Analysis
-
max time kernel
83s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
26-10-2024 21:51
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e73931686e62814b09fde992f33a846b69baf4c9d0bac53714614b51803b8593N.exe
Resource
win7-20240903-en
windows7-x64
13 signatures
120 seconds
Behavioral task
behavioral2
Sample
e73931686e62814b09fde992f33a846b69baf4c9d0bac53714614b51803b8593N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
e73931686e62814b09fde992f33a846b69baf4c9d0bac53714614b51803b8593N.exe
-
Size
96KB
-
MD5
37942471811f83b6db57c68f38fa18e0
-
SHA1
0692ebeccbe6d817b3c24bea35414be1e53e6a37
-
SHA256
e73931686e62814b09fde992f33a846b69baf4c9d0bac53714614b51803b8593
-
SHA512
c89bd7add11cb940ba5b8e4e748c4817c1253c45eb0c86c511d8e82728cc1267c0d15a2c5a8dc4614cf010b664a8664b21dcf1416ab6cb52f83aa4e736fd97f3
-
SSDEEP
1536:Q6hpRrVLQ7X38jDJG7Y/NLm4T8mmfE2Ls7RZObZUUWaegPYA:DJyMjDv/NLm4TqsClUUWae
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejcmmp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fggmldfp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hffibceh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmmfnb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkipao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bolcma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppfafcpb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blinefnd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afdiondb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jigbebhb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phnpagdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgidfcdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpabpcdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmjaohol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inhdgdmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jplfkjbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghofam32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpjkeoha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oaogognm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdhleh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghgfekpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dipjkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkbmbl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mokilo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfpfdeon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feiddbbj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gconbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qoeamo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbgobp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikqnlh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imbjcpnn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Danpemej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jieaofmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdkmeiei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmfocnjg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inojhc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcnoejch.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdcjpncm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feddombd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojeobm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eipgjaoi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbggif32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mloiec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oehgjfhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibhicbao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdbepm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qcogbdkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpohakbp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plmbkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djjjga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gglbfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qeppdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmcopebh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbmome32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aomnhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpcoeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhhkapeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcblan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkicbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfgnnhkc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nckkgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odmckcmq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbffoabe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flocfmnl.exe -
