Analysis
-
max time kernel
52s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
26-11-2024 14:00
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
eb39ce64a979efe9691db13487809e2c9f5462ff5520c83bf923080d5a4231b1.exe
Resource
win7-20240903-en
windows7-x64
13 signatures
120 seconds
Behavioral task
behavioral2
Sample
eb39ce64a979efe9691db13487809e2c9f5462ff5520c83bf923080d5a4231b1.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
12 signatures
120 seconds
General
-
Target
eb39ce64a979efe9691db13487809e2c9f5462ff5520c83bf923080d5a4231b1.exe
-
Size
96KB
-
MD5
3785f80ff0a928ae5ff1feffb1778045
-
SHA1
d156f89b1ac2cac0e83775b6a922e42455a6f1e7
-
SHA256
eb39ce64a979efe9691db13487809e2c9f5462ff5520c83bf923080d5a4231b1
-
SHA512
233588987af389626fbffa1190a026e98003d0df3f3dbc9c02590200c4f45a1f8fb5ca8c27e577af8ca6bded9b0dbb7d0c04cf5defc0fe660fed2496f5dabe50
-
SSDEEP
1536:4XTXf1lk1lCaCLNQ2HVw72LFG7RZObZUUWaegPYAm:4XTdlk1ljCRQwUClUUWaeN
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Lkihdioa.exeCdjmcpnl.exeCejphiik.exeHfcjdkpg.exeOlmcchlg.exeCfnoogbo.exeHddlof32.exeEhmbng32.exeJcbhee32.exeQdojgmfe.exeGfhgpg32.exeQjnmlk32.exeBaadng32.exeIllbhp32.exeDbifnj32.exeFqajihle.exeFoafdoag.exeIlofhffj.exeAbeemhkh.exeAchojp32.exeEbefgm32.exeFcmiod32.exeKmobhmnn.exeCemjae32.exeJbpdeogo.exeEhjehh32.exeFgiepced.exeJfhjbobc.exeOdebolpe.exeFnofjfhk.exeCilibi32.exeBekmle32.exeKdmgclfk.exeBfhmqhkd.exeJgaiobjn.exeGehhmkko.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkihdioa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdjmcpnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cejphiik.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfcjdkpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olmcchlg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfnoogbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hddlof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehmbng32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcbhee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qdojgmfe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfhgpg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjnmlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Baadng32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Illbhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbifnj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fqajihle.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Foafdoag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilofhffj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abeemhkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Achojp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebefgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcmiod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmobhmnn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cemjae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbpdeogo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehjehh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgiepced.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfhjbobc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odebolpe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnofjfhk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cilibi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bekmle32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdmgclfk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfhmqhkd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgaiobjn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gehhmkko.exe -
Berbew family
-
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
-
Bruteratel family
-
Detect BruteRatel badger 6 IoCs
Processes:
resource yara_rule behavioral1/files/0x000400000001e82c-3468.dat family_bruteratel behavioral1/files/0x0003000000020fa5-7286.dat family_bruteratel behavioral1/files/0x00030000000210c5-7754.dat family_bruteratel behavioral1/files/0x0003000000021986-12068.dat family_bruteratel behavioral1/files/0x0003000000021d6f-13698.dat family_bruteratel behavioral1/files/0x0003000000021f29-14273.dat family_bruteratel -
Executes dropped EXE 64 IoCs
Processes:
Odjbdb32.exeOkdkal32.exeOnbgmg32.exeOancnfoe.exeOgkkfmml.exeOappcfmb.exeOgmhkmki.exePjldghjm.exePqemdbaj.exePgpeal32.exePmlmic32.exePqhijbog.exePgbafl32.exePjpnbg32.exePomfkndo.exePcibkm32.exePiekcd32.exePmagdbci.exePoocpnbm.exePbnoliap.exePdlkiepd.exePihgic32.exePkfceo32.exePndpajgd.exeQeohnd32.exeQijdocfj.exeQodlkm32.exeQqeicede.exeQkkmqnck.exeQjnmlk32.exeAbeemhkh.exeAaheie32.exeAcfaeq32.exeAjpjakhc.exeAajbne32.exeAeenochi.exeAchojp32.exeAnnbhi32.exeAmqccfed.exeAckkppma.exeAjecmj32.exeAmcpie32.exeAcmhepko.exeAfkdakjb.exeAijpnfif.exeApdhjq32.exeAfnagk32.exeBilmcf32.exeBlkioa32.exeBpfeppop.exeBbdallnd.exeBiojif32.exeBlmfea32.exeBbgnak32.exeBeejng32.exeBhdgjb32.exeBjbcfn32.exeBbikgk32.exeBehgcf32.exeBhfcpb32.exeBjdplm32.exeBoplllob.exeBejdiffp.exeBdmddc32.exepid Process 2596 Odjbdb32.exe 2812 Okdkal32.exe 2700 Onbgmg32.exe 2664 Oancnfoe.exe 380 Ogkkfmml.exe 1492 Oappcfmb.exe 2140 Ogmhkmki.exe 400 Pjldghjm.exe 2968 Pqemdbaj.exe 3008 Pgpeal32.exe 2908 Pmlmic32.exe 2940 Pqhijbog.exe 1756 Pgbafl32.exe 2176 Pjpnbg32.exe 2648 Pomfkndo.exe 2172 Pcibkm32.exe 844 Piekcd32.exe 2392 Pmagdbci.exe 1324 Poocpnbm.exe 2304 Pbnoliap.exe 1536 Pdlkiepd.exe 2196 Pihgic32.exe 1992 Pkfceo32.exe 2380 Pndpajgd.exe 2072 Qeohnd32.exe 2624 Qijdocfj.exe 2620 Qodlkm32.exe 2488 Qqeicede.exe 2708 Qkkmqnck.exe 584 Qjnmlk32.exe 2916 Abeemhkh.exe 3024 Aaheie32.exe 2976 Acfaeq32.exe 2956 Ajpjakhc.exe 2352 Aajbne32.exe 2960 Aeenochi.exe 1160 Achojp32.exe 2252 Annbhi32.exe 3060 Amqccfed.exe 2060 Ackkppma.exe 408 Ajecmj32.exe 1532 Amcpie32.exe 868 Acmhepko.exe 1392 Afkdakjb.exe 316 Aijpnfif.exe 2900 Apdhjq32.exe 2332 Afnagk32.exe 2744 Bilmcf32.exe 1244 Blkioa32.exe 1344 Bpfeppop.exe 2724 Bbdallnd.exe 2088 Biojif32.exe 3000 Blmfea32.exe 2996 Bbgnak32.exe 2868 Beejng32.exe 2780 Bhdgjb32.exe 1892 Bjbcfn32.exe 1764 Bbikgk32.exe 1476 Behgcf32.exe 1004 Bhfcpb32.exe 2372 Bjdplm32.exe 1812 Boplllob.exe 1260 Bejdiffp.exe 1784 Bdmddc32.exe -
Loads dropped DLL 64 IoCs
Processes:
eb39ce64a979efe9691db13487809e2c9f5462ff5520c83bf923080d5a4231b1.exeOdjbdb32.exeOkdkal32.exeOnbgmg32.exeOancnfoe.exeOgkkfmml.exeOappcfmb.exeOgmhkmki.exePjldghjm.exePqemdbaj.exePgpeal32.exePmlmic32.exePqhijbog.exePgbafl32.exePjpnbg32.exePomfkndo.exePcibkm32.exePiekcd32.exePmagdbci.exePoocpnbm.exePbnoliap.exePdlkiepd.exePihgic32.exePkfceo32.exePndpajgd.exeQeohnd32.exeQijdocfj.exeQodlkm32.exeQqeicede.exeQkkmqnck.exeQjnmlk32.exeAbeemhkh.exepid Process 2840 eb39ce64a979efe9691db13487809e2c9f5462ff5520c83bf923080d5a4231b1.exe 2840 eb39ce64a979efe9691db13487809e2c9f5462ff5520c83bf923080d5a4231b1.exe 2596 Odjbdb32.exe 2596 Odjbdb32.exe 2812 Okdkal32.exe 2812 Okdkal32.exe 2700 Onbgmg32.exe 2700 Onbgmg32.exe 2664 Oancnfoe.exe 2664 Oancnfoe.exe 380 Ogkkfmml.exe 380 Ogkkfmml.exe 1492 Oappcfmb.exe 1492 Oappcfmb.exe 2140 Ogmhkmki.exe 2140 Ogmhkmki.exe 400 Pjldghjm.exe 400 Pjldghjm.exe 2968 Pqemdbaj.exe 2968 Pqemdbaj.exe 3008 Pgpeal32.exe 3008 Pgpeal32.exe 2908 Pmlmic32.exe 2908 Pmlmic32.exe 2940 Pqhijbog.exe 2940 Pqhijbog.exe 1756 Pgbafl32.exe 1756 Pgbafl32.exe 2176 Pjpnbg32.exe 2176 Pjpnbg32.exe 2648 Pomfkndo.exe 2648 Pomfkndo.exe 2172 Pcibkm32.exe 2172 Pcibkm32.exe 844 Piekcd32.exe 844 Piekcd32.exe 2392 Pmagdbci.exe 2392 Pmagdbci.exe 1324 Poocpnbm.exe 1324 Poocpnbm.exe 2304 Pbnoliap.exe 2304 Pbnoliap.exe 1536 Pdlkiepd.exe 1536 Pdlkiepd.exe 2196 Pihgic32.exe 2196 Pihgic32.exe 1992 Pkfceo32.exe 1992 Pkfceo32.exe 2380 Pndpajgd.exe 2380 Pndpajgd.exe 2072 Qeohnd32.exe 2072 Qeohnd32.exe 2624 Qijdocfj.exe 2624 Qijdocfj.exe 2620 Qodlkm32.exe 2620 Qodlkm32.exe 2488 Qqeicede.exe 2488 Qqeicede.exe 2708 Qkkmqnck.exe 2708 Qkkmqnck.exe 584 Qjnmlk32.exe 584 Qjnmlk32.exe 2916 Abeemhkh.exe 2916 Abeemhkh.exe -
Drops file in System32 directory 64 IoCs
Processes:
Qodlkm32.exeKceqjhiq.exeJdhgnf32.exeAkkoig32.exeGfcnegnk.exeQeohnd32.exeEijdkcgn.exeGifaciae.exeHdfhdfgl.exeOoicid32.exeCcbphk32.exeHhcmhdke.exeQobbofgn.exeCilibi32.exeKfeikcfa.exePqemdbaj.exeMioabp32.exeDkadjn32.exeCckdlnjg.exeQoeeolig.exeKfebambf.exeNjpgpbpf.exePjcmap32.exeFemeig32.exeIaonhm32.exeJjmpbopd.exeCkolek32.exedescription ioc Process File opened for modification C:\Windows\SysWOW64\Lhnkffeo.exe File opened for modification C:\Windows\SysWOW64\Ajckilei.exe File opened for modification C:\Windows\SysWOW64\Cfehhn32.exe File created C:\Windows\SysWOW64\Qqeicede.exe Qodlkm32.exe File created C:\Windows\SysWOW64\Hnifgpff.dll Kceqjhiq.exe File