Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
26-11-2024 03:50
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c7e707748cdcbf7ff40d57b833f45d3766ebfc94d27af31ae647fb11116ae37e.exe
Resource
win7-20241010-en
windows7-x64
13 signatures
150 seconds
Behavioral task
behavioral2
Sample
c7e707748cdcbf7ff40d57b833f45d3766ebfc94d27af31ae647fb11116ae37e.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
12 signatures
150 seconds
General
-
Target
c7e707748cdcbf7ff40d57b833f45d3766ebfc94d27af31ae647fb11116ae37e.exe
-
Size
96KB
-
MD5
954f435865b8c38a917b81ec762e3f3c
-
SHA1
b88691430516cdcd3385f712e829173b213454eb
-
SHA256
c7e707748cdcbf7ff40d57b833f45d3766ebfc94d27af31ae647fb11116ae37e
-
SHA512
21d47c01030f55c2a085c18bf80223125985f3c1f4751307f0c4b4e1d2b04af679972a7c318c0f6c542166155296ca1af13a52712e0110598b5e4a5bc1f58719
-
SSDEEP
1536:d8oGIBU3dpgtBKff4uBwKCjdckaxJ2LW07RZObZUUWaegPYA:drl2/qKff4uBwbKkaxCLClUUWae
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Ploknb32.exeLqkgbcff.exeJgkmgk32.exeEnhifi32.exeIgcoqocb.exeHnaqgd32.exeLgjijmin.exeFiodpl32.exeOikjkc32.exeBkmeha32.exeFhbimf32.exeNeppokal.exeHkfglb32.exeEfjbcakl.exeDncpkjoc.exeJbiejoaj.exeKeqdmihc.exePkgcea32.exeEfgemb32.exePmlfqh32.exeCcmcgcmp.exeNiipjj32.exeLjobpiql.exeHfaajnfb.exeLflbkcll.exeFoclgq32.exeCcppmc32.exeIdkkpf32.exeQdphngfl.exeJidinqpb.exeJgogbgei.exeCkfphc32.exeHpjmnjqn.exeKodnmkap.exeBacjdbch.exeEhkclgmb.exeIafonaao.exeNbnpcj32.exeHfcnpn32.exeFggdpnkf.exeAcmobchj.exeKgipcogp.exeHnfamjqg.exeLhfmdj32.exeAodfajaj.exeBqmeal32.exeKenggi32.exeAcfhad32.exeJbepme32.exeBbfmgd32.exePfillg32.exeEbejfk32.exeQmhlgmmm.exeAeaanjkl.exeMomcpa32.exePmoiqneg.exeGempgj32.exeJnjejjgh.exeMhbmphjm.exeDclkee32.exeBedgjgkg.exeJoekag32.exeNhbfff32.exeCodhnb32.exedescription ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ploknb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqkgbcff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgkmgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enhifi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igcoqocb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnaqgd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgjijmin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fiodpl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oikjkc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkmeha32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhbimf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neppokal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkfglb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efjbcakl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dncpkjoc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbiejoaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Keqdmihc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkgcea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efgemb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmlfqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccmcgcmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Niipjj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljobpiql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfaajnfb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lflbkcll.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Foclgq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccppmc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idkkpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qdphngfl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jidinqpb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgogbgei.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckfphc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpjmnjqn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kodnmkap.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bacjdbch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehkclgmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iafonaao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbnpcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfcnpn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fggdpnkf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acmobchj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgipcogp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnfamjqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhfmdj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aodfajaj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqmeal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kenggi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acfhad32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbepme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbfmgd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfillg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebejfk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmhlgmmm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aeaanjkl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Momcpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmoiqneg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gempgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnjejjgh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhbmphjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dclkee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bedgjgkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Joekag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhbfff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Codhnb32.exe -
Berbew family
-
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
-
Bruteratel family
-
Detect BruteRatel badger 1 IoCs
Processes:
resource yara_rule behavioral2/files/0x000700000002401c-3030.dat family_bruteratel -
Executes dropped EXE 64 IoCs
Processes:
Deagdn32.exeDknpmdfc.exeEecdjmfi.exeEkpmbddq.exeEajeon32.exeEggmge32.exeEonehbjg.exeEehnem32.exeEhfjah32.exeEopbnbhd.exeEhiffh32.exeEobocb32.exeEemgplno.exeEhkclgmb.exeEkiohclf.exeFdbdah32.exeFoghnabl.exeFeapkk32.exeFgbmccpg.exeFojedapj.exeFhbimf32.exeFnobem32.exeFkcboack.exeFnaokmco.exeFhgbhfbe.exeGaogak32.exeGkglja32.exeGempgj32.exeGkjhoq32.exeGadqlkep.exeGhniielm.exeGkleeplq.exeGafmaj32.exeGgcfja32.exeGahjgj32.exeGoljqnpd.exeHakgmjoh.exeHoogfnnb.exeHdlpneli.exeHdnldd32.exeHkhdqoac.exeHnfamjqg.exeHgoeep32.exeHninbj32.exeInkjhi32.exeIdebdcdo.exeIgcoqocb.exeInmgmijo.exeIickkbje.exeIkaggmii.exeIbkpcg32.exeIdjlpc32.exeIoopml32.exeIenekbld.exeJeqbpb32.exeJecofa32.exeJfbkpd32.exeJpkphjeb.exeJgfdmlcm.exeJpmlnjco.exeJblijebc.exeJejefqaf.exeKldmckic.exeKnbiofhg.exepid Process 3388 Deagdn32.exe 4428 Dknpmdfc.exe 3000 Eecdjmfi.exe 1380 Ekpmbddq.exe 3472 Eajeon32.exe 820 Eggmge32.exe 3160 Eonehbjg.exe 3816 Eehnem32.exe 2496 Ehfjah32.exe 812 Eopbnbhd.exe 3720 Ehiffh32.exe 2604 Eobocb32.exe 5112 Eemgplno.exe 3192 Ehkclgmb.exe 4828 Ekiohclf.exe 3928 Fdbdah32.exe 4312 Foghnabl.exe 644 Feapkk32.exe 4984 Fgbmccpg.exe 4208 Fojedapj.exe 3852 Fhbimf32.exe 2712 Fnobem32.exe 4264 Fkcboack.exe 1856 Fnaokmco.exe 764 Fhgbhfbe.exe 1880 Gaogak32.exe 3348 Gkglja32.exe 4184 Gempgj32.exe 4488 Gkjhoq32.exe 1760 Gadqlkep.exe 4412 Ghniielm.exe 3204 Gkleeplq.exe 4848 Gafmaj32.exe 1568 Ggcfja32.exe 3652 Gahjgj32.exe 1956 Goljqnpd.exe 3448 Hakgmjoh.exe 2424 Hoogfnnb.exe 556 Hdlpneli.exe 2396 Hdnldd32.exe 4880 Hkhdqoac.exe 5048 Hnfamjqg.exe 2956 Hgoeep32.exe 1276 Hninbj32.exe 708 Inkjhi32.exe 3620 Idebdcdo.exe 4964 Igcoqocb.exe 4872 Inmgmijo.exe 4328 Iickkbje.exe 2792 Ikaggmii.exe 4316 Ibkpcg32.exe 2268 Idjlpc32.exe 1356 Ioopml32.exe 4044 Ienekbld.exe 4916 Jeqbpb32.exe 4124 Jecofa32.exe 1828 Jfbkpd32.exe 1524 Jpkphjeb.exe 2920 Jgfdmlcm.exe 2804 Jpmlnjco.exe 3940 Jblijebc.exe 4836 Jejefqaf.exe 2120 Kldmckic.exe 3528 Knbiofhg.exe -
Drops file in System32 directory 64 IoCs
Processes:
Qfkqjmdg.exeDglkoeio.exeMapppn32.exeKgopidgf.exeAcfhad32.exeBkmmaeap.exeAogiap32.exeKgiiiidd.exeCgnomg32.exeEhndnh32.exeDdfbgelh.exeOofaiokl.exeCimcan32.exeOkedcjcm.exeHoaojp32.exeIpjoja32.exeBacjdbch.exeFgbmccpg.exeIkaggmii.exeDifpmfna.exeFideeaco.exeNapjdpcn.exeQmhlgmmm.exeMqimikfj.exeIeccbbkn.exeNlqomd32.exeFmqgpgoc.exeBokehc32.exeIfomll32.exeOmbcji32.exeDabhdinj.exeHdilnojp.exeCkeimm32.exeFknbil32.exeHbhijepa.exeHlglidlo.exeIbhkfm32.exeAbfdpfaj.exeEehnem32.exeBfhadc32.exeFkihnmhj.exeDgbanq32.exeAhenokjf.exeLnadagbm.exeEppjfgcp.exeGemkelcd.exeIlnbicff.exeGadqlkep.exeLhkgoiqe.exeQfpbmfdf.exeIeidhh32.exeAonhghjl.exeDjgdkk32.exeGjaphgpl.exeOljaccjf.exeDfmcfp32.exeGdlfhj32.exeQhngolpo.exeFoclgq32.exeDdmhhd32.exeKqmkae32.exeLflbkcll.exeMfchlbfd.exePmiikh32.exedescription ioc Process File created C:\Windows\SysWOW64\Qdoacabq.exe Qfkqjmdg.exe File created C:\Windows\SysWOW64\Enfckp32.exe Dglkoeio.exe File opened for modification C:\Windows\SysWOW64\Mpapnfhg.exe Mapppn32.exe File opened for modification C:\Windows\SysWOW64\Kjmmepfj.exe Kgopidgf.exe File created C:\Windows\SysWOW64\Aeddnp32.exe Acfhad32.exe File created C:\Windows\SysWOW64\Pjjfgb32.dll Bkmmaeap.exe File created C:\Windows\SysWOW64\Aeaanjkl.exe Aogiap32.exe File created C:\Windows\SysWOW64\Kjgeedch.exe Kgiiiidd.exe File opened for modification C:\Windows\SysWOW64\Cacckp32.exe Cgnomg32.exe File created C:\Windows\SysWOW64\Eklajcmc.exe Ehndnh32.exe File opened for modification C:\Windows\SysWOW64\Dickplko.exe Ddfbgelh.exe File opened for modification C:\Windows\SysWOW64\Ogmijllo.exe Oofaiokl.exe File created C:\Windows\SysWOW64\Cpglnhad.exe Cimcan32.exe File opened for modification C:\Windows\SysWOW64\Ooqqdi32.exe Okedcjcm.exe File opened for modification C:\Windows\SysWOW64\Hmbphg32.exe Hoaojp32.exe File created C:\Windows\SysWOW64\Ibhkfm32.exe Ipjoja32.exe File opened