Berbew family
-
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
-
Bruteratel family
-
Detect BruteRatel badger 3 IoCs
resource yara_rule behavioral1/files/0x000400000001dc3a-2580.dat family_bruteratel behavioral1/files/0x000400000001dc41-2590.dat family_bruteratel behavioral1/files/0x000400000001de60-2937.dat family_bruteratel -
Executes dropped EXE 64 IoCs
pid Process 2896 Pbagipfi.exe 2004 Pdbdqh32.exe 2660 Phnpagdp.exe 2676 Pkoicb32.exe 2568 Pidfdofi.exe 2644 Pcljmdmj.exe 2584 Pifbjn32.exe 652 Qcogbdkg.exe 2848 Qndkpmkm.exe 2264 Qeppdo32.exe 1220 Apedah32.exe 2876 Aebmjo32.exe 2092 Apgagg32.exe 2028 Afdiondb.exe 2116 Aomnhd32.exe 1644 Aakjdo32.exe 968 Alqnah32.exe 1732 Aoojnc32.exe 1036 Aficjnpm.exe 1532 Ahgofi32.exe 1576 Abpcooea.exe 2428 Bgllgedi.exe 1692 Bdqlajbb.exe 2452 Bgoime32.exe 1548 Bqgmfkhg.exe 2728 Bceibfgj.exe 1736 Bmnnkl32.exe 2672 Boljgg32.exe 2404 Bqlfaj32.exe 2560 Bcjcme32.exe 2704 Bfioia32.exe 532 Coacbfii.exe 768 Cenljmgq.exe 1800 Cmedlk32.exe 996 Cnfqccna.exe 1948 Cgoelh32.exe 2784 Cnimiblo.exe 2864 Cagienkb.exe 2572 Ckmnbg32.exe 2380 Cbffoabe.exe 2368 Cgcnghpl.exe 2408 Cjakccop.exe 1344 Calcpm32.exe 2056 Cfhkhd32.exe 1636 Dnpciaef.exe 2924 Danpemej.exe 3040 Dpcmgi32.exe 1756 Dbaice32.exe 1760 Djiqdb32.exe 1944 Dmgmpnhl.exe 1808 Dpeiligo.exe 2736 Dfpaic32.exe 2812 Dinneo32.exe 2528 Dlljaj32.exe 2996 Dphfbiem.exe 576 Deenjpcd.exe 2780 Dipjkn32.exe 1912 Dpjbgh32.exe 2416 Eakooqih.exe 2220 Eheglk32.exe 2212 Eopphehb.exe 2628 Ebklic32.exe 1292 Eeiheo32.exe 920 Ehhdaj32.exe -
Loads dropped DLL 64 IoCs
pid Process 548 e73931686e62814b09fde992f33a846b69baf4c9d0bac53714614b51803b8593N.exe 548 e73931686e62814b09fde992f33a846b69baf4c9d0bac53714614b51803b8593N.exe 2896 Pbagipfi.exe 2896 Pbagipfi.exe 2004 Pdbdqh32.exe 2004 Pdbdqh32.exe 2660 Phnpagdp.exe 2660 Phnpagdp.exe 2676 Pkoicb32.exe 2676 Pkoicb32.exe 2568 Pidfdofi.exe 2568 Pidfdofi.exe 2644 Pcljmdmj.exe 2644 Pcljmdmj.exe 2584 Pifbjn32.exe 2584 Pifbjn32.exe 652 Qcogbdkg.exe 652 Qcogbdkg.exe 2848 Qndkpmkm.exe 2848 Qndkpmkm.exe 2264 Qeppdo32.exe 2264 Qeppdo32.exe 1220 Apedah32.exe 1220 Apedah32.exe 2876 Aebmjo32.exe 2876 Aebmjo32.exe 2092 Apgagg32.exe 2092 Apgagg32.exe 2028 Afdiondb.exe 2028 Afdiondb.exe 2116 Aomnhd32.exe 2116 Aomnhd32.exe 1644 Aakjdo32.exe 1644 Aakjdo32.exe 968 Alqnah32.exe 968 Alqnah32.exe 1732 Aoojnc32.exe 1732 Aoojnc32.exe 1036 Aficjnpm.exe 1036 Aficjnpm.exe 1532 Ahgofi32.exe 1532 Ahgofi32.exe 1576 Abpcooea.exe 1576 Abpcooea.exe 2428 Bgllgedi.exe 2428 Bgllgedi.exe 1692 Bdqlajbb.exe 1692 Bdqlajbb.exe 2452 Bgoime32.exe 2452 Bgoime32.exe 1548 Bqgmfkhg.exe 1548 Bqgmfkhg.exe 2728 Bceibfgj.exe 2728 Bceibfgj.exe 1736 Bmnnkl32.exe 1736 Bmnnkl32.exe 2672 Boljgg32.exe 2672 Boljgg32.exe 2404 Bqlfaj32.exe 2404 Bqlfaj32.exe 2560 Bcjcme32.exe 2560 Bcjcme32.exe 2704 Bfioia32.exe 2704 Bfioia32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Oioipf32.exe Ofqmcj32.exe File created C:\Windows\SysWOW64\Ebnabb32.exe Eppefg32.exe File created C:\Windows\SysWOW64\Nbiahjpi.dll Ehnfpifm.exe File created C:\Windows\SysWOW64\Kkjpggkn.exe Khldkllj.exe File opened for modification C:\Windows\SysWOW64\Lbjofi32.exe Lplbjm32.exe File opened for modification C:\Windows\SysWOW64\Alqnah32.exe Aakjdo32.exe File created C:\Windows\SysWOW64\Boljgg32.exe Bmnnkl32.exe File created C:\Windows\SysWOW64\Eldhjg32.dll Hieiqo32.exe File created C:\Windows\SysWOW64\Neniei32.dll Dpcmgi32.exe File opened for modification C:\Windows\SysWOW64\Qbnphngk.exe Qiflohqk.exe File created C:\Windows\SysWOW64\Cmkfji32.exe Cfanmogq.exe File created C:\Windows\SysWOW64\Eadbpdla.dll Cbgobp32.exe File opened for modification C:\Windows\SysWOW64\Fgocmc32.exe Fdpgph32.exe File created C:\Windows\SysWOW64\Khpjqgjc.dll Apedah32.exe File opened for modification C:\Windows\SysWOW64\Abpcooea.exe Ahgofi32.exe File created C:\Windows\SysWOW64\Cbehjc32.dll Dnpciaef.exe File created C:\Windows\SysWOW64\Gicaikhj.dll Fdpgph32.exe File created C:\Windows\SysWOW64\Ffdmihcc.dll Inhdgdmk.exe File created C:\Windows\SysWOW64\Jieaofmp.exe Jfgebjnm.exe File created C:\Windows\SysWOW64\Hjmlhbbg.exe Gockgdeh.exe File created C:\Windows\SysWOW64\Iejiodbl.exe Ichmgl32.exe File created C:\Windows\SysWOW64\Bjkeingq.dll Jfieigio.exe File opened for modification C:\Windows\SysWOW64\Pbemboof.exe Ppfafcpb.exe File opened for modification C:\Windows\SysWOW64\Piabdiep.exe