Analysis
max time kernel: 27s
max time network: 19s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 04-11-2024 02:34

Static task: static1

Behavioral task: behavioral1
Sample: 1740a02a51a0bc93add822c58d9ce46b306e4ab736829dc51fca5d3f057b4dd3N.exe
Resource: win7-20241010-en

Behavioral task: behavioral2
Sample: 1740a02a51a0bc93add822c58d9ce46b306e4ab736829dc51fca5d3f057b4dd3N.exe
Resource: win10v2004-20241007-en

General
Target: 1740a02a51a0bc93add822c58d9ce46b306e4ab736829dc51fca5d3f057b4dd3N.exe
Size: 96KB
MD5: 9ec8b622e98b671d88d1d4e39ad118c0
SHA1: 5a1ef878aeddab52d4aedfa92080ff40ef9363b7
SHA256: 1740a02a51a0bc93add822c58d9ce46b306e4ab736829dc51fca5d3f057b4dd3
SHA512: fc465b10ce2f472c13cc8f418766d70aba78d9ab2bc836e5d91467d989a8e74657590a1f3e2e2404e363bbc480ea17917f0bf2cc5a40292b36a582c6500efbaa
SSDEEP: 1536:s+jdjvHzDpyAYb0wWQh02Lb7RZObZUUWaegPYA:1djvHzNyr0wWQfbClUUWae
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes: Nfncad32.exe, Mfdjpo32.exe, Qkcdigpa.exe, Bofbih32.exe, Cnmlpd32.exe, Ejmljg32.exe, Gkaljdaf.exe, Bcpiombe.exe, Kekkkm32.exe, Lklmoccl.exe, Hmlmacfn.exe, Ecodfogg.exe, Hndaao32.exe, Aimkeb32.exe, Fillabde.exe, Fldbnb32.exe, Bkghjq32.exe, Ljndga32.exe, Mnneabff.exe, Agilkijf.exe, Bqciha32.exe, Falakjag.exe, Jekoljgo.exe, Bcjhig32.exe, Hbkpfa32.exe, Ododdlcd.exe, Emfbgg32.exe, Gcimop32.exe, Kpblne32.exe, Feeilbhg.exe, Mkkpjg32.exe, Hbafel32.exe, Jidngh32.exe, Kbokda32.exe, Panpgn32.exe, Loofjg32.exe, Qlcgmpkp.exe, Jiaaaicm.exe, Ginefe32.exe, Mfngbq32.exe, Nbgakd32.exe, Obgmjh32.exe, Boncej32.exe, Kfcadq32.exe, Dnbbjf32.exe, Gnbelong.exe, Gopnca32.exe, Hmfkbeoc.exe, Lgjcdc32.exe, Amdmkb32.exe, Ijenpn32.exe, Anfjpa32.exe, Ckamihfm.exe, Djibogkn.exe, Hgobpd32.exe, Hkkaik32.exe, 1740a02a51a0bc93add822c58d9ce46b306e4ab736829dc51fca5d3f057b4dd3N.exe, Fpkdca32.exe, Ajpgkb32.exe, Nicfnn32.exe, Bfcnfh32.exe

description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nfncad32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mfdjpo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qkcdigpa.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bofbih32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cnmlpd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ejmljg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gkaljdaf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bcpiombe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kekkkm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lklmoccl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hmlmacfn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ecodfogg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hndaao32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qkcdigpa.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aimkeb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fillabde.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fldbnb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bkghjq32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ljndga32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mnneabff.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Agilkijf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bqciha32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Falakjag.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jekoljgo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bcjhig32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hbkpfa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ododdlcd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Emfbgg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gcimop32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kpblne32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Feeilbhg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mkkpjg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hbafel32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jidngh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kbokda32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Panpgn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Loofjg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qlcgmpkp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jiaaaicm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kbokda32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ginefe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mfngbq32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nbgakd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Obgmjh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Boncej32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kfcadq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dnbbjf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gnbelong.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Emfbgg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gopnca32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hmfkbeoc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lgjcdc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Amdmkb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ijenpn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Anfjpa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ckamihfm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Djibogkn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hgobpd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hkkaik32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | 1740a02a51a0bc93add822c58d9ce46b306e4ab736829dc51fca5d3f057b4dd3N.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fpkdca32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ajpgkb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nicfnn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bfcnfh32.exe
Berbew family
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
Bruteratel family
Detect BruteRatel badger 1 IoCs
resource | yara_rule
behavioral1/files/0x000400000001dcaa-2677.dat | family_bruteratel
Executes dropped EXE 64 IoCs
Processes: Bkghjq32.exe, Bikhce32.exe, Bedene32.exe, Bbhfgj32.exe, Cnogmk32.exe, Cghkepdm.exe, Cjhdgk32.exe, Cbcikn32.exe, Ccceeqfl.exe, Dfdngl32.exe, Deikhhhe.exe, Dekhnh32.exe, Dabicikf.exe, Dpgedepn.exe, Emkfmioh.exe, Emncci32.exe, Eidchjbi.exe, Eghdanac.exe, Ecodfogg.exe, Ehlmnfeo.exe, Fadagl32.exe, Febjmj32.exe, Fdggofgn.exe, Fjdpgnee.exe, Fkdlaplh.exe, Fqqdigko.exe, Ggmjkapi.exe, Gccjpb32.exe, Gfdcbmbn.exe, Gkaljdaf.exe, Gdjpcj32.exe, Gnbelong.exe, Hndaao32.exe, Hgmfjdbe.exe, Haejcj32.exe, Hgobpd32.exe, Hbkpfa32.exe, Ilceog32.exe, Ifiilp32.exe, Ifkfap32.exe, Ipcjje32.exe, Ihooog32.exe, Jhahcjcf.exe, Knbjgq32.exe, Kapbmo32.exe, Kkigfdjo.exe, Kpeonkig.exe, Ljndga32.exe, Ldchdjom.exe, Llomhllh.exe, Lcieef32.exe, Lhenmm32.exe, Loofjg32.exe, Lhhjcmpj.exe, Lobbpg32.exe, Ldokhn32.exe, Lkhcdhmk.exe, Mfngbq32.exe, Mkkpjg32.exe, Mdcdcmai.exe, Mjpmkdpp.exe, Mgdmeh32.exe, Mnneabff.exe, Mcknjidn.exe

