Analysis
-
max time kernel
93s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
02-12-2024 16:51
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d740b5b7ee800eabc9fd01ba954c0689d2b4e701baa061c5876323d7165e6857.exe
Resource
win7-20240903-en
windows7-x64
13 signatures
120 seconds
Behavioral task
behavioral2
Sample
d740b5b7ee800eabc9fd01ba954c0689d2b4e701baa061c5876323d7165e6857.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
12 signatures
120 seconds
General
-
Target
d740b5b7ee800eabc9fd01ba954c0689d2b4e701baa061c5876323d7165e6857.exe
-
Size
96KB
-
MD5
737baa9479870f7c64fdc08a1341e224
-
SHA1
284133dcb70d13254ecee7b15095034642f93ead
-
SHA256
d740b5b7ee800eabc9fd01ba954c0689d2b4e701baa061c5876323d7165e6857
-
SHA512
be4dd5414b7abc5f88f2b9b9d1b4d374a7f14c5fbd3ed9a9cb6b02313d6860593e877622100d90746aa67b712a012c5c4552663a804ff81116d1e8ea36eb0e89
-
SSDEEP
1536:xt7Idmqtrf51q7C55KpBIgd8CfPEXK2SL2Lh17RZObZUUWaegPYAm:xtomq1f/fF9X0o7ClUUWael
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Llqjbhdc.exeInmpcc32.exeNhmeapmd.exeDhclmp32.exeJleijb32.exeNmigoagp.exeOogpjbbb.exeCbfgkffn.exeJhnojl32.exeQhngolpo.exeDbndfl32.exeIjqmhnko.exePdkoch32.exeNiklpj32.exeKbpkkn32.exeDclkee32.exeAjndioga.exeIphioh32.exeEkdnei32.exeFqeioiam.exeGpolbo32.exeIkcdlmgf.exeQlmgopjq.exeIacngdgj.exeCndikf32.exeHhlejcpm.exeAhfdjanb.exeEjchhgid.exeQachgk32.exeDoaneiop.exeAhdpjn32.exeFnaokmco.exeMpqkad32.exeKkhpdcab.exeOimkbaed.exeBffcpg32.exeImiehfao.exeCmqmma32.exeGkobjpin.exeEejeiocj.exeKlndfj32.exeMfcmmp32.exeAdikdfna.exeGmbmkpie.exeDmjocp32.exeFeocelll.exeBbgeno32.exeJlgepanl.exeFkmjaa32.exeMoobbb32.exeOeoblb32.exeJdmgfedl.exeCacckp32.exeFmndpq32.exeEangpgcl.exeMjpbam32.exeNlfelogp.exeOkgaijaj.exeDkdliame.exeCmlcbbcj.exeEpokedmj.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llqjbhdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inmpcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhmeapmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhclmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jleijb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmigoagp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oogpjbbb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbfgkffn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhnojl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qhngolpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbndfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijqmhnko.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdkoch32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Niklpj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbpkkn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dclkee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajndioga.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iphioh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekdnei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fqeioiam.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpolbo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikcdlmgf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qlmgopjq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iacngdgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cndikf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhlejcpm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahfdjanb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejchhgid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qachgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Doaneiop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahdpjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnaokmco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpqkad32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkhpdcab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oimkbaed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bffcpg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imiehfao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmqmma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkobjpin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eejeiocj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klndfj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfcmmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adikdfna.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmbmkpie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmjocp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feocelll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbgeno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlgepanl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkmjaa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Moobbb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oeoblb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdmgfedl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cacckp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmndpq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eangpgcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjpbam32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlfelogp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okgaijaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkdliame.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmlcbbcj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epokedmj.exe -