created C:\Windows\SysWOW64\Jdhgnf32.exe Jdhgnf32.exe File created C:\Windows\SysWOW64\Gnpincmg.dll File created C:\Windows\SysWOW64\Hloncd32.dll File opened for modification C:\Windows\SysWOW64\Ajnpecbj.exe Akkoig32.exe File opened for modification C:\Windows\SysWOW64\Gjojef32.exe Gfcnegnk.exe File created C:\Windows\SysWOW64\Gchfle32.dll File created C:\Windows\SysWOW64\Ijnkifgp.exe File created C:\Windows\SysWOW64\Nlbjim32.dll File created C:\Windows\SysWOW64\Dilfgala.dll File created C:\Windows\SysWOW64\Lpabpcdf.exe File created C:\Windows\SysWOW64\Qijdocfj.exe Qeohnd32.exe File created C:\Windows\SysWOW64\Elipgofb.exe Eijdkcgn.exe File created C:\Windows\SysWOW64\Pghfnc32.exe File created C:\Windows\SysWOW64\Mfjaekpm.dll File created C:\Windows\SysWOW64\Ejebfdmb.dll File opened for modification C:\Windows\SysWOW64\Bnfddp32.exe File created C:\Windows\SysWOW64\Pcaibd32.dll File created C:\Windows\SysWOW64\Noockemb.dll File created C:\Windows\SysWOW64\Ghiaof32.exe Gifaciae.exe File created C:\Windows\SysWOW64\Hhbdee32.exe Hdfhdfgl.exe File opened for modification C:\Windows\SysWOW64\Oagoep32.exe Ooicid32.exe File created C:\Windows\SysWOW64\Moeinj32.dll Ccbphk32.exe File created C:\Windows\SysWOW64\Mmfejo32.dll File opened for modification C:\Windows\SysWOW64\Ageompfe.exe File opened for modification C:\Windows\SysWOW64\Eifmimch.exe File created C:\Windows\SysWOW64\Ebnabb32.exe File created C:\Windows\SysWOW64\Cdbhodcb.dll Hhcmhdke.exe File created C:\Windows\SysWOW64\Ggpbcccn.dll Qobbofgn.exe File opened for modification C:\Windows\SysWOW64\Jdpjba32.exe File opened for modification C:\Windows\SysWOW64\Fpjofl32.exe File created C:\Windows\SysWOW64\Iakgefqe.exe File opened for modification C:\Windows\SysWOW64\Cmgechbh.exe Cilibi32.exe File created C:\Windows\SysWOW64\Mpjdmlgk.dll Kfeikcfa.exe File opened for modification C:\Windows\SysWOW64\Elcpbigl.exe File created C:\Windows\SysWOW64\Fplllkdc.exe File opened for modification C:\Windows\SysWOW64\Gockgdeh.exe File opened for modification C:\Windows\SysWOW64\Jabponba.exe File created C:\Windows\SysWOW64\Ipgljgoi.dll Pqemdbaj.exe File created C:\Windows\SysWOW64\Iggmbm32.dll Mioabp32.exe File created C:\Windows\SysWOW64\Domqjm32.exe Dkadjn32.exe File opened for modification C:\Windows\SysWOW64\Oibmpl32.exe File opened for modification C:\Windows\SysWOW64\Eibgpnjk.exe File created C:\Windows\SysWOW64\Ipomlm32.exe File opened for modification C:\Windows\SysWOW64\Iclbpj32.exe File created C:\Windows\SysWOW64\Cejphiik.exe Cckdlnjg.exe File created C:\Windows\SysWOW64\Qglmpi32.exe Qoeeolig.exe File created C:\Windows\SysWOW64\Fckada32.dll Kfebambf.exe File created C:\Windows\SysWOW64\Ojomdoof.exe File created C:\Windows\SysWOW64\Ciagojda.exe File created C:\Windows\SysWOW64\Emfbap32.dll File opened for modification C:\Windows\SysWOW64\Najpll32.exe Njpgpbpf.exe File created C:\Windows\SysWOW64\Plaimk32.exe Pjcmap32.exe File opened for modification C:\Windows\SysWOW64\Kindeddf.exe File created C:\Windows\SysWOW64\Ndcapd32.exe File created C:\Windows\SysWOW64\Ffnbaojm.exe Femeig32.exe File created C:\Windows\SysWOW64\Idmkdh32.exe Iaonhm32.exe File created C:\Windows\SysWOW64\Jlklnjoh.exe Jjmpbopd.exe File opened for modification C:\Windows\SysWOW64\Mhfjjdjf.exe File created C:\Windows\SysWOW64\Cojhejbh.exe Ckolek32.exe -
Program crash 1 IoCs
Processes:
pid pid_target Process procid_target 5188 5396 1886 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Mlpneh32.exeCmpdgf32.exeAnnbhi32.exeOhidmoaa.exeIdfnicfl.exeHcgjmo32.exeIncbgnmc.exePadeldeo.exeHmoofdea.exePjcckf32.exeNkhdkgnj.exeEabcggll.exeKdmgclfk.exeNaopaa32.exeQglmpi32.exeIhmpobck.exeOgknoe32.exeEcnmpa32.exeJfcqgpfi.exeKqiaclhj.exeEamilh32.exeJpogbgmi.exeCfnoogbo.exeJjmpbopd.exeBbjdjjdn.exeElajgpmj.exeLdoimh32.exeMeabakda.exeEpoqde32.exeGjngmmnp.exeHmjlhfof.exeKhabghdl.exeMndmoaog.exeOdjbdb32.exeEhjehh32.exeQfonkfqd.exeGjfgqk32.exeMjcoqdoc.exeMpgmijgc.exeFdnolfon.exeQeohnd32.exeEgahen32.