Analysis
-
max time kernel
118s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
03-11-2024 07:01
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8f5d00a69cef43ce300b85873977fefd39223f9b04a60dc5d1cd6fcbb2d6a44bN.exe
Resource
win7-20240903-en
windows7-x64
13 signatures
120 seconds
Behavioral task
behavioral2
Sample
8f5d00a69cef43ce300b85873977fefd39223f9b04a60dc5d1cd6fcbb2d6a44bN.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
8f5d00a69cef43ce300b85873977fefd39223f9b04a60dc5d1cd6fcbb2d6a44bN.exe
-
Size
96KB
-
MD5
74b880bc3ce10b1d4d2622384af2e650
-
SHA1
50f13dbbed52e8946ccc207476446d5a4cea40d8
-
SHA256
8f5d00a69cef43ce300b85873977fefd39223f9b04a60dc5d1cd6fcbb2d6a44b
-
SHA512
83658891b6e58cf417a397129b9091264689338ff1826fb56ea66b01aaa014f21d537906698c8591ffc2d89d1cd3c2f3ecdc8662a2c442b449cbae820358c2ff
-
SSDEEP
1536:xTQK7WmIiCq85g5iUImO9bDpIaMN3LBX2LY7RZObZUUWaegPYA:JJ7WmIiC1y5iUcDpIaMN3LB8YClUUWae
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhhgpc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbchni32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cehhdkjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gglbfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gqdgom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iebldo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djiqdb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oefjdgjk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pacajg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anogijnb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcdkef32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgdgcfmb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kljdkpfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ieibdnnp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghlfjq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjkkbjln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jeclebja.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcjmmdbf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hoqjqhjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klhgfq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbemboof.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gajqbakc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gncnmane.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eeiheo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhbdleol.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibcphc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgfjggll.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmmcpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cehhdkjf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpidki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmfcop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klecfkff.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfjolf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhhkapeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgghac32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkdmfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfmkbebl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qiioon32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cepipm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ingkdeak.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njnmbk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pblcbn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbkqdepm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nppofado.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efedga32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaagcpdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olbogqoe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Colpld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aoagccfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cchbgi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnibcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgkkmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbchni32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iegeonpc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njbfnjeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppinkcnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppmgfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgaebe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iichjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgngbmjp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndcapd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nknimnap.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbiocd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iichjc32.exe -