Berbew family
-
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
-
Bruteratel family
-
Detect BruteRatel badger 1 IoCs
Processes:
resource yara_rule behavioral2/files/0x000700000002403b-3669.dat family_bruteratel -
Executes dropped EXE 64 IoCs
Processes:
Pfjcgn32.exePqpgdfnp.exePcncpbmd.exePjhlml32.exePmfhig32.exePcppfaka.exePjjhbl32.exePqdqof32.exePjmehkqk.exeQqfmde32.exeQgqeappe.exeQcgffqei.exeAnmjcieo.exeAdgbpc32.exeAnogiicl.exeAclpap32.exeAnadoi32.exeAeklkchg.exeAjhddjfn.exeAabmqd32.exeAjkaii32.exeAadifclh.exeBjmnoi32.exeBagflcje.exeBnkgeg32.exeBffkij32.exeBeglgani.exeBfhhoi32.exeBclhhnca.exeBjfaeh32.exeBcoenmao.exeCndikf32.exeCdabcm32.exeCnffqf32.exeChokikeb.exeCmlcbbcj.exeChagok32.exeCajlhqjp.exeCjbpaf32.exeCmqmma32.exeDfiafg32.exeDmcibama.exeDhhnpjmh.exeDaqbip32.exeDhkjej32.exeDmgbnq32.exeDfpgffpm.exeDmjocp32.exeDeagdn32.exeDoilmc32.exeEdfdej32.exeEolhbc32.exeEdhakj32.exeEonehbjg.exeEdknqiho.exeEgijmegb.exeEobocb32.exeEaakpm32.exeEhkclgmb.exeEoekia32.exeFeocelll.exeFoghnabl.exeFeapkk32.exeFgbmccpg.exepid Process 4712 Pfjcgn32.exe 3600 Pqpgdfnp.exe 3708 Pcncpbmd.exe 4348 Pjhlml32.exe 3568 Pmfhig32.exe 3652 Pcppfaka.exe 2252 Pjjhbl32.exe 3016 Pqdqof32.exe 4696 Pjmehkqk.exe 1548 Qqfmde32.exe 3552 Qgqeappe.exe 5068 Qcgffqei.exe 4296 Anmjcieo.exe 1864 Adgbpc32.exe 3364 Anogiicl.exe 4088 Aclpap32.exe 2724 Anadoi32.exe 2984 Aeklkchg.exe 2520 Ajhddjfn.exe 4728 Aabmqd32.exe 2072 Ajkaii32.exe 2548 Aadifclh.exe 2956 Bjmnoi32.exe 3460 Bagflcje.exe 5016 Bnkgeg32.exe 2420 Bffkij32.exe 4488 Beglgani.exe 4052 Bfhhoi32.exe 4484 Bclhhnca.exe 3660 Bjfaeh32.exe 2556 Bcoenmao.exe 4312 Cndikf32.exe 1044 Cdabcm32.exe 3080 Cnffqf32.exe 4200 Chokikeb.exe 3180 Cmlcbbcj.exe 2088 Chagok32.exe 4704 Cajlhqjp.exe 3796 Cjbpaf32.exe 2028 Cmqmma32.exe 4640 Dfiafg32.exe 4048 Dmcibama.exe 4044 Dhhnpjmh.exe 4872 Daqbip32.exe 3432 Dhkjej32.exe 2700 Dmgbnq32.exe 4460 Dfpgffpm.exe 3212 Dmjocp32.exe 4956 Deagdn32.exe 4372 Doilmc32.exe 968 Edfdej32.exe 2660 Eolhbc32.exe 4864 Edhakj32.exe 1124 Eonehbjg.exe 1080 Edknqiho.exe 2288 Egijmegb.exe 3700 Eobocb32.exe 1924 Eaakpm32.exe 5052 Ehkclgmb.exe 3724 Eoekia32.exe 4384 Feocelll.exe 4456 Foghnabl.exe 4736 Feapkk32.exe 4780 Fgbmccpg.exe -
Drops file in System32 directory 64 IoCs
Processes:
Ljbfpo32.exeOmegjomb.exeEkodjiol.exeKngkqbgl.exePplobcpp.exeMpnnle32.exeNpgabc32.exeDdadpdmn.exeNcofplba.exeCndeii32.exeNagiji32.exeHakgmjoh.exeKnbiofhg.exeEpokedmj.exeIjogmdqm.exePojcjh32.exeNmigoagp.exeQdbdcg32.exeDeagdn32.exeKhmknk32.exeLiqihglg.exeIkbfgppo.exeNjinmf32.exeMnlnbl32.exeLcdciiec.exeCncnob32.exeEbdlangb.exeAonhghjl.exeLlqjbhdc.exeJkhngl32.exeQadoba32.exeBombmcec.exeKkpbin32.exeAekddhcb.exeImkbnf32.exePdenmbkk.exeBdmmeo32.exeMmkkmc32.exeNdflak32.exeOdalmibl.exeBdgged32.exeGfodeohd.exeKcmfnd32.exeLancko32.exeOekiqccc.exeEkaapi32.exeHmdlmg32.exeOpogbbig.exeOekpkigo.exePomgjn32.exeKgamnded.exeMhoipb32.exeBaannc32.exeIgfkfo32.exePpopjp32.exeGbofcghl.exeKmieae32.exeHefnkkkj.exeLcgpni32.exedescription ioc Process File created C:\Windows\SysWOW64\Lnnbqnjn.exe Ljbfpo32.exe File opened for modification C:\Windows\SysWOW64\Oelolmnd.exe Omegjomb.exe File created C:\Windows\SysWOW64\Ennqfenp.exe Ekodjiol.exe File created C:\Windows\SysWOW64\Loighj32.exe Kngkqbgl.exe File created C:\Windows\SysWOW64\Pffgom32.exe Pplobcpp.exe File created C:\Windows\SysWOW64\Mblkhq32.exe Mpnnle32.exe File created C:\Windows\SysWOW64\Ngaionfl.exe Npgabc32.exe File created C:\Windows\SysWOW64\Daediilg.exe Ddadpdmn.exe File opened for modification C:\Windows\SysWOW64\Njinmf32.exe Ncofplba.exe File created C:\Windows\SysWOW64\Effkpc32.dll Cndeii32.exe File created C:\Windows\SysWOW64\Gmbjqfjb.dll Nagiji32.exe File created C:\Windows\SysWOW64\Nbnlaldg.exe File opened for modification C:\Windows\SysWOW64\Hdicienl.exe Hakgmjoh.exe File opened for modification C:\Windows\SysWOW64\Kfjapcii.exe Knbiofhg.exe File created C:\Windows\SysWOW64\Edjgfcec.exe Epokedmj.exe File created C:\Windows\SysWOW64\Iafonaao.exe Ijogmdqm.exe File opened for modification C:\Windows\SysWOW64\Piphgq32.exe Pojcjh32.exe File created C:\Windows\SysWOW64\Jebiel32.dll Nmigoagp.exe File opened