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlpneh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmpdgf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Annbhi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohidmoaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idfnicfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcgjmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Incbgnmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Padeldeo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmoofdea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjcckf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkhdkgnj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eabcggll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdmgclfk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Naopaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qglmpi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihmpobck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogknoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecnmpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfcqgpfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kqiaclhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eamilh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpogbgmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfnoogbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjmpbopd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbjdjjdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elajgpmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldoimh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meabakda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epoqde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjngmmnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmjlhfof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khabghdl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mndmoaog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odjbdb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehjehh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfonkfqd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjfgqk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjcoqdoc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpgmijgc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdnolfon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qeohnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egahen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language -
Modifies registry class 64 IoCs
Processes:
Poocpnbm.exeHpjeialg.exeJagnlkjd.exeAcekjjmk.exeDogpdg32.exeFkjdopeh.exeHeealhla.exePhhjblpa.exeMmogmjmn.exeOpnpimdf.exeOghhfg32.exeAollokco.exeFpicodoj.exeKfeikcfa.exeNamclbil.exeLgbeoibb.exeNfcbldmm.exeOgqaehak.exeDinklffl.exePcibkm32.exeCicpch32.exeIbckfa32.exeKdpcikdi.exeLflplbpi.exeAgljom32.exeAcfaeq32.exePgegok32.exeFlqmbd32.exeLqqpgj32.exeFblmglgm.exeBbjdjjdn.exeGbdhjm32.exeJabdql32.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lclclfdi.dll" Poocpnbm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpjeialg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jebpihab.dll" Jagnlkjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnlcjk32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bndneq32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmejgd32.dll" Acekjjmk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dogpdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldcinhie.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgdeifom.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cobhlhdl.dll" Fkjdopeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Heealhla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phhjblpa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnfdih32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmogmjmn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ammmql32.dll" Opnpimdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oghhfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkiofep.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnlmcm32.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aollokco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjinic32.dll" Fpicodoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfeikcfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Namclbil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgbeoibb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nfcbldmm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdgpabaa.dll" Ogqaehak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dinklffl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkajkp32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pofhpf32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlpckqje.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pcibkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfkomjoa.dll" Cicpch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kamedlhf.dll" Ibckfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlpklbcl.dll" Kdpcikdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fllcjack.dll" Lflplbpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Agljom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Acfaeq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgegok32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Flqmbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lqqpgj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fblmglgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkjplo32.dll" Bbjdjjdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbdhjm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jabdql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bibjaofg.dll" -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
eb39ce64a979efe9691db13487809e2c9f5462ff5520c83bf923080d5a4231b1.exeOdjbdb32.exeOkdkal32.exeOnbgmg32.exeOancnfoe.exeOgkkfmml.exeOappcfmb.exeOgmhkmki.exePjldghjm.exePqemdbaj.exePgpeal32.exePmlmic32.exePqhijbog.exePgbafl32.exePjpnbg32.exePomfkndo.exedescription pid Process procid_target PID 2840 wrote to memory of 2596 2840 eb39ce64a979efe9691db13487809e2c9f5462ff5520c83bf923080d5a4231b1.exe 30 PID 2840 wrote to memory of 2596 2840 eb39ce64a979efe9691db13487809e2c9f5462ff5520c83bf923080d5a4231b1.exe 30 PID 2840 wrote to memory of 2596 2840 eb39ce64a979efe9691db13487809e2c9f5462ff5520c83bf923080d5a4231b1.exe 30 PID 2840 wrote to memory of 2596 2840 eb39ce64a979efe9691db13487809e2c9f5462ff5520c83bf923080d5a4231b1.exe 30 PID 2596 wrote to memory of 2812 2596 Odjbdb32.exe 31 PID 2596 wrote to memory of 2812 2596 Odjbdb32.exe 31 PID 2596 wrote to memory of 2812 2596 Odjbdb32.exe 31 PID 2596 wrote to memory of 2812 2596 Odjbdb32.exe 31 PID 2812 wrote to memory of 2700 2812 Okdkal32.exe 32 PID 2812 wrote to memory of 2700 2812 Okdkal32.exe 32 PID 2812 wrote to memory of 2700 2812 Okdkal32.exe 32 PID 2812 wrote to memory of 2700 2812 Okdkal32.exe 32 PID 2700 wrote to memory of 2664 2700 Onbgmg32.exe 33 PID 2700 wrote to memory of 2664 2700 Onbgmg32.exe 33 PID 2700 wrote to memory of 2664 2700 Onbgmg32.exe 33 PID 2700 wrote to memory of 2664 2700 Onbgmg32.exe 33 PID 2664 wrote to memory of 380 2664 Oancnfoe.exe 34 PID 2664 wrote to memory of 380 2664 Oancnfoe.exe 34 PID 2664 wrote to memory of 380 2664 Oancnfoe.exe 34 PID 2664 wrote to memory of 380 2664 Oancnfoe.exe 34 PID 380 wrote to memory of 1492 380 Ogkkfmml.exe 35 PID 380 wrote to memory of 1492 380 Ogkkfmml.exe 35 PID 380 wrote to memory of 1492 380 Ogkkfmml.exe 35 PID 380 wrote to memory of 1492 380 Ogkkfmml.exe 35 PID 1492 wrote to memory of 2140 1492 Oappcfmb.exe 36 PID 1492 wrote to memory of 2140 1492 Oappcfmb.exe 36 PID 1492 wrote to memory of 2140 1492 Oappcfmb.exe 36 PID 1492 wrote to memory of 2140 1492 Oappcfmb.exe 36 PID 2140 wrote to memory of 400 2140 Ogmhkmki.exe 37 PID 2140 wrote to memory of 400 2140 Ogmhkmki.exe 37 PID 2140 wrote to memory of 400 2140 Ogmhkmki.exe 37 PID 2140 wrote to memory of 400 2140 Ogmhkmki.exe 37 PID 400 wrote to memory of 2968 400 Pjldghjm.exe 38 PID 400 wrote to memory of 2968 400 Pjldghjm.exe 38 PID 400 wrote to memory of 2968 400 Pjldghjm.exe 38 PID 400 wrote to memory of 2968 400 Pjldghjm.exe 38 PID 2968 wrote to memory of 3008 2968 Pqemdbaj.exe 39 PID 2968 wrote to memory of 3008 2968 Pqemdbaj.exe 39 PID 2968 wrote to memory of 3008 2968 Pqemdbaj.exe 39 PID 2968 wrote to memory of 3008 2968 Pqemdbaj.exe 39 PID 3008 wrote to memory of 2908 3008 Pgpeal32.exe 40 PID 3008 wrote to memory of 2908 3008 Pgpeal32.exe 40 PID 3008 wrote to memory of 2908 3008 Pgpeal32.exe 40 PID 3008 wrote to memory of 2908 3008 Pgpeal32.exe 40 PID 2908 wrote to memory of 2940 2908 Pmlmic32.exe 41 PID 2908 wrote to memory of 2940 2908 Pmlmic32.exe 41 PID 2908 wrote to memory of 2940 2908 Pmlmic32.exe 