pid | Process
2140 | Bkghjq32.exe
2972 | Bikhce32.exe
3000 | Bedene32.exe
1084 | Bbhfgj32.exe
2756 | Cnogmk32.exe
2708 | Cghkepdm.exe
2672 | Cjhdgk32.exe
2348 | Cbcikn32.exe
2240 | Ccceeqfl.exe
3056 | Dfdngl32.exe
2416 | Deikhhhe.exe
3028 | Dekhnh32.exe
1756 | Dabicikf.exe
1864 | Dpgedepn.exe
2176 | Emkfmioh.exe
1564 | Emncci32.exe
2620 | Eidchjbi.exe
948 | Eghdanac.exe
2324 | Ecodfogg.exe
756 | Ehlmnfeo.exe
2024 | Fadagl32.exe
304 | Febjmj32.exe
1048 | Fdggofgn.exe
816 | Fjdpgnee.exe
1628 | Fkdlaplh.exe
3020 | Fqqdigko.exe
2832 | Ggmjkapi.exe
2956 | Gccjpb32.exe
924 | Gfdcbmbn.exe
2508 | Gkaljdaf.exe
2840 | Gdjpcj32.exe
2544 | Gnbelong.exe
2408 | Hndaao32.exe
744 | Hgmfjdbe.exe
1240 | Haejcj32.exe
2160 | Hgobpd32.exe
2360 | Hbkpfa32.exe
2636 | Ilceog32.exe
1140 | Ifiilp32.exe
2276 | Ifkfap32.exe
2080 | Ipcjje32.exe
2200 | Ihooog32.exe
1528 | Jhahcjcf.exe
2516 | Knbjgq32.exe
1804 | Kapbmo32.exe
1780 | Kkigfdjo.exe
2008 | Kpeonkig.exe
1092 | Ljndga32.exe
1740 | Ldchdjom.exe
1924 | Llomhllh.exe
2616 | Lcieef32.exe
2868 | Lhenmm32.exe
2332 | Loofjg32.exe
2760 | Lhhjcmpj.exe
2936 | Lobbpg32.exe
2780 | Ldokhn32.exe
2220 | Lkhcdhmk.exe
2576 | Mfngbq32.exe
1264 | Mkkpjg32.exe
1832 | Mdcdcmai.exe
888 | Mjpmkdpp.exe
2184 | Mgdmeh32.exe
2144 | Mnneabff.exe
572 | Mcknjidn.exe
Loads dropped DLL 64 IoCs
Processes: 1740a02a51a0bc93add822c58d9ce46b306e4ab736829dc51fca5d3f057b4dd3N.exe, Bkghjq32.exe, Bikhce32.exe, Bedene32.exe, Bbhfgj32.exe, Cnogmk32.exe, Cghkepdm.exe, Cjhdgk32.exe, Cbcikn32.exe, Ccceeqfl.exe, Dfdngl32.exe, Deikhhhe.exe, Dekhnh32.exe, Dabicikf.exe, Dpgedepn.exe, Emkfmioh.exe, Emncci32.exe, Eidchjbi.exe, Eghdanac.exe, Ecodfogg.exe, Ehlmnfeo.exe, Fadagl32.exe, Febjmj32.exe, Fdggofgn.exe, Fjdpgnee.exe, Fkdlaplh.exe, Fqqdigko.exe, Ggmjkapi.exe, Gccjpb32.exe, Gfdcbmbn.exe, Gkaljdaf.exe, Gdjpcj32.exe

