Analysis
-
max time kernel
94s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
07-11-2024 13:56
Static task
static1
Behavioral task
behavioral1
Sample
827ed79ade2db9c618642d5012e9f057980d66ebd959848b06bb8d07de7c72cbN.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
827ed79ade2db9c618642d5012e9f057980d66ebd959848b06bb8d07de7c72cbN.exe
Resource
win10v2004-20241007-en
General
-
Target
827ed79ade2db9c618642d5012e9f057980d66ebd959848b06bb8d07de7c72cbN.exe
-
Size
163KB
-
MD5
6f170be53b4fa4d3cb2d71fd5f2787f0
-
SHA1
6e32738eb9a04158c140fd89c5ae49b8534a453e
-
SHA256
827ed79ade2db9c618642d5012e9f057980d66ebd959848b06bb8d07de7c72cb
-
SHA512
c96238eb5a1b16fc9ff447cde3111e54ecf87febe55f9bea5aab74300fecb1c769cdc50aaa39dd5bb75c6d20bb86df21210342dc4ee7eb18971714f104aead71
-
SSDEEP
1536:PGmVQcsGeTBMypA1Ge4sWMghgKnlyIy/vQOZlProNVU4qNVUrk/9QbfBr+7GwKrj:PQCeTCyqKyKlyQqltOrWKDBr+yJb
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Eoepebho.exeMcfbkpab.exeMecjif32.exeNbefdijg.exeHkdjfb32.exeDkhnjk32.exeEmnbdioi.exeCmcolgbj.exeIcdheded.exeIhkjno32.exeFdamgb32.exeHpomcp32.exeJkaicd32.exeJcdala32.exeJebfng32.exe827ed79ade2db9c618642d5012e9f057980d66ebd959848b06bb8d07de7c72cbN.exeMaodigil.exeBfpdin32.exeEipinkib.exeGemkelcd.exeBpdnjple.exeKkjlic32.exeObcceg32.exeIogopi32.exeLegjmh32.exeHckeoeno.exeGncchb32.exeQaqegecm.exeDpqodfij.exeGgpbjkpl.exeGddbcp32.exeFipbdikp.exeGngeik32.exeHlblcn32.exeNjjdho32.exeDhbebj32.exeEhndnh32.exeIdkkpf32.exeKglmio32.exeJcfggkac.exeLlodgnja.exeEmehdh32.exeGigheh32.exeEbfign32.exeIlphdlqh.exeKplmliko.exePqbala32.exeKjpijpdg.exeDdjmba32.exeGikdkj32.exePmiikh32.exeBahdob32.exeFqeioiam.exeHnbeeiji.exeAogiap32.exeGblbca32.exeNgndaccj.exeOabhfg32.exeAgdcpkll.exeCdimqm32.exeFkjmlaac.exedescription ioc process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eoepebho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcfbkpab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mecjif32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbefdijg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkdjfb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkhnjk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emnbdioi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmcolgbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icdheded.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihkjno32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdamgb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpomcp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkaicd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcdala32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jebfng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" 827ed79ade2db9c618642d5012e9f057980d66ebd959848b06bb8d07de7c72cbN.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maodigil.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfpdin32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eipinkib.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gemkelcd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpdnjple.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkjlic32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obcceg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iogopi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Legjmh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hckeoeno.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icdheded.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gncchb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qaqegecm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpqodfij.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggpbjkpl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gddbcp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fipbdikp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gngeik32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlblcn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njjdho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhbebj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehndnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idkkpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kglmio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcfggkac.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llodgnja.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qaqegecm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emehdh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gigheh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gigheh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebfign32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilphdlqh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kplmliko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pqbala32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjpijpdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddjmba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gikdkj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmiikh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bahdob32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fqeioiam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnbeeiji.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aogiap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gblbca32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngndaccj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oabhfg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agdcpkll.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdimqm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkjmlaac.exe -