Pfbfhm32.exe File opened for modification C:\Windows\SysWOW64\Fbegbacp.exe Eknpadcn.exe File opened for modification C:\Windows\SysWOW64\Ehhdaj32.exe Eeiheo32.exe File created C:\Windows\SysWOW64\Homdhjai.exe Hgflflqg.exe File opened for modification C:\Windows\SysWOW64\Hnbaif32.exe Hkdemk32.exe File created C:\Windows\SysWOW64\Goqnae32.exe Gkebafoa.exe File created C:\Windows\SysWOW64\Lgdqap32.dll Egajnfoe.exe File created C:\Windows\SysWOW64\Figmjq32.exe Foahmh32.exe File created C:\Windows\SysWOW64\Mphaobfe.dll Ojeobm32.exe File opened for modification C:\Windows\SysWOW64\Aklabp32.exe Ahmefdcp.exe File opened for modification C:\Windows\SysWOW64\Fmdbnnlj.exe Fkefbcmf.exe File created C:\Windows\SysWOW64\Alqnah32.exe Aakjdo32.exe File opened for modification C:\Windows\SysWOW64\Ahgofi32.exe Aficjnpm.exe File created C:\Windows\SysWOW64\Cenljmgq.exe Coacbfii.exe File opened for modification C:\Windows\SysWOW64\Eppefg32.exe Eifmimch.exe File created C:\Windows\SysWOW64\Loeccoai.dll Fimoiopk.exe File created C:\Windows\SysWOW64\Lcepfhka.dll Hddmjk32.exe File opened for modification C:\Windows\SysWOW64\Iakino32.exe Ibhicbao.exe File created C:\Windows\SysWOW64\Aebmjo32.exe Apedah32.exe File created C:\Windows\SysWOW64\Gbdnfd32.dll Ifpcchai.exe File created C:\Windows\SysWOW64\Oalkih32.exe Ojbbmnhc.exe File created C:\Windows\SysWOW64\Kablnadm.exe Kocpbfei.exe File created C:\Windows\SysWOW64\Lopfhk32.exe Lgingm32.exe File opened for modification C:\Windows\SysWOW64\Dnhbmpkn.exe Dlifadkk.exe File created C:\Windows\SysWOW64\Gockgdeh.exe Gglbfg32.exe File created C:\Windows\SysWOW64\Ckmnbg32.exe Cagienkb.exe File created C:\Windows\SysWOW64\Aklabp32.exe Ahmefdcp.exe File created C:\Windows\SysWOW64\Ffakjm32.dll Kjhcag32.exe File created C:\Windows\SysWOW64\Fmihbe32.dll Jigbebhb.exe File created C:\Windows\SysWOW64\Jqnodo32.dll Jieaofmp.exe File created C:\Windows\SysWOW64\Nckkgp32.exe Nmabjfek.exe File created C:\Windows\SysWOW64\Ojbbmnhc.exe Oiafee32.exe File created C:\Windows\SysWOW64\Aemgfj32.dll Aeoijidl.exe File created C:\Windows\SysWOW64\Obahbj32.dll Bdqlajbb.exe File created C:\Windows\SysWOW64\Ghofam32.exe Gdcjpncm.exe File created C:\Windows\SysWOW64\Jlfnangf.exe Jigbebhb.exe File opened for modification C:\Windows\SysWOW64\Bknjfb32.exe Blkjkflb.exe File created C:\Windows\SysWOW64\Gcgqgd32.exe Gpidki32.exe File created C:\Windows\SysWOW64\Dfcllk32.dll Hiioin32.exe File opened for modification C:\Windows\SysWOW64\Hfjbmb32.exe Hbofmcij.exe File created C:\Windows\SysWOW64\Ipafocdg.dll Lplbjm32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5804 5768 WerFault.exe 531 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlfnangf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgidfcdk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epbbkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgjkfi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afdiondb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bceibfgj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oioipf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oflpgnld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeoijidl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anadojlo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcljmdmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncfalqpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbemboof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aiaoclgl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckmnbg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghofam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpjkeoha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pddjlb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gglbfg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbofmcij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dinneo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eopphehb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bknjfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcciqi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehlmljkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mloiec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehhdaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edcnakpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hohkmj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnbaif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmcopebh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