pid | Process
2424 | 1740a02a51a0bc93add822c58d9ce46b306e4ab736829dc51fca5d3f057b4dd3N.exe
2424 | 1740a02a51a0bc93add822c58d9ce46b306e4ab736829dc51fca5d3f057b4dd3N.exe
2140 | Bkghjq32.exe
2140 | Bkghjq32.exe
2972 | Bikhce32.exe
2972 | Bikhce32.exe
3000 | Bedene32.exe
3000 | Bedene32.exe
1084 | Bbhfgj32.exe
1084 | Bbhfgj32.exe
2756 | Cnogmk32.exe
2756 | Cnogmk32.exe
2708 | Cghkepdm.exe
2708 | Cghkepdm.exe
2672 | Cjhdgk32.exe
2672 | Cjhdgk32.exe
2348 | Cbcikn32.exe
2348 | Cbcikn32.exe
2240 | Ccceeqfl.exe
2240 | Ccceeqfl.exe
3056 | Dfdngl32.exe
3056 | Dfdngl32.exe
2416 | Deikhhhe.exe
2416 | Deikhhhe.exe
3028 | Dekhnh32.exe
3028 | Dekhnh32.exe
1756 | Dabicikf.exe
1756 | Dabicikf.exe
1864 | Dpgedepn.exe
1864 | Dpgedepn.exe
2176 | Emkfmioh.exe
2176 | Emkfmioh.exe
1564 | Emncci32.exe
1564 | Emncci32.exe
2620 | Eidchjbi.exe
2620 | Eidchjbi.exe
948 | Eghdanac.exe
948 | Eghdanac.exe
2324 | Ecodfogg.exe
2324 | Ecodfogg.exe
756 | Ehlmnfeo.exe
756 | Ehlmnfeo.exe
2024 | Fadagl32.exe
2024 | Fadagl32.exe
304 | Febjmj32.exe
304 | Febjmj32.exe
1048 | Fdggofgn.exe
1048 | Fdggofgn.exe
816 | Fjdpgnee.exe
816 | Fjdpgnee.exe
1628 | Fkdlaplh.exe
1628 | Fkdlaplh.exe
3020 | Fqqdigko.exe
3020 | Fqqdigko.exe
2832 | Ggmjkapi.exe
2832 | Ggmjkapi.exe
2956 | Gccjpb32.exe
2956 | Gccjpb32.exe
924 | Gfdcbmbn.exe
924 | Gfdcbmbn.exe
2508 | Gkaljdaf.exe
2508 | Gkaljdaf.exe
2840 | Gdjpcj32.exe
2840 | Gdjpcj32.exe
Drops file in System32 directory 64 IoCs
Processes: Joepjokm.exe, Kpblne32.exe, Pikaqppk.exe, Dnbbjf32.exe, Fillabde.exe, Fqqdigko.exe, Emfbgg32.exe, Pelpgb32.exe, Dogbolep.exe, Cghmni32.exe, Ginefe32.exe, Ccceeqfl.exe, Ojlife32.exe, Ldchdjom.exe, Lobbpg32.exe, Gnjhaj32.exe, Lafekm32.exe, Mfdjpo32.exe, Deedfacn.exe, Hgmfjdbe.exe, Ifiilp32.exe, Mhgpgjoj.exe, Qakppa32.exe, Cfmjoe32.exe, Adhohapp.exe, Bgnaekil.exe, Ibjikk32.exe, Pipklo32.exe, Bhjngnod.exe, Hjpnjheg.exe, Deikhhhe.exe, Ahancp32.exe, Fpkdca32.exe, Qkcdigpa.exe, Bbflkcao.exe, Ckamihfm.exe, Eiefqc32.exe, Cnogmk32.exe, Ojgokflc.exe, Mcknjidn.exe, Iapfmg32.exe, Icbldbgi.exe, Dkolblkk.exe, Fkpeojha.exe, Hgobpd32.exe, Lkhcdhmk.exe, Kfcadq32.exe, Geeekf32.exe, Qgdbpi32.exe, Hgeenb32.exe, Ijmdql32.exe, Jhndcd32.exe, Ejmljg32.exe, Acplpjpj.exe, Jmkmlk32.exe, Olokighn.exe, Faljqcmk.exe, Ecodfogg.exe, Opfdim32.exe, Haejcj32.exe, Ljndga32.exe