Berbew family
-
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
-
Bruteratel family
-
Detect BruteRatel badger 1 IoCs
Processes:
resource yara_rule C:\Windows\SysWOW64\Gpcfmkff.exe family_bruteratel -
Executes dropped EXE 64 IoCs
Processes:
Bfqkddfd.exeBmkcqn32.exeBqilgmdg.exeBoklbi32.exeBfedoc32.exeCpeohh32.exeCfogeb32.exeCpglnhad.exeCmklglpn.exeCgqqdeod.exeCjomap32.exeCibmlmeb.exeCaienjfd.exeCcgajfeh.exeDpnbog32.exeDiffglam.exeDpqodfij.exeDmdonkgc.exeDpckjfgg.exeDhjckcgi.exeDabhdinj.exeDpehof32.exeDdadpdmn.exeDfoplpla.exeDjklmo32.exeDmihij32.exeDaediilg.exeDpgeee32.exeDdcqedkk.exeDhomfc32.exeDjmibn32.exeEipinkib.exeEmlenj32.exeEagaoh32.exeEdemkd32.exeEhailbaa.exeEfdjgo32.exeEmnbdioi.exeEaindh32.exeEplnpeol.exeEhcfaboo.exeEfffmo32.exeEjbbmnnb.exeEidbij32.exeEalkjh32.exeEpokedmj.exeEhfcfb32.exeEfhcbodf.exeEjdocm32.exeEmbkoi32.exeEangpgcl.exeEpagkd32.exeEhhpla32.exeEfkphnbd.exeEiildjag.exeEmehdh32.exeEpcdqd32.exeFkihnmhj.exeFdamgb32.exeFhmigagd.exeFmjaphek.exeFaenpf32.exeFgbfhmll.exeFipbdikp.exepid process 756 Bfqkddfd.exe 2724 Bmkcqn32.exe 1384 Bqilgmdg.exe 3692 Boklbi32.exe 2592 Bfedoc32.exe 2576 Cpeohh32.exe 2140 Cfogeb32.exe 4940 Cpglnhad.exe 2976 Cmklglpn.exe 3156 Cgqqdeod.exe 2972 Cjomap32.exe 2044 Cibmlmeb.exe 4352 Caienjfd.exe 4232 Ccgajfeh.exe 5012 Dpnbog32.exe 3812 Diffglam.exe 5056 Dpqodfij.exe 4360 Dmdonkgc.exe 1952 Dpckjfgg.exe 4744 Dhjckcgi.exe 3412 Dabhdinj.exe 2312 Dpehof32.exe 2628 Ddadpdmn.exe 1612 Dfoplpla.exe 4504 Djklmo32.exe 4224 Dmihij32.exe 32 Daediilg.exe 788 Dpgeee32.exe 4600 Ddcqedkk.exe 4928 Dhomfc32.exe 1960 Djmibn32.exe 1988 Eipinkib.exe 4272 Emlenj32.exe 1644 Eagaoh32.exe 3596 Edemkd32.exe 3984 Ehailbaa.exe 3288 Efdjgo32.exe 1696 Emnbdioi.exe 4804 Eaindh32.exe 956 Eplnpeol.exe 1616 Ehcfaboo.exe 1744 Efffmo32.exe 440 Ejbbmnnb.exe 2844 Eidbij32.exe 2988 Ealkjh32.exe 3752 Epokedmj.exe 4456 Ehfcfb32.exe 1624 Efhcbodf.exe 5040 Ejdocm32.exe 3908 Embkoi32.exe 3136 Eangpgcl.exe 2336 Epagkd32.exe 2220 Ehhpla32.exe 4512 Efkphnbd.exe 2024 Eiildjag.exe 1156 Emehdh32.exe 660 Epcdqd32.exe 4016 Fkihnmhj.exe 4268 Fdamgb32.exe 1832 Fhmigagd.exe 4812 Fmjaphek.exe 4392 Faenpf32.exe 5000 Fgbfhmll.exe 1392 Fipbdikp.exe -
Drops file in System32 directory 64 IoCs
Processes:
Lnjgfb32.exeCacckp32.exeEnpfan32.exeHnphoj32.exeKkfcndce.exeOblmdhdo.exeCcpdoqgd.exeEbhglj32.exeGaqhjggp.exeJifecp32.exeKndojobi.exeHoaojp32.exeBhkfkmmg.exeCpdgqmnb.exeHmbfbn32.exeBaadiiif.exeNmcpoedn.exeJhpqaiji.exeJgeghp32.exePfoann32.exeBhmbqm32.exeDfoplpla.exeEpokedmj.exeEfhcbodf.exeKjkpoq32.exeEcbjkngo.exeEfjimhnh.exePaiogf32.exeAfbgkl32.exeKhgbqkhj.exeIahlcaol.exePefhlaie.exeDpphjp32.exeGeaepk32.exeIojbpo32.exePpgegd32.exeLfiokmkc.exeEfkphnbd.exeMifljdjo.exeOemefcap.exeEnnqfenp.exeDbbffdlq.exeKemooo32.exeDdcqedkk.exeJdgafjpn.exeMhoipb32.exeOkgaijaj.exeGfmojenc.exeObafpg32.exeBhamkipi.exePjbcplpe.exeIgjngh32.exeIohejo32.exeIhmfco32.exeCbdjeg32.exeBknlbhhe.exeMhjhmhhd.exeFkihnmhj.exeLajagj32.exeNefped32.exeEjchhgid.exeMjlalkmd.exedescription ioc process File opened for modification C:\Windows\SysWOW64\Lqhdbm32.exe Lnjgfb32.exe File created C:\Windows\SysWOW64\Ekiapmnp.dll Cacckp32.exe File created C:\Windows\SysWOW64\Mjaonjaj.dll Enpfan32.exe File opened for modification C:\Windows\SysWOW64\Hifmmb32.exe Hnphoj32.exe File created C:\Windows\SysWOW64\Kndojobi.exe Kkfcndce.exe File opened for modification C:\Windows\SysWOW64\Okgaijaj.exe Oblmdhdo.exe File created C:\Windows\SysWOW64\Nhjnjq32.dll Ccpdoqgd.exe File opened for modification C:\Windows\SysWOW64\Ejoomhmi.exe Ebhglj32.exe File opened for modification C:\Windows\SysWOW64\Ggkqgaol.exe Gaqhjggp.exe File created C:\Windows\SysWOW64\Ieicjl32.dll Jifecp32.exe File created C:\Windows\SysWOW64\Kqbkfkal.exe Kndojobi.exe File opened for modification C:\Windows\SysWOW64\Hekgfj32.exe Hoaojp32.exe File opened for modification C:\Windows\SysWOW64\Bmhocd32.exe Bhkfkmmg.exe File opened for modification C:\Windows\SysWOW64\Ckjknfnh.exe Cpdgqmnb.exe File created C:\Windows\SysWOW64\Hdmoohbo.exe Hmbfbn32.exe File opened for modification C:\Windows\SysWOW64\Blgifbil.exe Baadiiif.exe File created C:\Windows\SysWOW64\Noblkqca.exe Nmcpoedn.exe File created C:\Windows\SysWOW64\Nahffe32.dll Jhpqaiji.exe File opened for modification C:\Windows\SysWOW64\Kjepjkhf.exe Jgeghp32.exe File created C:\Windows\SysWOW64\Pmiikh32.exe Pfoann32.exe File created C:\Windows\SysWOW64\Oeeape32.dll Bhmbqm32.exe File created C:\Windows\SysWOW64\Bjbalpnl.dll Dfoplpla.exe File created C:\Windows\SysWOW64\Ehfcfb32.exe Epokedmj.exe File opened for modification C:\Windows\SysWOW64\Ejdocm32.exe Efhcbodf.exe File created C:\Windows\SysWOW64\Kbbhqn32.exe Kjkpoq32.exe File created C:\Windows\SysWOW64\Ebejfk32.exe Ecbjkngo.exe File opened for modification C:\Windows\SysWOW64\Ejfeng32.exe Efjimhnh.exe File created C:\Windows\SysWOW64\Kmephjke.dll Paiogf32.exe File opened for modification C:\Windows\SysWOW64\Aagkhd32.exe Afbgkl32.exe File created C:\Windows\SysWOW64\Koajmepf.exe Khgbqkhj.exe File created C:\Windows\SysWOW64\Cnmqme32.dll Iahlcaol.exe File created C:\Windows\SysWOW64\Pkcadhgm.exe Pefhlaie.exe File created C:\Windows\SysWOW64\Dbndfl32.exe Dpphjp32.exe File opened for modification C:\Windows\SysWOW64\Gmimai32.exe Geaepk32.exe File created C:\Windows\SysWOW64\Lblldc32.dll Iojbpo32.exe File created C:\Windows\SysWOW64\Pjmjdm32.exe Ppgegd32.exe File created C:\Windows\SysWOW64\Llcghg32.exe Lfiokmkc.exe File opened for modification C:\Windows\SysWOW64\Eiildjag.exe Efkphnbd.exe File created C:\Windows\SysWOW64\Mhilfa32.exe Mifljdjo.exe File created C:\Windows\SysWOW64\Okjnnj32.exe Oemefcap.exe File created C:\Windows\SysWOW64\Kdjfee32.dll Ennqfenp.exe File created C:\Windows\SysWOW64\Npdpachh.dll Dbbffdlq.exe File opened for modification C:\Windows\SysWOW64\Phcgcqab.exe Paiogf32.exe File created C:\Windows\SysWOW64\Knnele32.dll Kemooo32.exe File opened for modification C:\Windows\SysWOW64\Dhomfc32.exe Ddcqedkk.exe File opened for modification C:\Windows\SysWOW64\Jibmgi32.exe Jdgafjpn.exe File opened for modification C:\Windows\SysWOW64\Mniallpq.exe Mhoipb32.exe File created C:\Windows\SysWOW64\Oocmii32.exe Okgaijaj.exe File opened for modification C:\Windows\SysWOW64\Gbdoof32.exe Gfmojenc.exe File created C:\Windows\SysWOW64\Dcoobn32.dll Obafpg32.exe File created C:\Windows\SysWOW64\Bjpjel32.exe Bhamkipi.exe File opened for modification C:\Windows\SysWOW64\Pmiikh32.exe Pfoann32.exe File created C:\Windows\SysWOW64\Occmjg32.dll Pjbcplpe.exe File created C:\Windows\SysWOW64\Qipkmbib.dll Igjngh32.exe File opened for modification C:\Windows\SysWOW64\Iinjhh32.exe Iohejo32.exe File created C:\Windows\SysWOW64\Iogopi32.exe Ihmfco32.exe File created C:\Windows\SysWOW64\Cnkkjh32.exe Cbdjeg32.exe File created C:\Windows\SysWOW64\Bahdob32.exe Bknlbhhe.exe File created C:\Windows\SysWOW64\Hobbfhjl.dll Mhjhmhhd.exe File created C:\Windows\SysWOW64\Fdamgb32.exe Fkihnmhj.exe File created C:\Windows\SysWOW64\Nogiifoh.dll Lajagj32.exe File created C:\Windows\SysWOW64\Nhdlao32.exe Nefped32.exe File created C:\Windows\SysWOW64\Embddb32.exe Ejchhgid.exe File created C:\Windows\SysWOW64\Nfenigce.dll Mjlalkmd.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 6272 6228 WerFault.exe Pififb32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Epokedmj.exePkcadhgm.exeEfeihb32.exePfhmjf32.exeDaediilg.exeHnaqgd32.exeIdbodn32.exeJcdala32.exeDfdpad32.exeFelbnn32.exeEdgbii32.exeEmehdh32.exeBkobmnka.exeEbgpad32.exeIgdgglfl.exeJpcapp32.exeOjomcopk.exeIiopca32.exeHoaojp32.exeLpfgmnfp.exeBdmmeo32.exeDdnobj32.exeFqeioiam.exeCjomap32.exeDjcoai32.exeEmkndc32.exeEfpomccg.exeIdkbkl32.exeLjhefhha.exeFmcjpl32.exeJekqmhia.exeDamfao32.exeFinnef32.exeDfoplpla.exeHgnoki32.exeFpimlfke.exeModgdicm.exePaihlpfi.exeDpgeee32.exeHpfcdojl.exeChqogq32.exeMogcihaj.exeKemooo32.exeHhfedm32.exeEmmkiclm.exeHkdjfb32.exeJgeghp32.exeIplkpa32.exePmblagmf.exeAogbfi32.exeLlcghg32.exeHlepcdoa.exeJqiipljg.exeKkjlic32.exeMaodigil.exeMifljdjo.exeBcinna32.exeCimmggfl.exeJdfjld32.exeKjgeedch.exeMjjkaabc.exeNgndaccj.exeHifmmb32.exeMofmobmo.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epokedmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkcadhgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efeihb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfhmjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Daediilg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnaqgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idbodn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcdala32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfdpad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Felbnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edgbii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emehdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkobmnka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebgpad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igdgglfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpcapp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojomcopk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iiopca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoaojp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpfgmnfp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdmmeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddnobj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqeioiam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjomap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djcoai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emkndc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efpomccg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idkbkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljhefhha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmcjpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jekqmhia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Damfao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Finnef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfoplpla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgnoki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpimlfke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Modgdicm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paihlpfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpgeee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpfcdojl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chqogq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mogcihaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kemooo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhfedm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emmkiclm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkdjfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgeghp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iplkpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmblagmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aogbfi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llcghg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlepcdoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqiipljg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkjlic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Maodigil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mifljdjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcinna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cimmggfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdfjld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjgeedch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjjkaabc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngndaccj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hifmmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mofmobmo.exe -
Modifies registry class 64 IoCs
Processes:
Ocjoadei.exeJeapcq32.exeDjklmo32.exeIjfnmc32.exeCcbadp32.exeJjafok32.exeKnenkbio.exeNcpeaoih.exeOcgkan32.exeIkqqlgem.exeOlijhmgj.exeGjdaodja.exeBhbcfbjk.exeKcapicdj.exeGhojbq32.exeMlhqcgnk.exeCjomap32.exeOkgaijaj.exeMeepdp32.exeDokgdkeh.exeQfmmplad.exePfhmjf32.exeCgqqdeod.exePiphgq32.exeNmenca32.exeEiloco32.exeOblhcj32.exeLkchelci.exeKcjjhdjb.exeGbdoof32.exeIgfclkdj.exePmblagmf.exeCammjakm.exeLaiipofp.exeJkaicd32.exeDjqblj32.exeDpphjp32.exeHkicaahi.exePfiddm32.exeDhomfc32.exeCnkkjh32.exeHefnkkkj.exeOjomcopk.exeLclpdncg.exeOabhfg32.exeEdionhpn.exeBoklbi32.exeEmbkoi32.exePekbga32.exeIdhnkf32.exeJdfjld32.exeNqcejcha.exeOifppdpd.exePbekii32.exeEhfcfb32.exeJnkldqkc.exeFoclgq32.exeIamamcop.exeMfnhfm32.exeKpiqfima.exeDfoplpla.exeJqglkmlj.exeCbpajgmf.exeKoaagkcb.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opcefi32.dll" Ocjoadei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jeapcq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djklmo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijfnmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdbpmock.dll" Ccbadp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjafok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfiedd32.dll" Knenkbio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gipbmd32.dll" Ncpeaoih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maenpfhk.dll" Ocgkan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kamojc32.dll" Ikqqlgem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Palbkhoj.dll" Olijhmgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecgflaec.dll" Gjdaodja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aphblj32.dll" Bhbcfbjk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kcapicdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghojbq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlhqcgnk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjomap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oemnpgle.dll" Okgaijaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Meepdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dokgdkeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qfmmplad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfhmjf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgqqdeod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kckefh32.dll" Piphgq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmenca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjqlnnkp.dll" Eiloco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oblhcj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lkchelci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlgfga32.dll" Kcjjhdjb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbdoof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgffoo32.dll" Igfclkdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmblagmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aijjhbli.dll" Cammjakm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Laiipofp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Loolpf32.dll" Jkaicd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khacqh32.dll" Djqblj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpphjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkicaahi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iafphi32.dll" Pfiddm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhomfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amdomd32.dll" Cnkkjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogigdpmb.dll" Hefnkkkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ojomcopk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpkddhpn.dll" Lclpdncg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oabhfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Edionhpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfapnkp.dll" Boklbi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Embkoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjonng32.dll" Pekbga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcnfjkma.dll" Idhnkf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jdfjld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njogfipp.dll" Nqcejcha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oifppdpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pbekii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kninjc32.dll" Ehfcfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghmpmgdc.dll" Jnkldqkc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Foclgq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dahkpm32.dll" Iamamcop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mfnhfm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpiqfima.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjbalpnl.dll" Dfoplpla.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jqglkmlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cbpajgmf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Koaagkcb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
827ed79ade2db9c618642d5012e9f057980d66ebd959848b06bb8d07de7c72cbN.exeBfqkddfd.exeBmkcqn32.exeBqilgmdg.exeBoklbi32.exeBfedoc32.exeCpeohh32.exeCfogeb32.exeCpglnhad.exeCmklglpn.exeCgqqdeod.exeCjomap32.exeCibmlmeb.exeCaienjfd.exeCcgajfeh.exeDpnbog32.exeDiffglam.exeDpqodfij.exeDmdonkgc.exeDpckjfgg.exeDhjckcgi.exeDabhdinj.exedescription pid process target process PID 2796 wrote to memory of 756 2796 827ed79ade2db9c618642d5012e9f057980d66ebd959848b06bb8d07de7c72cbN.exe Bfqkddfd.exe PID 2796 wrote to memory of 756 2796 827ed79ade2db9c618642d5012e9f057980d66ebd959848b06bb8d07de7c72cbN.exe Bfqkddfd.exe PID 2796 wrote to memory of 756 2796 827ed79ade2db9c618642d5012e9f057980d66ebd959848b06bb8d07de7c72cbN.exe Bfqkddfd.exe PID 756 wrote to memory of 2724 756 Bfqkddfd.exe Bmkcqn32.exe PID 756 wrote to memory of 2724 756 Bfqkddfd.exe Bmkcqn32.exe PID 756 wrote to memory of 2724 756 Bfqkddfd.exe Bmkcqn32.exe PID 2724 wrote to memory of 1384 2724 Bmkcqn32.exe Bqilgmdg.exe PID 2724 wrote to memory of 1384 2724 Bmkcqn32.exe Bqilgmdg.exe PID 2724 wrote to memory of 1384 2724 Bmkcqn32.exe Bqilgmdg.exe PID 1384 wrote to memory of 3692 1384 Bqilgmdg.exe Boklbi32.exe PID 1384 wrote to memory of 3692 1384 Bqilgmdg.exe Boklbi32.exe PID 1384 wrote to memory of 3692 1384 Bqilgmdg.exe Boklbi32.exe PID 3692 wrote to memory of 2592 3692 Boklbi32.exe Bfedoc32.exe PID 3692 wrote to memory of 2592 3692 Boklbi32.exe Bfedoc32.exe PID 3692 wrote to memory of 2592 3692 Boklbi32.exe Bfedoc32.exe PID 2592 wrote to memory of 2576 2592 Bfedoc32.exe Cpeohh32.exe PID 2592 wrote to memory of 2576 2592 Bfedoc32.exe Cpeohh32.exe PID 2592 wrote to memory of 2576 2592 Bfedoc32.exe Cpeohh32.exe PID 2576 wrote to memory of 2140 2576 Cpeohh32.exe Cfogeb32.exe PID 2576 wrote to memory of 2140 2576 Cpeohh32.exe Cfogeb32.exe PID 2576 wrote to memory of 2140 2576 Cpeohh32.exe Cfogeb32.exe PID 2140 wrote to memory of 4940 2140 Cfogeb32.exe Cpglnhad.exe PID 2140 wrote to memory of 4940 2140 Cfogeb32.exe Cpglnhad.exe PID 2140 wrote to memory of 4940 2140 Cfogeb32.exe Cpglnhad.exe PID 4940 wrote to memory of 2976 4940 Cpglnhad.exe Cmklglpn.exe PID 4940 wrote to memory of 2976 4940 Cpglnhad.exe Cmklglpn.exe PID 4940 wrote to memory of 2976 4940 Cpglnhad.exe Cmklglpn.exe PID 2976 wrote to memory of 3156 2976 Cmklglpn.exe Cgqqdeod.exe PID 2976 wrote to memory of 3156 2976 Cmklglpn.exe Cgqqdeod.exe PID 2976 wrote to memory of 3156 2976 Cmklglpn.exe Cgqqdeod.exe PID 3156 wrote to memory of 2972 3156 Cgqqdeod.exe Cjomap32.exe PID 3156 wrote to memory of 2972 3156 Cgqqdeod.exe Cjomap32.exe PID 3156 wrote to memory of 2972 3156 Cgqqdeod.exe Cjomap32.exe PID 2972 wrote to memory of 2044 2972 Cjomap32.exe Cibmlmeb.exe PID 2972 wrote to memory of 2044 2972 Cjomap32.exe Cibmlmeb.exe PID 2972 wrote to memory of 2044 2972 Cjomap32.exe Cibmlmeb.exe PID 2044 wrote to memory of 4352 2044 Cibmlmeb.exe Caienjfd.exe PID 2044 wrote to memory of 4352 2044 Cibmlmeb.exe Caienjfd.exe PID 2044 wrote to memory of 4352 2044 Cibmlmeb.exe Caienjfd.exe PID 4352 wrote to memory of 4232 4352 Caienjfd.exe Ccgajfeh.exe PID 4352 wrote to memory of 4232 4352 Caienjfd.exe Ccgajfeh.exe PID 4352 wrote to memory of 4232 4352 Caienjfd.exe Ccgajfeh.exe PID 4232 wrote to memory of 5012 4232 Ccgajfeh.exe Dpnbog32.exe PID 4232 wrote to memory of 5012 4232 Ccgajfeh.exe Dpnbog32.exe PID 4232 wrote to memory of 5012 4232 Ccgajfeh.exe Dpnbog32.exe PID 5012 wrote to memory of 3812 5012 Dpnbog32.exe Diffglam.exe PID 5012 wrote to memory of 3812 5012 Dpnbog32.exe Diffglam.exe PID 5012 wrote to memory of 3812 5012 Dpnbog32.exe Diffglam.exe PID 3812 wrote to memory of 5056 3812 Diffglam.exe Dpqodfij.exe PID 3812 wrote to memory of 5056 3812 Diffglam.exe Dpqodfij.exe PID 3812 wrote to memory of 5056 3812 Diffglam.exe Dpqodfij.exe PID 5056 wrote to memory of 4360 5056 Dpqodfij.exe Dmdonkgc.exe PID 5056 wrote to memory of 4360 5056 Dpqodfij.exe Dmdonkgc.exe PID 5056 wrote to memory of 4360 5056 Dpqodfij.exe Dmdonkgc.exe PID 4360 wrote to memory of 1952 4360 Dmdonkgc.exe Dpckjfgg.exe PID 4360 wrote to memory of 1952 4360 Dmdonkgc.exe Dpckjfgg.exe PID 4360 wrote to memory of 1952 4360 Dmdonkgc.exe Dpckjfgg.exe PID 1952 wrote to memory of 4744 1952 Dpckjfgg.exe Dhjckcgi.exe PID 1952 wrote to memory of 4744 1952 Dpckjfgg.exe Dhjckcgi.exe PID 1952 wrote to memory of 4744 1952 Dpckjfgg.exe Dhjckcgi.exe PID 4744 wrote to memory of 3412 4744 Dhjckcgi.exe Dabhdinj.exe PID 4744 wrote to memory of 3412 4744 Dhjckcgi.exe Dabhdinj.exe PID 4744 wrote to memory of 3412 4744 Dhjckcgi.exe Dabhdinj.exe PID 3412 wrote to memory of 2312 3412 Dabhdinj.exe Dpehof32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\827ed79ade2db9c618642d5012e9f057980d66ebd959848b06bb8d07de7c72cbN.exe"C:\Users\Admin\AppData\Local\Temp\827ed79ade2db9c618642d5012e9f057980d66ebd959848b06bb8d07de7c72cbN.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\Bfqkddfd.exeC:\Windows\system32\Bfqkddfd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:756 -
C:\Windows\SysWOW64\Bmkcqn32.exeC:\Windows\system32\Bmkcqn32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Bqilgmdg.exeC:\Windows\system32\Bqilgmdg.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1384 -
C:\Windows\SysWOW64\Boklbi32.exeC:\Windows\system32\Boklbi32.exe5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3692 -
C:\Windows\SysWOW64\Bfedoc32.exeC:\Windows\system32\Bfedoc32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\Cpeohh32.exeC:\Windows\system32\Cpeohh32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\SysWOW64\Cfogeb32.exeC:\Windows\system32\Cfogeb32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Windows\SysWOW64\Cpglnhad.exeC:\Windows\system32\Cpglnhad.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4940 -
C:\Windows\SysWOW64\Cmklglpn.exeC:\Windows\system32\Cmklglpn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\Cgqqdeod.exeC:\Windows\system32\Cgqqdeod.exe11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3156 -
C:\Windows\SysWOW64\Cjomap32.exeC:\Windows\system32\Cjomap32.exe12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Cibmlmeb.exeC:\Windows\system32\Cibmlmeb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Windows\SysWOW64\Caienjfd.exeC:\Windows\system32\Caienjfd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4352 -
C:\Windows\SysWOW64\Ccgajfeh.exeC:\Windows\system32\Ccgajfeh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4232 -
C:\Windows\SysWOW64\Dpnbog32.exeC:\Windows\system32\Dpnbog32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012 -
C:\Windows\SysWOW64\Diffglam.exeC:\Windows\system32\Diffglam.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3812 -
C:\Windows\SysWOW64\Dpqodfij.exeC:\Windows\system32\Dpqodfij.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5056 -
C:\Windows\SysWOW64\Dmdonkgc.exeC:\Windows\system32\Dmdonkgc.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4360 -
C:\Windows\SysWOW64\Dpckjfgg.exeC:\Windows\system32\Dpckjfgg.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1952 -
C:\Windows\SysWOW64\Dhjckcgi.exeC:\Windows\system32\Dhjckcgi.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4744 -
C:\Windows\SysWOW64\Dabhdinj.exeC:\Windows\system32\Dabhdinj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3412 -
C:\Windows\SysWOW64\Dpehof32.exeC:\Windows\system32\Dpehof32.exe23⤵