Berbew family
-
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
-
Bruteratel family
-
Detect BruteRatel badger 3 IoCs
resource yara_rule behavioral1/files/0x000400000001d3ba-1348.dat family_bruteratel behavioral1/files/0x000400000001de6f-2735.dat family_bruteratel behavioral1/files/0x00030000000208eb-4867.dat family_bruteratel -
Executes dropped EXE 64 IoCs
pid Process 2320 Pifbjn32.exe 2324 Pleofj32.exe 1840 Qiioon32.exe 2772 Qpbglhjq.exe 2776 Qeppdo32.exe 2728 Apedah32.exe 2544 Aebmjo32.exe 3004 Apgagg32.exe 1560 Aaimopli.exe 1644 Ajpepm32.exe 1932 Achjibcl.exe 1608 Afffenbp.exe 1956 Akcomepg.exe 2868 Abmgjo32.exe 2400 Agjobffl.exe 540 Aoagccfn.exe 1920 Aqbdkk32.exe 1976 Bgllgedi.exe 1800 Bnfddp32.exe 2144 Bdqlajbb.exe 2916 Bccmmf32.exe 2104 Bniajoic.exe 3052 Bqgmfkhg.exe 2468 Bgaebe32.exe 780 Bnknoogp.exe 1524 Bqijljfd.exe 868 Bchfhfeh.exe 2096 Bieopm32.exe 2752 Bmpkqklh.exe 2092 Bjdkjpkb.exe 2836 Bkegah32.exe 2540 Cbppnbhm.exe 2660 Cenljmgq.exe 1952 Ckhdggom.exe 2832 Cepipm32.exe 320 Ckjamgmk.exe 1404 Cbdiia32.exe 2848 Cinafkkd.exe 2880 Cjonncab.exe 2420 Cbffoabe.exe 2636 Cchbgi32.exe 1896 Clojhf32.exe 1864 Cnmfdb32.exe 2244 Cegoqlof.exe 1020 Cfhkhd32.exe 2500 Dnpciaef.exe 1760 Dmbcen32.exe 1216 Dcllbhdn.exe 1228 Dhhhbg32.exe 1732 Diidjpbe.exe 2812 Daplkmbg.exe 2804 Dbaice32.exe 2548 Djiqdb32.exe 1880 Dmgmpnhl.exe 2612 Dljmlj32.exe 376 Ddaemh32.exe 772 Dfpaic32.exe 1356 Dinneo32.exe 2444 Dphfbiem.exe 2828 Deenjpcd.exe 2120 Dhckfkbh.exe 1112 Domccejd.exe 1540 Dbiocd32.exe 2160 Eibgpnjk.exe -
Loads dropped DLL 64 IoCs
pid Process 276 8f5d00a69cef43ce300b85873977fefd39223f9b04a60dc5d1cd6fcbb2d6a44bN.exe 276 8f5d00a69cef43ce300b85873977fefd39223f9b04a60dc5d1cd6fcbb2d6a44bN.exe 2320 Pifbjn32.exe 2320 Pifbjn32.exe 2324 Pleofj32.exe 2324 Pleofj32.exe 1840 Qiioon32.exe 1840 Qiioon32.exe 2772 Qpbglhjq.exe 2772 Qpbglhjq.exe 2776 Qeppdo32.exe 2776 Qeppdo32.exe 2728 Apedah32.exe 2728 Apedah32.exe 2544 Aebmjo32.exe 2544 Aebmjo32.exe 3004 Apgagg32.exe 3004 Apgagg32.exe 1560 Aaimopli.exe 1560 Aaimopli.exe 1644 Ajpepm32.exe 1644 Ajpepm32.exe 1932 Achjibcl.exe 1932 Achjibcl.exe 1608 Afffenbp.exe 1608 Afffenbp.exe 1956 Akcomepg.exe 1956 Akcomepg.exe 2868 Abmgjo32.exe 2868 Abmgjo32.exe 2400 Agjobffl.exe 2400 Agjobffl.exe 540 Aoagccfn.exe 540 Aoagccfn.exe 1920 Aqbdkk32.exe 1920 Aqbdkk32.exe 1976 Bgllgedi.exe 1976 Bgllgedi.exe 1800 Bnfddp32.exe 1800 Bnfddp32.exe 2144 Bdqlajbb.exe 2144 Bdqlajbb.exe 2916 Bccmmf32.exe 2916 Bccmmf32.exe 2104 Bniajoic.exe 2104 Bniajoic.exe 3052 Bqgmfkhg.exe 3052 Bqgmfkhg.exe 2468 Bgaebe32.exe 2468 Bgaebe32.exe 780 Bnknoogp.exe 780 Bnknoogp.exe 1524 Bqijljfd.exe 1524 Bqijljfd.exe 868 Bchfhfeh.exe 868 Bchfhfeh.exe 2096 Bieopm32.exe 2096 Bieopm32.exe 2752 Bmpkqklh.exe 2752 Bmpkqklh.exe 2092 Bjdkjpkb.exe 2092 Bjdkjpkb.exe 2836 Bkegah32.exe 2836 Bkegah32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Oabhggjd.dll Bqgmfkhg.exe File created C:\Windows\SysWOW64\Pgejcl32.dll Hjohmbpd.exe File opened for modification C:\Windows\SysWOW64\Eoblnd32.exe Elcpbigl.exe File opened for modification C:\Windows\SysWOW64\Nlilqbgp.exe Nijpdfhm.exe File created C:\Windows\SysWOW64\Aaqbpk32.dll Jpgmpk32.exe File created C:\Windows\SysWOW64\Khnapkjg.exe Kpgionie.exe File created C:\Windows\SysWOW64\Gefmcp32.exe Gajqbakc.exe File created C:\Windows\SysWOW64\Hqkmplen.exe Hnmacpfj.exe File created C:\Windows\SysWOW64\Hnmacpfj.exe Hffibceh.exe File created C:\Windows\SysWOW64\Cegfepjn.dll Kdmban32.exe File created C:\Windows\SysWOW64\Klcjnl32.dll Ohbikbkb.exe File created C:\Windows\SysWOW64\Jagkpl32.dll Fgfdie32.exe File created C:\Windows\SysWOW64\Cillnojb.dll Fhljkm32.exe File opened for modification C:\Windows\SysWOW64\Gdcjpncm.exe Fnibcd32.exe File created C:\Windows\SysWOW64\Baefnmml.exe Bcbfbp32.exe File created C:\Windows\SysWOW64\Emoldlmc.exe Efedga32.exe File opened for modification C:\Windows\SysWOW64\Akcomepg.exe Afffenbp.exe File created C:\Windows\SysWOW64\Ehnfpifm.exe Eeojcmfi.exe File created C:\Windows\SysWOW64\Hkahgk32.exe Hiclkp32.exe File created C:\Windows\SysWOW64\Aebmjo32.exe Apedah32.exe File created C:\Windows\SysWOW64\Fkkfgi32.exe Fhljkm32.exe File created C:\Windows\SysWOW64\Gckobc32.dll Gqdgom32.exe File opened for modification C:\Windows\SysWOW64\Khadpa32.exe Kechdf32.exe