Analysis
max time kernel: 39s
max time network: 19s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 02-11-2024 03:35
Static task: static1
Behavioral task: behavioral1
  Sample: d49ceea6f58ea3f0d4275bfd7f7e31c063ea5f3c8d547e238fba5927b7daad19.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: d49ceea6f58ea3f0d4275bfd7f7e31c063ea5f3c8d547e238fba5927b7daad19.exe
  Resource: win10v2004-20241007-en
General
Target: d49ceea6f58ea3f0d4275bfd7f7e31c063ea5f3c8d547e238fba5927b7daad19.exe
Size: 96KB
MD5: 45c400a3eb57a4d1cf4690d368b485f7
SHA1: 66f3df1dd7501532e81422bec92942ebf12330e5
SHA256: d49ceea6f58ea3f0d4275bfd7f7e31c063ea5f3c8d547e238fba5927b7daad19
SHA512: 462382fe018b3aba8d53665fe72879f438a8016fb1c1c3726a82b4113b1c4decf2047ab9c34002475cb3d748c183f314c6576f4620a05721108aa158ad4a1d3d
SSDEEP: 1536:DHGfYDgMMLIetnH3WGcIrmfDdwLL1F+2Lh17RZObZUUWaegPYA:jGAkM3etnX/9+sBlPClUUWae
Malware Config
Extracted: berbew
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Berbew family

Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.

Bruteratel family

Detect BruteRatel badger (1 IoC)
resource: behavioral1/files/0x000400000001deae-2969.dat, yara_rule: family_bruteratel
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid: 4672, pid_target: 4640, Process: WerFault.exe, procid_target: 371
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2580 wrote to memory of 2160 2580 d49ceea6f58ea3f0d4275bfd7f7e31c063ea5f3c8d547e238fba5927b7daad19.exe 29
PID 2580 wrote to memory of 2160 2580 d49ceea6f58ea3f0d4275bfd7f7e31c063ea5f3c8d547e238fba5927b7daad19.exe 29
PID 2580 wrote to memory of 2160 2580 d49ceea6f58ea3f0d4275bfd7f7e31c063ea5f3c8d547e238fba5927b7daad19.exe 29
PID 2580 wrote to memory of 2160 2580 d49ceea6f58ea3f0d4275bfd7f7e31c063ea5f3c8d547e238fba5927b7daad19.exe 29
PID 2160 wrote to memory of 2392 2160 Eckcak32.exe 30
PID 2160 wrote to memory of 2392 2160 Eckcak32.exe 30
PID 2160 wrote to memory of 2392 2160 Eckcak32.exe 30
PID 2160 wrote to memory of 2392 2160 Eckcak32.exe 30
PID 2392 wrote to memory of 2912 2392 Eapcjo32.exe 31
PID 2392 wrote to memory of 2912 2392 Eapcjo32.exe 31
PID 2392 wrote to memory of 2912 2392 Eapcjo32.exe 31
PID 2392 wrote to memory of 2912 2392 Eapcjo32.exe 31
PID 2912 wrote to memory of 2428 2912 Fimedaoe.exe 32
PID 2912 wrote to memory of 2428 2912 Fimedaoe.exe 32
PID 2912 wrote to memory of 2428 2912 Fimedaoe.exe 32
PID 2912 wrote to memory of 2428 2912 Fimedaoe.exe 32
PID 2428 wrote to memory of 536 2428 Fioajqmb.exe 33
PID 2428 wrote to memory of 536 2428 Fioajqmb.exe 33
PID 2428 wrote to memory of 536 2428 Fioajqmb.exe 33
PID 2428 wrote to memory of 536 2428 Fioajqmb.exe 33
PID 536 wrote to memory of 2692 536 Fplgljbm.exe 34
PID 536 wrote to memory of 2692 536 Fplgljbm.exe 34
PID 536 wrote to memory of 2692 536 Fplgljbm.exe 34
PID 536 wrote to memory of 2692 536 Fplgljbm.exe 34
PID 2692 wrote to memory of 1920 2692 Fpncbjqj.exe 35
PID 2692 wrote to memory of 1920 2692 Fpncbjqj.exe 35
PID 2692 wrote to memory of 1920 2692 Fpncbjqj.exe 35
PID 2692 wrote to memory of 1920 2692 Fpncbjqj.exe 35
PID 1920 wrote to memory of 308 1920 Gocpcfeb.exe 36
PID 1920 wrote to memory of 308 1920 Gocpcfeb.exe 36
PID 1920 wrote to memory of 308 1920 Gocpcfeb.exe 36
PID 1920 wrote to memory of 308 1920 Gocpcfeb.exe 36
PID 308 wrote to memory of 1692 308 Ghlell32.exe 37
PID 308 wrote to memory of 1692 308 Ghlell32.exe 37
PID 308 wrote to memory of 1692 308 Ghlell32.exe 37
PID 308 wrote to memory of 1692 308 Ghlell32.exe 37
PID 1692 wrote to memory of 2984 1692 Ghnaaljp.exe 38
PID 1692 wrote to memory of 2984 1692 Ghnaaljp.exe 38
