Analysis
-
max time kernel
35s -
max time network
21s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
03-11-2024 07:56
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d6280f788a171c9cedb966bd013bf9fbb4c7fb788ea427297e50b8a28bf9f79cN.exe
Resource
win7-20240729-en
windows7-x64
13 signatures
120 seconds
Behavioral task
behavioral2
Sample
d6280f788a171c9cedb966bd013bf9fbb4c7fb788ea427297e50b8a28bf9f79cN.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
14 signatures
120 seconds
General
-
Target
d6280f788a171c9cedb966bd013bf9fbb4c7fb788ea427297e50b8a28bf9f79cN.exe
-
Size
163KB
-
MD5
d4d902ea9a18170bb18541d0e8d91da0
-
SHA1
d83b9e02df07edebac76281df8894fb8732cc317
-
SHA256
d6280f788a171c9cedb966bd013bf9fbb4c7fb788ea427297e50b8a28bf9f79c
-
SHA512
dd33b1e6c5022a9693f26a6a5eb6dc6ce89b9fae50642418dc9eef0b143012663c0070e0988a564f1e511ce7ef0daa4704fb63b9dd12f159aec9941b23683841
-
SSDEEP
1536:PuY2+JZgWsvOIIL0Jfezm1c2g1kbOwplProNVU4qNVUrk/9QbfBr+7GwKrPAsqNy:XTgHWIG82yRgWiwpltOrWKDBr+yJb
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbbcdh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnogmk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdgcnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hedllgjk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dedkbb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbneekan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdgane32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klgpmgod.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhehmkqn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lncjhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pihbbgjj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdlqjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glhhgahg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kppohf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojdlkp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndgdpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plfhdlfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfghagio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhdjdk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmjkbfnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Goekpm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Babbpc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkdkhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekjikadb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfflfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kanfgofa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjngej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncjcnfcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ophanl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpbenpqh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcgpiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcnfjpib.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhekodik.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eibgbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khcdijac.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggeiooea.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oiiilm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdgdlnop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkoodd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jalmcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbnckg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pceqfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amnanefa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddcadd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnneabff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odfjdk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jddbpmpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkemli32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oedqcdim.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmcbbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pejcab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lamkllea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ombhgljn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnopmegg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfmlgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdgcnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gqidme32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lamkllea.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oikeal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emlhfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcfioj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhahcjcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgaqohql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ciknhb32.exe -
Berbew family
-
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
-
Bruteratel family
-
Detect BruteRatel badger 3 IoCs
resource yara_rule behavioral1/files/0x000500000001a5bf-376.dat family_bruteratel behavioral1/files/0x000400000002051b-3924.dat family_bruteratel behavioral1/files/0x0003000000020990-4909.dat family_bruteratel -
Executes dropped EXE 64 IoCs