glpepj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pifbjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfpaic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdhifooi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alqnah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaihob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckbpqe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egonhf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apmcefmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gonale32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqgmfkhg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkmbmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfjbmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpjbgh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gecpnp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmabjfek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cehhdkjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbhebfck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eaebeoan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqcnln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfcodkcb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkhbgbkc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfhfhbce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjhgbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anogijnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blkjkflb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgcnghpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohfcfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieibdnnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmegjdad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nckkgp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnhbmpkn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmfocnjg.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peblpbgn.dll" Pifbjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdekgjno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ammhpd32.dll" Lpflkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mdogedmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Addfkeid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdphjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdqlajbb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eeiheo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnebcjoe.dll" Picojhcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Khjgel32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fodebh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkmggbfb.dll" Hohkmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poibnekg.dll" Mobomnoq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nckkgp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibacbcgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhcool32.dll" Dahkok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pidfdofi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofaejacl.dll" Cjakccop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpflkb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Paocnkph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aahfdihn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfckcoen.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dphfbiem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apoahgqd.dll" Plmbkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahmefdcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jnagmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mebgijei.dll" Jfohgepi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgdokbck.dll" Fhgifgnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kdphjm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahgofi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpohakbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ifpcchai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dllnnkld.dll" Iladfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdjjgb32.dll" Mhjcec32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cqdfehii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkjpggkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlcdel32.dll" Lmmfnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjaaeimj.dll" Kljdkpfl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Llmmpcfe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njeccjcd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmcopebh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdnfjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Deenjpcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpopbabj.dll" Hnbaif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncmglp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aejlnmkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhehaf32.dll" Hmbndmkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cbgobp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgoelh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Calcpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfafae32.dll" Fleifl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jacfidem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbemboof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Baefnmml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glehgdkn.dll" Ikfbbjdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfcqihha.dll" Kmcjedcg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oioipf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Glpepj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnagmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikbilijo.dll" Jfaeme32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmkmjoec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bqgmfkhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lanlcl32.dll" Gkalhgfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjhqaemi.dll" Modlbmmn.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 548 wrote to memory of 2896 548 e73931686e62814b09fde992f33a846b69baf4c9d0bac53714614b51803b8593N.exe 31 PID 548 wrote to memory of 2896 548 e73931686e62814b09fde992f33a846b69baf4c9d0bac53714614b51803b8593N.exe 31 PID 548 wrote to memory of 2896 548 e73931686e62814b09fde992f33a846b69baf4c9d0bac53714614b51803b8593N.exe 31 PID 548 wrote to memory of 2896 548 e73931686e62814b09fde992f33a846b69baf4c9d0bac53714614b51803b8593N.exe 31 PID 2896 wrote to memory of 2004 2896 Pbagipfi.exe 32 PID 2896 wrote to memory of 2004 2896 Pbagipfi.exe 32 PID 2896 wrote to memory of 2004 2896 Pbagipfi.exe 32 PID 2896 wrote to memory of 2004 2896 Pbagipfi.exe 32 PID 2004 wrote to memory of 2660 2004 Pdbdqh32.exe 33 PID 2004 wrote to memory of 2660 2004 Pdbdqh32.exe 33 PID 2004 wrote to memory of 2660 2004 Pdbdqh32.exe 33 PID 2004 wrote to memory of 2660 2004 Pdbdqh32.exe 33 PID 2660 wrote to memory of 2676 2660 Phnpagdp.exe 34 PID 2660 wrote to memory of 2676 2660 Phnpagdp.exe 34 PID 2660 wrote to memory of 2676 2660 Phnpagdp.exe 34 PID 2660 wrote to memory of 2676 2660 Phnpagdp.exe 34 PID 2676 wrote to memory of 2568 2676 Pkoicb32.exe 35 PID 2676 wrote to memory of 2568 2676 Pkoicb32.exe 35 PID 2676 wrote to memory of 2568 2676 Pkoicb32.exe 35 PID 2676 wrote to memory of 2568 2676 Pkoicb32.exe 35 PID 2568 wrote to memory of 2644 2568 Pidfdofi.exe 36 PID 2568 wrote to memory of 2644 2568 Pidfdofi.exe 36 PID 2568 wrote to memory of 2644 2568 Pidfdofi.exe 36 PID 2568 wrote to memory of 2644 2568 Pidfdofi.exe 36 PID 2644 wrote to memory of 2584 2644 Pcljmdmj.exe 37 PID 2644 wrote to memory of 2584 2644 Pcljmdmj.exe 37 PID 2644 wrote to memory of 2584 2644 Pcljmdmj.exe 37 PID 2644 wrote to memory of 2584 2644 Pcljmdmj.exe 37 PID 2584 wrote to memory of 652 2584 Pifbjn32.exe 38 PID 2584 wrote to memory of 652 2584 Pifbjn32.exe 38 PID 2584 wrote to memory of 652 2584 Pifbjn32.exe 38 PID 2584 wrote to memory of 652 2584 Pifbjn32.exe 38 PID 652 wrote to memory of 2848 652 Qcogbdkg.exe 39 PID 652 wrote to memory of 2848 652 Qcogbdkg.exe 39 PID 652 wrote to memory of 2848 652 Qcogbdkg.exe 39 PID 652 wrote to memory of 2848 652 Qcogbdkg.exe 39 PID 2848 wrote to memory of 2264 2848 Qndkpmkm.exe 40 PID 2848 wrote to memory of 2264 2848 Qndkpmkm.exe 40 PID 2848 wrote to memory of 2264 2848 Qndkpmkm.exe 40 PID 2848 wrote to memory of 2264 2848 Qndkpmkm.exe 40 PID 2264 wrote to memory of 1220 2264 Qeppdo32.exe 41 PID 2264 wrote to memory of 1220 2264 Qeppdo32.exe 41 PID 2264 wrote to memory of 1220 2264 Qeppdo32.exe 41 PID 2264 wrote to memory of 1220 2264 Qeppdo32.exe 41 PID 1220 wrote to memory of 2876 1220 Apedah32.exe 42 PID 1220 wrote to memory of 2876 1220 Apedah32.exe 42 PID 1220 wrote to memory of 2876 1220 Apedah32.exe 42 PID 1220 wrote to memory of 2876 1220 Apedah32.exe 42 PID 2876 wrote to memory of 2092 2876 Aebmjo32.exe 43 PID 2876 wrote to memory of 2092 2876 Aebmjo32.exe 43 PID 2876 wrote to memory of 2092 2876 Aebmjo32.exe 43 PID 2876 wrote to memory of 2092 2876 Aebmjo32.exe 43 PID 2092 wrote to memory of 2028 2092 Apgagg32.exe 44 PID 2092 wrote to memory of 2028 2092 Apgagg32.exe 44 PID 2092 wrote to memory of 2028 2092 Apgagg32.exe 44 PID 2092 wrote to memory of 2028 2092 Apgagg32.exe 44 PID 2028 wrote to memory of 2116 2028 Afdiondb.exe 45 PID 2028 wrote to memory of 2116 2028 Afdiondb.exe 45 PID 2028 wrote to memory of 2116 2028 Afdiondb.exe 45 PID 2028 wrote to memory of 2116 2028 Afdiondb.exe 45 PID 2116 wrote to memory of 1644 2116 Aomnhd32.exe 46 PID 2116 wrote to memory of 1644 2116 Aomnhd32.exe 46 PID 2116 wrote to memory of 1644 2116 Aomnhd32.exe 46 PID 2116 wrote to memory of 1644 2116 Aomnhd32.