PID 1692 wrote to memory of 2984 1692 Ghnaaljp.exe 38
PID 1692 wrote to memory of 2984 1692 Ghnaaljp.exe 38
PID 2984 wrote to memory of 912 2984 Ghpngkhm.exe 39
PID 2984 wrote to memory of 912 2984 Ghpngkhm.exe 39
PID 2984 wrote to memory of 912 2984 Ghpngkhm.exe 39
PID 2984 wrote to memory of 912 2984 Ghpngkhm.exe 39
PID 912 wrote to memory of 1012 912 Gkaghf32.exe 40
PID 912 wrote to memory of 1012 912 Gkaghf32.exe 40
PID 912 wrote to memory of 1012 912 Gkaghf32.exe 40
PID 912 wrote to memory of 1012 912 Gkaghf32.exe 40
PID 1012 wrote to memory of 1064 1012 Glbcpokl.exe 41
PID 1012 wrote to memory of 1064 1012 Glbcpokl.exe 41
PID 1012 wrote to memory of 1064 1012 Glbcpokl.exe 41
PID 1012 wrote to memory of 1064 1012 Glbcpokl.exe 41
PID 1064 wrote to memory of 1992 1064 Hgjdcghp.exe 42
PID 1064 wrote to memory of 1992 1064 Hgjdcghp.exe 42
PID 1064 wrote to memory of 1992 1064 Hgjdcghp.exe 42
PID 1064 wrote to memory of 1992 1064 Hgjdcghp.exe 42
PID 1992 wrote to memory of 2260 1992 Hpbilmop.exe 43
PID 1992 wrote to memory of 2260 1992 Hpbilmop.exe 43
PID 1992 wrote to memory of 2260 1992 Hpbilmop.exe 43
PID 1992 wrote to memory of 2260 1992 Hpbilmop.exe 43
PID 2260 wrote to memory of 1056 2260 Hddoep32.exe 44
PID 2260 wrote to memory of 1056 2260 Hddoep32.exe 44
PID 2260 wrote to memory of 1056 2260 Hddoep32.exe 44
PID 2260 wrote to memory of 1056 2260 Hddoep32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\d49ceea6f58ea3f0d4275bfd7f7e31c063ea5f3c8d547e238fba5927b7daad19.exe"C:\Users\Admin\AppData\Local\Temp\d49ceea6f58ea3f0d4275bfd7f7e31c063ea5f3c8d547e238fba5927b7daad19.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\Eckcak32.exeC:\Windows\system32\Eckcak32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Windows\SysWOW64\Eapcjo32.exeC:\Windows\system32\Eapcjo32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\SysWOW64\Fimedaoe.exeC:\Windows\system32\Fimedaoe.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Fioajqmb.exeC:\Windows\system32\Fioajqmb.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\Fplgljbm.exeC:\Windows\system32\Fplgljbm.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:536 -
C:\Windows\SysWOW64\Fpncbjqj.exeC:\Windows\system32\Fpncbjqj.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Gocpcfeb.exeC:\Windows\system32\Gocpcfeb.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1920 -
C:\Windows\SysWOW64\Ghlell32.exeC:\Windows\system32\Ghlell32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:308 -
C:\Windows\SysWOW64\Ghnaaljp.exeC:\Windows\system32\Ghnaaljp.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Windows\SysWOW64\Ghpngkhm.exeC:\Windows\system32\Ghpngkhm.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\SysWOW64\Gkaghf32.exeC:\Windows\system32\Gkaghf32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:912 -
C:\Windows\SysWOW64\Glbcpokl.exeC:\Windows\system32\Glbcpokl.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1012 -
C:\Windows\SysWOW64\Hgjdcghp.exeC:\Windows\system32\Hgjdcghp.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1064 -
C:\Windows\SysWOW64\Hpbilmop.exeC:\Windows\system32\Hpbilmop.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1992 -
C:\Windows\SysWOW64\Hddoep32.exeC:\Windows\system32\Hddoep32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Windows\SysWOW64\Hojbbiae.exeC:\Windows\system32\Hojbbiae.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1056 -
C:\Windows\SysWOW64\Inopce32.exeC:\Windows\system32\Inopce32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2424 -