for modification C:\Windows\SysWOW64\Qklmpalf.exe Qdbdcg32.exe File created C:\Windows\SysWOW64\Oqhoeb32.exe File created C:\Windows\SysWOW64\Diphbb32.dll Deagdn32.exe File created C:\Windows\SysWOW64\Cepohhai.dll Khmknk32.exe File created C:\Windows\SysWOW64\Bbekbm32.dll Liqihglg.exe File opened for modification C:\Windows\SysWOW64\Ilccoh32.exe Ikbfgppo.exe File created C:\Windows\SysWOW64\Nmgjia32.exe Njinmf32.exe File opened for modification C:\Windows\SysWOW64\Majjng32.exe Mnlnbl32.exe File created C:\Windows\SysWOW64\Llmhaold.exe Lcdciiec.exe File opened for modification C:\Windows\SysWOW64\Cpbjkn32.exe Cncnob32.exe File opened for modification C:\Windows\SysWOW64\Ehndnh32.exe Ebdlangb.exe File opened for modification C:\Windows\SysWOW64\Nmfmde32.exe File created C:\Windows\SysWOW64\Apodoq32.exe Aonhghjl.exe File created C:\Windows\SysWOW64\Hjcakafa.dll Llqjbhdc.exe File created C:\Windows\SysWOW64\Emkbpmep.dll File created C:\Windows\SysWOW64\Jilnqqbj.exe Jkhngl32.exe File opened for modification C:\Windows\SysWOW64\Qhngolpo.exe Qadoba32.exe File opened for modification C:\Windows\SysWOW64\Bblnindg.exe Bombmcec.exe File created C:\Windows\SysWOW64\Kggcnoic.exe Kkpbin32.exe File created C:\Windows\SysWOW64\Ejoaandc.dll Aekddhcb.exe File opened for modification C:\Windows\SysWOW64\Pmkofa32.exe File created C:\Windows\SysWOW64\Mlelal32.dll Imkbnf32.exe File created C:\Windows\SysWOW64\Jnfpnk32.dll Pdenmbkk.exe File created C:\Windows\SysWOW64\Bkgeainn.exe Bdmmeo32.exe File created C:\Windows\SysWOW64\Mebcop32.exe Mmkkmc32.exe File opened for modification C:\Windows\SysWOW64\Njpdnedf.exe Ndflak32.exe File opened for modification C:\Windows\SysWOW64\Olicnfco.exe Odalmibl.exe File created C:\Windows\SysWOW64\Mmjpbc32.dll Bdgged32.exe File opened for modification C:\Windows\SysWOW64\Glkmmefl.exe Gfodeohd.exe File opened for modification C:\Windows\SysWOW64\Kifojnol.exe Kcmfnd32.exe File opened for modification C:\Windows\SysWOW64\Ljdkll32.exe Lancko32.exe File created C:\Windows\SysWOW64\Dbmiag32.dll Oekiqccc.exe File created C:\Windows\SysWOW64\Ofpnmakg.dll Ekaapi32.exe File created C:\Windows\SysWOW64\Pqhfnd32.dll Hmdlmg32.exe File created C:\Windows\SysWOW64\Ooagno32.exe Opogbbig.exe File created C:\Windows\SysWOW64\Imllmfjk.dll Oekpkigo.exe File opened for modification C:\Windows\SysWOW64\Pgdokkfg.exe Pomgjn32.exe File opened for modification C:\Windows\SysWOW64\Knkekn32.exe Kgamnded.exe File opened for modification C:\Windows\SysWOW64\Mjneln32.exe Mhoipb32.exe File created C:\Windows\SysWOW64\Plikcm32.dll Baannc32.exe File created C:\Windows\SysWOW64\Inpccihl.exe Igfkfo32.exe File created C:\Windows\SysWOW64\Mnfafakb.dll Ppopjp32.exe File created C:\Windows\SysWOW64\Gjfnedho.exe Gbofcghl.exe File opened for modification C:\Windows\SysWOW64\Kdpmbc32.exe Kmieae32.exe File created C:\Windows\SysWOW64\Hlpfhe32.exe Hefnkkkj.exe File created C:\Windows\SysWOW64\Bfnikd32.dll Lcgpni32.exe -
Program crash 1 IoCs
Processes:
pid pid_target Process procid_target 9468 9220 1167 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Gohaeo32.exeMlklkgei.exeJcgnbaeo.exePfjcgn32.exeNmigoagp.exeIbjqaf32.exeLcimdh32.exeQobhkjdi.exeDfiafg32.exeIbffhhek.exeOoagno32.exeQklmpalf.exeGfdfgiid.exeKflnfcgg.exeHginecde.exeFalcae32.exeKjhloj32.exeLcdciiec.exePnplfj32.exeJpegkj32.exeIjogmdqm.exeMejpje32.exeOlfghg32.exeHpiecd32.exeHplbickp.exeLfeljd32.exePqpgdfnp.exeMecjif32.exeNoeahkfc.exeInmpcc32.exeGkleeplq.exeKpiljh32.exeDbbffdlq.exeIibccgep.exeLijlof32.exeAhgjejhd.exeElnoopdj.exePaoollik.exeCajlhqjp.exeMhicpg32.exeCoohhlpe.exeCpmapodj.exeHnphoj32.exeBgnkhg32.exeQgpogili.exeAchegd32.exeLancko32.exeDeagdn32.exeMfcmmp32.exeDikpbl32.exeEfmmmn32.exeHhfedm32.exeEleepoob.exeAddaif32.exeCnfaohbj.exeHiacacpg.exeHpmpnp32.exeIkndgg32.exeEfjbcakl.exeHidgai32.exeCndeii32.exeCmqmma32.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gohaeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlklkgei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcgnbaeo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfjcgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmigoagp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibjqaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcimdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qobhkjdi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfiafg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibffhhek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooagno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qklmpalf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfdfgiid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kflnfcgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hginecde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