Analysis
max time kernel
117s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted
02-12-2024 12:45
Static task
static1
Behavioral task
behavioral1
Sample
1efa91d298a6c8c247d84335b63fa71210897dc7a64ed7ee029f01841cb25c72.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
1efa91d298a6c8c247d84335b63fa71210897dc7a64ed7ee029f01841cb25c72.exe
Resource
win10v2004-20241007-en
General
Target
1efa91d298a6c8c247d84335b63fa71210897dc7a64ed7ee029f01841cb25c72.exe
Size
96KB
MD5
49e4eaf5e2417827ccb7609970b56b58
SHA1
ed0d2da3c52ea33ea93a5b17e53d70a4fa7806ca
SHA256
1efa91d298a6c8c247d84335b63fa71210897dc7a64ed7ee029f01841cb25c72
SHA512
530dc1ed1b86f380a9f678d5f8b87041967c3b564dbc2233eb248c71d1cdf17de0780b87581ac73470c55c2a53834944c634a150319ade8d952f90a5fffdb962
SSDEEP
1536:/6BPxPf2DlSG+XgcoeXn/W8Th0WL1r7mUBTzy0EA2Ln7RZObZUUWaegPYAG:yLXh316xnClUUWaed
Malware Config
Extracted
berbew
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Berbew family
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
Bruteratel family
Detect BruteRatel badger (6 IoCs)
Processes:
resource yara_rule
behavioral1/files/0x000400000001dbfb-2635.dat family_bruteratel
behavioral1/files/0x000400000001e0c8-3430.dat family_bruteratel
behavioral1/files/0x000400000001e93e-3705.dat family_bruteratel
behavioral1/files/0x0003000000020b3f-5868.dat family_bruteratel
behavioral1/files/0x0003000000020c42-6234.dat family_bruteratel
behavioral1/files/0x00030000000212f0-10121.dat family_bruteratel
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
Processes:
pid pid_target Process procid_target
912 2032 1519
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odedge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbmjnpao.dll" Epkepakn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eannmi32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1efa91d298a6c8c247d84335b63fa71210897dc7a64ed7ee029f01841cb25c72.exe (command line: "C:\Users\Admin\AppData\Local\Temp\1efa91d298a6c8c247d84335b63fa71210897dc7a64ed7ee029f01841cb25c72.exe", level 1)
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Windows\SysWOW64\Pjcmap32.exe (command line: C:\Windows\system32\Pjcmap32.exe, level 2)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:972 -
C:\Windows\SysWOW64\Pckajebj.exe (command line: C:\Windows\system32\Pckajebj.exe, level 3)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:264 -
C:\Windows\SysWOW64\Pdmnam32.exe (command line: C:\Windows\system32\Pdmnam32.exe, level 4)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Qhjfgl32.exe (command line: C:\Windows\system32\Qhjfgl32.exe, level 5)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\Qododfek.exe (command line: C:\Windows\system32\Qododfek.exe, level 6)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\Ajnpecbj.exe (command line: C:\Windows\system32\Ajnpecbj.exe, level 7)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Acfdnihk.exe (command line: C:\Windows\system32\Acfdnihk.exe, level 8)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Adfqgl32.exe (command line: C:\Windows\system32\Adfqgl32.exe, level 9)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1628 -
C:\Windows\SysWOW64\Amaelomh.exe (command line: C:\Windows\system32\Amaelomh.exe, level 10)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1800 -
C:\Windows\SysWOW64\Ajeeeblb.exe (command line: C:\Windows\system32\Ajeeeblb.exe, level 11)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:744 -