41 PID 2908 wrote to memory of 2940 2908 Pmlmic32.exe 41 PID 2940 wrote to memory of 1756 2940 Pqhijbog.exe 42 PID 2940 wrote to memory of 1756 2940 Pqhijbog.exe 42 PID 2940 wrote to memory of 1756 2940 Pqhijbog.exe 42 PID 2940 wrote to memory of 1756 2940 Pqhijbog.exe 42 PID 1756 wrote to memory of 2176 1756 Pgbafl32.exe 43 PID 1756 wrote to memory of 2176 1756 Pgbafl32.exe 43 PID 1756 wrote to memory of 2176 1756 Pgbafl32.exe 43 PID 1756 wrote to memory of 2176 1756 Pgbafl32.exe 43 PID 2176 wrote to memory of 2648 2176 Pjpnbg32.exe 44 PID 2176 wrote to memory of 2648 2176 Pjpnbg32.exe 44 PID 2176 wrote to memory of 2648 2176 Pjpnbg32.exe 44 PID 2176 wrote to memory of 2648 2176 Pjpnbg32.exe 44 PID 2648 wrote to memory of 2172 2648 Pomfkndo.exe 45 PID 2648 wrote to memory of 2172 2648 Pomfkndo.exe 45 PID 2648 wrote to memory of 2172 2648 Pomfkndo.exe 45 PID 2648 wrote to memory of 2172 2648 Pomfkndo.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\eb39ce64a979efe9691db13487809e2c9f5462ff5520c83bf923080d5a4231b1.exe"C:\Users\Admin\AppData\Local\Temp\eb39ce64a979efe9691db13487809e2c9f5462ff5520c83bf923080d5a4231b1.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Odjbdb32.exeC:\Windows\system32\Odjbdb32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Okdkal32.exeC:\Windows\system32\Okdkal32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\Onbgmg32.exeC:\Windows\system32\Onbgmg32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Oancnfoe.exeC:\Windows\system32\Oancnfoe.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Ogkkfmml.exeC:\Windows\system32\Ogkkfmml.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:380 -
C:\Windows\SysWOW64\Oappcfmb.exeC:\Windows\system32\Oappcfmb.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1492 -
C:\Windows\SysWOW64\Ogmhkmki.exeC:\Windows\system32\Ogmhkmki.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Windows\SysWOW64\Pjldghjm.exeC:\Windows\system32\Pjldghjm.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:400 -
C:\Windows\SysWOW64\Pqemdbaj.exeC:\Windows\system32\Pqemdbaj.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Pgpeal32.exeC:\Windows\system32\Pgpeal32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Windows\SysWOW64\Pmlmic32.exeC:\Windows\system32\Pmlmic32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Pqhijbog.exeC:\Windows\system32\Pqhijbog.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\Pgbafl32.exeC:\Windows\system32\Pgbafl32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1756 -
C:\Windows\SysWOW64\Pjpnbg32.exeC:\Windows\system32\Pjpnbg32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Windows\SysWOW64\Pomfkndo.exeC:\Windows\system32\Pomfkndo.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Pcibkm32.exeC:\Windows\system32\Pcibkm32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2172 -
C:\Windows\SysWOW64\Piekcd32.exeC:\Windows\system32\Piekcd32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:844 -
C:\Windows\SysWOW64\Pmagdbci.exeC:\Windows\system32\Pmagdbci.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2392 -
C:\Windows\SysWOW64\Poocpnbm.exeC:\Windows\system32\Poocpnbm.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1324 -
C:\Windows\SysWOW64\Pbnoliap.exeC:\Windows\system32\Pbnoliap.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2304 -
C:\Windows\SysWOW64\Pdlkiepd.exeC:\Windows\system32\Pdlkiepd.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1536 -
C:\Windows\SysWOW64\Pihgic32.exeC:\Windows\system32\Pihgic32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2196 -
C:\Windows\SysWOW64\Pkfceo32.exeC:\Windows\system32\Pkfceo32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1992 -
C:\Windows\SysWOW64\Pndpajgd.exeC:\Windows\system32\Pndpajgd.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2380 -
C:\Windows\SysWOW64\Qeohnd32.exeC:\Windows\system32\Qeohnd32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2072 -
C:\Windows\SysWOW64\Qijdocfj.exeC:\Windows\system32\Qijdocfj.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2624 -
C:\Windows\SysWOW64\Qodlkm32.exeC:\Windows\system32\Qodlkm32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2620 -
C:\Windows\SysWOW64\Qqeicede.exeC:\Windows\system32\Qqeicede.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2488 -