Falcae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjhloj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcdciiec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnplfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpegkj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijogmdqm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mejpje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olfghg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpiecd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hplbickp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfeljd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pqpgdfnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mecjif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Noeahkfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inmpcc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkleeplq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpiljh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbbffdlq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iibccgep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lijlof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahgjejhd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elnoopdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paoollik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cajlhqjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhicpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coohhlpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpmapodj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnphoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgnkhg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qgpogili.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Achegd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lancko32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deagdn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfcmmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dikpbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efmmmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhfedm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eleepoob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Addaif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnfaohbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hiacacpg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpmpnp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikndgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efjbcakl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hidgai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cndeii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmqmma32.exe -
Modifies registry class 64 IoCs
Processes:
Ikkpgafg.exePnfiplog.exeIeccbbkn.exeKcjjhdjb.exeHjchaf32.exeKageaj32.exeFcniglmb.exeQcclld32.exeElpkep32.exeGphphj32.exeJknfcofa.exeGncchb32.exeEolhbc32.exeFnaokmco.exeNlfelogp.exeOjdgnn32.exeDkhgod32.exeIlibdmgp.exeCdabcm32.exeGdppbfff.exePocpfphe.exeBbdhiojo.exeCcdnjp32.exeQaalblgi.exePqpgdfnp.exeJecofa32.exeQjnkcekm.exePdkoch32.exeGfjkjo32.exeNpgabc32.exeAjjjocap.exeBfhadc32.exeIepaaico.exeFdffbake.exeGgnedlao.exeDpbdopck.exeNmgjia32.exeCnfaohbj.exeFngcmcfe.exeMcbpjg32.exeAhfmpnql.exeGochjpho.exeFimodc32.exeLndagg32.exeCoohhlpe.exeLfeljd32.exeEiekog32.exeHaaaaeim.exeDhhnpjmh.exeJbgoof32.exeIeliebnf.exeFllkqn32.exeMgeakekd.exeDhclmp32.exeAglnbhal.exeHpabni32.exeAednci32.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ikkpgafg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnfiplog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgiiak32.dll" Ieccbbkn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kcjjhdjb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjchaf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kageaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmheim32.dll" Fcniglmb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qcclld32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Elpkep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gphphj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajfmkfhq.dll" Jknfcofa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbqcnc32.dll" Gncchb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eolhbc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fnaokmco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlfelogp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpibgp32.dll" Ojdgnn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkhgod32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ilibdmgp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdabcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdppbfff.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pocpfphe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbdhiojo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blnlefae.dll" Ccdnjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmigpf32.dll" Qaalblgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnndji32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pqpgdfnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jecofa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qjnkcekm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdkoch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfabjq32.dll" Gfjkjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Npgabc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajjjocap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnfmjbo.dll" Bfhadc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iepaaico.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdffbake.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ggnedlao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dpbdopck.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmgjia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Heeeiopa.dll" Cnfaohbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fngcmcfe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcbpjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdlfcb32.dll" Ahfmpnql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gochjpho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fimodc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lndagg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mckmcadl.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diinlj32.dll" Coohhlpe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfeljd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eiekog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Haaaaeim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhhnpjmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aofcga32.dll" Jbgoof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbmmao32.dll" Gphphj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ieliebnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gajaoo32.dll" Fllkqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eleqaiga.dll" Mgeakekd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhclmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gejqna32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aonhqi32.dll" Aglnbhal.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpabni32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aednci32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
d740b5b7ee800eabc9fd01ba954c0689d2b4e701baa061c5876323d7165e6857.exePfjcgn32.exePqpgdfnp.exePcncpbmd.exePjhlml32.exePmfhig32.exePcppfaka.exePjjhbl32.exePqdqof32.exePjmehkqk.exeQqfmde32.exeQgqeappe.exeQcgffqei.exeAnmjcieo.exeAdgbpc32.exeAnogiicl.exeAclpap32.exeAnadoi32.exeAeklkchg.exeAjhddjfn.exeAabmqd32.exeAjkaii32.exedescription pid Process procid_target PID 4240 wrote to memory of 4712 4240 d740b5b7ee800eabc9fd01ba954c0689d2b4e701baa061c5876323d7165e6857.exe 83 PID 4240 wrote to memory of 4712 4240 d740b5b7ee800eabc9fd01ba954c0689d2b4e701baa061c5876323d7165e6857.exe 83 PID 4240 wrote to memory of 4712 4240 d740b5b7ee800eabc9fd01ba954c0689d2b4e701baa061c5876323d7165e6857.exe 83 PID 4712 wrote to memory of 3600 4712 Pfjcgn32.exe 84 PID 4712 wrote to memory of 3600 4712 Pfjcgn32.exe 84 PID 4712 wrote to memory of 3600 4712 Pfjcgn32.exe 84 PID 3600 wrote to memory of 3708 3600 Pqpgdfnp.exe 85 PID 3600 wrote to memory of 3708 3600 Pqpgdfnp.exe 85 PID 3600 wrote to memory of 3708 3600 Pqpgdfnp.exe 85 PID 3708 wrote to memory of 4348 3708 Pcncpbmd.exe 86 PID 3708 wrote to memory of 4348 3708 Pcncpbmd.exe 86 PID 3708 wrote to memory of 4348 3708 Pcncpbmd.exe 86 PID 4348 wrote to memory of 3568 4348 Pjhlml32.exe 87 PID 4348 wrote to memory of 3568 4348 Pjhlml32.exe 87 PID 4348 wrote to memory of 3568 4348 Pjhlml32.exe 87 PID 3568 wrote to memory of 3652 3568 Pmfhig32.exe 88 PID 3568 wrote to memory of 3652 3568 Pmfhig32.exe 88 PID 3568 wrote to memory of 3652 3568 Pmfhig32.exe 88 PID 3652 wrote to memory of 2252 3652 Pcppfaka.exe 89 PID 3652 wrote to memory of 2252 3652 Pcppfaka.exe 89 PID 3652 wrote to memory of 2252 3652 Pcppfaka.exe 89 PID 2252 wrote to memory of 3016 2252 Pjjhbl32.exe 90 PID 2252 wrote to memory of 3016 2252 Pjjhbl32.exe 90 PID 2252 wrote to memory of 3016 2252 Pjjhbl32.exe 90 PID 3016 wrote to memory of 4696 3016 Pqdqof32.exe 91 PID 3016 wrote to memory of 4696 3016 Pqdqof32.exe 91 PID 3016 wrote to memory of 4696 3016 Pqdqof32.exe 91 PID 4696 wrote to memory of 1548 4696 Pjmehkqk.exe 92 PID 4696 wrote to memory of 1548 4696 Pjmehkqk.exe 