for modification C:\Windows\SysWOW64\Bgpcliao.exe Bacjdbch.exe File created C:\Windows\SysWOW64\Efbdhf32.dll Fgbmccpg.exe File opened for modification C:\Windows\SysWOW64\Ibkpcg32.exe Ikaggmii.exe File created C:\Windows\SysWOW64\Dhbmpk32.dll Difpmfna.exe File created C:\Windows\SysWOW64\Glcaambb.exe Fideeaco.exe File created C:\Windows\SysWOW64\Doogdl32.dll Napjdpcn.exe File created C:\Windows\SysWOW64\Qeodhjmo.exe Qmhlgmmm.exe File created C:\Windows\SysWOW64\Fnihkq32.dll Mqimikfj.exe File created C:\Windows\SysWOW64\Ipihpkkd.exe Ieccbbkn.exe File created C:\Windows\SysWOW64\Ieefiiml.dll Nlqomd32.exe File created C:\Windows\SysWOW64\Igbcbhgq.dll Fmqgpgoc.exe File created C:\Windows\SysWOW64\Inbhocbm.dll Bokehc32.exe File opened for modification C:\Windows\SysWOW64\Imiehfao.exe Ifomll32.exe File created C:\Windows\SysWOW64\Kpibgp32.dll Ombcji32.exe File created C:\Windows\SysWOW64\Bjbalpnl.dll Dabhdinj.exe File opened for modification C:\Windows\SysWOW64\Hkbdki32.exe Hdilnojp.exe File created C:\Windows\SysWOW64\Ineedcfb.dll Ckeimm32.exe File created C:\Windows\SysWOW64\Jgnboabc.dll Fknbil32.exe File opened for modification C:\Windows\SysWOW64\Hibafp32.exe Hbhijepa.exe File created C:\Windows\SysWOW64\Qfgllk32.dll Hlglidlo.exe File opened for modification C:\Windows\SysWOW64\Iefgbh32.exe Ibhkfm32.exe File created C:\Windows\SysWOW64\Ncmkcc32.dll Abfdpfaj.exe File created C:\Windows\SysWOW64\Ekbngp32.dll Eehnem32.exe File opened for modification C:\Windows\SysWOW64\Bqmeal32.exe Bfhadc32.exe File created C:\Windows\SysWOW64\Kednfemc.dll Fkihnmhj.exe File created C:\Windows\SysWOW64\Mjbaohka.dll Dgbanq32.exe File created C:\Windows\SysWOW64\Aoofle32.exe Ahenokjf.exe File created C:\Windows\SysWOW64\Npjfngdm.dll Lnadagbm.exe File opened for modification C:\Windows\SysWOW64\Efjbcakl.exe Eppjfgcp.exe File opened for modification C:\Windows\SysWOW64\Gmdcfidg.exe Gemkelcd.exe File created C:\Windows\SysWOW64\Ipjoja32.exe Ilnbicff.exe File created C:\Windows\SysWOW64\Ghniielm.exe Gadqlkep.exe File created C:\Windows\SysWOW64\Lpbopfag.exe Lhkgoiqe.exe File opened for modification C:\Windows\SysWOW64\Qcdbfk32.exe Qfpbmfdf.exe File opened for modification C:\Windows\SysWOW64\Impliekg.exe Ieidhh32.exe File opened for modification C:\Windows\SysWOW64\Apodoq32.exe Aonhghjl.exe File opened for modification C:\Windows\SysWOW64\Dncpkjoc.exe Djgdkk32.exe File created C:\Windows\SysWOW64\Gdgdeppb.exe Gjaphgpl.exe File created C:\Windows\SysWOW64\Hhcjel32.dll Oljaccjf.exe File opened for modification C:\Windows\SysWOW64\Dikpbl32.exe Dfmcfp32.exe File opened for modification C:\Windows\SysWOW64\Gmdjapgb.exe Gdlfhj32.exe File created C:\Windows\SysWOW64\Flnqig32.dll Qhngolpo.exe File created C:\Windows\SysWOW64\Paoinm32.dll Foclgq32.exe File created C:\Windows\SysWOW64\Ekgqennl.exe Ddmhhd32.exe File opened for modification C:\Windows\SysWOW64\Kkconn32.exe Kqmkae32.exe File created C:\Windows\SysWOW64\Fdllgpbm.dll Lflbkcll.exe File created C:\Windows\SysWOW64\Pdbeojmh.dll Mfchlbfd.exe File created C:\Windows\SysWOW64\Ppgegd32.exe Pmiikh32.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target Process procid_target 9368 10124 WerFault.exe 1107 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Dnmhpg32.exeMqimikfj.exeIlmmni32.exeDclkee32.exeJofalmmp.exeOikjkc32.exeAfappe32.exeOllnhb32.exeOpeiadfg.exeOacoqnci.exeDhbebj32.exeEhndnh32.exePaelfmaf.exeJokkgl32.exeLobjni32.exeAcmobchj.exeOhkbbn32.exeLqpamb32.exeNmbjcljl.exeDkekjdck.exePmbegqjk.exeBdeiqgkj.exeLnnbqnjn.exeBqilgmdg.exeEhailbaa.exeImnocf32.exeHioflcbj.exeEdoencdm.exeFcbnpnme.exeIgcoqocb.exeMgobel32.exeQkipkani.exeEnmjlojd.exeCajjjk32.exeGjdaodja.exeGpgind32.exeAhgcjddh.exeEblpgjha.exeEmhkdmlg.exeCklhcfle.exeCpglnhad.exeDickplko.exeGkdpbpih.exeNbcqiope.exeIggjga32.exeFiodpl32.exeMogcihaj.exePplhhm32.exeFnhbmgmk.exeGadqlkep.exeOondnini.exeNfnamjhk.exeLflgmqhd.exeLcimdh32.exeGgkiol32.exePlpjoe32.exeBedgjgkg.exeNfaemp32.exeOoqqdi32.exeNccokk32.exeHbnaeh32.exeAbfdpfaj.exeBqmeal32.exeIqklon32.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnmhpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqimikfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilmmni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dclkee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jofalmmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oikjkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afappe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ollnhb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opeiadfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oacoqnci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhbebj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehndnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paelfmaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jokkgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lobjni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acmobchj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohkbbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqpamb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmbjcljl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkekjdck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmbegqjk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdeiqgkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnnbqnjn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqilgmdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehailbaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imnocf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hioflcbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edoencdm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcbnpnme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igcoqocb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgobel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkipkani.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enmjlojd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cajjjk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjdaodja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpgind32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahgcjddh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eblpgjha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emhkdmlg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cklhcfle.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpglnhad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dickplko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkdpbpih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbcqiope.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iggjga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fiodpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mogcihaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pplhhm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnhbmgmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gadqlkep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oondnini.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfnamjhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lflgmqhd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcimdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggkiol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plpjoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bedgjgkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfaemp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooqqdi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nccokk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbnaeh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abfdpfaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqmeal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iqklon32.exe -
Modifies registry class 64 IoCs
Processes:
Eopbnbhd.exeEblpgjha.exeHpcodihc.exeIepaaico.exeIeidhh32.exeKcbfcigf.exeEdaaccbj.exeOphjiaql.exeAphnnafb.exeFkjmlaac.exeHifmmb32.exeMbibfm32.exeOfckhj32.exeApjdikqd.exeGgkiol32.exeIgqkqiai.exeJcoaglhk.exeBklomh32.exeGicgpelg.exeGkdpbpih.exeCaojpaij.exeJpegkj32.exeCidjbmcp.exeEmpoiimf.exeJnlbojee.exeGncchb32.exeHbohpn32.exeNccokk32.exeJedccfqg.exeHakgmjoh.exeMpnnle32.exeQlmgopjq.exeEfmmmn32.exeOeaoab32.exeKcmfnd32.exeNoppeaed.exeEiildjag.exeKlbnajqc.exeLpbopfag.exeFmlneg32.exeFlfkkhid.exeCacckp32.exeGgmmlamj.exeGmcdffmq.exeIggjga32.exeHoaojp32.exeIckglm32.exeJniood32.exeGijekg32.exeCmpjoloh.exeLnpofnhk.exeCjecpkcg.exeHildmn32.exePhaahggp.exePjpfjl32.exeAmnlme32.exePmbegqjk.exeBpcgpihi.exeCimcan32.exeGigheh32.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eopbnbhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbdjiqhc.dll" Eblpgjha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icpkgc32.dll" Hpcodihc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmophg32.dll" Iepaaico.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ieidhh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kcbfcigf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eaecci32.dll" Edaaccbj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ophjiaql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aphnnafb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fkjmlaac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlofiddl.dll" Hifmmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mbibfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ofckhj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apjdikqd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ggkiol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqnmlj32.dll" Igqkqiai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jcoaglhk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bklomh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnobcjlg.dll" Gicgpelg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gkdpbpih.