C:\Windows\SysWOW64\Aobnniji.exe (command line: C:\Windows\system32\Aobnniji.exe, level 12)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1432 -
C:\Windows\SysWOW64\Amfognic.exe (command line: C:\Windows\system32\Amfognic.exe, level 13)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1308 -
C:\Windows\SysWOW64\Bcpgdhpp.exe (command line: C:\Windows\system32\Bcpgdhpp.exe, level 14)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\Bofgii32.exe (command line: C:\Windows\system32\Bofgii32.exe, level 15)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Bgblmk32.exe (command line: C:\Windows\system32\Bgblmk32.exe, level 16)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Windows\SysWOW64\Biaign32.exe (command line: C:\Windows\system32\Biaign32.exe, level 17)
- Executes dropped EXE
- Loads dropped DLL
PID:1152 -
C:\Windows\SysWOW64\Bjbeofpp.exe (command line: C:\Windows\system32\Bjbeofpp.exe, level 18)
- Executes dropped EXE
- Loads dropped DLL
PID:1304 -
C:\Windows\SysWOW64\Bammlq32.exe (command line: C:\Windows\system32\Bammlq32.exe, level 19)
- Executes dropped EXE
- Loads dropped DLL
PID:1656 -
C:\Windows\SysWOW64\Bkbaii32.exe (command line: C:\Windows\system32\Bkbaii32.exe, level 20)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2908 -
C:\Windows\SysWOW64\Bnqned32.exe (command line: C:\Windows\system32\Bnqned32.exe, level 21)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1736 -
C:\Windows\SysWOW64\Bcmfmlen.exe (command line: C:\Windows\system32\Bcmfmlen.exe, level 22)
- Executes dropped EXE
- Loads dropped DLL
PID:2128 -
C:\Windows\SysWOW64\Cjgoje32.exe (command line: C:\Windows\system32\Cjgoje32.exe, level 23)
- Executes dropped EXE
- Loads dropped DLL
PID:1088 -
C:\Windows\SysWOW64\Cmfkfa32.exe (command line: C:\Windows\system32\Cmfkfa32.exe, level 24)
- Executes dropped EXE
- Loads dropped DLL
PID:1652 -
C:\Windows\SysWOW64\Ccpcckck.exe (command line: C:\Windows\system32\Ccpcckck.exe, level 25)
- Executes dropped EXE
- Loads dropped DLL
PID:1768 -
C:\Windows\SysWOW64\Cmhglq32.exe (command line: C:\Windows\system32\Cmhglq32.exe, level 26)
- Executes dropped EXE
- Loads dropped DLL
PID:2548 -
C:\Windows\SysWOW64\Cbepdhgc.exe (command line: C:\Windows\system32\Cbepdhgc.exe, level 27)
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Cpiqmlfm.exe (command line: C:\Windows\system32\Cpiqmlfm.exe, level 28)
- Loads dropped DLL
PID:1616 -
C:\Windows\SysWOW64\Cmmagpef.exe (command line: C:\Windows\system32\Cmmagpef.exe, level 29)
- Executes dropped EXE
- Loads dropped DLL
PID:2164 -
C:\Windows\SysWOW64\Cfeepelg.exe (command line: C:\Windows\system32\Cfeepelg.exe, level 30)
- Executes dropped EXE
- Loads dropped DLL
PID:2720 -
C:\Windows\SysWOW64\Difnaqih.exe (command line: C:\Windows\system32\Difnaqih.exe, level 31)
- Executes dropped EXE
- Loads dropped DLL
PID:2848 -
C:\Windows\SysWOW64\Djgkii32.exe (command line: C:\Windows\system32\Djgkii32.exe, level 32)
- Executes dropped EXE
- Loads dropped DLL
PID:2728 -
C:\Windows\SysWOW64\Ddpobo32.exe (command line: C:\Windows\system32\Ddpobo32.exe, level 33)
- Executes dropped EXE
- Loads dropped DLL
PID:2884 -
C:\Windows\SysWOW64\Doecog32.exe (command line: C:\Windows\system32\Doecog32.exe, level 34)