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\e73931686e62814b09fde992f33a846b69baf4c9d0bac53714614b51803b8593N.exe"C:\Users\Admin\AppData\Local\Temp\e73931686e62814b09fde992f33a846b69baf4c9d0bac53714614b51803b8593N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:548 -
C:\Windows\SysWOW64\Pbagipfi.exeC:\Windows\system32\Pbagipfi.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\Pdbdqh32.exeC:\Windows\system32\Pdbdqh32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\SysWOW64\Phnpagdp.exeC:\Windows\system32\Phnpagdp.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Pkoicb32.exeC:\Windows\system32\Pkoicb32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Pidfdofi.exeC:\Windows\system32\Pidfdofi.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\Pcljmdmj.exeC:\Windows\system32\Pcljmdmj.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Pifbjn32.exeC:\Windows\system32\Pifbjn32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Qcogbdkg.exeC:\Windows\system32\Qcogbdkg.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:652 -
C:\Windows\SysWOW64\Qndkpmkm.exeC:\Windows\system32\Qndkpmkm.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\Qeppdo32.exeC:\Windows\system32\Qeppdo32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Windows\SysWOW64\Apedah32.exeC:\Windows\system32\Apedah32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1220 -
C:\Windows\SysWOW64\Aebmjo32.exeC:\Windows\system32\Aebmjo32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\Apgagg32.exeC:\Windows\system32\Apgagg32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Windows\SysWOW64\Afdiondb.exeC:\Windows\system32\Afdiondb.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\SysWOW64\Aomnhd32.exeC:\Windows\system32\Aomnhd32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Windows\SysWOW64\Aakjdo32.exeC:\Windows\system32\Aakjdo32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1644 -
C:\Windows\SysWOW64\Alqnah32.exeC:\Windows\system32\Alqnah32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:968 -
C:\Windows\SysWOW64\Aoojnc32.exeC:\Windows\system32\Aoojnc32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1732 -
C:\Windows\SysWOW64\Aficjnpm.exeC:\Windows\system32\Aficjnpm.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1036 -
C:\Windows\SysWOW64\Ahgofi32.exeC:\Windows\system32\Ahgofi32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1532 -
C:\Windows\SysWOW64\Abpcooea.exeC:\Windows\system32\Abpcooea.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1576 -
C:\Windows\SysWOW64\Bgllgedi.exeC:\Windows\system32\Bgllgedi.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2428 -
C:\Windows\SysWOW64\Bdqlajbb.exeC:\Windows\system32\Bdqlajbb.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1692 -
C:\Windows\SysWOW64\Bgoime32.exeC:\Windows\system32\Bgoime32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2452 -
C:\Windows\SysWOW64\Bqgmfkhg.exeC:\Windows\system32\Bqgmfkhg.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1548 -
C:\Windows\SysWOW64\Bceibfgj.exeC:\Windows\system32\Bceibfgj.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2728 -
C:\Windows\SysWOW64\Bmnnkl32.exeC:\Windows\system32\Bmnnkl32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1736 -
C:\Windows\SysWOW64\Boljgg32.exeC:\Windows\system32\Boljgg32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2672 -
C:\Windows\SysWOW64\Bqlfaj32.exeC:\Windows\system32\Bqlfaj32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2404 -
C:\Windows\SysWOW64\Bcjcme32.exeC:\Windows\system32\Bcjcme32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2560 -
C:\Windows\SysWOW64\Bfioia32.exeC:\Windows\system32\Bfioia32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2704 -
C:\Windows\SysWOW64\Coacbfii.exeC:\Windows\system32\Coacbfii.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:532 -