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Caojpaij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jpegkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cidjbmcp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Empoiimf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igqkqiai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jnlbojee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilmjim32.dll" Gncchb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjofoqdn.dll" Hbohpn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nccokk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jedccfqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dogkme32.dll" Hakgmjoh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpnnle32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qlmgopjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efmmmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oeaoab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpcodihc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kcmfnd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Noppeaed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nabbod32.dll" Eiildjag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Klbnajqc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpbopfag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfcqdoab.dll" Fmlneg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Flfkkhid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cacckp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceknlgnl.dll" Ggmmlamj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cppnfc32.dll" Gmcdffmq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edflhb32.dll" Iggjga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hoaojp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kiodpebj.dll" Ickglm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jleiba32.dll" Jniood32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baampdgc.dll" Fkjmlaac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkiebg32.dll" Gijekg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gicgpelg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cmpjoloh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lnpofnhk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjecpkcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hildmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igpoaebh.dll" Phaahggp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjceejee.dll" Pjpfjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgeaknci.dll" Amnlme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmbegqjk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpcgpihi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cimcan32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gigheh32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
c7e707748cdcbf7ff40d57b833f45d3766ebfc94d27af31ae647fb11116ae37e.exeDeagdn32.exeDknpmdfc.exeEecdjmfi.exeEkpmbddq.exeEajeon32.exeEggmge32.exeEonehbjg.exeEehnem32.exeEhfjah32.exeEopbnbhd.exeEhiffh32.exeEobocb32.exeEemgplno.exeEhkclgmb.exeEkiohclf.exeFdbdah32.exeFoghnabl.exeFeapkk32.exeFgbmccpg.exeFojedapj.exeFhbimf32.exedescription pid Process procid_target PID 4856 wrote to memory of 3388 4856 c7e707748cdcbf7ff40d57b833f45d3766ebfc94d27af31ae647fb11116ae37e.exe 85 PID 4856 wrote to memory of 3388 4856 c7e707748cdcbf7ff40d57b833f45d3766ebfc94d27af31ae647fb11116ae37e.exe 85 PID 4856 wrote to memory of 3388 4856 c7e707748cdcbf7ff40d57b833f45d3766ebfc94d27af31ae647fb11116ae37e.exe 85 PID 3388 wrote to memory of 4428 3388 Deagdn32.exe 86 PID 3388 wrote to memory of 4428 3388 Deagdn32.exe 86 PID 3388 wrote to memory of 4428 3388 Deagdn32.exe 86 PID 4428 wrote to memory of 3000 4428 Dknpmdfc.exe 87 PID 4428 wrote to memory of 3000 4428 Dknpmdfc.exe 87 PID 4428 wrote to memory of 3000 4428 Dknpmdfc.exe 87 PID 3000 wrote to memory of 1380 3000 Eecdjmfi.exe 88 PID 3000 wrote to memory of 1380 3000 Eecdjmfi.exe 88 PID 3000 wrote to memory of 1380 3000 Eecdjmfi.exe 88 PID 1380 wrote to memory of 3472 1380 Ekpmbddq.exe 89 PID 1380 wrote to memory of 3472 1380 Ekpmbddq.exe 89 PID 1380 wrote to memory of 3472 1380 Ekpmbddq.exe 89 PID 3472 wrote to memory of 820 3472 Eajeon32.exe 90 PID 3472 wrote to memory of 820 3472 Eajeon32.exe 90 PID 3472 wrote to memory of 820 3472 Eajeon32.exe 90 PID 820 wrote to memory of 3160 820 Eggmge32.exe 91 PID 820 wrote to memory of 3160 820 Eggmge32.exe 91 PID 820 wrote to memory of 3160 820 Eggmge32.exe 91 PID 3160 wrote to memory of 3816 3160 Eonehbjg.exe 92 PID 3160 wrote to memory