pid Process 1832 Jddbpmpm.exe 2188 Kjakhcne.exe 2760 Kahciaog.exe 2640 Kfjibdbf.exe 2856 Kfmehdpc.exe 2648 Klfndn32.exe 2224 Kkljfj32.exe 1708 Lbfcbdce.exe 1608 Lkngkj32.exe 1044 Lnopmegg.exe 2920 Lnambeed.exe 1516 Lkemli32.exe 340 Lncjhd32.exe 2040 Ljjjmeie.exe 2436 Mcbofk32.exe 1584 Mkpppmko.exe 1496 Mnaiah32.exe 472 Mlejkl32.exe 1860 Mncfgh32.exe 1004 Nhljpmlm.exe 1540 Nadoiccn.exe 3052 Nmkpnd32.exe 396 Naihdb32.exe 2468 Ndgdpn32.exe 2796 Nidmhd32.exe 2580 Njcibgcf.exe 2828 Odlnkmjg.exe 2948 Olgboogb.exe 2836 Obakli32.exe 2784 Oohlaj32.exe 1640 Oojhfj32.exe 2212 Oedqcdim.exe 2372 Olnipn32.exe 2520 Oefmid32.exe 1504 Pghjqlmi.exe 2664 Pmabmf32.exe 2388 Pdljjplb.exe 2248 Pihbbgjj.exe 2968 Pdngpp32.exe 544 Ppegdapd.exe 272 Peapmhnk.exe 780 Pceqfl32.exe 2276 Phbinc32.exe 2940 Qhdfdb32.exe 2084 Qkcbpn32.exe 1712 Qamjmh32.exe 1800 Qhgbibgg.exe 1256 Ahioobed.exe 2116 Anfggicl.exe 1488 Anhdmh32.exe 2816 Acemeo32.exe 2960 Aklefm32.exe 2632 Amnanefa.exe 2616 Adeiobgc.exe 2724 Afffgjma.exe 1444 Ampncd32.exe 2584 Acjfpokk.exe 2876 Bigohejb.exe 1108 Bqngjcje.exe 580 Bfkobj32.exe 1696 Biikne32.exe 2152 Bcopkn32.exe 2080 Bfmlgi32.exe 1532 Bkjdpp32.exe -
Loads dropped DLL 64 IoCs
pid Process 2540 d6280f788a171c9cedb966bd013bf9fbb4c7fb788ea427297e50b8a28bf9f79cN.exe 2540 d6280f788a171c9cedb966bd013bf9fbb4c7fb788ea427297e50b8a28bf9f79cN.exe 1832 Jddbpmpm.exe 1832 Jddbpmpm.exe 2188 Kjakhcne.exe 2188 Kjakhcne.exe 2760 Kahciaog.exe 2760 Kahciaog.exe 2640 Kfjibdbf.exe 2640 Kfjibdbf.exe 2856 Kfmehdpc.exe 2856 Kfmehdpc.exe 2648 Klfndn32.exe 2648 Klfndn32.exe 2224 Kkljfj32.exe 2224 Kkljfj32.exe 1708 Lbfcbdce.exe 1708 Lbfcbdce.exe 1608 Lkngkj32.exe 1608 Lkngkj32.exe 1044 Lnopmegg.exe 1044 Lnopmegg.exe 2920 Lnambeed.exe 2920 Lnambeed.exe 1516 Lkemli32.exe 1516 Lkemli32.exe 340 Lncjhd32.exe 340 Lncjhd32.exe 2040 Ljjjmeie.exe 2040 Ljjjmeie.exe 2436 Mcbofk32.exe 2436 Mcbofk32.exe 1584 Mkpppmko.exe 1584 Mkpppmko.exe 1496 Mnaiah32.exe 1496 Mnaiah32.exe 472 Mlejkl32.exe 472 Mlejkl32.exe 1860 Mncfgh32.exe 1860 Mncfgh32.exe 1004 Nhljpmlm.exe 1004 Nhljpmlm.exe 1540 Nadoiccn.exe 1540 Nadoiccn.exe 3052 Nmkpnd32.exe 3052 Nmkpnd32.exe 396 Naihdb32.exe 396 Naihdb32.exe 2468 Ndgdpn32.exe 2468 Ndgdpn32.exe 2796 Nidmhd32.exe 2796 Nidmhd32.exe 2580 Njcibgcf.exe 2580 Njcibgcf.exe 2828 Odlnkmjg.exe 2828 Odlnkmjg.exe 2948 Olgboogb.exe 2948 Olgboogb.exe 2836 Obakli32.exe 2836 Obakli32.exe 2784 Oohlaj32.exe 2784 Oohlaj32.exe 1640 Oojhfj32.exe 1640 Oojhfj32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Gijfeqbn.dll Pfjiod32.exe File opened for modification C:\Windows\SysWOW64\Peapmhnk.exe Ppegdapd.exe File opened for modification C:\Windows\SysWOW64\Cbcikn32.exe Cabldeik.exe File created C:\Windows\SysWOW64\Mjkckf32.dll Anngkg32.exe File created C:\Windows\SysWOW64\Ckmbcq32.dll Fondonbc.exe File created C:\Windows\SysWOW64\Hfiofefm.exe Hkdkhl32.exe File opened for modification C:\Windows\SysWOW64\Mjofanld.exe Mlkegimk.exe File created C:\Windows\SysWOW64\Gadllf32.dll Degqka32.exe File opened for modification C:\Windows\SysWOW64\Lphlck32.exe Ljndga32.exe File created C:\Windows\SysWOW64\Jhenkpja.dll Cifdmbib.exe File created C:\Windows\SysWOW64\Dpolmb32.dll Eecgafkj.exe File created C:\Windows\SysWOW64\Bllndljk.dll Njmejaqb.exe File created C:\Windows\SysWOW64\Npdlphmj.dll Gnbelong.exe File created C:\Windows\SysWOW64\Nnkekfkd.exe Nmjicn32.exe File created C:\Windows\SysWOW64\Deacbgdc.dll Cmapna32.exe File created C:\Windows\SysWOW64\Mliibj32.exe Mjkmfn32.exe File created C:\Windows\SysWOW64\Bichcm32.dll Iimhfj32.exe File created C:\Windows\SysWOW64\Agakog32.exe Aadbfp32.exe File opened for modification C:\Windows\SysWOW64\Blcmbmip.exe Bjdqfajl.exe File created C:\Windows\SysWOW64\Lpbmcd32.dll Faljqcmk.exe File created C:\Windows\SysWOW64\Fehldloe.dll Ampncd32.exe File created C:\Windows\SysWOW64\Ebhkaa32.dll Bfmlgi32.exe File opened for modification C:\Windows\SysWOW64\Fkapkq32.exe Fdggofgn.exe File created C:\Windows\SysWOW64\Moedaakj.dll Mpaoojjb.exe File created C:\Windows\SysWOW64\Klgpmgod.exe Kihcakpa.exe File created C:\Windows\SysWOW64\Jbdlphnb.dll Dpmeij32.exe File created C:\Windows\SysWOW64\Bbfibj32.exe Bphmfo32.exe File created C:\Windows\SysWOW64\Khpaidpk.exe Jafilj32.exe File created C:\Windows\SysWOW64\Bigohejb.exe Acjfpokk.exe File opened for modification C:\Windows\SysWOW64\Fejjah32.exe Fclmem32.exe File opened for modification C:\Windows\SysWOW64\Dendcg32.exe Dodlfmlb.exe File created C:\Windows\SysWOW64\Ecdofe32.dll Bdoeipjh.exe File created C:\Windows\SysWOW64\Obmmfhbc.dll Dlifcqfl.exe File created C:\Windows\SysWOW64\Dkfdpa32.dll Mjofanld.exe File created C:\Windows\SysWOW64\Foidii32.exe Fholmo32.exe File created C:\Windows\SysWOW64\Lnicncli.dll Hdapggln.exe File opened for modification C:\Windows\SysWOW64\Jekoljgo.exe Jaoblk32.exe File created C:\Windows\SysWOW64\Qgbbec32.dll Pknakhig.exe File created C:\Windows\SysWOW64\Dpeack32.dll Ojdlkp32.exe File created C:\Windows\SysWOW64\Djpmocdn.dll Lamkllea.exe File created C:\Windows\SysWOW64\Koehka32.dll Hkiknb32.exe File created C:\Windows\SysWOW64\Jeiiaq32.dll Oefmid32.exe File created C:\Windows\SysWOW64\Kpaihe32.dll Mnneabff.exe File created C:\Windows\SysWOW64\Mmcbbo32.exe Mgfjjh32.exe File created C:\Windows\SysWOW64\Llcppm32.dll Hobcok32.exe File created C:\Windows\SysWOW64\Ddcadd32.exe Dmiihjak.exe File opened for modification C:\Windows\SysWOW64\Gocnjn32.exe Fhifmcfa.exe File created