description | ioc | Process
File created | C:\Windows\SysWOW64\Jephgi32.exe | Joepjokm.exe
File created | C:\Windows\SysWOW64\Lklmoccl.exe | Kpblne32.exe
File created | C:\Windows\SysWOW64\Pbcfie32.exe | Pikaqppk.exe
File opened for modification | C:\Windows\SysWOW64\Djibogkn.exe | Dnbbjf32.exe
File created | C:\Windows\SysWOW64\Fkmhij32.exe | Fillabde.exe
File opened for modification | C:\Windows\SysWOW64\Ggmjkapi.exe | Fqqdigko.exe
File created | C:\Windows\SysWOW64\Feccqime.exe | Emfbgg32.exe
File created | C:\Windows\SysWOW64\Pkihpi32.exe | Pelpgb32.exe
File created | C:\Windows\SysWOW64\Blonkf32.dll | Dogbolep.exe
File created | C:\Windows\SysWOW64\Cfmjoe32.exe | Cghmni32.exe
File created | C:\Windows\SysWOW64\Bjpjnd32.dll | Ginefe32.exe
File opened for modification | C:\Windows\SysWOW64\Dfdngl32.exe | Ccceeqfl.exe
File opened for modification | C:\Windows\SysWOW64\Obgmjh32.exe | Ojlife32.exe
File created | C:\Windows\SysWOW64\Llomhllh.exe | Ldchdjom.exe
File created | C:\Windows\SysWOW64\Ldokhn32.exe | Lobbpg32.exe
File created | C:\Windows\SysWOW64\Gddpndhp.exe | Gnjhaj32.exe
File created | C:\Windows\SysWOW64\Ncmbldke.dll | Lafekm32.exe
File created | C:\Windows\SysWOW64\Mhbflj32.exe | Mfdjpo32.exe
File created | C:\Windows\SysWOW64\Jabfoqib.dll | Deedfacn.exe
File created | C:\Windows\SysWOW64\Djbqegdp.dll | Hgmfjdbe.exe
File created | C:\Windows\SysWOW64\Ifkfap32.exe | Ifiilp32.exe
File created | C:\Windows\SysWOW64\Jabeia32.dll | Mhgpgjoj.exe
File created | C:\Windows\SysWOW64\Qkcdigpa.exe | Qakppa32.exe
File created | C:\Windows\SysWOW64\Ccakij32.exe | Cfmjoe32.exe
File created | C:\Windows\SysWOW64\Oinbpend.dll | Adhohapp.exe
File opened for modification | C:\Windows\SysWOW64\Bmjjmbgc.exe | Bgnaekil.exe
File opened for modification | C:\Windows\SysWOW64\Ieiegf32.exe | Ibjikk32.exe
File created | C:\Windows\SysWOW64\Obbbpp32.dll | Pipklo32.exe
File opened for modification | C:\Windows\SysWOW64\Bofbih32.exe | Bhjngnod.exe
File created | C:\Windows\SysWOW64\Hchbcmlh.exe | Hjpnjheg.exe
File created | C:\Windows\SysWOW64\Ajolkncp.dll | Deikhhhe.exe
File created | C:\Windows\SysWOW64\Mbginggd.dll | Ahancp32.exe
File opened for modification | C:\Windows\SysWOW64\Falakjag.exe | Fpkdca32.exe
File created | C:\Windows\SysWOW64\Emqfen32.dll | Qkcdigpa.exe
File opened for modification | C:\Windows\SysWOW64\Cnmlpd32.exe | Bbflkcao.exe
File opened for modification | C:\Windows\SysWOW64\Cghmni32.exe | Ckamihfm.exe
File opened for modification | C:\Windows\SysWOW64\Eoanij32.exe | Eiefqc32.exe
File created | C:\Windows\SysWOW64\Cghkepdm.exe | Cnogmk32.exe
File opened for modification | C:\Windows\SysWOW64\Ododdlcd.exe | Ojgokflc.exe
File created | C:\Windows\SysWOW64\Mjeffc32.exe | Mcknjidn.exe
File created | C:\Windows\SysWOW64\Icnbic32.exe | Iapfmg32.exe
File created | C:\Windows\SysWOW64\Ijmdql32.exe | Icbldbgi.exe
File created | C:\Windows\SysWOW64\Gadllf32.dll | Dkolblkk.exe
File opened for modification | C:\Windows\SysWOW64\Feeilbhg.exe | Fkpeojha.exe
File created | C:\Windows\SysWOW64\Hbkpfa32.exe | Hgobpd32.exe
File opened for modification | C:\Windows\SysWOW64\Mfngbq32.exe | Lkhcdhmk.exe
File created | C:\Windows\SysWOW64\Kidjfl32.exe | Kfcadq32.exe
File created | C:\Windows\SysWOW64\Hkkaik32.exe | Geeekf32.exe
File opened for modification | C:\Windows\SysWOW64\Qajfmbna.exe | Qgdbpi32.exe
File created | C:\Windows\SysWOW64\Mfdbnlgi.dll | Hgeenb32.exe
File created | C:\Windows\SysWOW64\Ibjikk32.exe | Hgeenb32.exe
File created | C:\Windows\SysWOW64\Clllno32.dll | Ijmdql32.exe
File opened for modification | C:\Windows\SysWOW64\Jmkmlk32.exe | Jhndcd32.exe
File created | C:\Windows\SysWOW64\Efdmohmm.exe | Ejmljg32.exe
File created | C:\Windows\SysWOW64\Gjoigd32.dll | Acplpjpj.exe
File opened for modification | C:\Windows\SysWOW64\Emfbgg32.exe | Dogbolep.exe
File opened for modification | C:\Windows\SysWOW64\Kfcadq32.exe | Jmkmlk32.exe
File created | C:\Windows\SysWOW64\Phelnhnb.exe | Olokighn.exe
File created | C:\Windows\SysWOW64\Lgdcmc32.dll | Faljqcmk.exe
File created | C:\Windows\SysWOW64\Aeqfhb32.dll | Ecodfogg.exe
File opened for modification | C:\Windows\SysWOW64\Ojlife32.exe | Opfdim32.exe
File created | C:\Windows\SysWOW64\Cgghbgfc.dll | Haejcj32.exe
File opened for modification | C:\Windows\SysWOW64\Ldchdjom.exe | Ljndga32.exe
File created | C:\Windows\SysWOW64\Falakjag.exe | Fpkdca32.exe
Program crash 1 IoCs
Processes: WerFault.exe

pid | pid_target | Process | procid_target
3228 | 3196 | WerFault.exe | 288
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: Ahmehqna.exe, Bcpiombe.exe, Hefibg32.exe, Fkmhij32.exe, Ggkoojip.exe, Dpgedepn.exe, Ehlmnfeo.exe, Fkpeojha.exe, Bcjhig32.exe, Efdmohmm.exe, Ajpgkb32.exe, Gccjpb32.exe, Pejcab32.exe, Mcknjidn.exe, Niombolm.exe, Ododdlcd.exe, Ckamihfm.exe, Bikhce32.exe, Hbkpfa32.exe, Bjgdfg32.exe, Kidjfl32.exe, Pbaide32.exe, Ejmljg32.exe, Emkfmioh.exe, Phoeomjc.exe, Cicggcke.exe, Cmapna32.exe, Mjmiknng.exe, Mfdjpo32.exe, Fkdoii32.exe, Geeekf32.exe, Qgdbpi32.exe, Qajfmbna.exe, Qakppa32.exe, Icnbic32.exe, Jmkmlk32.exe, Lgejidgn.exe, Eghdanac.exe, Mnneabff.exe, Ggppdpif.exe, Hchbcmlh.exe, Hgmfjdbe.exe, Gpfggeai.exe, Gnjhaj32.exe, Jiaaaicm.exe, Ojgokflc.exe, Gjcekj32.exe, Mfoqephq.exe, Hmlmacfn.exe, Iqmcmaja.exe, Cbcikn32.exe, Dabicikf.exe, Acplpjpj.exe, Gjahfkfg.exe, Iabcbg32.exe, Lklmoccl.exe, Deedfacn.exe, Lcieef32.exe, Ancdgcab.exe, Ilceog32.exe, Ldokhn32.exe, Falakjag.exe, Panpgn32.exe, Dfdngl32.exe