of 3816 3160 Eonehbjg.exe 92 PID 3160 wrote to memory of 3816 3160 Eonehbjg.exe 92 PID 3816 wrote to memory of 2496 3816 Eehnem32.exe 93 PID 3816 wrote to memory of 2496 3816 Eehnem32.exe 93 PID 3816 wrote to memory of 2496 3816 Eehnem32.exe 93 PID 2496 wrote to memory of 812 2496 Ehfjah32.exe 94 PID 2496 wrote to memory of 812 2496 Ehfjah32.exe 94 PID 2496 wrote to memory of 812 2496 Ehfjah32.exe 94 PID 812 wrote to memory of 3720 812 Eopbnbhd.exe 95 PID 812 wrote to memory of 3720 812 Eopbnbhd.exe 95 PID 812 wrote to memory of 3720 812 Eopbnbhd.exe 95 PID 3720 wrote to memory of 2604 3720 Ehiffh32.exe 96 PID 3720 wrote to memory of 2604 3720 Ehiffh32.exe 96 PID 3720 wrote to memory of 2604 3720 Ehiffh32.exe 96 PID 2604 wrote to memory of 5112 2604 Eobocb32.exe 97 PID 2604 wrote to memory of 5112 2604 Eobocb32.exe 97 PID 2604 wrote to memory of 5112 2604 Eobocb32.exe 97 PID 5112 wrote to memory of 3192 5112 Eemgplno.exe 98 PID 5112 wrote to memory of 3192 5112 Eemgplno.exe 98 PID 5112 wrote to memory of 3192 5112 Eemgplno.exe 98 PID 3192 wrote to memory of 4828 3192 Ehkclgmb.exe 99 PID 3192 wrote to memory of 4828 3192 Ehkclgmb.exe 99 PID 3192 wrote to memory of 4828 3192 Ehkclgmb.exe 99 PID 4828 wrote to memory of 3928 4828 Ekiohclf.exe 100 PID 4828 wrote to memory of 3928 4828 Ekiohclf.exe 100 PID 4828 wrote to memory of 3928 4828 Ekiohclf.exe 100 PID 3928 wrote to memory of 4312 3928 Fdbdah32.exe 101 PID 3928 wrote to memory of 4312 3928 Fdbdah32.exe 101 PID 3928 wrote to memory of 4312 3928 Fdbdah32.exe 101 PID 4312 wrote to memory of 644 4312 Foghnabl.exe 102 PID 4312 wrote to memory of 644 4312 Foghnabl.exe 102 PID 4312 wrote to memory of 644 4312 Foghnabl.exe 102 PID 644 wrote to memory of 4984 644 Feapkk32.exe 103 PID 644 wrote to memory of 4984 644 Feapkk32.exe 103 PID 644 wrote to memory of 4984 644 Feapkk32.exe 103 PID 4984 wrote to memory of 4208 4984 Fgbmccpg.exe 104 PID 4984 wrote to memory of 4208 4984 Fgbmccpg.exe 104 PID 4984 wrote to memory of 4208 4984 Fgbmccpg.exe 104 PID 4208 wrote to memory of 3852 4208 Fojedapj.exe 105 PID 4208 wrote to memory of 3852 4208 Fojedapj.exe 105 PID 4208 wrote to memory of 3852 4208 Fojedapj.exe 105 PID 3852 wrote to memory of 2712 3852 Fhbimf32.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\c7e707748cdcbf7ff40d57b833f45d3766ebfc94d27af31ae647fb11116ae37e.exe"C:\Users\Admin\AppData\Local\Temp\c7e707748cdcbf7ff40d57b833f45d3766ebfc94d27af31ae647fb11116ae37e.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4856 -
C:\Windows\SysWOW64\Deagdn32.exeC:\Windows\system32\Deagdn32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3388 -
C:\Windows\SysWOW64\Dknpmdfc.exeC:\Windows\system32\Dknpmdfc.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4428 -
C:\Windows\SysWOW64\Eecdjmfi.exeC:\Windows\system32\Eecdjmfi.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Windows\SysWOW64\Ekpmbddq.exeC:\Windows\system32\Ekpmbddq.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1380 -
C:\Windows\SysWOW64\Eajeon32.exeC:\Windows\system32\Eajeon32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3472 -
C:\Windows\SysWOW64\Eggmge32.exeC:\Windows\system32\Eggmge32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:820 -
C:\Windows\SysWOW64\Eonehbjg.exeC:\Windows\system32\Eonehbjg.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3160 -
C:\Windows\SysWOW64\Eehnem32.exeC:\Windows\system32\Eehnem32.exe9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3816 -
C:\Windows\SysWOW64\Ehfjah32.exeC:\Windows\system32\Ehfjah32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\SysWOW64\Eopbnbhd.exeC:\Windows\system32\Eopbnbhd.exe11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:812 -
C:\Windows\SysWOW64\Ehiffh32.exeC:\Windows\system32\Ehiffh32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3720 -
C:\Windows\SysWOW64\Eobocb32.exeC:\Windows\system32\Eobocb32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\Eemgplno.exeC:\Windows\system32\Eemgplno.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5112 -
C:\Windows\SysWOW64\Ehkclgmb.exeC:\Windows\system32\Ehkclgmb.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3192 -
C:\Windows\SysWOW64\Ekiohclf.exeC:\Windows\system32\Ekiohclf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4828 -
C:\Windows\SysWOW64\Fdbdah32.exeC:\Windows\system32\Fdbdah32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3928 -
C:\Windows\SysWOW64\Foghnabl.exeC:\Windows\system32\Foghnabl.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4312 -
C:\Windows\SysWOW64\Feapkk32.exeC:\Windows\system32\Feapkk32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:644 -
C:\Windows\SysWOW64\Fgbmccpg.exeC:\Windows\system32\Fgbmccpg.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4984 -
C:\Windows\SysWOW64\Fojedapj.exeC:\Windows\system32\Fojedapj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4208 -