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Ddadpdmn.exeC:\Windows\system32\Ddadpdmn.exe24⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Dfoplpla.exeC:\Windows\system32\Dfoplpla.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1612 -
C:\Windows\SysWOW64\Djklmo32.exeC:\Windows\system32\Djklmo32.exe26⤵
- Executes dropped EXE
- Modifies registry class
PID:4504 -
C:\Windows\SysWOW64\Dmihij32.exeC:\Windows\system32\Dmihij32.exe27⤵
- Executes dropped EXE
PID:4224 -
C:\Windows\SysWOW64\Daediilg.exeC:\Windows\system32\Daediilg.exe28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:32 -
C:\Windows\SysWOW64\Dpgeee32.exeC:\Windows\system32\Dpgeee32.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:788 -
C:\Windows\SysWOW64\Ddcqedkk.exeC:\Windows\system32\Ddcqedkk.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4600 -
C:\Windows\SysWOW64\Dhomfc32.exeC:\Windows\system32\Dhomfc32.exe31⤵
- Executes dropped EXE
- Modifies registry class
PID:4928 -
C:\Windows\SysWOW64\Djmibn32.exeC:\Windows\system32\Djmibn32.exe32⤵
- Executes dropped EXE
PID:1960 -
C:\Windows\SysWOW64\Eipinkib.exeC:\Windows\system32\Eipinkib.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1988 -
C:\Windows\SysWOW64\Emlenj32.exeC:\Windows\system32\Emlenj32.exe34⤵
- Executes dropped EXE
PID:4272 -
C:\Windows\SysWOW64\Eagaoh32.exeC:\Windows\system32\Eagaoh32.exe35⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Edemkd32.exeC:\Windows\system32\Edemkd32.exe36⤵
- Executes dropped EXE
PID:3596 -
C:\Windows\SysWOW64\Ehailbaa.exeC:\Windows\system32\Ehailbaa.exe37⤵
- Executes dropped EXE
PID:3984 -
C:\Windows\SysWOW64\Efdjgo32.exeC:\Windows\system32\Efdjgo32.exe38⤵
- Executes dropped EXE
PID:3288 -
C:\Windows\SysWOW64\Emnbdioi.exeC:\Windows\system32\Emnbdioi.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1696 -
C:\Windows\SysWOW64\Eaindh32.exeC:\Windows\system32\Eaindh32.exe40⤵
- Executes dropped EXE
PID:4804 -
C:\Windows\SysWOW64\Eplnpeol.exeC:\Windows\system32\Eplnpeol.exe41⤵
- Executes dropped EXE
PID:956 -
C:\Windows\SysWOW64\Ehcfaboo.exeC:\Windows\system32\Ehcfaboo.exe42⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Efffmo32.exeC:\Windows\system32\Efffmo32.exe43⤵
- Executes dropped EXE
PID:1744 -
C:\Windows\SysWOW64\Ejbbmnnb.exeC:\Windows\system32\Ejbbmnnb.exe44⤵
- Executes dropped EXE
PID:440 -
C:\Windows\SysWOW64\Eidbij32.exeC:\Windows\system32\Eidbij32.exe45⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Ealkjh32.exeC:\Windows\system32\Ealkjh32.exe46⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Epokedmj.exeC:\Windows\system32\Epokedmj.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3752 -
C:\Windows\SysWOW64\Ehfcfb32.exeC:\Windows\system32\Ehfcfb32.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:4456 -
C:\Windows\SysWOW64\Efhcbodf.exeC:\Windows\system32\Efhcbodf.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1624 -
C:\Windows\SysWOW64\Ejdocm32.exeC:\Windows\system32\Ejdocm32.exe50⤵
- Executes dropped EXE
PID:5040 -
C:\Windows\SysWOW64\Embkoi32.exeC:\Windows\system32\Embkoi32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:3908 -
C:\Windows\SysWOW64\Eangpgcl.exeC:\Windows\system32\Eangpgcl.exe52⤵
- Executes dropped EXE
PID:3136 -
C:\Windows\SysWOW64\Epagkd32.exeC:\Windows\system32\Epagkd32.exe53⤵
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Ehhpla32.exeC:\Windows\system32\Ehhpla32.exe54⤵
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Efkphnbd.exeC:\Windows\system32\Efkphnbd.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4512 -
C:\Windows\SysWOW64\Eiildjag.exeC:\Windows\system32\Eiildjag.exe56⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Emehdh32.exeC:\Windows\system32\Emehdh32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1156 -
C:\Windows\SysWOW64\Epcdqd32.exeC:\Windows\system32\Epcdqd32.exe58⤵
- Executes dropped EXE
PID:660 -
C:\Windows\SysWOW64\Fkihnmhj.exeC:\Windows\system32\Fkihnmhj.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4016 -
C:\Windows\SysWOW64\Fdamgb32.exeC:\Windows\system32\Fdamgb32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4268 -
C:\Windows\SysWOW64\Fhmigagd.exeC:\Windows\system32\Fhmigagd.exe61⤵
- Executes dropped EXE
PID:1832 -
C:\Windows\SysWOW64\Fmjaphek.exeC:\Windows\system32\Fmjaphek.exe62⤵
- Executes dropped EXE
PID:4812 -
C:\Windows\SysWOW64\Faenpf32.exeC:\Windows\system32\Faenpf32.exe63⤵
- Executes dropped EXE
PID:4392 -
C:\Windows\SysWOW64\Fgbfhmll.exeC:\Windows\system32\Fgbfhmll.exe64⤵
- Executes dropped EXE
PID:5000 -
C:\Windows\SysWOW64\Fipbdikp.exeC:\Windows\system32\Fipbdikp.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1392 -
C:\Windows\SysWOW64\Fagjfflb.exeC:\Windows\system32\Fagjfflb.exe66⤵PID:2892
-
C:\Windows\SysWOW64\Fdffbake.exeC:\Windows\system32\Fdffbake.exe67⤵PID:5084
-
C:\Windows\SysWOW64\Fibojhim.exeC:\Windows\system32\Fibojhim.exe68⤵PID:2756
-
C:\Windows\SysWOW64\Fpmggb32.exeC:\Windows\system32\Fpmggb32.exe69⤵PID:4168
-