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ahmehqna.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bcpiombe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hefibg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fkmhij32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ggkoojip.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dpgedepn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ehlmnfeo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fkpeojha.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bcjhig32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Efdmohmm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ajpgkb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gccjpb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pejcab32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mcknjidn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Niombolm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ododdlcd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ckamihfm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bikhce32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hbkpfa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bjgdfg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kidjfl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pbaide32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ejmljg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Emkfmioh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Phoeomjc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cicggcke.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cmapna32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mjmiknng.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mfdjpo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fkdoii32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Geeekf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qgdbpi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qajfmbna.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qakppa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Icnbic32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jmkmlk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lgejidgn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eghdanac.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mnneabff.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ggppdpif.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hchbcmlh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hgmfjdbe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gpfggeai.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gnjhaj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jiaaaicm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ojgokflc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gjcekj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mfoqephq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hmlmacfn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iqmcmaja.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cbcikn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dabicikf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Acplpjpj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gjahfkfg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iabcbg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lklmoccl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Deedfacn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lcieef32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ancdgcab.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ilceog32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ldokhn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Falakjag.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Panpgn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dfdngl32.exe
Modifies registry class 64 IoCs
Processes: Ejmljg32.exe, Geeekf32.exe, Hjpnjheg.exe, Deikhhhe.exe, Haejcj32.exe, Mjgclcjh.exe, Bgnaekil.exe, Cmjoaofc.exe, Faljqcmk.exe, Nbddfe32.exe, Bjgdfg32.exe, Mjmiknng.exe, Nqbdllld.exe, Hgmfjdbe.exe, Pdamhocm.exe, Achlch32.exe, Deimaa32.exe, Emkfmioh.exe, Kapbmo32.exe, Cicggcke.exe, Kekkkm32.exe, Mfngbq32.exe, Ahmehqna.exe, Hkndiabh.exe, Ijhkembk.exe, Iabcbg32.exe, Jocceo32.exe, Dnbbjf32.exe, Ecodfogg.exe, Mcknjidn.exe, Ancdgcab.exe, Aadbfp32.exe, Cghmni32.exe, Feeilbhg.exe, Ppmkilbp.exe, Bqciha32.exe, Bfcnfh32.exe, Pbaide32.exe, Lafekm32.exe, Lndlamke.exe, Blcmbmip.exe, Cbcikn32.exe, Fkdlaplh.exe, Hndaao32.exe, Gcimop32.exe, Ghkbccdn.exe, Qkcdigpa.exe, Ahgdbk32.exe, Ginefe32.exe, Ggmjkapi.exe, Ifkfap32.exe, Ldchdjom.exe, Nicfnn32.exe, Fpkdca32.exe, Kbokda32.exe, Mbkkepio.exe, Mookod32.exe, Ojgokflc.exe, Qgdbpi32.exe, Adhohapp.exe

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgdkphm.dll" | Ejmljg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Geeekf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hjpnjheg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Deikhhhe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Haejcj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mjgclcjh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bgnaekil.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cmjoaofc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Faljqcmk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niadmlcg.dll" | Nbddfe32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bjgdfg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mjmiknng.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nqbdllld.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hgmfjdbe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pdamhocm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iggkphll.dll" | Achlch32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjmgmelp.dll" | Deimaa32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Achlch32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Emkfmioh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kapbmo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcnbll32.dll" | Cicggcke.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjdfae32.dll" | Kekkkm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mfngbq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egmqcllm.dll" | Ahmehqna.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hkndiabh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipapioii.dll" | Ijhkembk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Iabcbg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnnnoaop.dll" | Jocceo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcelqihb.dll" | Dnbbjf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ecodfogg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ecodfogg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekqjiiel.dll" | Mcknjidn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ancdgcab.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnnkddfe.dll" | Aadbfp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhcojn32.dll" | Cghmni32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Feeilbhg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ppmkilbp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cihikk32.dll" | Bqciha32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dacbha32.dll" | Bfcnfh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pbaide32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lafekm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eefpnicb.dll" | Lndlamke.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Blcmbmip.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cbcikn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fkdlaplh.exe
Set value (str) |
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oocqlibj.dll" Hndaao32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gcimop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llloeb32.dll" Ghkbccdn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qkcdigpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahgdbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjpjnd32.dll" Ginefe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ggmjkapi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifkfap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iffdlkng.dll" Ldchdjom.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nicfnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Achlch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cghmni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = 
"C:\\Windows\\SysWow64\\Deoipl32.dll" Fpkdca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbokda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bngnoa32.dll" Mbkkepio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mookod32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojgokflc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qgdbpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Adhohapp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Processes
-
C:\Users\Admin\AppData\Local\Temp\1740a02a51a0bc93add822c58d9ce46b306e4ab736829dc51fca5d3f057b4dd3N.exe (level 1; command line: "C:\Users\Admin\AppData\Local\Temp\1740a02a51a0bc93add822c58d9ce46b306e4ab736829dc51fca5d3f057b4dd3N.exe")
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2424

C:\Windows\SysWOW64\Bkghjq32.exe (level 2; command line: C:\Windows\system32\Bkghjq32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2140

C:\Windows\SysWOW64\Bikhce32.exe (level 3; command line: C:\Windows\system32\Bikhce32.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2972

C:\Windows\SysWOW64\Bedene32.exe (level 4; command line: C:\Windows\system32\Bedene32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 3000

C:\Windows\SysWOW64\Bbhfgj32.exe (level 5; command line: C:\Windows\system32\Bbhfgj32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1084

C:\Windows\SysWOW64\Cnogmk32.exe (level 6; command line: C:\Windows\system32\Cnogmk32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 2756

C:\Windows\SysWOW64\Cghkepdm.exe (level 7; command line: C:\Windows\system32\Cghkepdm.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2708

C:\Windows\SysWOW64\Cjhdgk32.exe (level 8; command line: C:\Windows\system32\Cjhdgk32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2672

C:\Windows\SysWOW64\Cbcikn32.exe (level 9; command line: C:\Windows\system32\Cbcikn32.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2348

C:\Windows\SysWOW64\Ccceeqfl.exe (level 10; command line: C:\Windows\system32\Ccceeqfl.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 2240

