe 39 PID 3056 wrote to memory of 1088 3056 Bhjlli32.exe 39 PID 3056 wrote to memory of 1088 3056 Bhjlli32.exe 39 PID 3056 wrote to memory of 1088 3056 Bhjlli32.exe 39 PID 1088 wrote to memory of 1028 1088 Bjkhdacm.exe 40 PID 1088 wrote to memory of 1028 1088 Bjkhdacm.exe 40 PID 1088 wrote to memory of 1028 1088 Bjkhdacm.exe 40 PID 1088 wrote to memory of 1028 1088 Bjkhdacm.exe 40 PID 1028 wrote to memory of 796 1028 Bqeqqk32.exe 41 PID 1028 wrote to memory of 796 1028 Bqeqqk32.exe 41 PID 1028 wrote to memory of 796 1028 Bqeqqk32.exe 41 PID 1028 wrote to memory of 796 1028 Bqeqqk32.exe 41 PID 796 wrote to memory of 676 796 Bdqlajbb.exe 42 PID 796 wrote to memory of 676 796 Bdqlajbb.exe 42 PID 796 wrote to memory of 676 796 Bdqlajbb.exe 42 PID 796 wrote to memory of 676 796 Bdqlajbb.exe 42 PID 676 wrote to memory of 1272 676 Bjmeiq32.exe 43 PID 676 wrote to memory of 1272 676 Bjmeiq32.exe 43 PID 676 wrote to memory of 1272 676 Bjmeiq32.exe 43 PID 676 wrote to memory of 1272 676 Bjmeiq32.exe 43 PID 1272 wrote to memory of 2004 1272 Bqgmfkhg.exe 44 PID 1272 wrote to memory of 2004 1272 Bqgmfkhg.exe 44 PID 1272 wrote to memory of 2004 1272 Bqgmfkhg.exe 44 PID 1272 wrote to memory of 2004 1272 Bqgmfkhg.exe 44 PID 2004 wrote to memory of 2408 2004 Bfdenafn.exe 45 PID 2004 wrote to memory of 2408 2004 Bfdenafn.exe 45 PID 2004 wrote to memory of 2408 2004 Bfdenafn.exe 45 PID 2004 wrote to memory of 2408 2004 Bfdenafn.exe 45 PID 2408 wrote to memory of 2388 2408 Bmnnkl32.exe 46 PID 2408 wrote to memory of 2388 2408 Bmnnkl32.exe 46 PID 2408 wrote to memory of 2388 2408 Bmnnkl32.exe 46 PID 2408 wrote to memory of 2388 2408 Bmnnkl32.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\3815e1609351fc74a505778f87759cd4812ff3753abd4ac06e16e7eebced0a74N.exe"C:\Users\Admin\AppData\Local\Temp\3815e1609351fc74a505778f87759cd4812ff3753abd4ac06e16e7eebced0a74N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\SysWOW64\Aomnhd32.exeC:\Windows\system32\Aomnhd32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Windows\SysWOW64\Aakjdo32.exeC:\Windows\system32\Aakjdo32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\Akcomepg.exeC:\Windows\system32\Akcomepg.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\SysWOW64\Abmgjo32.exeC:\Windows\system32\Abmgjo32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Agjobffl.exeC:\Windows\system32\Agjobffl.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\SysWOW64\Aoagccfn.exeC:\Windows\system32\Aoagccfn.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\Aqbdkk32.exeC:\Windows\system32\Aqbdkk32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\Bhjlli32.exeC:\Windows\system32\Bhjlli32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Windows\SysWOW64\Bjkhdacm.exeC:\Windows\system32\Bjkhdacm.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1088 -
C:\Windows\SysWOW64\Bqeqqk32.exeC:\Windows\system32\Bqeqqk32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1028 -
C:\Windows\SysWOW64\Bdqlajbb.exeC:\Windows\system32\Bdqlajbb.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:796 -
C:\Windows\SysWOW64\Bjmeiq32.exeC:\Windows\system32\Bjmeiq32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:676 -
C:\Windows\SysWOW64\Bqgmfkhg.exeC:\Windows\system32\Bqgmfkhg.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1272 -
C:\Windows\SysWOW64\Bfdenafn.exeC:\Windows\system32\Bfdenafn.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\SysWOW64\Bmnnkl32.exeC:\Windows\system32\Bmnnkl32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\SysWOW64\Boljgg32.exeC:\Windows\system32\Boljgg32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2388 -