C:\Windows\SysWOW64\Fkbkdkpp.exeC:\Windows\system32\Fkbkdkpp.exe70⤵PID:1116
-
C:\Windows\SysWOW64\Fielph32.exeC:\Windows\system32\Fielph32.exe71⤵PID:3180
-
C:\Windows\SysWOW64\Falcae32.exeC:\Windows\system32\Falcae32.exe72⤵PID:3768
-
C:\Windows\SysWOW64\Ggilil32.exeC:\Windows\system32\Ggilil32.exe73⤵PID:1708
-
C:\Windows\SysWOW64\Gigheh32.exeC:\Windows\system32\Gigheh32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:552 -
C:\Windows\SysWOW64\Gdmmbq32.exeC:\Windows\system32\Gdmmbq32.exe75⤵PID:2680
-
C:\Windows\SysWOW64\Gijekg32.exeC:\Windows\system32\Gijekg32.exe76⤵PID:784
-
C:\Windows\SysWOW64\Gpcmga32.exeC:\Windows\system32\Gpcmga32.exe77⤵PID:4660
-
C:\Windows\SysWOW64\Gacjadad.exeC:\Windows\system32\Gacjadad.exe78⤵PID:3976
-
C:\Windows\SysWOW64\Ghmbno32.exeC:\Windows\system32\Ghmbno32.exe79⤵PID:4956
-
C:\Windows\SysWOW64\Ggpbjkpl.exeC:\Windows\system32\Ggpbjkpl.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3280 -
C:\Windows\SysWOW64\Gddbcp32.exeC:\Windows\system32\Gddbcp32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4524 -
C:\Windows\SysWOW64\Giqkkf32.exeC:\Windows\system32\Giqkkf32.exe82⤵PID:2492
-
C:\Windows\SysWOW64\Gnlgleef.exeC:\Windows\system32\Gnlgleef.exe83⤵PID:1620
-
C:\Windows\SysWOW64\Hjchaf32.exeC:\Windows\system32\Hjchaf32.exe84⤵PID:4064
-
C:\Windows\SysWOW64\Hhdhon32.exeC:\Windows\system32\Hhdhon32.exe85⤵PID:2364
-
C:\Windows\SysWOW64\Hnaqgd32.exeC:\Windows\system32\Hnaqgd32.exe86⤵
- System Location Discovery: System Language Discovery
PID:4404 -
C:\Windows\SysWOW64\Hpomcp32.exeC:\Windows\system32\Hpomcp32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3016 -
C:\Windows\SysWOW64\Hhfedm32.exeC:\Windows\system32\Hhfedm32.exe88⤵
- System Location Discovery: System Language Discovery
PID:2264 -
C:\Windows\SysWOW64\Hdmein32.exeC:\Windows\system32\Hdmein32.exe89⤵PID:1260
-
C:\Windows\SysWOW64\Hnfjbdmk.exeC:\Windows\system32\Hnfjbdmk.exe90⤵PID:5088
-
C:\Windows\SysWOW64\Hgnoki32.exeC:\Windows\system32\Hgnoki32.exe91⤵
- System Location Discovery: System Language Discovery
PID:2116 -
C:\Windows\SysWOW64\Hpfcdojl.exeC:\Windows\system32\Hpfcdojl.exe92⤵
- System Location Discovery: System Language Discovery
PID:3804 -
C:\Windows\SysWOW64\Idbodn32.exeC:\Windows\system32\Idbodn32.exe93⤵
- System Location Discovery: System Language Discovery
PID:1776 -
C:\Windows\SysWOW64\Injcmc32.exeC:\Windows\system32\Injcmc32.exe94⤵PID:468
-
C:\Windows\SysWOW64\Iafonaao.exeC:\Windows\system32\Iafonaao.exe95⤵PID:2300
-
C:\Windows\SysWOW64\Iahlcaol.exeC:\Windows\system32\Iahlcaol.exe96⤵
- Drops file in System32 directory
PID:3264 -
C:\Windows\SysWOW64\Ikqqlgem.exeC:\Windows\system32\Ikqqlgem.exe97⤵
- Modifies registry class
PID:5128 -
C:\Windows\SysWOW64\Inomhbeq.exeC:\Windows\system32\Inomhbeq.exe98⤵PID:5164
-
C:\Windows\SysWOW64\Iakiia32.exeC:\Windows\system32\Iakiia32.exe99⤵PID:5228
-
C:\Windows\SysWOW64\Ihdafkdg.exeC:\Windows\system32\Ihdafkdg.exe100⤵PID:5264
-
C:\Windows\SysWOW64\Ijfnmc32.exeC:\Windows\system32\Ijfnmc32.exe101⤵
- Modifies registry class
PID:5336 -
C:\Windows\SysWOW64\Ibmeoq32.exeC:\Windows\system32\Ibmeoq32.exe102⤵PID:5388
-
C:\Windows\SysWOW64\Idkbkl32.exeC:\Windows\system32\Idkbkl32.exe103⤵
- System Location Discovery: System Language Discovery
PID:5436 -
C:\Windows\SysWOW64\Igjngh32.exeC:\Windows\system32\Igjngh32.exe104⤵
- Drops file in System32 directory
PID:5496 -
C:\Windows\SysWOW64\Ikejgf32.exeC:\Windows\system32\Ikejgf32.exe105⤵PID:5548
-
C:\Windows\SysWOW64\Ijhjcchb.exeC:\Windows\system32\Ijhjcchb.exe106⤵PID:5624
-
C:\Windows\SysWOW64\Ibobdqid.exeC:\Windows\system32\Ibobdqid.exe107⤵PID:5672
-
C:\Windows\SysWOW64\Iqbbpm32.exeC:\Windows\system32\Iqbbpm32.exe108⤵PID:5716
-
C:\Windows\SysWOW64\Jhijqj32.exeC:\Windows\system32\Jhijqj32.exe109⤵PID:5772
-
C:\Windows\SysWOW64\Jjjghcfp.exeC:\Windows\system32\Jjjghcfp.exe110⤵PID:5820
-
C:\Windows\SysWOW64\Jbaojpgb.exeC:\Windows\system32\Jbaojpgb.exe111⤵PID:5864
-
C:\Windows\SysWOW64\Jqdoem32.exeC:\Windows\system32\Jqdoem32.exe112⤵PID:5920
-
C:\Windows\SysWOW64\Jkjcbe32.exeC:\Windows\system32\Jkjcbe32.exe113⤵PID:5968
-
C:\Windows\SysWOW64\Jjmcnbdm.exeC:\Windows\system32\Jjmcnbdm.exe114⤵PID:6012
-
C:\Windows\SysWOW64\Jqglkmlj.exeC:\Windows\system32\Jqglkmlj.exe115⤵
- Modifies registry class
PID:6056 -
C:\Windows\SysWOW64\Jdbhkk32.exeC:\Windows\system32\Jdbhkk32.exe116⤵PID:6096
-
C:\Windows\SysWOW64\Jklphekp.exeC:\Windows\system32\Jklphekp.exe117⤵PID:4808
-
C:\Windows\SysWOW64\Jnkldqkc.exeC:\Windows\system32\Jnkldqkc.exe118⤵
- Modifies registry class
PID:5148 -
C:\Windows\SysWOW64\Jqiipljg.exeC:\Windows\system32\Jqiipljg.exe119⤵
- System Location Discovery: System Language Discovery
PID:5248 -
C:\Windows\SysWOW64\Jhpqaiji.exeC:\Windows\system32\Jhpqaiji.exe120⤵
- Drops file in System32 directory
PID:5352 -
C:\Windows\SysWOW64\Jjamia32.exeC:\Windows\system32\Jjamia32.exe121⤵PID:5420
-
C:\Windows\SysWOW64\Jbiejoaj.exeC:\Windows\system32\Jbiejoaj.exe122⤵PID:5532
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-