C:\Windows\SysWOW64\Fhbimf32.exeC:\Windows\system32\Fhbimf32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3852 -
C:\Windows\SysWOW64\Fnobem32.exeC:\Windows\system32\Fnobem32.exe23⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Fkcboack.exeC:\Windows\system32\Fkcboack.exe24⤵
- Executes dropped EXE
PID:4264 -
C:\Windows\SysWOW64\Fnaokmco.exeC:\Windows\system32\Fnaokmco.exe25⤵
- Executes dropped EXE
PID:1856 -
C:\Windows\SysWOW64\Fhgbhfbe.exeC:\Windows\system32\Fhgbhfbe.exe26⤵
- Executes dropped EXE
PID:764 -
C:\Windows\SysWOW64\Gaogak32.exeC:\Windows\system32\Gaogak32.exe27⤵
- Executes dropped EXE
PID:1880 -
C:\Windows\SysWOW64\Gkglja32.exeC:\Windows\system32\Gkglja32.exe28⤵
- Executes dropped EXE
PID:3348 -
C:\Windows\SysWOW64\Gempgj32.exeC:\Windows\system32\Gempgj32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4184 -
C:\Windows\SysWOW64\Gkjhoq32.exeC:\Windows\system32\Gkjhoq32.exe30⤵
- Executes dropped EXE
PID:4488 -
C:\Windows\SysWOW64\Gadqlkep.exeC:\Windows\system32\Gadqlkep.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1760 -
C:\Windows\SysWOW64\Ghniielm.exeC:\Windows\system32\Ghniielm.exe32⤵
- Executes dropped EXE
PID:4412 -
C:\Windows\SysWOW64\Gkleeplq.exeC:\Windows\system32\Gkleeplq.exe33⤵
- Executes dropped EXE
PID:3204 -
C:\Windows\SysWOW64\Gafmaj32.exeC:\Windows\system32\Gafmaj32.exe34⤵
- Executes dropped EXE
PID:4848 -
C:\Windows\SysWOW64\Ggcfja32.exeC:\Windows\system32\Ggcfja32.exe35⤵
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\Gahjgj32.exeC:\Windows\system32\Gahjgj32.exe36⤵
- Executes dropped EXE
PID:3652 -
C:\Windows\SysWOW64\Goljqnpd.exeC:\Windows\system32\Goljqnpd.exe37⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Hakgmjoh.exeC:\Windows\system32\Hakgmjoh.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:3448 -
C:\Windows\SysWOW64\Hoogfnnb.exeC:\Windows\system32\Hoogfnnb.exe39⤵
- Executes dropped EXE
PID:2424 -
C:\Windows\SysWOW64\Hdlpneli.exeC:\Windows\system32\Hdlpneli.exe40⤵
- Executes dropped EXE
PID:556 -
C:\Windows\SysWOW64\Hdnldd32.exeC:\Windows\system32\Hdnldd32.exe41⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Hkhdqoac.exeC:\Windows\system32\Hkhdqoac.exe42⤵
- Executes dropped EXE
PID:4880 -
C:\Windows\SysWOW64\Hnfamjqg.exeC:\Windows\system32\Hnfamjqg.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5048 -
C:\Windows\SysWOW64\Hgoeep32.exeC:\Windows\system32\Hgoeep32.exe44⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Hninbj32.exeC:\Windows\system32\Hninbj32.exe45⤵
- Executes dropped EXE
PID:1276 -
C:\Windows\SysWOW64\Inkjhi32.exeC:\Windows\system32\Inkjhi32.exe46⤵
- Executes dropped EXE
PID:708 -
C:\Windows\SysWOW64\Idebdcdo.exeC:\Windows\system32\Idebdcdo.exe47⤵
- Executes dropped EXE
PID:3620 -
C:\Windows\SysWOW64\Igcoqocb.exeC:\Windows\system32\Igcoqocb.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4964 -
C:\Windows\SysWOW64\Inmgmijo.exeC:\Windows\system32\Inmgmijo.exe49⤵
- Executes dropped EXE
PID:4872 -
C:\Windows\SysWOW64\Iickkbje.exeC:\Windows\system32\Iickkbje.exe50⤵
- Executes dropped EXE
PID:4328 -
C:\Windows\SysWOW64\Ikaggmii.exeC:\Windows\system32\Ikaggmii.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2792 -
C:\Windows\SysWOW64\Ibkpcg32.exeC:\Windows\system32\Ibkpcg32.exe52⤵
- Executes dropped EXE
PID:4316 -
C:\Windows\SysWOW64\Idjlpc32.exeC:\Windows\system32\Idjlpc32.exe53⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Ioopml32.exeC:\Windows\system32\Ioopml32.exe54⤵
- Executes dropped EXE
PID:1356 -
C:\Windows\SysWOW64\Ienekbld.exeC:\Windows\system32\Ienekbld.exe55⤵
- Executes dropped EXE
PID:4044 -
C:\Windows\SysWOW64\Jeqbpb32.exeC:\Windows\system32\Jeqbpb32.exe56⤵
- Executes dropped EXE
PID:4916 -
C:\Windows\SysWOW64\Jecofa32.exeC:\Windows\system32\Jecofa32.exe57⤵
- Executes dropped EXE
PID:4124 -
C:\Windows\SysWOW64\Jfbkpd32.exeC:\Windows\system32\Jfbkpd32.exe58⤵
- Executes dropped EXE
PID:1828 -
C:\Windows\SysWOW64\Jpkphjeb.exeC:\Windows\system32\Jpkphjeb.exe59⤵
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\Jgfdmlcm.exeC:\Windows\system32\Jgfdmlcm.exe60⤵
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Jpmlnjco.exeC:\Windows\system32\Jpmlnjco.exe61⤵
- Executes dropped EXE
PID:2804 -
C:\Windows\SysWOW64\Jblijebc.exeC:\Windows\system32\Jblijebc.exe62⤵
- Executes dropped EXE
PID:3940 -
C:\Windows\SysWOW64\Jejefqaf.exeC:\Windows\system32\Jejefqaf.exe63⤵
- Executes dropped EXE
PID:4836 -
C:\Windows\SysWOW64\Kldmckic.exeC:\Windows\system32\Kldmckic.exe64⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Knbiofhg.exeC:\Windows\system32\Knbiofhg.exe65⤵
- Executes dropped EXE
PID:3528 -
C:\Windows\SysWOW64\Keonap32.exeC:\Windows\system32\Keonap32.exe66⤵PID:3112
-
C:\Windows\SysWOW64\Khmknk32.exeC:\Windows\system32\Khmknk32.exe67⤵PID:3308
-