92 PID 4696 wrote to memory of 1548 4696 Pjmehkqk.exe 92 PID 1548 wrote to memory of 3552 1548 Qqfmde32.exe 93 PID 1548 wrote to memory of 3552 1548 Qqfmde32.exe 93 PID 1548 wrote to memory of 3552 1548 Qqfmde32.exe 93 PID 3552 wrote to memory of 5068 3552 Qgqeappe.exe 94 PID 3552 wrote to memory of 5068 3552 Qgqeappe.exe 94 PID 3552 wrote to memory of 5068 3552 Qgqeappe.exe 94 PID 5068 wrote to memory of 4296 5068 Qcgffqei.exe 95 PID 5068 wrote to memory of 4296 5068 Qcgffqei.exe 95 PID 5068 wrote to memory of 4296 5068 Qcgffqei.exe 95 PID 4296 wrote to memory of 1864 4296 Anmjcieo.exe 96 PID 4296 wrote to memory of 1864 4296 Anmjcieo.exe 96 PID 4296 wrote to memory of 1864 4296 Anmjcieo.exe 96 PID 1864 wrote to memory of 3364 1864 Adgbpc32.exe 97 PID 1864 wrote to memory of 3364 1864 Adgbpc32.exe 97 PID 1864 wrote to memory of 3364 1864 Adgbpc32.exe 97 PID 3364 wrote to memory of 4088 3364 Anogiicl.exe 98 PID 3364 wrote to memory of 4088 3364 Anogiicl.exe 98 PID 3364 wrote to memory of 4088 3364 Anogiicl.exe 98 PID 4088 wrote to memory of 2724 4088 Aclpap32.exe 99 PID 4088 wrote to memory of 2724 4088 Aclpap32.exe 99 PID 4088 wrote to memory of 2724 4088 Aclpap32.exe 99 PID 2724 wrote to memory of 2984 2724 Anadoi32.exe 100 PID 2724 wrote to memory of 2984 2724 Anadoi32.exe 100 PID 2724 wrote to memory of 2984 2724 Anadoi32.exe 100 PID 2984 wrote to memory of 2520 2984 Aeklkchg.exe 101 PID 2984 wrote to memory of 2520 2984 Aeklkchg.exe 101 PID 2984 wrote to memory of 2520 2984 Aeklkchg.exe 101 PID 2520 wrote to memory of 4728 2520 Ajhddjfn.exe 102 PID 2520 wrote to memory of 4728 2520 Ajhddjfn.exe 102 PID 2520 wrote to memory of 4728 2520 Ajhddjfn.exe 102 PID 4728 wrote to memory of 2072 4728 Aabmqd32.exe 103 PID 4728 wrote to memory of 2072 4728 Aabmqd32.exe 103 PID 4728 wrote to memory of 2072 4728 Aabmqd32.exe 103 PID 2072 wrote to memory of 2548 2072 Ajkaii32.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\d740b5b7ee800eabc9fd01ba954c0689d2b4e701baa061c5876323d7165e6857.exe"C:\Users\Admin\AppData\Local\Temp\d740b5b7ee800eabc9fd01ba954c0689d2b4e701baa061c5876323d7165e6857.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4240 -
C:\Windows\SysWOW64\Pfjcgn32.exeC:\Windows\system32\Pfjcgn32.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4712 -
C:\Windows\SysWOW64\Pqpgdfnp.exeC:\Windows\system32\Pqpgdfnp.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3600 -
C:\Windows\SysWOW64\Pcncpbmd.exeC:\Windows\system32\Pcncpbmd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3708 -
C:\Windows\SysWOW64\Pjhlml32.exeC:\Windows\system32\Pjhlml32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4348 -
C:\Windows\SysWOW64\Pmfhig32.exeC:\Windows\system32\Pmfhig32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3568 -
C:\Windows\SysWOW64\Pcppfaka.exeC:\Windows\system32\Pcppfaka.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3652 -
C:\Windows\SysWOW64\Pjjhbl32.exeC:\Windows\system32\Pjjhbl32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\SysWOW64\Pqdqof32.exeC:\Windows\system32\Pqdqof32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\SysWOW64\Pjmehkqk.exeC:\Windows\system32\Pjmehkqk.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4696 -
C:\Windows\SysWOW64\Qqfmde32.exeC:\Windows\system32\Qqfmde32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1548 -
C:\Windows\SysWOW64\Qgqeappe.exeC:\Windows\system32\Qgqeappe.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3552 -
C:\Windows\SysWOW64\Qcgffqei.exeC:\Windows\system32\Qcgffqei.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5068 -
C:\Windows\SysWOW64\Anmjcieo.exeC:\Windows\system32\Anmjcieo.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4296 -
C:\Windows\SysWOW64\Adgbpc32.exeC:\Windows\system32\Adgbpc32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1864 -
C:\Windows\SysWOW64\Anogiicl.exeC:\Windows\system32\Anogiicl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3364 -
C:\Windows\SysWOW64\Aclpap32.exeC:\Windows\system32\Aclpap32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4088 -
C:\Windows\SysWOW64\Anadoi32.exeC:\Windows\system32\Anadoi32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Aeklkchg.exeC:\Windows\system32\Aeklkchg.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\SysWOW64\Ajhddjfn.exeC:\Windows\system32\Ajhddjfn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\Aabmqd32.exeC:\Windows\system32\Aabmqd32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4728 -
C:\Windows\SysWOW64\Ajkaii32.exeC:\Windows\system32\Ajkaii32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\Windows\SysWOW64\Aadifclh.exeC:\Windows\system32\Aadifclh.exe23⤵