C:\Windows\SysWOW64\Dfdngl32.exe (level 11; command line: C:\Windows\system32\Dfdngl32.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 3056

C:\Windows\SysWOW64\Deikhhhe.exe (level 12; command line: C:\Windows\system32\Deikhhhe.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2416

C:\Windows\SysWOW64\Dekhnh32.exe (level 13; command line: C:\Windows\system32\Dekhnh32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 3028

C:\Windows\SysWOW64\Dabicikf.exe (level 14; command line: C:\Windows\system32\Dabicikf.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 1756

C:\Windows\SysWOW64\Dpgedepn.exe (level 15; command line: C:\Windows\system32\Dpgedepn.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 1864

C:\Windows\SysWOW64\Emkfmioh.exe (level 16; command line: C:\Windows\system32\Emkfmioh.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2176

C:\Windows\SysWOW64\Emncci32.exe (level 17; command line: C:\Windows\system32\Emncci32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 1564

C:\Windows\SysWOW64\Eidchjbi.exe (level 18; command line: C:\Windows\system32\Eidchjbi.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 2620

C:\Windows\SysWOW64\Eghdanac.exe (level 19; command line: C:\Windows\system32\Eghdanac.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID: 948

C:\Windows\SysWOW64\Ecodfogg.exe (level 20; command line: C:\Windows\system32\Ecodfogg.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID: 2324

C:\Windows\SysWOW64\Ehlmnfeo.exe (level 21; command line: C:\Windows\system32\Ehlmnfeo.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID: 756

C:\Windows\SysWOW64\Fadagl32.exe (level 22; command line: C:\Windows\system32\Fadagl32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 2024

C:\Windows\SysWOW64\Febjmj32.exe (level 23; command line: C:\Windows\system32\Febjmj32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 304

C:\Windows\SysWOW64\Fdggofgn.exe (level 24; command line: C:\Windows\system32\Fdggofgn.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 1048

C:\Windows\SysWOW64\Fjdpgnee.exe (level 25; command line: C:\Windows\system32\Fjdpgnee.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 816

C:\Windows\SysWOW64\Fkdlaplh.exe (level 26; command line: C:\Windows\system32\Fkdlaplh.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID: 1628

C:\Windows\SysWOW64\Fqqdigko.exe (level 27; command line: C:\Windows\system32\Fqqdigko.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 3020

C:\Windows\SysWOW64\Ggmjkapi.exe (level 28; command line: C:\Windows\system32\Ggmjkapi.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID: 2832

C:\Windows\SysWOW64\Gccjpb32.exe (level 29; command line: C:\Windows\system32\Gccjpb32.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID: 2956

C:\Windows\SysWOW64\Gfdcbmbn.exe (level 30; command line: C:\Windows\system32\Gfdcbmbn.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 924

C:\Windows\SysWOW64\Gkaljdaf.exe (level 31; command line: C:\Windows\system32\Gkaljdaf.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID: 2508

C:\Windows\SysWOW64\Gdjpcj32.exe (level 32; command line: C:\Windows\system32\Gdjpcj32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 2840

C:\Windows\SysWOW64\Gnbelong.exe (level 33; command line: C:\Windows\system32\Gnbelong.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 2544

C:\Windows\SysWOW64\Hndaao32.exe (level 34; command line: C:\Windows\system32\Hndaao32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID: 2408

C:\Windows\SysWOW64\Hgmfjdbe.exe (level 35; command line: C:\Windows\system32\Hgmfjdbe.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 744

C:\Windows\SysWOW64\Haejcj32.exe (level 36; command line: C:\Windows\system32\Haejcj32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID: 1240

C:\Windows\SysWOW64\Hgobpd32.exe (level 37; command line: C:\Windows\system32\Hgobpd32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID: 2160

C:\Windows\SysWOW64\Hbkpfa32.exe (level 38; command line: C:\Windows\system32\Hbkpfa32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 2360

C:\Windows\SysWOW64\Ilceog32.exe (level 39; command line: C:\Windows\system32\Ilceog32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 2636

C:\Windows\SysWOW64\Ifiilp32.exe (level 40; command line: C:\Windows\system32\Ifiilp32.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID: 1140

C:\Windows\SysWOW64\Ifkfap32.exe (level 41; command line: C:\Windows\system32\Ifkfap32.exe)
- Executes dropped EXE
- Modifies registry class
PID: 2276

C:\Windows\SysWOW64\Ipcjje32.exe (level 42; command line: C:\Windows\system32\Ipcjje32.exe)
- Executes dropped EXE
PID: 2080

C:\Windows\SysWOW64\Ihooog32.exe (level 43; command line: C:\Windows\system32\Ihooog32.exe)
- Executes dropped EXE
PID: 2200

C:\Windows\SysWOW64\Jhahcjcf.exe (level 44; command line: C:\Windows\system32\Jhahcjcf.exe)
- Executes dropped EXE
PID: 1528

C:\Windows\SysWOW64\Knbjgq32.exe (level 45; command line: C:\Windows\system32\Knbjgq32.exe)
- Executes dropped EXE
PID: 2516

C:\Windows\SysWOW64\Kapbmo32.exe (level 46; command line: C:\Windows\system32\Kapbmo32.exe)
- Executes dropped EXE
- Modifies registry class
PID: 1804

C:\Windows\SysWOW64\Kkigfdjo.exe (level 47; command line: C:\Windows\system32\Kkigfdjo.exe)
- Executes dropped EXE
PID: 1780

C:\Windows\SysWOW64\Kpeonkig.exe (level 48; command line: C:\Windows\system32\Kpeonkig.exe)
- Executes dropped EXE
PID: 2008

C:\Windows\SysWOW64\Ljndga32.exe (level 49; command line: C:\Windows\system32\Ljndga32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID: 1092