C:\Windows\SysWOW64\Bjbndpmd.exeC:\Windows\system32\Bjbndpmd.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2724 -
C:\Windows\SysWOW64\Bieopm32.exeC:\Windows\system32\Bieopm32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1188 -
C:\Windows\SysWOW64\Bcjcme32.exeC:\Windows\system32\Bcjcme32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2248 -
C:\Windows\SysWOW64\Bbmcibjp.exeC:\Windows\system32\Bbmcibjp.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1812 -
C:\Windows\SysWOW64\Bjdkjpkb.exeC:\Windows\system32\Bjdkjpkb.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1428 -
C:\Windows\SysWOW64\Bmbgfkje.exeC:\Windows\system32\Bmbgfkje.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1896 -
C:\Windows\SysWOW64\Cbppnbhm.exeC:\Windows\system32\Cbppnbhm.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1424 -
C:\Windows\SysWOW64\Cenljmgq.exeC:\Windows\system32\Cenljmgq.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2452 -
C:\Windows\SysWOW64\Cmedlk32.exeC:\Windows\system32\Cmedlk32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:628 -
C:\Windows\SysWOW64\Cnfqccna.exeC:\Windows\system32\Cnfqccna.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1804 -
C:\Windows\SysWOW64\Cgoelh32.exeC:\Windows\system32\Cgoelh32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2108 -
C:\Windows\SysWOW64\Cnimiblo.exeC:\Windows\system32\Cnimiblo.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2892 -
C:\Windows\SysWOW64\Cagienkb.exeC:\Windows\system32\Cagienkb.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2676 -
C:\Windows\SysWOW64\Ckmnbg32.exeC:\Windows\system32\Ckmnbg32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2580 -
C:\Windows\SysWOW64\Ceebklai.exeC:\Windows\system32\Ceebklai.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2548 -
C:\Windows\SysWOW64\Cgcnghpl.exeC:\Windows\system32\Cgcnghpl.exe33⤵
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Cjakccop.exeC:\Windows\system32\Cjakccop.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1032 -
C:\Windows\SysWOW64\Cmpgpond.exeC:\Windows\system32\Cmpgpond.exe35⤵
- Executes dropped EXE
PID:1148 -
C:\Windows\SysWOW64\Cfhkhd32.exeC:\Windows\system32\Cfhkhd32.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:784 -
C:\Windows\SysWOW64\Djdgic32.exeC:\Windows\system32\Djdgic32.exe37⤵
- Executes dropped EXE
PID:980 -
C:\Windows\SysWOW64\Danpemej.exeC:\Windows\system32\Danpemej.exe38⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Dcllbhdn.exeC:\Windows\system32\Dcllbhdn.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Diidjpbe.exeC:\Windows\system32\Diidjpbe.exe40⤵
- Executes dropped EXE
PID:2128 -
C:\Windows\SysWOW64\Daplkmbg.exeC:\Windows\system32\Daplkmbg.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3052 -
C:\Windows\SysWOW64\Dcohghbk.exeC:\Windows\system32\Dcohghbk.exe42⤵
- Executes dropped EXE
PID:408 -
C:\Windows\SysWOW64\Djiqdb32.exeC:\Windows\system32\Djiqdb32.exe43⤵
- Executes dropped EXE
PID:1044 -
C:\Windows\SysWOW64\Dilapopb.exeC:\Windows\system32\Dilapopb.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2416 -
C:\Windows\SysWOW64\Dpeiligo.exeC:\Windows\system32\Dpeiligo.exe45⤵
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Dinneo32.exeC:\Windows\system32\Dinneo32.exe46⤵
- Executes dropped EXE
PID:1552 -
C:\Windows\SysWOW64\Dokfme32.exeC:\Windows\system32\Dokfme32.exe47⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Dbfbnddq.exeC:\Windows\system32\Dbfbnddq.exe48⤵