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\Bjmnoi32.exeC:\Windows\system32\Bjmnoi32.exe24⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Bagflcje.exeC:\Windows\system32\Bagflcje.exe25⤵
- Executes dropped EXE
PID:3460 -
C:\Windows\SysWOW64\Bnkgeg32.exeC:\Windows\system32\Bnkgeg32.exe26⤵
- Executes dropped EXE
PID:5016 -
C:\Windows\SysWOW64\Bffkij32.exeC:\Windows\system32\Bffkij32.exe27⤵
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Beglgani.exeC:\Windows\system32\Beglgani.exe28⤵
- Executes dropped EXE
PID:4488 -
C:\Windows\SysWOW64\Bfhhoi32.exeC:\Windows\system32\Bfhhoi32.exe29⤵
- Executes dropped EXE
PID:4052 -
C:\Windows\SysWOW64\Bclhhnca.exeC:\Windows\system32\Bclhhnca.exe30⤵
- Executes dropped EXE
PID:4484 -
C:\Windows\SysWOW64\Bjfaeh32.exeC:\Windows\system32\Bjfaeh32.exe31⤵
- Executes dropped EXE
PID:3660 -
C:\Windows\SysWOW64\Bcoenmao.exeC:\Windows\system32\Bcoenmao.exe32⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Cndikf32.exeC:\Windows\system32\Cndikf32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4312 -
C:\Windows\SysWOW64\Cdabcm32.exeC:\Windows\system32\Cdabcm32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:1044 -
C:\Windows\SysWOW64\Cnffqf32.exeC:\Windows\system32\Cnffqf32.exe35⤵
- Executes dropped EXE
PID:3080 -
C:\Windows\SysWOW64\Chokikeb.exeC:\Windows\system32\Chokikeb.exe36⤵
- Executes dropped EXE
PID:4200 -
C:\Windows\SysWOW64\Cmlcbbcj.exeC:\Windows\system32\Cmlcbbcj.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3180 -
C:\Windows\SysWOW64\Chagok32.exeC:\Windows\system32\Chagok32.exe38⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Cajlhqjp.exeC:\Windows\system32\Cajlhqjp.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4704 -
C:\Windows\SysWOW64\Cjbpaf32.exeC:\Windows\system32\Cjbpaf32.exe40⤵
- Executes dropped EXE
PID:3796 -
C:\Windows\SysWOW64\Cmqmma32.exeC:\Windows\system32\Cmqmma32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2028 -
C:\Windows\SysWOW64\Dfiafg32.exeC:\Windows\system32\Dfiafg32.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4640 -
C:\Windows\SysWOW64\Dmcibama.exeC:\Windows\system32\Dmcibama.exe43⤵
- Executes dropped EXE
PID:4048 -
C:\Windows\SysWOW64\Dhhnpjmh.exeC:\Windows\system32\Dhhnpjmh.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:4044 -
C:\Windows\SysWOW64\Daqbip32.exeC:\Windows\system32\Daqbip32.exe45⤵
- Executes dropped EXE
PID:4872 -
C:\Windows\SysWOW64\Dhkjej32.exeC:\Windows\system32\Dhkjej32.exe46⤵
- Executes dropped EXE
PID:3432 -
C:\Windows\SysWOW64\Dmgbnq32.exeC:\Windows\system32\Dmgbnq32.exe47⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Dfpgffpm.exeC:\Windows\system32\Dfpgffpm.exe48⤵
- Executes dropped EXE
PID:4460 -
C:\Windows\SysWOW64\Dmjocp32.exeC:\Windows\system32\Dmjocp32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3212 -
C:\Windows\SysWOW64\Deagdn32.exeC:\Windows\system32\Deagdn32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4956 -
C:\Windows\SysWOW64\Doilmc32.exeC:\Windows\system32\Doilmc32.exe51⤵
- Executes dropped EXE
PID:4372 -
C:\Windows\SysWOW64\Edfdej32.exeC:\Windows\system32\Edfdej32.exe52⤵
- Executes dropped EXE
PID:968 -
C:\Windows\SysWOW64\Eolhbc32.exeC:\Windows\system32\Eolhbc32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:2660 -
C:\Windows\SysWOW64\Edhakj32.exeC:\Windows\system32\Edhakj32.exe54⤵
- Executes dropped EXE
PID:4864 -
C:\Windows\SysWOW64\Eonehbjg.exeC:\Windows\system32\Eonehbjg.exe55⤵
- Executes dropped EXE
PID:1124 -
C:\Windows\SysWOW64\Edknqiho.exeC:\Windows\system32\Edknqiho.exe56⤵
- Executes dropped EXE
PID:1080 -
C:\Windows\SysWOW64\Egijmegb.exeC:\Windows\system32\Egijmegb.exe57⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Eobocb32.exeC:\Windows\system32\Eobocb32.exe58⤵
- Executes dropped EXE
PID:3700 -
C:\Windows\SysWOW64\Eaakpm32.exeC:\Windows\system32\Eaakpm32.exe59⤵
- Executes dropped EXE
PID:1924 -
C:\Windows\SysWOW64\Ehkclgmb.exeC:\Windows\system32\Ehkclgmb.exe60⤵
- Executes dropped EXE
PID:5052 -
C:\Windows\SysWOW64\Eoekia32.exeC:\Windows\system32\Eoekia32.exe61⤵
- Executes dropped EXE
PID:3724 -
C:\Windows\SysWOW64\Feocelll.exeC:\Windows\system32\Feocelll.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4384 -
C:\Windows\SysWOW64\Foghnabl.exeC:\Windows\system32\Foghnabl.exe63⤵
- Executes dropped EXE
PID:4456 -
C:\Windows\SysWOW64\Feapkk32.exeC:\Windows\system32\Feapkk32.exe64⤵
- Executes dropped EXE
PID:4736 -
C:\Windows\SysWOW64\Fgbmccpg.exeC:\Windows\system32\Fgbmccpg.exe65⤵
- Executes dropped EXE
PID:4780 -
C:\Windows\SysWOW64\Fnmepn32.exeC:\Windows\system32\Fnmepn32.exe66⤵PID:3164
-
C:\Windows\SysWOW64\Fhbimf32.exeC:\Windows\system32\Fhbimf32.exe67⤵PID:1560
-
C:\Windows\SysWOW64\Folaiqng.exeC:\Windows\system32\Folaiqng.exe68⤵PID:4064
-
C:\Windows\SysWOW64\Fkcboack.exeC:\Windows\system32\Fkcboack.exe69⤵PID:3996
-