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Dphmloih.exe (command line: C:\Windows\system32\Dphmloih.exe, level 35)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1988 -
C:\Windows\SysWOW64\Dgbeiiqe.exe (command line: C:\Windows\system32\Dgbeiiqe.exe, level 36)
- Executes dropped EXE
PID:296 -
C:\Windows\SysWOW64\Dicnkdnf.exe (command line: C:\Windows\system32\Dicnkdnf.exe, level 37)
- Executes dropped EXE
PID:2968 -
C:\Windows\SysWOW64\Edibhmml.exe (command line: C:\Windows\system32\Edibhmml.exe, level 38)
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Eggndi32.exe (command line: C:\Windows\system32\Eggndi32.exe, level 39)
- Executes dropped EXE
PID:1340 -
C:\Windows\SysWOW64\Eldglp32.exe (command line: C:\Windows\system32\Eldglp32.exe, level 40)
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Egikjh32.exe (command line: C:\Windows\system32\Egikjh32.exe, level 41)
- Executes dropped EXE
- Drops file in System32 directory
PID:1424 -
C:\Windows\SysWOW64\Eoepnk32.exe (command line: C:\Windows\system32\Eoepnk32.exe, level 42)
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Eeohkeoe.exe (command line: C:\Windows\system32\Eeohkeoe.exe, level 43)
- Executes dropped EXE
PID:2444 -
C:\Windows\SysWOW64\Eklqcl32.exe (command line: C:\Windows\system32\Eklqcl32.exe, level 44)
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Ehpalp32.exe (command line: C:\Windows\system32\Ehpalp32.exe, level 45)
- Executes dropped EXE
PID:2472 -
C:\Windows\SysWOW64\Enlidg32.exe (command line: C:\Windows\system32\Enlidg32.exe, level 46)
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\Eecafd32.exe (command line: C:\Windows\system32\Eecafd32.exe, level 47)
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Fnofjfhk.exe (command line: C:\Windows\system32\Fnofjfhk.exe, level 48)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:736 -
C:\Windows\SysWOW64\Fhdjgoha.exe (command line: C:\Windows\system32\Fhdjgoha.exe, level 49)
- Executes dropped EXE
PID:676 -
C:\Windows\SysWOW64\Fnacpffh.exe (command line: C:\Windows\system32\Fnacpffh.exe, level 50)
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Fdkklp32.exe (command line: C:\Windows\system32\Fdkklp32.exe, level 51)
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Fjhcegll.exe (command line: C:\Windows\system32\Fjhcegll.exe, level 52)
- Executes dropped EXE
PID:872 -
C:\Windows\SysWOW64\Fqalaa32.exe (command line: C:\Windows\system32\Fqalaa32.exe, level 53)
- Executes dropped EXE
PID:1876 -
C:\Windows\SysWOW64\Fgldnkkf.exe (command line: C:\Windows\system32\Fgldnkkf.exe, level 54)
- Executes dropped EXE
- Drops file in System32 directory
PID:1400 -
C:\Windows\SysWOW64\Fnflke32.exe (command line: C:\Windows\system32\Fnflke32.exe, level 55)
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Fogibnha.exe (command line: C:\Windows\system32\Fogibnha.exe, level 56)
- Executes dropped EXE
- Modifies registry class
PID:2772 -
C:\Windows\SysWOW64\Ffaaoh32.exe (command line: C:\Windows\system32\Ffaaoh32.exe, level 57)
- Executes dropped EXE
PID:1492 -
C:\Windows\SysWOW64\Fqfemqod.exe (command line: C:\Windows\system32\Fqfemqod.exe, level 58)
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Gbhbdi32.exe (command line: C:\Windows\system32\Gbhbdi32.exe, level 59)
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Ghajacmo.exe (command line: C:\Windows\system32\Ghajacmo.exe, level 60)