File opened for modification C:\Windows\SysWOW64\Lgpdglhn.exe Lcdhgn32.exe File opened for modification C:\Windows\SysWOW64\Ojeobm32.exe Olbogqoe.exe File opened for modification C:\Windows\SysWOW64\Dljmlj32.exe Dmgmpnhl.exe File opened for modification C:\Windows\SysWOW64\Hfbcidmk.exe Hcdgmimg.exe File opened for modification C:\Windows\SysWOW64\Eppefg32.exe Eldiehbk.exe File created C:\Windows\SysWOW64\Nbhebh32.dll Hcjilgdb.exe File created C:\Windows\SysWOW64\Gkddco32.dll Inojhc32.exe File opened for modification C:\Windows\SysWOW64\Jdhifooi.exe Jajmjcoe.exe File opened for modification C:\Windows\SysWOW64\Afliclij.exe Aobpfb32.exe File created C:\Windows\SysWOW64\Qaamhelq.dll Lcmklh32.exe File created C:\Windows\SysWOW64\Qiflohqk.exe Qejpoi32.exe File opened for modification C:\Windows\SysWOW64\Achjibcl.exe Ajpepm32.exe File created C:\Windows\SysWOW64\Igiani32.dll Ggdcbi32.exe File opened for modification C:\Windows\SysWOW64\Gckdgjeb.exe Gqlhkofn.exe File created C:\Windows\SysWOW64\Gblakg32.dll Hkahgk32.exe File opened for modification C:\Windows\SysWOW64\Fhgppnan.exe Fiepea32.exe File opened for modification C:\Windows\SysWOW64\Omhhke32.exe Ncpdbohb.exe File created C:\Windows\SysWOW64\Iffhohhi.dll Fakdcnhh.exe File created C:\Windows\SysWOW64\Hkjkle32.exe Hgnokgcc.exe File opened for modification C:\Windows\SysWOW64\Iejiodbl.exe Ifgicg32.exe File created C:\Windows\SysWOW64\Nijpdfhm.exe Njgpij32.exe File opened for modification C:\Windows\SysWOW64\Pfpibn32.exe Pbemboof.exe File opened for modification C:\Windows\SysWOW64\Bnlgbnbp.exe Blkjkflb.exe File created C:\Windows\SysWOW64\Jnokbe32.dll Dmkcil32.exe File opened for modification C:\Windows\SysWOW64\Flnlkgjq.exe Feddombd.exe File opened for modification C:\Windows\SysWOW64\Apgagg32.exe Aebmjo32.exe File opened for modification C:\Windows\SysWOW64\Epeekmjk.exe Emgioakg.exe File opened for modification C:\Windows\SysWOW64\Kijkje32.exe Kdmban32.exe File opened for modification C:\Windows\SysWOW64\Injqmdki.exe Ikldqile.exe File created C:\Windows\SysWOW64\Codebccd.dll Qemldifo.exe File created C:\Windows\SysWOW64\Cdmepgce.exe Cmfmojcb.exe File created C:\Windows\SysWOW64\Klecfkff.exe Kdnkdmec.exe File created C:\Windows\SysWOW64\Ljnfmlph.dll Jcnoejch.exe File opened for modification C:\Windows\SysWOW64\Jkbaci32.exe Jdhifooi.exe File opened for modification C:\Windows\SysWOW64\Ikjhki32.exe Iikkon32.exe File opened for modification C:\Windows\SysWOW64\Pioeoi32.exe Pfpibn32.exe File opened for modification C:\Windows\SysWOW64\Ikfbbjdj.exe Hcojam32.exe File created C:\Windows\SysWOW64\Lnhjhg32.dll Boemlbpk.exe File opened for modification C:\Windows\SysWOW64\Dahkok32.exe Dnjoco32.exe File created C:\Windows\SysWOW64\Pjihmmbk.exe Phklaacg.exe File opened for modification C:\Windows\SysWOW64\Pacajg32.exe Pmhejhao.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6248 6224 WerFault.exe 588 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnqjnhge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glbaei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmgmpnhl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifpcchai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ichmgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppinkcnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnapnm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deakjjbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emdeok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgaebe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fckhhgcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epeekmjk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hiclkp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgpdglhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhbdleol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkjkle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inhdgdmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pleofj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cchbgi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Famaimfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnmiag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljldnhid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iikkon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcnoejch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keqkofno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljigih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqdgom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqgmfkhg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Giaidnkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdnkdmec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dadbdkld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnmacpfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cegoqlof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkfclo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjedmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Giolnomh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fiepea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdecea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akpkmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eeojcmfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dphfbiem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnchhllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcdhgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qlfdac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eafkhn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmhkin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eibgpnjk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbnmienj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koipglep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfjkdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjhabndo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gecpnp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkcekfad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jimdcqom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcciqi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhgppnan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piabdiep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkielpdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Loaokjjg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdcpkp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoqjqhjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndfnecgp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aacmij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcbnpgkh.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hofngkga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqaegjop.dll" Agjobffl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnfak32.dll" Lhhkapeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgngbmjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codebccd.dll" Qemldifo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpbnjjkm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifgicg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkbaci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aodcbn32.dll" Ndcapd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aacmij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Agglbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmfpmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oalkih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hagojlib.dll" Qkghgpfi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eibgpnjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Imaapa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jefndikl.dll" Cgidfcdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljamki32.dll" Qpbglhjq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpcoeb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odkgec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Blkjkflb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Difqji32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnmiag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dnpciaef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfffifgk.dll" Jhjbqo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eknpadcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgejcl32.dll" Hjohmbpd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfjolf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgngbmjp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mdadjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnchhllf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmmdin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmeedp32.dll" Jfmkbebl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gjbpne32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndfnecgp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnochnpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihkhkcdl.dll" Bniajoic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajaclncd.dll" Cenljmgq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccdbdc32.dll" Edcnakpa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdjqamme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpopbabj.dll" Hbnmienj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qkghgpfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbdhhp32.dll" Koflgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gahjmjal.dll" Ichmgl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oalkih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Agpeaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Blfapfpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebepdj32.dll" Eknpadcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" 8f5d00a69cef43ce300b85873977fefd39223f9b04a60dc5d1cd6fcbb2d6a44bN.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pijjilik.dll" Bieopm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lkbmbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gljmpigg.dll" Mfjkdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eppefg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hqkmplen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdmepgce.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Folhgbid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iakino32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fgdgcfmb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhgppnan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gonnhc32.dll" Mflgih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liefaj32.dll" Nppofado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Licpomcb.dll" Ejcmmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jikhnaao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmbcen32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 276 wrote to memory of 2320 276 8f5d00a69cef43ce300b85873977fefd39223f9b04a60dc5d1cd6fcbb2d6a44bN.exe 31 PID 276 wrote to memory of 2320 276 8f5d00a69cef43ce300b85873977fefd39223f9b04a60dc5d1cd6fcbb2d6a44bN.exe 31 PID 276 wrote to memory of 2320 276 8f5d00a69cef43ce300b85873977fefd39223f9b04a60dc5d1cd6fcbb2d6a44bN.exe 31 PID 276 wrote to memory of 2320 276 8f5d00a69cef43ce300b85873977fefd39223f9b04a60dc5d1cd6fcbb2d6a44bN.exe 31 PID 2320 wrote to memory of 2324 2320 Pifbjn32.exe 32 PID 2320 wrote to memory of 2324 2320 Pifbjn32.exe 32 PID 2320 wrote to memory of 2324 2320 Pifbjn32.exe 32 PID 2320 wrote to memory of 2324 2320 Pifbjn32.exe 32 PID 2324 wrote to memory of 1840 2324 Pleofj32.exe 33 PID 2324 wrote to memory of 1840 2324 Pleofj32.exe 33 PID 2324 wrote to memory of 1840 2324 Pleofj32.exe 33 PID 2324 wrote to memory of 1840 2324 Pleofj32.exe 33 PID 1840 wrote to memory of 2772 1840 Qiioon32.exe 34 PID 1840 wrote to memory of 2772 1840 Qiioon32.exe 34 PID 1840 wrote to memory of 2772 1840 Qiioon32.exe 34 PID 1840 wrote to memory of 2772 1840 Qiioon32.exe 34 PID 2772 wrote to memory of 2776 2772 Qpbglhjq.exe 35 PID 2772 wrote to memory of 2776 2772 Qpbglhjq.exe 35 PID 2772 wrote to memory of 2776 2772 Qpbglhjq.exe 35 PID 2772 wrote to memory of 2776 2772 Qpbglhjq.exe 35 PID 2776 wrote to memory of 2728 2776 Qeppdo32.exe 36 PID 2776 wrote to memory of 2728 2776 Qeppdo32.exe 36 PID 2776 wrote to memory of 2728 2776 Qeppdo32.exe 36 PID 2776 wrote to memory of 2728 2776 Qeppdo32.exe 36 PID 2728 wrote to memory of 2544 2728 Apedah32.exe 37 PID 2728 wrote to memory of 2544 2728 Apedah32.exe 37 PID 2728 wrote to memory of 2544 2728 Apedah32.exe 37 PID 2728 wrote to memory of 2544 2728 Apedah32.exe 37 PID 2544 wrote to memory of 3004 2544 Aebmjo32.exe 38 PID 2544 wrote to memory of 3004 2544 Aebmjo32.exe 38 PID 2544 wrote to memory of 3004 2544 Aebmjo32.exe 38 PID 2544 wrote to memory of 3004 2544 Aebmjo32.exe 38 PID 3004 wrote to memory of 1560 3004 Apgagg32.exe 39 PID 3004 wrote to memory of 1560 3004 Apgagg32.exe 39 PID 3004 wrote to memory of 1560 3004 Apgagg32.exe 39 PID 3004 wrote to memory of 1560 3004 Apgagg32.exe 39 PID 1560 wrote to memory of 1644 1560 Aaimopli.exe 40 PID 1560 wrote to memory of 1644 1560 Aaimopli.exe 40 PID 1560 wrote to memory of 1644 1560 Aaimopli.exe 40 PID 1560 wrote to memory of 1644 1560 Aaimopli.exe 40 PID 1644 wrote to memory of 1932 1644 Ajpepm32.exe 41 PID 1644 wrote to memory of 1932 1644 Ajpepm32.exe 41 PID 1644 wrote to memory of 1932 1644 Ajpepm32.exe 41 PID 1644 wrote to memory of 1932 1644 Ajpepm32.exe 41 PID 1932 wrote