C:\Windows\SysWOW64\Cenljmgq.exeC:\Windows\system32\Cenljmgq.exe34⤵
- Executes dropped EXE
PID:768 -
C:\Windows\SysWOW64\Cmedlk32.exeC:\Windows\system32\Cmedlk32.exe35⤵
- Executes dropped EXE
PID:1800 -
C:\Windows\SysWOW64\Cnfqccna.exeC:\Windows\system32\Cnfqccna.exe36⤵
- Executes dropped EXE
PID:996 -
C:\Windows\SysWOW64\Cgoelh32.exeC:\Windows\system32\Cgoelh32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:1948 -
C:\Windows\SysWOW64\Cnimiblo.exeC:\Windows\system32\Cnimiblo.exe38⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Cagienkb.exeC:\Windows\system32\Cagienkb.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2864 -
C:\Windows\SysWOW64\Ckmnbg32.exeC:\Windows\system32\Ckmnbg32.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2572 -
C:\Windows\SysWOW64\Cbffoabe.exeC:\Windows\system32\Cbffoabe.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2380 -
C:\Windows\SysWOW64\Cgcnghpl.exeC:\Windows\system32\Cgcnghpl.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2368 -
C:\Windows\SysWOW64\Cjakccop.exeC:\Windows\system32\Cjakccop.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:2408 -
C:\Windows\SysWOW64\Calcpm32.exeC:\Windows\system32\Calcpm32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:1344 -
C:\Windows\SysWOW64\Cfhkhd32.exeC:\Windows\system32\Cfhkhd32.exe45⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Dnpciaef.exeC:\Windows\system32\Dnpciaef.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1636 -
C:\Windows\SysWOW64\Danpemej.exeC:\Windows\system32\Danpemej.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Dpcmgi32.exeC:\Windows\system32\Dpcmgi32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3040 -
C:\Windows\SysWOW64\Dbaice32.exeC:\Windows\system32\Dbaice32.exe49⤵
- Executes dropped EXE
PID:1756 -
C:\Windows\SysWOW64\Djiqdb32.exeC:\Windows\system32\Djiqdb32.exe50⤵
- Executes dropped EXE
PID:1760 -
C:\Windows\SysWOW64\Dmgmpnhl.exeC:\Windows\system32\Dmgmpnhl.exe51⤵
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\Dpeiligo.exeC:\Windows\system32\Dpeiligo.exe52⤵
- Executes dropped EXE
PID:1808 -
C:\Windows\SysWOW64\Dfpaic32.exeC:\Windows\system32\Dfpaic32.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2736 -
C:\Windows\SysWOW64\Dinneo32.exeC:\Windows\system32\Dinneo32.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2812 -
C:\Windows\SysWOW64\Dlljaj32.exeC:\Windows\system32\Dlljaj32.exe55⤵
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Dphfbiem.exeC:\Windows\system32\Dphfbiem.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:2996 -
C:\Windows\SysWOW64\Deenjpcd.exeC:\Windows\system32\Deenjpcd.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:576 -
C:\Windows\SysWOW64\Dipjkn32.exeC:\Windows\system32\Dipjkn32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Dpjbgh32.exeC:\Windows\system32\Dpjbgh32.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1912 -
C:\Windows\SysWOW64\Eakooqih.exeC:\Windows\system32\Eakooqih.exe60⤵
- Executes dropped EXE
PID:2416 -
C:\Windows\SysWOW64\Eheglk32.exeC:\Windows\system32\Eheglk32.exe61⤵
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Eopphehb.exeC:\Windows\system32\Eopphehb.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2212 -
C:\Windows\SysWOW64\Ebklic32.exeC:\Windows\system32\Ebklic32.exe63⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Eeiheo32.exeC:\Windows\system32\Eeiheo32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1292 -
C:\Windows\SysWOW64\Ehhdaj32.exeC:\Windows\system32\Ehhdaj32.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:920 -
C:\Windows\SysWOW64\Ekfpmf32.exeC:\Windows\system32\Ekfpmf32.exe66⤵PID:544
-
C:\Windows\SysWOW64\Emdmjamj.exeC:\Windows\system32\Emdmjamj.exe67⤵PID:876
-
C:\Windows\SysWOW64\Egmabg32.exeC:\Windows\system32\Egmabg32.exe68⤵PID:2944
-
C:\Windows\SysWOW64\Eodicd32.exeC:\Windows\system32\Eodicd32.exe69⤵PID:2992
-
C:\Windows\SysWOW64\Epeekmjk.exeC:\Windows\system32\Epeekmjk.exe70⤵PID:2732
-
C:\Windows\SysWOW64\Ehlmljkm.exeC:\Windows\system32\Ehlmljkm.exe71⤵
- System Location Discovery: System Language Discovery
PID:2912 -
C:\Windows\SysWOW64\Egonhf32.exeC:\Windows\system32\Egonhf32.exe72⤵
- System Location Discovery: System Language Discovery
PID:2804 -
C:\Windows\SysWOW64\Einjdb32.exeC:\Windows\system32\Einjdb32.exe73⤵PID:2548
-
C:\Windows\SysWOW64\Eaebeoan.exeC:\Windows\system32\Eaebeoan.exe74⤵
- System Location Discovery: System Language Discovery
PID:2420 -
C:\Windows\SysWOW64\Edcnakpa.exeC:\Windows\system32\Edcnakpa.exe75⤵
- System Location Discovery: System Language Discovery