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Golbnm32.exe (command line: C:\Windows\system32\Golbnm32.exe, level 61)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\Gdhkfd32.exe (command line: C:\Windows\system32\Gdhkfd32.exe, level 62)
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Gmpcgace.exe (command line: C:\Windows\system32\Gmpcgace.exe, level 63)
- Executes dropped EXE
PID:1960 -
C:\Windows\SysWOW64\Gnaooi32.exe (command line: C:\Windows\system32\Gnaooi32.exe, level 64)
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Gdkgkcpq.exe (command line: C:\Windows\system32\Gdkgkcpq.exe, level 65)
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Gkephn32.exe (command line: C:\Windows\system32\Gkephn32.exe, level 66)
- Executes dropped EXE
PID:1900 -
C:\Windows\SysWOW64\Gbohehoj.exe (command line: C:\Windows\system32\Gbohehoj.exe, level 67)
PID:1460 -
C:\Windows\SysWOW64\Gdmdacnn.exe (command line: C:\Windows\system32\Gdmdacnn.exe, level 68)
PID:544 -
C:\Windows\SysWOW64\Gkglnm32.exe (command line: C:\Windows\system32\Gkglnm32.exe, level 69)
PID:3032 -
C:\Windows\SysWOW64\Gepafc32.exe (command line: C:\Windows\system32\Gepafc32.exe, level 70)
PID:2004 -
C:\Windows\SysWOW64\Hkiicmdh.exe (command line: C:\Windows\system32\Hkiicmdh.exe, level 71)
PID:3048 -
C:\Windows\SysWOW64\Hgpjhn32.exe (command line: C:\Windows\system32\Hgpjhn32.exe, level 72)
PID:2216 -
C:\Windows\SysWOW64\Hnjbeh32.exe (command line: C:\Windows\system32\Hnjbeh32.exe, level 73)
PID:2180 -
C:\Windows\SysWOW64\Hahnac32.exe (command line: C:\Windows\system32\Hahnac32.exe, level 74)
- System Location Discovery: System Language Discovery
PID:2456 -
C:\Windows\SysWOW64\Hgbfnngi.exe (command line: C:\Windows\system32\Hgbfnngi.exe, level 75)
PID:2824 -
C:\Windows\SysWOW64\Hjacjifm.exe (command line: C:\Windows\system32\Hjacjifm.exe, level 76)
PID:2724 -
C:\Windows\SysWOW64\Hakkgc32.exe (command line: C:\Windows\system32\Hakkgc32.exe, level 77)
PID:1808 -
C:\Windows\SysWOW64\Hblgnkdh.exe (command line: C:\Windows\system32\Hblgnkdh.exe, level 78)
PID:2952 -
C:\Windows\SysWOW64\Hifpke32.exe (command line: C:\Windows\system32\Hifpke32.exe, level 79)
PID:2432 -
C:\Windows\SysWOW64\Hpphhp32.exe (command line: C:\Windows\system32\Hpphhp32.exe, level 80)
PID:2680 -
C:\Windows\SysWOW64\Hfjpdjjo.exe (command line: C:\Windows\system32\Hfjpdjjo.exe, level 81)
PID:1688 -
C:\Windows\SysWOW64\Hihlqeib.exe (command line: C:\Windows\system32\Hihlqeib.exe, level 82)
PID:2136 -
C:\Windows\SysWOW64\Hpbdmo32.exe (command line: C:\Windows\system32\Hpbdmo32.exe, level 83)
PID:1580 -
C:\Windows\SysWOW64\Iflmjihl.exe (command line: C:\Windows\system32\Iflmjihl.exe, level 84)
PID:2316 -
C:\Windows\SysWOW64\Ihniaa32.exe (command line: C:\Windows\system32\Ihniaa32.exe, level 85)
PID:1664 -
C:\Windows\SysWOW64\Ipeaco32.exe (command line: C:\Windows\system32\Ipeaco32.exe, level 86)
PID:2232 -
C:\Windows\SysWOW64\Ibcnojnp.exe (command line: C:\Windows\system32\Ibcnojnp.exe, level 87)
PID:3000 -
C:\Windows\SysWOW64\Ihpfgalh.exe (command line: C:\Windows\system32\Ihpfgalh.exe, level 88)
PID:1772 -
C:\Windows\SysWOW64\Ibejdjln.exe (command line: C:\Windows\system32\Ibejdjln.exe, level 89)
PID:1516 -
C:\Windows\SysWOW64\Ilnomp32.exe (command line: C:\Windows\system32\Ilnomp32.exe, level 90)
PID:1872 -
C:\Windows\SysWOW64\Imokehhl.exe (command line: C:\Windows\system32\Imokehhl.exe, level 91)
PID:1924 -