to memory of 1608 1932 Achjibcl.exe 42 PID 1932 wrote to memory of 1608 1932 Achjibcl.exe 42 PID 1932 wrote to memory of 1608 1932 Achjibcl.exe 42 PID 1932 wrote to memory of 1608 1932 Achjibcl.exe 42 PID 1608 wrote to memory of 1956 1608 Afffenbp.exe 43 PID 1608 wrote to memory of 1956 1608 Afffenbp.exe 43 PID 1608 wrote to memory of 1956 1608 Afffenbp.exe 43 PID 1608 wrote to memory of 1956 1608 Afffenbp.exe 43 PID 1956 wrote to memory of 2868 1956 Akcomepg.exe 44 PID 1956 wrote to memory of 2868 1956 Akcomepg.exe 44 PID 1956 wrote to memory of 2868 1956 Akcomepg.exe 44 PID 1956 wrote to memory of 2868 1956 Akcomepg.exe 44 PID 2868 wrote to memory of 2400 2868 Abmgjo32.exe 45 PID 2868 wrote to memory of 2400 2868 Abmgjo32.exe 45 PID 2868 wrote to memory of 2400 2868 Abmgjo32.exe 45 PID 2868 wrote to memory of 2400 2868 Abmgjo32.exe 45 PID 2400 wrote to memory of 540 2400 Agjobffl.exe 46 PID 2400 wrote to memory of 540 2400 Agjobffl.exe 46 PID 2400 wrote to memory of 540 2400 Agjobffl.exe 46 PID 2400 wrote to memory of 540 2400 Agjobffl.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\8f5d00a69cef43ce300b85873977fefd39223f9b04a60dc5d1cd6fcbb2d6a44bN.exe"C:\Users\Admin\AppData\Local\Temp\8f5d00a69cef43ce300b85873977fefd39223f9b04a60dc5d1cd6fcbb2d6a44bN.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:276 -
C:\Windows\SysWOW64\Pifbjn32.exeC:\Windows\system32\Pifbjn32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Windows\SysWOW64\Pleofj32.exeC:\Windows\system32\Pleofj32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\SysWOW64\Qiioon32.exeC:\Windows\system32\Qiioon32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1840 -
C:\Windows\SysWOW64\Qpbglhjq.exeC:\Windows\system32\Qpbglhjq.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Qeppdo32.exeC:\Windows\system32\Qeppdo32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\Apedah32.exeC:\Windows\system32\Apedah32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Aebmjo32.exeC:\Windows\system32\Aebmjo32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\Apgagg32.exeC:\Windows\system32\Apgagg32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\SysWOW64\Aaimopli.exeC:\Windows\system32\Aaimopli.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1560 -
C:\Windows\SysWOW64\Ajpepm32.exeC:\Windows\system32\Ajpepm32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Windows\SysWOW64\Achjibcl.exeC:\Windows\system32\Achjibcl.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1932 -
C:\Windows\SysWOW64\Afffenbp.exeC:\Windows\system32\Afffenbp.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1608 -
C:\Windows\SysWOW64\Akcomepg.exeC:\Windows\system32\Akcomepg.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Windows\SysWOW64\Abmgjo32.exeC:\Windows\system32\Abmgjo32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Agjobffl.exeC:\Windows\system32\Agjobffl.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\SysWOW64\Aoagccfn.exeC:\Windows\system32\Aoagccfn.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:540 -
C:\Windows\SysWOW64\Aqbdkk32.exeC:\Windows\system32\Aqbdkk32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1920 -
C:\Windows\SysWOW64\Bgllgedi.exeC:\Windows\system32\Bgllgedi.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1976 -
C:\Windows\SysWOW64\Bnfddp32.exeC:\Windows\system32\Bnfddp32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1800 -
C:\Windows\SysWOW64\Bdqlajbb.exeC:\Windows\system32\Bdqlajbb.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2144 -
C:\Windows\SysWOW64\Bccmmf32.exeC:\Windows\system32\Bccmmf32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2916 -
C:\Windows\SysWOW64\Bniajoic.exeC:\Windows\system32\Bniajoic.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2104 -
C:\Windows\SysWOW64\Bqgmfkhg.exeC:\Windows\system32\Bqgmfkhg.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3052 -
C:\Windows\SysWOW64\Bgaebe32.exeC:\Windows\system32\Bgaebe32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2468 -
C:\Windows\SysWOW64\Bnknoogp.exeC:\Windows\system32\Bnknoogp.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:780 -
C:\Windows\SysWOW64\Bqijljfd.exeC:\Windows\system32\Bqijljfd.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1524 -
C:\Windows\SysWOW64\Bchfhfeh.exeC:\Windows\system32\Bchfhfeh.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:868 -
C:\Windows\SysWOW64\Bieopm32.exeC:\Windows\system32\Bieopm32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2096 -