C:\Windows\SysWOW64\Ihedan32.exeC:\Windows\system32\Ihedan32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1988 -
C:\Windows\SysWOW64\Idkdfo32.exeC:\Windows\system32\Idkdfo32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1036 -
C:\Windows\SysWOW64\Idnako32.exeC:\Windows\system32\Idnako32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1672 -
C:\Windows\SysWOW64\Inffdd32.exeC:\Windows\system32\Inffdd32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1952 -
C:\Windows\SysWOW64\Iccnmk32.exeC:\Windows\system32\Iccnmk32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1944 -
C:\Windows\SysWOW64\Iqgofo32.exeC:\Windows\system32\Iqgofo32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1676 -
C:\Windows\SysWOW64\Jfdgnf32.exeC:\Windows\system32\Jfdgnf32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1880 -
C:\Windows\SysWOW64\Jkqpfmje.exeC:\Windows\system32\Jkqpfmje.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:944 -
C:\Windows\SysWOW64\Jmplqp32.exeC:\Windows\system32\Jmplqp32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2344 -
C:\Windows\SysWOW64\Jekaeb32.exeC:\Windows\system32\Jekaeb32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2812 -
C:\Windows\SysWOW64\Jncenh32.exeC:\Windows\system32\Jncenh32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:3032 -
C:\Windows\SysWOW64\Jccjln32.exeC:\Windows\system32\Jccjln32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2824 -
C:\Windows\SysWOW64\Knhoig32.exeC:\Windows\system32\Knhoig32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2844 -
C:\Windows\SysWOW64\Knkkngol.exeC:\Windows\system32\Knkkngol.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2936 -
C:\Windows\SysWOW64\Kcjqlm32.exeC:\Windows\system32\Kcjqlm32.exe33⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Kleeqp32.exeC:\Windows\system32\Kleeqp32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2600 -
C:\Windows\SysWOW64\Klgbfo32.exeC:\Windows\system32\Klgbfo32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Kfmfchfo.exeC:\Windows\system32\Kfmfchfo.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2616 -
C:\Windows\SysWOW64\Lljolodf.exeC:\Windows\system32\Lljolodf.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:2448 -
C:\Windows\SysWOW64\Lebcdd32.exeC:\Windows\system32\Lebcdd32.exe38⤵
- Executes dropped EXE
PID:972 -
C:\Windows\SysWOW64\Ledpjdid.exeC:\Windows\system32\Ledpjdid.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2128 -
C:\Windows\SysWOW64\Lmpdoffo.exeC:\Windows\system32\Lmpdoffo.exe40⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Lgjfmlkm.exeC:\Windows\system32\Lgjfmlkm.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2860 -
C:\Windows\SysWOW64\Mikooghn.exeC:\Windows\system32\Mikooghn.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3048 -
C:\Windows\SysWOW64\Mheekb32.exeC:\Windows\system32\Mheekb32.exe43⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Mamjchoa.exeC:\Windows\system32\Mamjchoa.exe44⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Nndjhi32.exeC:\Windows\system32\Nndjhi32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1704 -
C:\Windows\SysWOW64\Nabcog32.exeC:\Windows\system32\Nabcog32.exe46⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Nadpdg32.exeC:\Windows\system32\Nadpdg32.exe47⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Ncellpog.exeC:\Windows\system32\Ncellpog.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1984 -
C:\Windows\SysWOW64\Nqjmec32.exeC:\Windows\system32\Nqjmec32.exe49⤵
- Executes dropped EXE
PID:932 -
C:\Windows\SysWOW64\Nffenj32.exeC:\Windows\system32\Nffenj32.exe50⤵
- Executes dropped EXE
PID:3060 -