C:\Windows\SysWOW64\Qkkmqnck.exeC:\Windows\system32\Qkkmqnck.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2708 -
C:\Windows\SysWOW64\Qjnmlk32.exeC:\Windows\system32\Qjnmlk32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:584 -
C:\Windows\SysWOW64\Abeemhkh.exeC:\Windows\system32\Abeemhkh.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2916 -
C:\Windows\SysWOW64\Aaheie32.exeC:\Windows\system32\Aaheie32.exe33⤵
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\Acfaeq32.exeC:\Windows\system32\Acfaeq32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:2976 -
C:\Windows\SysWOW64\Ajpjakhc.exeC:\Windows\system32\Ajpjakhc.exe35⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Aajbne32.exeC:\Windows\system32\Aajbne32.exe36⤵
- Executes dropped EXE
PID:2352 -
C:\Windows\SysWOW64\Aeenochi.exeC:\Windows\system32\Aeenochi.exe37⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Achojp32.exeC:\Windows\system32\Achojp32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1160 -
C:\Windows\SysWOW64\Annbhi32.exeC:\Windows\system32\Annbhi32.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2252 -
C:\Windows\SysWOW64\Amqccfed.exeC:\Windows\system32\Amqccfed.exe40⤵
- Executes dropped EXE
PID:3060 -
C:\Windows\SysWOW64\Ackkppma.exeC:\Windows\system32\Ackkppma.exe41⤵
- Executes dropped EXE
PID:2060 -
C:\Windows\SysWOW64\Ajecmj32.exeC:\Windows\system32\Ajecmj32.exe42⤵
- Executes dropped EXE
PID:408 -
C:\Windows\SysWOW64\Amcpie32.exeC:\Windows\system32\Amcpie32.exe43⤵
- Executes dropped EXE
PID:1532 -
C:\Windows\SysWOW64\Acmhepko.exeC:\Windows\system32\Acmhepko.exe44⤵
- Executes dropped EXE
PID:868 -
C:\Windows\SysWOW64\Afkdakjb.exeC:\Windows\system32\Afkdakjb.exe45⤵
- Executes dropped EXE
PID:1392 -
C:\Windows\SysWOW64\Aijpnfif.exeC:\Windows\system32\Aijpnfif.exe46⤵
- Executes dropped EXE
PID:316 -
C:\Windows\SysWOW64\Apdhjq32.exeC:\Windows\system32\Apdhjq32.exe47⤵
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Afnagk32.exeC:\Windows\system32\Afnagk32.exe48⤵
- Executes dropped EXE
PID:2332 -
C:\Windows\SysWOW64\Bilmcf32.exeC:\Windows\system32\Bilmcf32.exe49⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Blkioa32.exeC:\Windows\system32\Blkioa32.exe50⤵
- Executes dropped EXE
PID:1244 -
C:\Windows\SysWOW64\Bpfeppop.exeC:\Windows\system32\Bpfeppop.exe51⤵
- Executes dropped EXE
PID:1344 -
C:\Windows\SysWOW64\Bbdallnd.exeC:\Windows\system32\Bbdallnd.exe52⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Biojif32.exeC:\Windows\system32\Biojif32.exe53⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Blmfea32.exeC:\Windows\system32\Blmfea32.exe54⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Bbgnak32.exeC:\Windows\system32\Bbgnak32.exe55⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Beejng32.exeC:\Windows\system32\Beejng32.exe56⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Bhdgjb32.exeC:\Windows\system32\Bhdgjb32.exe57⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Bjbcfn32.exeC:\Windows\system32\Bjbcfn32.exe58⤵
- Executes dropped EXE
PID:1892 -
C:\Windows\SysWOW64\Bbikgk32.exeC:\Windows\system32\Bbikgk32.exe59⤵
- Executes dropped EXE
PID:1764 -
C:\Windows\SysWOW64\Behgcf32.exeC:\Windows\system32\Behgcf32.exe60⤵
- Executes dropped EXE
PID:1476 -
C:\Windows\SysWOW64\Bhfcpb32.exeC:\Windows\system32\Bhfcpb32.exe61⤵
- Executes dropped EXE
PID:1004 -
C:\Windows\SysWOW64\Bjdplm32.exeC:\Windows\system32\Bjdplm32.exe62⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Boplllob.exeC:\Windows\system32\Boplllob.exe63⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Bejdiffp.exeC:\Windows\system32\Bejdiffp.exe64⤵
- Executes dropped EXE
PID:1260 -
C:\Windows\SysWOW64\Bdmddc32.exeC:\Windows\system32\Bdmddc32.exe65⤵
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Bfkpqn32.exeC:\Windows\system32\Bfkpqn32.exe66⤵PID:1292
-
C:\Windows\SysWOW64\Bkglameg.exeC:\Windows\system32\Bkglameg.exe67⤵PID:2248
-
C:\Windows\SysWOW64\Bobhal32.exeC:\Windows\system32\Bobhal32.exe68⤵PID:1124
-
C:\Windows\SysWOW64\Baadng32.exeC:\Windows\system32\Baadng32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2608 -
C:\Windows\SysWOW64\Cdoajb32.exeC:\Windows\system32\Cdoajb32.exe70⤵PID:2988
-
C:\Windows\SysWOW64\Cfnmfn32.exeC:\Windows\system32\Cfnmfn32.exe71⤵PID:560