C:\Windows\SysWOW64\Kpgodhkd.exeC:\Windows\system32\Kpgodhkd.exe68⤵PID:2684
-
C:\Windows\SysWOW64\Kfqgab32.exeC:\Windows\system32\Kfqgab32.exe69⤵PID:1588
-
C:\Windows\SysWOW64\Kpiljh32.exeC:\Windows\system32\Kpiljh32.exe70⤵PID:5052
-
C:\Windows\SysWOW64\Lpkiph32.exeC:\Windows\system32\Lpkiph32.exe71⤵PID:1364
-
C:\Windows\SysWOW64\Lehaho32.exeC:\Windows\system32\Lehaho32.exe72⤵PID:1148
-
C:\Windows\SysWOW64\Lhfmdj32.exeC:\Windows\system32\Lhfmdj32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3760 -
C:\Windows\SysWOW64\Lblaabdp.exeC:\Windows\system32\Lblaabdp.exe74⤵PID:2472
-
C:\Windows\SysWOW64\Lifjnm32.exeC:\Windows\system32\Lifjnm32.exe75⤵PID:2856
-
C:\Windows\SysWOW64\Lppbkgcj.exeC:\Windows\system32\Lppbkgcj.exe76⤵PID:4624
-
C:\Windows\SysWOW64\Lemkcnaa.exeC:\Windows\system32\Lemkcnaa.exe77⤵PID:2052
-
C:\Windows\SysWOW64\Lhkgoiqe.exeC:\Windows\system32\Lhkgoiqe.exe78⤵
- Drops file in System32 directory
PID:4280 -
C:\Windows\SysWOW64\Lpbopfag.exeC:\Windows\system32\Lpbopfag.exe79⤵
- Modifies registry class
PID:1564 -
C:\Windows\SysWOW64\Lflgmqhd.exeC:\Windows\system32\Lflgmqhd.exe80⤵
- System Location Discovery: System Language Discovery
PID:4556 -
C:\Windows\SysWOW64\Likcilhh.exeC:\Windows\system32\Likcilhh.exe81⤵PID:4060
-
C:\Windows\SysWOW64\Llipehgk.exeC:\Windows\system32\Llipehgk.exe82⤵PID:4424
-
C:\Windows\SysWOW64\Mhppji32.exeC:\Windows\system32\Mhppji32.exe83⤵PID:1444
-
C:\Windows\SysWOW64\Mhbmphjm.exeC:\Windows\system32\Mhbmphjm.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2680 -
C:\Windows\SysWOW64\Mbhamajc.exeC:\Windows\system32\Mbhamajc.exe85⤵PID:5084
-
C:\Windows\SysWOW64\Mplafeil.exeC:\Windows\system32\Mplafeil.exe86⤵PID:1964
-
C:\Windows\SysWOW64\Midfokpm.exeC:\Windows\system32\Midfokpm.exe87⤵PID:2340
-
C:\Windows\SysWOW64\Mpnnle32.exeC:\Windows\system32\Mpnnle32.exe88⤵
- Modifies registry class
PID:4756 -
C:\Windows\SysWOW64\Mifcejnj.exeC:\Windows\system32\Mifcejnj.exe89⤵PID:1292
-
C:\Windows\SysWOW64\Mleoafmn.exeC:\Windows\system32\Mleoafmn.exe90⤵PID:4940
-
C:\Windows\SysWOW64\Mfjcnold.exeC:\Windows\system32\Mfjcnold.exe91⤵PID:3164
-
C:\Windows\SysWOW64\Niipjj32.exeC:\Windows\system32\Niipjj32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4928 -
C:\Windows\SysWOW64\Nlglfe32.exeC:\Windows\system32\Nlglfe32.exe93⤵PID:1420
-
C:\Windows\SysWOW64\Neppokal.exeC:\Windows\system32\Neppokal.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5024 -
C:\Windows\SysWOW64\Niklpj32.exeC:\Windows\system32\Niklpj32.exe95⤵PID:1688
-
C:\Windows\SysWOW64\Nbcqiope.exeC:\Windows\system32\Nbcqiope.exe96⤵
- System Location Discovery: System Language Discovery
PID:2572 -
C:\Windows\SysWOW64\Niniei32.exeC:\Windows\system32\Niniei32.exe97⤵PID:4156
-
C:\Windows\SysWOW64\Nlleaeff.exeC:\Windows\system32\Nlleaeff.exe98⤵PID:4076
-
C:\Windows\SysWOW64\Ncfmno32.exeC:\Windows\system32\Ncfmno32.exe99⤵PID:1984
-
C:\Windows\SysWOW64\Nedjjj32.exeC:\Windows\system32\Nedjjj32.exe100⤵PID:4148
-
C:\Windows\SysWOW64\Nhbfff32.exeC:\Windows\system32\Nhbfff32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3244 -
C:\Windows\SysWOW64\Nchjdo32.exeC:\Windows\system32\Nchjdo32.exe102⤵PID:684
-
C:\Windows\SysWOW64\Nlqomd32.exeC:\Windows\system32\Nlqomd32.exe103⤵
- Drops file in System32 directory
PID:2652 -
C:\Windows\SysWOW64\Ogfcjm32.exeC:\Windows\system32\Ogfcjm32.exe104⤵PID:4400
-
C:\Windows\SysWOW64\Oidofh32.exeC:\Windows\system32\Oidofh32.exe105⤵PID:3636
-
C:\Windows\SysWOW64\Olckbd32.exeC:\Windows\system32\Olckbd32.exe106⤵PID:1160
-
C:\Windows\SysWOW64\Ooagno32.exeC:\Windows\system32\Ooagno32.exe107⤵PID:3284
-
C:\Windows\SysWOW64\Ocmconhk.exeC:\Windows\system32\Ocmconhk.exe108⤵PID:3536
-
C:\Windows\SysWOW64\Olehhc32.exeC:\Windows\system32\Olehhc32.exe109⤵PID:4852
-
C:\Windows\SysWOW64\Oocddono.exeC:\Windows\system32\Oocddono.exe110⤵PID:2092
-
C:\Windows\SysWOW64\Ogklelna.exeC:\Windows\system32\Ogklelna.exe111⤵PID:1280
-
C:\Windows\SysWOW64\Oiihahme.exeC:\Windows\system32\Oiihahme.exe112⤵PID:1820
-
C:\Windows\SysWOW64\Olgemcli.exeC:\Windows\system32\Olgemcli.exe113⤵PID:4752
-
C:\Windows\SysWOW64\Oofaiokl.exeC:\Windows\system32\Oofaiokl.exe114⤵
- Drops file in System32 directory
PID:5012 -
C:\Windows\SysWOW64\Ogmijllo.exeC:\Windows\system32\Ogmijllo.exe115⤵PID:2284
-
C:\Windows\SysWOW64\Oileggkb.exeC:\Windows\system32\Oileggkb.exe116⤵PID:4596
-
C:\Windows\SysWOW64\Oljaccjf.exeC:\Windows\system32\Oljaccjf.exe117⤵
- Drops file in System32 directory
PID:5156 -
C:\Windows\SysWOW64\Oohnonij.exeC:\Windows\system32\Oohnonij.exe118⤵PID:5208
-
C:\Windows\SysWOW64\Ogpepl32.exeC:\Windows\system32\Ogpepl32.exe119⤵PID:5248
-
C:\Windows\SysWOW64\Ojnblg32.exeC:\Windows\system32\Ojnblg32.exe120⤵PID:5292
-
C:\Windows\SysWOW64\Ollnhb32.exeC:\Windows\system32\Ollnhb32.exe121⤵
- System Location Discovery: System Language Discovery
PID:5336
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-