C:\Windows\SysWOW64\Nqlikc32.exeC:\Windows\system32\Nqlikc32.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3052 -
C:\Windows\SysWOW64\Ogfagmck.exeC:\Windows\system32\Ogfagmck.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2144 -
C:\Windows\SysWOW64\Obpbhk32.exeC:\Windows\system32\Obpbhk32.exe53⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Ojgkih32.exeC:\Windows\system32\Ojgkih32.exe54⤵
- Executes dropped EXE
PID:2328 -
C:\Windows\SysWOW64\Ocoobngl.exeC:\Windows\system32\Ocoobngl.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2688 -
C:\Windows\SysWOW64\Onipbl32.exeC:\Windows\system32\Onipbl32.exe56⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Okmqlp32.exeC:\Windows\system32\Okmqlp32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1968 -
C:\Windows\SysWOW64\Pjbnmm32.exeC:\Windows\system32\Pjbnmm32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1168 -
C:\Windows\SysWOW64\Pcjbfbmm.exeC:\Windows\system32\Pcjbfbmm.exe59⤵
- Executes dropped EXE
PID:1444 -
C:\Windows\SysWOW64\Pjdjbl32.exeC:\Windows\system32\Pjdjbl32.exe60⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Pghklq32.exeC:\Windows\system32\Pghklq32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1188 -
C:\Windows\SysWOW64\Pnbcij32.exeC:\Windows\system32\Pnbcij32.exe62⤵
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Pjicnlqe.exeC:\Windows\system32\Pjicnlqe.exe63⤵
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Pcahga32.exeC:\Windows\system32\Pcahga32.exe64⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Pfpdcm32.exeC:\Windows\system32\Pfpdcm32.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2492 -
C:\Windows\SysWOW64\Pllmkcdp.exeC:\Windows\system32\Pllmkcdp.exe66⤵PID:1424
-
C:\Windows\SysWOW64\Qnmfmoaa.exeC:\Windows\system32\Qnmfmoaa.exe67⤵PID:776
-
C:\Windows\SysWOW64\Qlaffbqk.exeC:\Windows\system32\Qlaffbqk.exe68⤵
- Modifies registry class
PID:1608 -
C:\Windows\SysWOW64\Alcclb32.exeC:\Windows\system32\Alcclb32.exe69⤵
- System Location Discovery: System Language Discovery
PID:3004 -
C:\Windows\SysWOW64\Aapkdi32.exeC:\Windows\system32\Aapkdi32.exe70⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2340 -
C:\Windows\SysWOW64\Aabhiikm.exeC:\Windows\system32\Aabhiikm.exe71⤵PID:2112
-
C:\Windows\SysWOW64\Adadedjq.exeC:\Windows\system32\Adadedjq.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:668 -
C:\Windows\SysWOW64\Ajkmbo32.exeC:\Windows\system32\Ajkmbo32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2904 -
C:\Windows\SysWOW64\Adcakdhn.exeC:\Windows\system32\Adcakdhn.exe74⤵
- Drops file in System32 directory
PID:2948 -
C:\Windows\SysWOW64\Aipickfe.exeC:\Windows\system32\Aipickfe.exe75⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2720 -
C:\Windows\SysWOW64\Akpfmnmh.exeC:\Windows\system32\Akpfmnmh.exe76⤵PID:2728
-
C:\Windows\SysWOW64\Bbkkbpjc.exeC:\Windows\system32\Bbkkbpjc.exe77⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2732 -
C:\Windows\SysWOW64\Biecoj32.exeC:\Windows\system32\Biecoj32.exe78⤵PID:2212
-
C:\Windows\SysWOW64\Boakgapg.exeC:\Windows\system32\Boakgapg.exe79⤵
- Drops file in System32 directory
PID:980 -
C:\Windows\SysWOW64\Belcck32.exeC:\Windows\system32\Belcck32.exe80⤵
- Modifies registry class
PID:2784 -
C:\Windows\SysWOW64\Bodhlane.exeC:\Windows\system32\Bodhlane.exe81⤵
- Modifies registry class
PID:928 -
C:\Windows\SysWOW64\Bhlmef32.exeC:\Windows\system32\Bhlmef32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3036 -
C:\Windows\SysWOW64\Bepmokco.exeC:\Windows\system32\Bepmokco.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:608 -
C:\Windows\SysWOW64\Bljeke32.exeC:\Windows\system32\Bljeke32.exe84⤵