C:\Windows\SysWOW64\Ldchdjom.exe (level 50; command line: C:\Windows\system32\Ldchdjom.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID: 1740

C:\Windows\SysWOW64\Llomhllh.exe (level 51; command line: C:\Windows\system32\Llomhllh.exe)
- Executes dropped EXE
PID: 1924

C:\Windows\SysWOW64\Lcieef32.exe (level 52; command line: C:\Windows\system32\Lcieef32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 2616

C:\Windows\SysWOW64\Lhenmm32.exe (level 53; command line: C:\Windows\system32\Lhenmm32.exe)
- Executes dropped EXE
PID: 2868

C:\Windows\SysWOW64\Loofjg32.exe (level 54; command line: C:\Windows\system32\Loofjg32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 2332

C:\Windows\SysWOW64\Lhhjcmpj.exe (level 55; command line: C:\Windows\system32\Lhhjcmpj.exe)
- Executes dropped EXE
PID: 2760

C:\Windows\SysWOW64\Lobbpg32.exe (level 56; command line: C:\Windows\system32\Lobbpg32.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID: 2936

C:\Windows\SysWOW64\Ldokhn32.exe (level 57; command line: C:\Windows\system32\Ldokhn32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 2780

C:\Windows\SysWOW64\Lkhcdhmk.exe (level 58; command line: C:\Windows\system32\Lkhcdhmk.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID: 2220

C:\Windows\SysWOW64\Mfngbq32.exe (level 59; command line: C:\Windows\system32\Mfngbq32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID: 2576

C:\Windows\SysWOW64\Mkkpjg32.exe (level 60; command line: C:\Windows\system32\Mkkpjg32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 1264

C:\Windows\SysWOW64\Mdcdcmai.exe (level 61; command line: C:\Windows\system32\Mdcdcmai.exe)
- Executes dropped EXE
PID: 1832

C:\Windows\SysWOW64\Mjpmkdpp.exe (level 62; command line: C:\Windows\system32\Mjpmkdpp.exe)
- Executes dropped EXE
PID: 888

C:\Windows\SysWOW64\Mgdmeh32.exe (level 63; command line: C:\Windows\system32\Mgdmeh32.exe)
- Executes dropped EXE
PID: 2184

C:\Windows\SysWOW64\Mnneabff.exe (level 64; command line: C:\Windows\system32\Mnneabff.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 2144

C:\Windows\SysWOW64\Mcknjidn.exe (level 65; command line: C:\Windows\system32\Mcknjidn.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 572

C:\Windows\SysWOW64\Mjeffc32.exe (level 66; command line: C:\Windows\system32\Mjeffc32.exe)
PID: 1284

C:\Windows\SysWOW64\Mpaoojjb.exe (level 67; command line: C:\Windows\system32\Mpaoojjb.exe)
PID: 1676

C:\Windows\SysWOW64\Mjgclcjh.exe (level 68; command line: C:\Windows\system32\Mjgclcjh.exe)
- Modifies registry class
PID: 1696

C:\Windows\SysWOW64\Nqakim32.exe (level 69; command line: C:\Windows\system32\Nqakim32.exe)
PID: 956

C:\Windows\SysWOW64\Nfncad32.exe (level 70; command line: C:\Windows\system32\Nfncad32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2340

C:\Windows\SysWOW64\Nbddfe32.exe (level 71; command line: C:\Windows\system32\Nbddfe32.exe)
- Modifies registry class
PID: 2264

C:\Windows\SysWOW64\Niombolm.exe (level 72; command line: C:\Windows\system32\Niombolm.exe)
- System Location Discovery: System Language Discovery
PID: 2436

C:\Windows\SysWOW64\Nbgakd32.exe (level 73; command line: C:\Windows\system32\Nbgakd32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2856

C:\Windows\SysWOW64\Nloedjin.exe (level 74; command line: C:\Windows\system32\Nloedjin.exe)
PID: 2924

C:\Windows\SysWOW64\Nbinad32.exe (level 75; command line: C:\Windows\system32\Nbinad32.exe)
PID: 2904

C:\Windows\SysWOW64\Nicfnn32.exe (level 76; command line: C:\Windows\system32\Nicfnn32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID: 900

C:\Windows\SysWOW64\Nnpofe32.exe (level 77; command line: C:\Windows\system32\Nnpofe32.exe)
PID: 2284

C:\Windows\SysWOW64\Ojgokflc.exe (level 78; command line: C:\Windows\system32\Ojgokflc.exe)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2396

C:\Windows\SysWOW64\Ododdlcd.exe (level 79; command line: C:\Windows\system32\Ododdlcd.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID: 1760

C:\Windows\SysWOW64\Ofnppgbh.exe (level 80; command line: C:\Windows\system32\Ofnppgbh.exe)
PID: 2128

C:\Windows\SysWOW64\Opfdim32.exe (level 81; command line: C:\Windows\system32\Opfdim32.exe)
- Drops file in System32 directory
PID: 1848

C:\Windows\SysWOW64\Ojlife32.exe (level 82; command line: C:\Windows\system32\Ojlife32.exe)
- Drops file in System32 directory
PID: 2352

C:\Windows\SysWOW64\Obgmjh32.exe (level 83; command line: C:\Windows\system32\Obgmjh32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2272

C:\Windows\SysWOW64\Omlahqeo.exe (level 84; command line: C:\Windows\system32\Omlahqeo.exe)
PID: 616

C:\Windows\SysWOW64\Odfjdk32.exe (level 85; command line: C:\Windows\system32\Odfjdk32.exe)
PID: 896

C:\Windows\SysWOW64\Oegflcbj.exe (level 86; command line: C:\Windows\system32\Oegflcbj.exe)
PID: 1360