C:\Windows\SysWOW64\Bmpkqklh.exeC:\Windows\system32\Bmpkqklh.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2752 -
C:\Windows\SysWOW64\Bjdkjpkb.exeC:\Windows\system32\Bjdkjpkb.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2092 -
C:\Windows\SysWOW64\Bkegah32.exeC:\Windows\system32\Bkegah32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2836 -
C:\Windows\SysWOW64\Cbppnbhm.exeC:\Windows\system32\Cbppnbhm.exe33⤵
- Executes dropped EXE
PID:2540 -
C:\Windows\SysWOW64\Cenljmgq.exeC:\Windows\system32\Cenljmgq.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:2660 -
C:\Windows\SysWOW64\Ckhdggom.exeC:\Windows\system32\Ckhdggom.exe35⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Cepipm32.exeC:\Windows\system32\Cepipm32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Ckjamgmk.exeC:\Windows\system32\Ckjamgmk.exe37⤵
- Executes dropped EXE
PID:320 -
C:\Windows\SysWOW64\Cbdiia32.exeC:\Windows\system32\Cbdiia32.exe38⤵
- Executes dropped EXE
PID:1404 -
C:\Windows\SysWOW64\Cinafkkd.exeC:\Windows\system32\Cinafkkd.exe39⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Cjonncab.exeC:\Windows\system32\Cjonncab.exe40⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Cbffoabe.exeC:\Windows\system32\Cbffoabe.exe41⤵
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Cchbgi32.exeC:\Windows\system32\Cchbgi32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2636 -
C:\Windows\SysWOW64\Clojhf32.exeC:\Windows\system32\Clojhf32.exe43⤵
- Executes dropped EXE
PID:1896 -
C:\Windows\SysWOW64\Cnmfdb32.exeC:\Windows\system32\Cnmfdb32.exe44⤵
- Executes dropped EXE
PID:1864 -
C:\Windows\SysWOW64\Cegoqlof.exeC:\Windows\system32\Cegoqlof.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2244 -
C:\Windows\SysWOW64\Cfhkhd32.exeC:\Windows\system32\Cfhkhd32.exe46⤵
- Executes dropped EXE
PID:1020 -
C:\Windows\SysWOW64\Dnpciaef.exeC:\Windows\system32\Dnpciaef.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:2500 -
C:\Windows\SysWOW64\Dmbcen32.exeC:\Windows\system32\Dmbcen32.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:1760 -
C:\Windows\SysWOW64\Dcllbhdn.exeC:\Windows\system32\Dcllbhdn.exe49⤵
- Executes dropped EXE
PID:1216 -
C:\Windows\SysWOW64\Dhhhbg32.exeC:\Windows\system32\Dhhhbg32.exe50⤵
- Executes dropped EXE
PID:1228 -
C:\Windows\SysWOW64\Diidjpbe.exeC:\Windows\system32\Diidjpbe.exe51⤵
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\Daplkmbg.exeC:\Windows\system32\Daplkmbg.exe52⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Dbaice32.exeC:\Windows\system32\Dbaice32.exe53⤵
- Executes dropped EXE
PID:2804 -
C:\Windows\SysWOW64\Djiqdb32.exeC:\Windows\system32\Djiqdb32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\Dmgmpnhl.exeC:\Windows\system32\Dmgmpnhl.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1880 -
C:\Windows\SysWOW64\Dljmlj32.exeC:\Windows\system32\Dljmlj32.exe56⤵
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Ddaemh32.exeC:\Windows\system32\Ddaemh32.exe57⤵
- Executes dropped EXE
PID:376 -
C:\Windows\SysWOW64\Dfpaic32.exeC:\Windows\system32\Dfpaic32.exe58⤵
- Executes dropped EXE
PID:772 -
C:\Windows\SysWOW64\Dinneo32.exeC:\Windows\system32\Dinneo32.exe59⤵
- Executes dropped EXE
PID:1356 -
C:\Windows\SysWOW64\Dphfbiem.exeC:\Windows\system32\Dphfbiem.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2444 -
C:\Windows\SysWOW64\Deenjpcd.exeC:\Windows\system32\Deenjpcd.exe61⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Dhckfkbh.exeC:\Windows\system32\Dhckfkbh.exe62⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Domccejd.exeC:\Windows\system32\Domccejd.exe63⤵
- Executes dropped EXE
PID:1112 -
C:\Windows\SysWOW64\Dbiocd32.exeC:\Windows\system32\Dbiocd32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1540 -
C:\Windows\SysWOW64\Eibgpnjk.exeC:\Windows\system32\Eibgpnjk.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2160 -
C:\Windows\SysWOW64\Elacliin.exeC:\Windows\system32\Elacliin.exe66⤵PID:2188
-
C:\Windows\SysWOW64\Ebklic32.exeC:\Windows\system32\Ebklic32.exe67⤵PID:884
-
C:\Windows\SysWOW64\Eeiheo32.exeC:\Windows\system32\Eeiheo32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2056 -
C:\Windows\SysWOW64\Elcpbigl.exeC:\Windows\system32\Elcpbigl.exe69⤵
- Drops file in System32 directory
PID:352 -
C:\Windows\SysWOW64\Eoblnd32.exeC:\Windows\system32\Eoblnd32.exe70⤵PID:1868
-
C:\Windows\SysWOW64\Eaphjp32.exeC:\Windows\system32\Eaphjp32.exe71⤵PID:2692
-
C:\Windows\SysWOW64\Eeldkonl.exeC:\Windows\system32\Eeldkonl.exe72⤵PID:2720
-