- Executes dropped EXE
PID:992 -
C:\Windows\SysWOW64\Dlofgj32.exeC:\Windows\system32\Dlofgj32.exe49⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Eakooqih.exeC:\Windows\system32\Eakooqih.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1948 -
C:\Windows\SysWOW64\Eibgpnjk.exeC:\Windows\system32\Eibgpnjk.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2704 -
C:\Windows\SysWOW64\Ekdchf32.exeC:\Windows\system32\Ekdchf32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:2836 -
C:\Windows\SysWOW64\Ebklic32.exeC:\Windows\system32\Ebklic32.exe53⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Eanldqgf.exeC:\Windows\system32\Eanldqgf.exe54⤵
- Executes dropped EXE
PID:2596 -
C:\Windows\SysWOW64\Edlhqlfi.exeC:\Windows\system32\Edlhqlfi.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1108 -
C:\Windows\SysWOW64\Ekfpmf32.exeC:\Windows\system32\Ekfpmf32.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:1756 -
C:\Windows\SysWOW64\Eoblnd32.exeC:\Windows\system32\Eoblnd32.exe57⤵
- Executes dropped EXE
PID:1152 -
C:\Windows\SysWOW64\Edoefl32.exeC:\Windows\system32\Edoefl32.exe58⤵
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Ehjqgjmp.exeC:\Windows\system32\Ehjqgjmp.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2996 -
C:\Windows\SysWOW64\Egmabg32.exeC:\Windows\system32\Egmabg32.exe60⤵
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Emgioakg.exeC:\Windows\system32\Emgioakg.exe61⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Eabepp32.exeC:\Windows\system32\Eabepp32.exe62⤵
- Executes dropped EXE
PID:1540 -
C:\Windows\SysWOW64\Edaalk32.exeC:\Windows\system32\Edaalk32.exe63⤵
- Executes dropped EXE
PID:1736 -
C:\Windows\SysWOW64\Ehlmljkm.exeC:\Windows\system32\Ehlmljkm.exe64⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Ekkjheja.exeC:\Windows\system32\Ekkjheja.exe65⤵
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\Einjdb32.exeC:\Windows\system32\Einjdb32.exe66⤵PID:2068
-
C:\Windows\SysWOW64\Eaebeoan.exeC:\Windows\system32\Eaebeoan.exe67⤵PID:2084
-
C:\Windows\SysWOW64\Ephbal32.exeC:\Windows\system32\Ephbal32.exe68⤵PID:2700
-
C:\Windows\SysWOW64\Ecfnmh32.exeC:\Windows\system32\Ecfnmh32.exe69⤵
- Modifies registry class
PID:2780 -
C:\Windows\SysWOW64\Ekmfne32.exeC:\Windows\system32\Ekmfne32.exe70⤵PID:2564
-
C:\Windows\SysWOW64\Fmlbjq32.exeC:\Windows\system32\Fmlbjq32.exe71⤵PID:2624
-
C:\Windows\SysWOW64\Fdekgjno.exeC:\Windows\system32\Fdekgjno.exe72⤵PID:304
-
C:\Windows\SysWOW64\Fchkbg32.exeC:\Windows\system32\Fchkbg32.exe73⤵PID:1952
-
C:\Windows\SysWOW64\Feggob32.exeC:\Windows\system32\Feggob32.exe74⤵PID:2024
-
C:\Windows\SysWOW64\Fmnopp32.exeC:\Windows\system32\Fmnopp32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1664 -
C:\Windows\SysWOW64\Fplllkdc.exeC:\Windows\system32\Fplllkdc.exe76⤵PID:1984
-
C:\Windows\SysWOW64\Foolgh32.exeC:\Windows\system32\Foolgh32.exe77⤵PID:664
-
C:\Windows\SysWOW64\Feiddbbj.exeC:\Windows\system32\Feiddbbj.exe78⤵PID:1632
-
C:\Windows\SysWOW64\Fiepea32.exeC:\Windows\system32\Fiepea32.exe79⤵
- Modifies registry class
PID:896 -
C:\Windows\SysWOW64\Fhgppnan.exeC:\Windows\system32\Fhgppnan.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1528 -
C:\Windows\SysWOW64\Fpohakbp.exeC:\Windows\system32\Fpohakbp.exe81⤵
- Drops file in System32 directory
PID:1276 -
C:\Windows\SysWOW64\Felajbpg.exeC:\Windows\system32\Felajbpg.exe82⤵
- Drops file in System32 directory
PID:1912 -
C:\Windows\SysWOW64\Fhjmfnok.exeC:\Windows\system32\Fhjmfnok.exe83⤵PID:2772
-
C:\Windows\SysWOW64\Fkhibino.exeC:\Windows\system32\Fkhibino.exe84⤵PID:2572
-