C:\Windows\SysWOW64\Ppmkilbp.exe (level 87; command line: C:\Windows\system32\Ppmkilbp.exe)
- Modifies registry class
PID: 1744

C:\Windows\SysWOW64\Pejcab32.exe (level 88; command line: C:\Windows\system32\Pejcab32.exe)
- System Location Discovery: System Language Discovery
PID: 1968

C:\Windows\SysWOW64\Ppogok32.exe (level 89; command line: C:\Windows\system32\Ppogok32.exe)
PID: 2488

C:\Windows\SysWOW64\Pelpgb32.exe (level 90; command line: C:\Windows\system32\Pelpgb32.exe)
- Drops file in System32 directory
PID: 2116

C:\Windows\SysWOW64\Pkihpi32.exe (level 91; command line: C:\Windows\system32\Pkihpi32.exe)
PID: 2912

C:\Windows\SysWOW64\Pdamhocm.exe (level 92; command line: C:\Windows\system32\Pdamhocm.exe)
- Modifies registry class
PID: 1996

C:\Windows\SysWOW64\Paemac32.exe (level 93; command line: C:\Windows\system32\Paemac32.exe)
PID: 2388

C:\Windows\SysWOW64\Phoeomjc.exe (level 94; command line: C:\Windows\system32\Phoeomjc.exe)
- System Location Discovery: System Language Discovery
PID: 2468

C:\Windows\SysWOW64\Ppjjcogn.exe (level 95; command line: C:\Windows\system32\Ppjjcogn.exe)
PID: 2816

C:\Windows\SysWOW64\Qgdbpi32.exe (level 96; command line: C:\Windows\system32\Qgdbpi32.exe)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2212

C:\Windows\SysWOW64\Qajfmbna.exe (level 97; command line: C:\Windows\system32\Qajfmbna.exe)
- System Location Discovery: System Language Discovery
PID: 2280

C:\Windows\SysWOW64\Qlcgmpkp.exe (level 98; command line: C:\Windows\system32\Qlcgmpkp.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2524

C:\Windows\SysWOW64\Agilkijf.exe (level 99; command line: C:\Windows\system32\Agilkijf.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 1980

C:\Windows\SysWOW64\Ancdgcab.exe (level 100; command line: C:\Windows\system32\Ancdgcab.exe)
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 592

C:\Windows\SysWOW64\Acplpjpj.exe (level 101; command line: C:\Windows\system32\Acplpjpj.exe)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 1964

C:\Windows\SysWOW64\Ahmehqna.exe (level 102; command line: C:\Windows\system32\Ahmehqna.exe)
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 328

C:\Windows\SysWOW64\Acbieing.exe (level 103; command line: C:\Windows\system32\Acbieing.exe)
PID: 1040

C:\Windows\SysWOW64\Ahoamplo.exe (level 104; command line: C:\Windows\system32\Ahoamplo.exe)
PID: 2428

C:\Windows\SysWOW64\Acdfki32.exe (level 105; command line: C:\Windows\system32\Acdfki32.exe)
PID: 2732

C:\Windows\SysWOW64\Ahancp32.exe (level 106; command line: C:\Windows\system32\Ahancp32.exe)
- Drops file in System32 directory
PID: 2608

C:\Windows\SysWOW64\Aokfpjai.exe (level 107; command line: C:\Windows\system32\Aokfpjai.exe)
PID: 1640

C:\Windows\SysWOW64\Adhohapp.exe (level 108; command line: C:\Windows\system32\Adhohapp.exe)
- Drops file in System32 directory
- Modifies registry class
PID: 2584

C:\Windows\SysWOW64\Boncej32.exe (level 109; command line: C:\Windows\system32\Boncej32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2648

C:\Windows\SysWOW64\Bdklnq32.exe (level 110; command line: C:\Windows\system32\Bdklnq32.exe)
PID: 3032

C:\Windows\SysWOW64\Bjgdfg32.exe (level 111; command line: C:\Windows\system32\Bjgdfg32.exe)
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2676

C:\Windows\SysWOW64\Bcpiombe.exe (level 112; command line: C:\Windows\system32\Bcpiombe.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID: 2244

C:\Windows\SysWOW64\Bqciha32.exe (level 113; command line: C:\Windows\system32\Bqciha32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID: 1248

C:\Windows\SysWOW64\Bgnaekil.exe (level 114; command line: C:\Windows\system32\Bgnaekil.exe)
- Drops file in System32 directory
- Modifies registry class
PID: 2060

C:\Windows\SysWOW64\Bmjjmbgc.exe (level 115; command line: C:\Windows\system32\Bmjjmbgc.exe)
PID: 2916

C:\Windows\SysWOW64\Bfcnfh32.exe (level 116; command line: C:\Windows\system32\Bfcnfh32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID: 2948

C:\Windows\SysWOW64\Bokcom32.exe (level 117; command line: C:\Windows\system32\Bokcom32.exe)
PID: 2560

C:\Windows\SysWOW64\Cicggcke.exe (level 118; command line: C:\Windows\system32\Cicggcke.exe)
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 840

C:\Windows\SysWOW64\Ccileljk.exe (level 119; command line: C:\Windows\system32\Ccileljk.exe)
PID: 2688

C:\Windows\SysWOW64\Cmapna32.exe (level 120; command line: C:\Windows\system32\Cmapna32.exe)
- System Location Discovery: System Language Discovery
PID: 2368

C:\Windows\SysWOW64\Dogbolep.exe (level 121; command line: C:\Windows\system32\Dogbolep.exe)
- Drops file in System32 directory
PID: 1716

C:\Windows\SysWOW64\Emfbgg32.exe (level 122; command line: C:\Windows\system32\Emfbgg32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID: 908