C:\Windows\SysWOW64\Eodicd32.exeC:\Windows\system32\Eodicd32.exe73⤵PID:2596
-
C:\Windows\SysWOW64\Emgioakg.exeC:\Windows\system32\Emgioakg.exe74⤵
- Drops file in System32 directory
PID:1780 -
C:\Windows\SysWOW64\Epeekmjk.exeC:\Windows\system32\Epeekmjk.exe75⤵
- System Location Discovery: System Language Discovery
PID:3012 -
C:\Windows\SysWOW64\Egonhf32.exeC:\Windows\system32\Egonhf32.exe76⤵PID:1620
-
C:\Windows\SysWOW64\Emifeqid.exeC:\Windows\system32\Emifeqid.exe77⤵PID:1516
-
C:\Windows\SysWOW64\Edcnakpa.exeC:\Windows\system32\Edcnakpa.exe78⤵
- Modifies registry class
PID:2884 -
C:\Windows\SysWOW64\Egajnfoe.exeC:\Windows\system32\Egajnfoe.exe79⤵PID:2860
-
C:\Windows\SysWOW64\Eipgjaoi.exeC:\Windows\system32\Eipgjaoi.exe80⤵PID:2520
-
C:\Windows\SysWOW64\Flocfmnl.exeC:\Windows\system32\Flocfmnl.exe81⤵PID:572
-
C:\Windows\SysWOW64\Fpjofl32.exeC:\Windows\system32\Fpjofl32.exe82⤵PID:1596
-
C:\Windows\SysWOW64\Fgdgcfmb.exeC:\Windows\system32\Fgdgcfmb.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2380 -
C:\Windows\SysWOW64\Feggob32.exeC:\Windows\system32\Feggob32.exe84⤵PID:2944
-
C:\Windows\SysWOW64\Flapkmlj.exeC:\Windows\system32\Flapkmlj.exe85⤵PID:2300
-
C:\Windows\SysWOW64\Fplllkdc.exeC:\Windows\system32\Fplllkdc.exe86⤵PID:2992
-
C:\Windows\SysWOW64\Fckhhgcf.exeC:\Windows\system32\Fckhhgcf.exe87⤵
- System Location Discovery: System Language Discovery
PID:2756 -
C:\Windows\SysWOW64\Fgfdie32.exeC:\Windows\system32\Fgfdie32.exe88⤵
- Drops file in System32 directory
PID:2908 -
C:\Windows\SysWOW64\Fiepea32.exeC:\Windows\system32\Fiepea32.exe89⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2712 -
C:\Windows\SysWOW64\Fhgppnan.exeC:\Windows\system32\Fhgppnan.exe90⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1948 -
C:\Windows\SysWOW64\Fcmdnfad.exeC:\Windows\system32\Fcmdnfad.exe91⤵PID:1740
-
C:\Windows\SysWOW64\Fapeic32.exeC:\Windows\system32\Fapeic32.exe92⤵PID:588
-
C:\Windows\SysWOW64\Fkhibino.exeC:\Windows\system32\Fkhibino.exe93⤵PID:1696
-
C:\Windows\SysWOW64\Fodebh32.exeC:\Windows\system32\Fodebh32.exe94⤵PID:1568
-
C:\Windows\SysWOW64\Fennoa32.exeC:\Windows\system32\Fennoa32.exe95⤵PID:2940
-
C:\Windows\SysWOW64\Fhljkm32.exeC:\Windows\system32\Fhljkm32.exe96⤵
- Drops file in System32 directory
PID:704 -
C:\Windows\SysWOW64\Fkkfgi32.exeC:\Windows\system32\Fkkfgi32.exe97⤵PID:1348
-
C:\Windows\SysWOW64\Fnibcd32.exeC:\Windows\system32\Fnibcd32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1724 -
C:\Windows\SysWOW64\Gdcjpncm.exeC:\Windows\system32\Gdcjpncm.exe99⤵PID:3064
-
C:\Windows\SysWOW64\Ghofam32.exeC:\Windows\system32\Ghofam32.exe100⤵PID:2680
-
C:\Windows\SysWOW64\Goiongbc.exeC:\Windows\system32\Goiongbc.exe101⤵PID:2196
-
C:\Windows\SysWOW64\Gnkoid32.exeC:\Windows\system32\Gnkoid32.exe102⤵PID:3000
-
C:\Windows\SysWOW64\Ggdcbi32.exeC:\Windows\system32\Ggdcbi32.exe103⤵
- Drops file in System32 directory
PID:1692 -
C:\Windows\SysWOW64\Gjbpne32.exeC:\Windows\system32\Gjbpne32.exe104⤵
- Modifies registry class
PID:1580 -
C:\Windows\SysWOW64\Gqlhkofn.exeC:\Windows\system32\Gqlhkofn.exe105⤵
- Drops file in System32 directory
PID:2124 -
C:\Windows\SysWOW64\Gckdgjeb.exeC:\Windows\system32\Gckdgjeb.exe106⤵PID:1672
-
C:\Windows\SysWOW64\Gkalhgfd.exeC:\Windows\system32\Gkalhgfd.exe107⤵PID:1756
-
C:\Windows\SysWOW64\Glchpp32.exeC:\Windows\system32\Glchpp32.exe108⤵PID:896
-
C:\Windows\SysWOW64\Gdjqamme.exeC:\Windows\system32\Gdjqamme.exe109⤵
- Modifies registry class
PID:936 -
C:\Windows\SysWOW64\Gghmmilh.exeC:\Windows\system32\Gghmmilh.exe110⤵PID:1652
-
C:\Windows\SysWOW64\Gjgiidkl.exeC:\Windows\system32\Gjgiidkl.exe111⤵PID:2688
-
C:\Windows\SysWOW64\Gqaafn32.exeC:\Windows\system32\Gqaafn32.exe112⤵PID:2820
-
C:\Windows\SysWOW64\Gfnjne32.exeC:\Windows\system32\Gfnjne32.exe113⤵PID:1964
-
C:\Windows\SysWOW64\Ghlfjq32.exeC:\Windows\system32\Ghlfjq32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2716 -
C:\Windows\SysWOW64\Gqcnln32.exeC:\Windows\system32\Gqcnln32.exe115⤵PID:1636
-
C:\Windows\SysWOW64\Hofngkga.exeC:\Windows\system32\Hofngkga.exe116⤵
- Modifies registry class
PID:2900 -
C:\Windows\SysWOW64\Hfpfdeon.exeC:\Windows\system32\Hfpfdeon.exe117⤵PID:2152
-
C:\Windows\SysWOW64\Hinbppna.exeC:\Windows\system32\Hinbppna.exe118⤵PID:2432
-
C:\Windows\SysWOW64\Hkmollme.exeC:\Windows\system32\Hkmollme.exe119⤵PID:2100
-
C:\Windows\SysWOW64\Hcdgmimg.exeC:\Windows\system32\Hcdgmimg.exe120⤵
- Drops file in System32 directory
PID:2344 -
C:\Windows\SysWOW64\Hfbcidmk.exeC:\Windows\system32\Hfbcidmk.exe121⤵PID:2792
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-