- Drops file in System32 directory
PID:2620 -
C:\Windows\SysWOW64\Cdejpg32.exeC:\Windows\system32\Cdejpg32.exe85⤵
- System Location Discovery: System Language Discovery
PID:1604 -
C:\Windows\SysWOW64\Cnnohmog.exeC:\Windows\system32\Cnnohmog.exe86⤵PID:1668
-
C:\Windows\SysWOW64\Chccfe32.exeC:\Windows\system32\Chccfe32.exe87⤵
- Drops file in System32 directory
PID:524 -
C:\Windows\SysWOW64\Cnpknl32.exeC:\Windows\system32\Cnpknl32.exe88⤵PID:1648
-
C:\Windows\SysWOW64\Ccmcfc32.exeC:\Windows\system32\Ccmcfc32.exe89⤵PID:2772
-
C:\Windows\SysWOW64\Ckdlgq32.exeC:\Windows\system32\Ckdlgq32.exe90⤵
- Modifies registry class
PID:2892 -
C:\Windows\SysWOW64\Cdlppf32.exeC:\Windows\system32\Cdlppf32.exe91⤵PID:3016
-
C:\Windows\SysWOW64\Cfnmhnhm.exeC:\Windows\system32\Cfnmhnhm.exe92⤵PID:2712
-
C:\Windows\SysWOW64\Cpcaeghc.exeC:\Windows\system32\Cpcaeghc.exe93⤵PID:672
-
C:\Windows\SysWOW64\Choejien.exeC:\Windows\system32\Choejien.exe94⤵PID:900
-
C:\Windows\SysWOW64\Dbgjbo32.exeC:\Windows\system32\Dbgjbo32.exe95⤵PID:760
-
C:\Windows\SysWOW64\Dhaboi32.exeC:\Windows\system32\Dhaboi32.exe96⤵PID:2512
-
C:\Windows\SysWOW64\Dbighojl.exeC:\Windows\system32\Dbighojl.exe97⤵PID:2280
-
C:\Windows\SysWOW64\Dlokegib.exeC:\Windows\system32\Dlokegib.exe98⤵PID:1596
-
C:\Windows\SysWOW64\Dblcnngi.exeC:\Windows\system32\Dblcnngi.exe99⤵PID:688
-
C:\Windows\SysWOW64\Dqqqokla.exeC:\Windows\system32\Dqqqokla.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1972 -
C:\Windows\SysWOW64\Dkfdlclg.exeC:\Windows\system32\Dkfdlclg.exe101⤵
- Drops file in System32 directory
PID:1364 -
C:\Windows\SysWOW64\Dbpmin32.exeC:\Windows\system32\Dbpmin32.exe102⤵
- Modifies registry class
PID:1788 -
C:\Windows\SysWOW64\Edafjiqe.exeC:\Windows\system32\Edafjiqe.exe103⤵
- Drops file in System32 directory
PID:2832 -
C:\Windows\SysWOW64\Egobfdpi.exeC:\Windows\system32\Egobfdpi.exe104⤵PID:2920
-
C:\Windows\SysWOW64\Ecfcle32.exeC:\Windows\system32\Ecfcle32.exe105⤵
- Drops file in System32 directory
PID:2856 -
C:\Windows\SysWOW64\Emogdk32.exeC:\Windows\system32\Emogdk32.exe106⤵PID:1800
-
C:\Windows\SysWOW64\Efglmpbn.exeC:\Windows\system32\Efglmpbn.exe107⤵PID:1884
-
C:\Windows\SysWOW64\Fnifbaja.exeC:\Windows\system32\Fnifbaja.exe108⤵PID:1380
-
C:\Windows\SysWOW64\Fmnccn32.exeC:\Windows\system32\Fmnccn32.exe109⤵PID:2204
-
C:\Windows\SysWOW64\Fnnpma32.exeC:\Windows\system32\Fnnpma32.exe110⤵PID:2460
-
C:\Windows\SysWOW64\Fhfdffll.exeC:\Windows\system32\Fhfdffll.exe111⤵
- System Location Discovery: System Language Discovery
PID:2376 -
C:\Windows\SysWOW64\Gaoiol32.exeC:\Windows\system32\Gaoiol32.exe112⤵PID:1252
-
C:\Windows\SysWOW64\Gfkagc32.exeC:\Windows\system32\Gfkagc32.exe113⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1308 -
C:\Windows\SysWOW64\Gpdfph32.exeC:\Windows\system32\Gpdfph32.exe114⤵PID:2256
-
C:\Windows\SysWOW64\Geqnho32.exeC:\Windows\system32\Geqnho32.exe115⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2840 -
C:\Windows\SysWOW64\Gpfbfh32.exeC:\Windows\system32\Gpfbfh32.exe116⤵PID:2972
-
C:\Windows\SysWOW64\Giogonlb.exeC:\Windows\system32\Giogonlb.exe117⤵
- System Location Discovery: System Language Discovery
PID:2848 -
C:\Windows\SysWOW64\Glmckikf.exeC:\Windows\system32\Glmckikf.exe118⤵PID:2952
-
C:\Windows\SysWOW64\Giaddm32.exeC:\Windows\system32\Giaddm32.exe119⤵
- Drops file in System32 directory
PID:1680 -
C:\Windows\SysWOW64\Gkbplepn.exeC:\Windows\system32\Gkbplepn.exe120⤵PID:2296
-
C:\Windows\SysWOW64\Galhhp32.exeC:\Windows\system32\Galhhp32.exe121⤵PID:1236
-
C:\Windows\SysWOW64\Hhfqejoh.exeC:\Windows\system32\Hhfqejoh.exe122⤵PID:2656
-