-
C:\Windows\SysWOW64\Cilibi32.exeC:\Windows\system32\Cilibi32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2532 -
C:\Windows\SysWOW64\Cmgechbh.exeC:\Windows\system32\Cmgechbh.exe73⤵PID:2096
-
C:\Windows\SysWOW64\Cdanpb32.exeC:\Windows\system32\Cdanpb32.exe74⤵PID:2240
-
C:\Windows\SysWOW64\Cinfhigl.exeC:\Windows\system32\Cinfhigl.exe75⤵PID:2260
-
C:\Windows\SysWOW64\Clmbddgp.exeC:\Windows\system32\Clmbddgp.exe76⤵PID:2052
-
C:\Windows\SysWOW64\Cddjebgb.exeC:\Windows\system32\Cddjebgb.exe77⤵PID:768
-
C:\Windows\SysWOW64\Cgbfamff.exeC:\Windows\system32\Cgbfamff.exe78⤵PID:1508
-
C:\Windows\SysWOW64\Ciqcmiei.exeC:\Windows\system32\Ciqcmiei.exe79⤵PID:1748
-
C:\Windows\SysWOW64\Cmlong32.exeC:\Windows\system32\Cmlong32.exe80⤵PID:288
-
C:\Windows\SysWOW64\Clooiddm.exeC:\Windows\system32\Clooiddm.exe81⤵PID:2296
-
C:\Windows\SysWOW64\Conkepdq.exeC:\Windows\system32\Conkepdq.exe82⤵PID:944
-
C:\Windows\SysWOW64\Ccigfn32.exeC:\Windows\system32\Ccigfn32.exe83⤵PID:2192
-
C:\Windows\SysWOW64\Cicpch32.exeC:\Windows\system32\Cicpch32.exe84⤵
- Modifies registry class
PID:2636 -
C:\Windows\SysWOW64\Chfpoeja.exeC:\Windows\system32\Chfpoeja.exe85⤵PID:792
-
C:\Windows\SysWOW64\Cpmhpbkc.exeC:\Windows\system32\Cpmhpbkc.exe86⤵PID:2360
-
C:\Windows\SysWOW64\Cckdlnjg.exeC:\Windows\system32\Cckdlnjg.exe87⤵
- Drops file in System32 directory
PID:2992 -
C:\Windows\SysWOW64\Cejphiik.exeC:\Windows\system32\Cejphiik.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3028 -
C:\Windows\SysWOW64\Chhldeho.exeC:\Windows\system32\Chhldeho.exe89⤵PID:1288
-
C:\Windows\SysWOW64\Dldhdc32.exeC:\Windows\system32\Dldhdc32.exe90⤵PID:1500
-
C:\Windows\SysWOW64\Dobdqo32.exeC:\Windows\system32\Dobdqo32.exe91⤵PID:2548
-
C:\Windows\SysWOW64\Daqamj32.exeC:\Windows\system32\Daqamj32.exe92⤵PID:1956
-
C:\Windows\SysWOW64\Ddomif32.exeC:\Windows\system32\Ddomif32.exe93⤵PID:1908
-
C:\Windows\SysWOW64\Dlfejcoe.exeC:\Windows\system32\Dlfejcoe.exe94⤵PID:568
-
C:\Windows\SysWOW64\Dngabk32.exeC:\Windows\system32\Dngabk32.exe95⤵PID:924
-
C:\Windows\SysWOW64\Dacnbjml.exeC:\Windows\system32\Dacnbjml.exe96⤵PID:2600
-
C:\Windows\SysWOW64\Ddajoelp.exeC:\Windows\system32\Ddajoelp.exe97⤵PID:1664
-
C:\Windows\SysWOW64\Dgpfkakd.exeC:\Windows\system32\Dgpfkakd.exe98⤵PID:804
-
C:\Windows\SysWOW64\Dkkbkp32.exeC:\Windows\system32\Dkkbkp32.exe99⤵PID:1920
-
C:\Windows\SysWOW64\Dnjngk32.exeC:\Windows\system32\Dnjngk32.exe100⤵PID:2952
-
C:\Windows\SysWOW64\Daejhjkj.exeC:\Windows\system32\Daejhjkj.exe101⤵PID:2880
-
C:\Windows\SysWOW64\Dhobddbf.exeC:\Windows\system32\Dhobddbf.exe102⤵PID:2468
-
C:\Windows\SysWOW64\Dgbcpq32.exeC:\Windows\system32\Dgbcpq32.exe103⤵PID:1884
-
C:\Windows\SysWOW64\Dknoaoaj.exeC:\Windows\system32\Dknoaoaj.exe104⤵PID:864
-
C:\Windows\SysWOW64\Dahgni32.exeC:\Windows\system32\Dahgni32.exe105⤵PID:1608
-
C:\Windows\SysWOW64\Dpjgifpa.exeC:\Windows\system32\Dpjgifpa.exe106⤵PID:852
-
C:\Windows\SysWOW64\Dciceaoe.exeC:\Windows\system32\Dciceaoe.exe107⤵PID:1624
-
C:\Windows\SysWOW64\Dgdpfp32.exeC:\Windows\system32\Dgdpfp32.exe108⤵PID:3012
-
C:\Windows\SysWOW64\Djclbl32.exeC:\Windows\system32\Djclbl32.exe109⤵PID:580
-
C:\Windows\SysWOW64\Dnnhbjnk.exeC:\Windows\system32\Dnnhbjnk.exe110⤵PID:2760
-
C:\Windows\SysWOW64\Egglkp32.exeC:\Windows\system32\Egglkp32.exe111⤵PID:2404
-
C:\Windows\SysWOW64\Efjlgmlf.exeC:\Windows\system32\Efjlgmlf.exe112⤵PID:1156
-
C:\Windows\SysWOW64\Enqdhj32.exeC:\Windows\system32\Enqdhj32.exe113⤵PID:1612
-
C:\Windows\SysWOW64\Epoqde32.exeC:\Windows\system32\Epoqde32.exe114⤵
- System Location Discovery: System Language Discovery
PID:444 -
C:\Windows\SysWOW64\Ecnmpa32.exeC:\Windows\system32\Ecnmpa32.exe115⤵
- System Location Discovery: System Language Discovery
PID:1668 -
C:\Windows\SysWOW64\Egiiapci.exeC:\Windows\system32\Egiiapci.exe116⤵PID:1712
-
C:\Windows\SysWOW64\Ehjehh32.exeC:\Windows\system32\Ehjehh32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2328 -
C:\Windows\SysWOW64\Elfaifaq.exeC:\Windows\system32\Elfaifaq.exe118⤵PID:2892
-
C:\Windows\SysWOW64\Eodnebpd.exeC:\Windows\system32\Eodnebpd.exe119⤵PID:2316
-
C:\Windows\SysWOW64\Efnfbl32.exeC:\Windows\system32\Efnfbl32.exe120⤵PID:816
-
C:\Windows\SysWOW64\Ejjbbkpj.exeC:\Windows\system32\Ejjbbkpj.exe121⤵PID:1980
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-