C:\Windows\SysWOW64\Fcpacf32.exeC:\Windows\system32\Fcpacf32.exe85⤵PID:2576
-
C:\Windows\SysWOW64\Fabaocfl.exeC:\Windows\system32\Fabaocfl.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1352 -
C:\Windows\SysWOW64\Fdqnkoep.exeC:\Windows\system32\Fdqnkoep.exe87⤵PID:952
-
C:\Windows\SysWOW64\Fkkfgi32.exeC:\Windows\system32\Fkkfgi32.exe88⤵PID:332
-
C:\Windows\SysWOW64\Fepjea32.exeC:\Windows\system32\Fepjea32.exe89⤵PID:2432
-
C:\Windows\SysWOW64\Ghofam32.exeC:\Windows\system32\Ghofam32.exe90⤵PID:748
-
C:\Windows\SysWOW64\Ggagmjbq.exeC:\Windows\system32\Ggagmjbq.exe91⤵
- Modifies registry class
PID:1124 -
C:\Windows\SysWOW64\Goiongbc.exeC:\Windows\system32\Goiongbc.exe92⤵
- Modifies registry class
PID:1300 -
C:\Windows\SysWOW64\Gagkjbaf.exeC:\Windows\system32\Gagkjbaf.exe93⤵PID:2420
-
C:\Windows\SysWOW64\Gdegfn32.exeC:\Windows\system32\Gdegfn32.exe94⤵PID:2212
-
C:\Windows\SysWOW64\Gkoobhhg.exeC:\Windows\system32\Gkoobhhg.exe95⤵PID:2788
-
C:\Windows\SysWOW64\Gnnlocgk.exeC:\Windows\system32\Gnnlocgk.exe96⤵PID:2728
-
C:\Windows\SysWOW64\Gqlhkofn.exeC:\Windows\system32\Gqlhkofn.exe97⤵
- System Location Discovery: System Language Discovery
PID:2620 -
C:\Windows\SysWOW64\Gckdgjeb.exeC:\Windows\system32\Gckdgjeb.exe98⤵PID:2440
-
C:\Windows\SysWOW64\Ggfpgi32.exeC:\Windows\system32\Ggfpgi32.exe99⤵PID:1256
-
C:\Windows\SysWOW64\Gkalhgfd.exeC:\Windows\system32\Gkalhgfd.exe100⤵
- Drops file in System32 directory
- Modifies registry class
PID:2604 -
C:\Windows\SysWOW64\Gqodqodl.exeC:\Windows\system32\Gqodqodl.exe101⤵
- Drops file in System32 directory
PID:2992 -
C:\Windows\SysWOW64\Gdjqamme.exeC:\Windows\system32\Gdjqamme.exe102⤵
- System Location Discovery: System Language Discovery
PID:2156 -
C:\Windows\SysWOW64\Gfkmie32.exeC:\Windows\system32\Gfkmie32.exe103⤵PID:876
-
C:\Windows\SysWOW64\Gnbejb32.exeC:\Windows\system32\Gnbejb32.exe104⤵PID:2260
-
C:\Windows\SysWOW64\Gmeeepjp.exeC:\Windows\system32\Gmeeepjp.exe105⤵
- Drops file in System32 directory
PID:1620 -
C:\Windows\SysWOW64\Godaakic.exeC:\Windows\system32\Godaakic.exe106⤵PID:2752
-
C:\Windows\SysWOW64\Ggkibhjf.exeC:\Windows\system32\Ggkibhjf.exe107⤵PID:2848
-
C:\Windows\SysWOW64\Ghlfjq32.exeC:\Windows\system32\Ghlfjq32.exe108⤵PID:1656
-
C:\Windows\SysWOW64\Gqcnln32.exeC:\Windows\system32\Gqcnln32.exe109⤵PID:1732
-
C:\Windows\SysWOW64\Hofngkga.exeC:\Windows\system32\Hofngkga.exe110⤵
- System Location Discovery: System Language Discovery
PID:2636 -
C:\Windows\SysWOW64\Hfpfdeon.exeC:\Windows\system32\Hfpfdeon.exe111⤵PID:2968
-
C:\Windows\SysWOW64\Hjlbdc32.exeC:\Windows\system32\Hjlbdc32.exe112⤵PID:1344
-
C:\Windows\SysWOW64\Hmjoqo32.exeC:\Windows\system32\Hmjoqo32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:600 -
C:\Windows\SysWOW64\Hcdgmimg.exeC:\Windows\system32\Hcdgmimg.exe114⤵
- Modifies registry class
PID:3032 -
C:\Windows\SysWOW64\Hfbcidmk.exeC:\Windows\system32\Hfbcidmk.exe115⤵
- System Location Discovery: System Language Discovery
PID:2172 -
C:\Windows\SysWOW64\Hiqoeplo.exeC:\Windows\system32\Hiqoeplo.exe116⤵PID:1700
-
C:\Windows\SysWOW64\Hkolakkb.exeC:\Windows\system32\Hkolakkb.exe117⤵
- Drops file in System32 directory
PID:1796 -
C:\Windows\SysWOW64\Hokhbj32.exeC:\Windows\system32\Hokhbj32.exe118⤵PID:1520
-
C:\Windows\SysWOW64\Hbidne32.exeC:\Windows\system32\Hbidne32.exe119⤵
- System Location Discovery: System Language Discovery
PID:2584 -
C:\Windows\SysWOW64\Hiclkp32.exeC:\Windows\system32\Hiclkp32.exe120⤵PID:344
-
C:\Windows\SysWOW64\Homdhjai.exeC:\Windows\system32\Homdhjai.exe121⤵PID:2460
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-