PID:2620 -
C:\Windows\SysWOW64\Egajnfoe.exeC:\Windows\system32\Egajnfoe.exe76⤵
- Drops file in System32 directory
PID:1652 -
C:\Windows\SysWOW64\Eipgjaoi.exeC:\Windows\system32\Eipgjaoi.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2600 -
C:\Windows\SysWOW64\Flocfmnl.exeC:\Windows\system32\Flocfmnl.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1160 -
C:\Windows\SysWOW64\Fdekgjno.exeC:\Windows\system32\Fdekgjno.exe79⤵
- Modifies registry class
PID:2880 -
C:\Windows\SysWOW64\Feggob32.exeC:\Windows\system32\Feggob32.exe80⤵PID:2088
-
C:\Windows\SysWOW64\Fmnopp32.exeC:\Windows\system32\Fmnopp32.exe81⤵PID:2376
-
C:\Windows\SysWOW64\Flapkmlj.exeC:\Windows\system32\Flapkmlj.exe82⤵PID:316
-
C:\Windows\SysWOW64\Feiddbbj.exeC:\Windows\system32\Feiddbbj.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2268 -
C:\Windows\SysWOW64\Fiepea32.exeC:\Windows\system32\Fiepea32.exe84⤵PID:2372
-
C:\Windows\SysWOW64\Fpohakbp.exeC:\Windows\system32\Fpohakbp.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:880 -
C:\Windows\SysWOW64\Foahmh32.exeC:\Windows\system32\Foahmh32.exe86⤵
- Drops file in System32 directory
PID:2508 -
C:\Windows\SysWOW64\Figmjq32.exeC:\Windows\system32\Figmjq32.exe87⤵PID:2664
-
C:\Windows\SysWOW64\Fleifl32.exeC:\Windows\system32\Fleifl32.exe88⤵
- Modifies registry class
PID:2668 -
C:\Windows\SysWOW64\Fodebh32.exeC:\Windows\system32\Fodebh32.exe89⤵
- Modifies registry class
PID:2652 -
C:\Windows\SysWOW64\Fdqnkoep.exeC:\Windows\system32\Fdqnkoep.exe90⤵PID:1376
-
C:\Windows\SysWOW64\Fkkfgi32.exeC:\Windows\system32\Fkkfgi32.exe91⤵PID:776
-
C:\Windows\SysWOW64\Fofbhgde.exeC:\Windows\system32\Fofbhgde.exe92⤵PID:1604
-
C:\Windows\SysWOW64\Gdcjpncm.exeC:\Windows\system32\Gdcjpncm.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2348 -
C:\Windows\SysWOW64\Ghofam32.exeC:\Windows\system32\Ghofam32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:964 -
C:\Windows\SysWOW64\Gkmbmh32.exeC:\Windows\system32\Gkmbmh32.exe95⤵
- System Location Discovery: System Language Discovery
PID:1452 -
C:\Windows\SysWOW64\Gnkoid32.exeC:\Windows\system32\Gnkoid32.exe96⤵PID:1680
-
C:\Windows\SysWOW64\Gpjkeoha.exeC:\Windows\system32\Gpjkeoha.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1904 -
C:\Windows\SysWOW64\Ghacfmic.exeC:\Windows\system32\Ghacfmic.exe98⤵PID:2444
-
C:\Windows\SysWOW64\Gkoobhhg.exeC:\Windows\system32\Gkoobhhg.exe99⤵PID:2040
-
C:\Windows\SysWOW64\Gaihob32.exeC:\Windows\system32\Gaihob32.exe100⤵
- System Location Discovery: System Language Discovery
PID:2740 -
C:\Windows\SysWOW64\Gckdgjeb.exeC:\Windows\system32\Gckdgjeb.exe101⤵PID:2540
-
C:\Windows\SysWOW64\Gkalhgfd.exeC:\Windows\system32\Gkalhgfd.exe102⤵
- Modifies registry class
PID:2564 -
C:\Windows\SysWOW64\Gnphdceh.exeC:\Windows\system32\Gnphdceh.exe103⤵PID:2592
-
C:\Windows\SysWOW64\Gdjqamme.exeC:\Windows\system32\Gdjqamme.exe104⤵PID:1320
-
C:\Windows\SysWOW64\Gnbejb32.exeC:\Windows\system32\Gnbejb32.exe105⤵PID:2708
-
C:\Windows\SysWOW64\Gqaafn32.exeC:\Windows\system32\Gqaafn32.exe106⤵PID:1140
-
C:\Windows\SysWOW64\Gconbj32.exeC:\Windows\system32\Gconbj32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1672 -
C:\Windows\SysWOW64\Gfnjne32.exeC:\Windows\system32\Gfnjne32.exe108⤵PID:1796
-
C:\Windows\SysWOW64\Ghlfjq32.exeC:\Windows\system32\Ghlfjq32.exe109⤵PID:900
-
C:\Windows\SysWOW64\Gqcnln32.exeC:\Windows\system32\Gqcnln32.exe110⤵
- System Location Discovery: System Language Discovery
PID:1440 -
C:\Windows\SysWOW64\Hbdjcffd.exeC:\Windows\system32\Hbdjcffd.exe111⤵PID:3064
-
C:\Windows\SysWOW64\Hfpfdeon.exeC:\Windows\system32\Hfpfdeon.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2692 -
C:\Windows\SysWOW64\Hmjoqo32.exeC:\Windows\system32\Hmjoqo32.exe113⤵PID:2596
-
C:\Windows\SysWOW64\Hohkmj32.exeC:\Windows\system32\Hohkmj32.exe114⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:872 -
C:\Windows\SysWOW64\Hbggif32.exeC:\Windows\system32\Hbggif32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2344 -
C:\Windows\SysWOW64\Hdecea32.exeC:\Windows\system32\Hdecea32.exe116⤵PID:2160
-
C:\Windows\SysWOW64\Hkolakkb.exeC:\Windows\system32\Hkolakkb.exe117⤵PID:708
-
C:\Windows\SysWOW64\Hokhbj32.exeC:\Windows\system32\Hokhbj32.exe118⤵PID:612
-
C:\Windows\SysWOW64\Hbidne32.exeC:\Windows\system32\Hbidne32.exe119⤵PID:3020
-
C:\Windows\SysWOW64\Hgflflqg.exeC:\Windows\system32\Hgflflqg.exe120⤵
- Drops file in System32 directory
PID:2756 -
C:\Windows\SysWOW64\Homdhjai.exeC:\Windows\system32\Homdhjai.exe121⤵PID:2816
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-