C:\Windows\SysWOW64\Iefcfe32.exe (command line: C:\Windows\system32\Iefcfe32.exe, level 92)
- Drops file in System32 directory
PID:2868 -
C:\Windows\SysWOW64\Ihdpbq32.exe (command line: C:\Windows\system32\Ihdpbq32.exe, level 93)
PID:2684 -
C:\Windows\SysWOW64\Ioohokoo.exe (command line: C:\Windows\system32\Ioohokoo.exe, level 94)
PID:2296 -
C:\Windows\SysWOW64\Ippdgc32.exe (command line: C:\Windows\system32\Ippdgc32.exe, level 95)
- Modifies registry class
PID:2860 -
C:\Windows\SysWOW64\Ijehdl32.exe (command line: C:\Windows\system32\Ijehdl32.exe, level 96)
PID:2340 -
C:\Windows\SysWOW64\Jmdepg32.exe (command line: C:\Windows\system32\Jmdepg32.exe, level 97)
PID:2184 -
C:\Windows\SysWOW64\Jpbalb32.exe (command line: C:\Windows\system32\Jpbalb32.exe, level 98)
PID:1288 -
C:\Windows\SysWOW64\Jkhejkcq.exe (command line: C:\Windows\system32\Jkhejkcq.exe, level 99)
PID:684 -
C:\Windows\SysWOW64\Jliaac32.exe (command line: C:\Windows\system32\Jliaac32.exe, level 100)
PID:2084 -
C:\Windows\SysWOW64\Jfofol32.exe (command line: C:\Windows\system32\Jfofol32.exe, level 101)
PID:1508 -
C:\Windows\SysWOW64\Jimbkh32.exe (command line: C:\Windows\system32\Jimbkh32.exe, level 102)
- System Location Discovery: System Language Discovery
PID:1620 -
C:\Windows\SysWOW64\Jojkco32.exe (command line: C:\Windows\system32\Jojkco32.exe, level 103)
PID:2124 -
C:\Windows\SysWOW64\Jedcpi32.exe (command line: C:\Windows\system32\Jedcpi32.exe, level 104)
PID:2628 -
C:\Windows\SysWOW64\Jlnklcej.exe (command line: C:\Windows\system32\Jlnklcej.exe, level 105)
PID:2264 -
C:\Windows\SysWOW64\Jbhcim32.exe (command line: C:\Windows\system32\Jbhcim32.exe, level 106)
PID:2960 -
C:\Windows\SysWOW64\Jkchmo32.exe (command line: C:\Windows\system32\Jkchmo32.exe, level 107)
PID:316 -
C:\Windows\SysWOW64\Jbjpom32.exe (command line: C:\Windows\system32\Jbjpom32.exe, level 108)
PID:2208 -
C:\Windows\SysWOW64\Khghgchk.exe (command line: C:\Windows\system32\Khghgchk.exe, level 109)
PID:2204 -
C:\Windows\SysWOW64\Kkeecogo.exe (command line: C:\Windows\system32\Kkeecogo.exe, level 110)
PID:3020 -
C:\Windows\SysWOW64\Kekiphge.exe (command line: C:\Windows\system32\Kekiphge.exe, level 111)
PID:564 -
C:\Windows\SysWOW64\Khielcfh.exe (command line: C:\Windows\system32\Khielcfh.exe, level 112)
PID:1640 -
C:\Windows\SysWOW64\Kaajei32.exe (command line: C:\Windows\system32\Kaajei32.exe, level 113)
- Drops file in System32 directory
PID:2452 -
C:\Windows\SysWOW64\Kdpfadlm.exe (command line: C:\Windows\system32\Kdpfadlm.exe, level 114)
- Modifies registry class
PID:2844 -
C:\Windows\SysWOW64\Kjmnjkjd.exe (command line: C:\Windows\system32\Kjmnjkjd.exe, level 115)
PID:2632 -
C:\Windows\SysWOW64\Kdbbgdjj.exe (command line: C:\Windows\system32\Kdbbgdjj.exe, level 116)
PID:2748 -
C:\Windows\SysWOW64\Kjokokha.exe (command line: C:\Windows\system32\Kjokokha.exe, level 117)
PID:1704 -
C:\Windows\SysWOW64\Klngkfge.exe (command line: C:\Windows\system32\Klngkfge.exe, level 118)
PID:2976 -
C:\Windows\SysWOW64\Kgclio32.exe (command line: C:\Windows\system32\Kgclio32.exe, level 119)
PID:2240 -
C:\Windows\SysWOW64\Knmdeioh.exe (command line: C:\Windows\system32\Knmdeioh.exe, level 120)
PID:2460 -
C:\Windows\SysWOW64\Lonpma32.exe (command line: C:\Windows\system32\Lonpma32.exe, level 121)
- Drops file in System32 directory
PID:1944 -
C:\Windows\SysWOW64\Lfhhjklc.exe (command line: C:\Windows\system32\Lfhhjklc.exe, level 122)
PID:1368 -