C:\Windows\SysWOW64\Fnaokmco.exeC:\Windows\system32\Fnaokmco.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4068 -
C:\Windows\SysWOW64\Fdkggg32.exeC:\Windows\system32\Fdkggg32.exe71⤵PID:1140
-
C:\Windows\SysWOW64\Fkeodaai.exeC:\Windows\system32\Fkeodaai.exe72⤵PID:4020
-
C:\Windows\SysWOW64\Gaogak32.exeC:\Windows\system32\Gaogak32.exe73⤵PID:1648
-
C:\Windows\SysWOW64\Ghipne32.exeC:\Windows\system32\Ghipne32.exe74⤵PID:3544
-
C:\Windows\SysWOW64\Gochjpho.exeC:\Windows\system32\Gochjpho.exe75⤵
- Modifies registry class
PID:220 -
C:\Windows\SysWOW64\Gaadfkgc.exeC:\Windows\system32\Gaadfkgc.exe76⤵PID:4252
-
C:\Windows\SysWOW64\Gdppbfff.exeC:\Windows\system32\Gdppbfff.exe77⤵
- Modifies registry class
PID:384 -
C:\Windows\SysWOW64\Gkjhoq32.exeC:\Windows\system32\Gkjhoq32.exe78⤵PID:5112
-
C:\Windows\SysWOW64\Gadqlkep.exeC:\Windows\system32\Gadqlkep.exe79⤵PID:3532
-
C:\Windows\SysWOW64\Gkleeplq.exeC:\Windows\system32\Gkleeplq.exe80⤵
- System Location Discovery: System Language Discovery
PID:2572 -
C:\Windows\SysWOW64\Gohaeo32.exeC:\Windows\system32\Gohaeo32.exe81⤵
- System Location Discovery: System Language Discovery
PID:3308 -
C:\Windows\SysWOW64\Gddinf32.exeC:\Windows\system32\Gddinf32.exe82⤵PID:3260
-
C:\Windows\SysWOW64\Gkobjpin.exeC:\Windows\system32\Gkobjpin.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5028 -
C:\Windows\SysWOW64\Gfdfgiid.exeC:\Windows\system32\Gfdfgiid.exe84⤵
- System Location Discovery: System Language Discovery
PID:1504 -
C:\Windows\SysWOW64\Ghbbcd32.exeC:\Windows\system32\Ghbbcd32.exe85⤵PID:1352
-
C:\Windows\SysWOW64\Gkaopp32.exeC:\Windows\system32\Gkaopp32.exe86⤵PID:4992
-
C:\Windows\SysWOW64\Hakgmjoh.exeC:\Windows\system32\Hakgmjoh.exe87⤵
- Drops file in System32 directory
PID:1672 -
C:\Windows\SysWOW64\Hdicienl.exeC:\Windows\system32\Hdicienl.exe88⤵PID:2636
-
C:\Windows\SysWOW64\Hghoeqmp.exeC:\Windows\system32\Hghoeqmp.exe89⤵PID:2552
-
C:\Windows\SysWOW64\Hkckeo32.exeC:\Windows\system32\Hkckeo32.exe90⤵PID:3172
-
C:\Windows\SysWOW64\Hnagak32.exeC:\Windows\system32\Hnagak32.exe91⤵PID:3684
-
C:\Windows\SysWOW64\Hfipbh32.exeC:\Windows\system32\Hfipbh32.exe92⤵PID:4976
-
C:\Windows\SysWOW64\Hoadkn32.exeC:\Windows\system32\Hoadkn32.exe93⤵PID:628
-
C:\Windows\SysWOW64\Hhihdcbp.exeC:\Windows\system32\Hhihdcbp.exe94⤵PID:4724
-
C:\Windows\SysWOW64\Hbbmmi32.exeC:\Windows\system32\Hbbmmi32.exe95⤵PID:3456
-
C:\Windows\SysWOW64\Hhlejcpm.exeC:\Windows\system32\Hhlejcpm.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4796 -
C:\Windows\SysWOW64\Hninbj32.exeC:\Windows\system32\Hninbj32.exe97⤵PID:388
-
C:\Windows\SysWOW64\Hdbfodfa.exeC:\Windows\system32\Hdbfodfa.exe98⤵PID:3668
-
C:\Windows\SysWOW64\Hkmnln32.exeC:\Windows\system32\Hkmnln32.exe99⤵PID:4196
-
C:\Windows\SysWOW64\Ibffhhek.exeC:\Windows\system32\Ibffhhek.exe100⤵
- System Location Discovery: System Language Discovery
PID:4260 -
C:\Windows\SysWOW64\Ifbbig32.exeC:\Windows\system32\Ifbbig32.exe101⤵PID:1940
-
C:\Windows\SysWOW64\Ikokan32.exeC:\Windows\system32\Ikokan32.exe102⤵PID:624
-
C:\Windows\SysWOW64\Ibicnh32.exeC:\Windows\system32\Ibicnh32.exe103⤵PID:664
-
C:\Windows\SysWOW64\Igfkfo32.exeC:\Windows\system32\Igfkfo32.exe104⤵
- Drops file in System32 directory
PID:2208 -
C:\Windows\SysWOW64\Inpccihl.exeC:\Windows\system32\Inpccihl.exe105⤵PID:2964
-
C:\Windows\SysWOW64\Ifgldfio.exeC:\Windows\system32\Ifgldfio.exe106⤵PID:2356
-
C:\Windows\SysWOW64\Iiehpahb.exeC:\Windows\system32\Iiehpahb.exe107⤵PID:4832
-
C:\Windows\SysWOW64\Ikcdlmgf.exeC:\Windows\system32\Ikcdlmgf.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1948 -
C:\Windows\SysWOW64\Ieliebnf.exeC:\Windows\system32\Ieliebnf.exe109⤵
- Modifies registry class
PID:1408 -
C:\Windows\SysWOW64\Ikfabm32.exeC:\Windows\system32\Ikfabm32.exe110⤵PID:4580
-
C:\Windows\SysWOW64\Indmnh32.exeC:\Windows\system32\Indmnh32.exe111⤵PID:4960
-
C:\Windows\SysWOW64\Ienekbld.exeC:\Windows\system32\Ienekbld.exe112⤵PID:3748
-
C:\Windows\SysWOW64\Jkhngl32.exeC:\Windows\system32\Jkhngl32.exe113⤵
- Drops file in System32 directory
PID:5144 -
C:\Windows\SysWOW64\Jilnqqbj.exeC:\Windows\system32\Jilnqqbj.exe114⤵PID:5188
-
C:\Windows\SysWOW64\Joffnk32.exeC:\Windows\system32\Joffnk32.exe115⤵PID:5232
-
C:\Windows\SysWOW64\Jecofa32.exeC:\Windows\system32\Jecofa32.exe116⤵
- Modifies registry class
PID:5276 -
C:\Windows\SysWOW64\Joiccj32.exeC:\Windows\system32\Joiccj32.exe117⤵PID:5320
-
C:\Windows\SysWOW64\Jbgoof32.exeC:\Windows\system32\Jbgoof32.exe118⤵
- Modifies registry class
PID:5364 -
C:\Windows\SysWOW64\Jeekkafl.exeC:\Windows\system32\Jeekkafl.exe119⤵PID:5408
-
C:\Windows\SysWOW64\Jnnpdg32.exeC:\Windows\system32\Jnnpdg32.exe120⤵PID:5452
-
C:\Windows\SysWOW64\Jfehed32.exeC:\Windows\system32\Jfehed32.exe121⤵PID:5496
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-