C:\Windows\SysWOW64\Giadfimp.dll Fkpeojha.exe File created C:\Windows\SysWOW64\Gppoqa32.dll Npkaei32.exe File created C:\Windows\SysWOW64\Hdcedhee.dll Ahoamplo.exe File opened for modification C:\Windows\SysWOW64\Nmkbfmpf.exe Njmejaqb.exe File created C:\Windows\SysWOW64\Mkdfpb32.dll Cabldeik.exe File opened for modification C:\Windows\SysWOW64\Gcocnk32.exe Fangfcki.exe File created C:\Windows\SysWOW64\Odlnkmjg.exe Njcibgcf.exe File created C:\Windows\SysWOW64\Olnipn32.exe Oedqcdim.exe File opened for modification C:\Windows\SysWOW64\Dbcnpk32.exe Dlifcqfl.exe File created C:\Windows\SysWOW64\Bfqaph32.exe Bdoeipjh.exe File created C:\Windows\SysWOW64\Dpbenpqh.exe Dmcibdad.exe File created C:\Windows\SysWOW64\Niqcoabo.dll Fefpfi32.exe File created C:\Windows\SysWOW64\Bipaodah.exe Bbfibj32.exe File created C:\Windows\SysWOW64\Hglahnha.dll Oikeal32.exe File created C:\Windows\SysWOW64\Flingf32.dll Lobbpg32.exe File created C:\Windows\SysWOW64\Jbpfpd32.exe Janihlcf.exe File opened for modification C:\Windows\SysWOW64\Jpfcohfk.exe Jilkbn32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6328 6300 WerFault.exe 616 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcnfjpib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldndng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqambacb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehbcnajn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fejjah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jekoljgo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnmhogjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlfbck32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjieapck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odaqikaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljbmbpkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhegcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Moahdd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnfkefad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elcbmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcmdpcle.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcankb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajpgkb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Echoepmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iamjghnm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndnplk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjhgdqef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjofanld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccakij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdngpp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agakog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkigfdjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnobfn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npfhjifm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gocnjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcgpiq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oiiilm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfbdje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olnipn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cghkepdm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gohqhl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cegbce32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Janihlcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpgieb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ienfml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pknakhig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdbhcfjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oefmid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biikne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekppjmia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkafib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldlghhde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khcdijac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpmeojbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjolpkhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdgane32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mookod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkljfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akbgdkgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfekkgla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cngfqi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoegoqng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhehmkqn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcaghm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phbinc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omlahqeo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gacgli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfqaph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgpnjkgi.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kicnbp32.dll" Dodlfmlb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fphoal32.dll" Moflkfca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Foidii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Obakli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qhdfdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfcgkfo.dll" Mbgela32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cifdmbib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpbenpqh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fclmem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bllndljk.dll" Njmejaqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njcibgcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jafilj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Faljqcmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdekigip.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnneabff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mimbabic.dll" Dfegjknm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emqfen32.dll" Qamleagn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hngngo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmabknal.dll" Flphccbp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Peapmhnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bphmfo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmiihjak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ognoodja.dll" Acnpjj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ncjcnfcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhnfqhnk.dll" Eonhpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hfiofefm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Klfndn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qkcbpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcmapo32.dll" Bjnjfffm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfnife32.dll" Fholmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ggeiooea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdhbhf32.dll" Qpocno32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eonhpk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Egljjmkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnkbglmp.dll" Kidjfl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnkpjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdehgnqc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iioinckp.dll" Ggmldj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbhfgj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddcadd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijenpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkhjcing.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Didgig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmlkhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iimhfj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qkcbpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljlkmo32.dll" Gcgpiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bcopkn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojdlkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oocqlibj.dll" Hjieapck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbkdpgdb.dll" Omjeba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dahobdpe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iapfmg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbfeam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gemfghek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pghjqlmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qajfmbna.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfmbfkhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Babbpc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nadoiccn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nigbpkok.dll" Gccjpb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eecgafkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mlkegimk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ombhgljn.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2540 wrote to memory of 1832 2540 d6280f788a171c9cedb966bd013bf9fbb4c7fb788ea427297e50b8a28bf9f79cN.exe 29 PID 2540 wrote to memory of 1832 2540 d6280f788a171c9cedb966bd013bf9fbb4c7fb788ea427297e50b8a28bf9f79cN.exe 29 PID 2540 wrote to memory of 1832 2540 d6280f788a171c9cedb966bd013bf9fbb4c7fb788ea427297e50b8a28bf9f79cN.exe 29 PID 2540 wrote to memory of 1832 2540 d6280f788a171c9cedb966bd013bf9fbb4c7fb788ea427297e50b8a28bf9f79cN.exe 29 PID 1832 wrote to memory of 2188 1832 Jddbpmpm.exe 30 PID 1832 wrote to memory of 2188 1832 Jddbpmpm.exe 30 PID 1832 wrote to memory of 2188 1832 Jddbpmpm.exe 30 PID 1832 wrote to memory of 2188 1832 Jddbpmpm.exe 30 PID 2188 wrote to memory of 2760 2188 Kjakhcne.exe 31 PID 2188 wrote to memory of 2760 2188 Kjakhcne.exe 31 PID 2188 wrote to memory of 2760 2188 Kjakhcne.exe 31 PID 2188 wrote to memory of 2760 2188 Kjakhcne.exe 31 PID 2760 wrote to memory of 2640 2760 Kahciaog.exe 32 PID 2760 wrote to memory of 2640 2760 Kahciaog.exe 32 PID 2760 wrote to memory of 2640 2760 Kahciaog.exe 32 PID 2760 wrote to memory of 2640 2760 Kahciaog.exe 32 PID 2640 wrote to memory of 2856 2640 Kfjibdbf.exe 33 PID 2640 wrote to memory of 2856 2640 Kfjibdbf.exe 33 PID 2640 wrote to memory of 2856 2640 Kfjibdbf.exe 33 PID 2640 wrote to memory of 2856 2640 Kfjibdbf.exe 33 PID 2856 wrote to memory of 2648 2856 Kfmehdpc.exe 34 PID 2856 wrote to memory of 2648 2856 Kfmehdpc.exe 34 PID 2856 wrote to memory of 2648 2856 Kfmehdpc.exe 34 PID 2856 wrote to memory of 2648 2856 Kfmehdpc.exe 34 PID 2648 wrote to memory of 2224 2648 Klfndn32.exe 35 PID 2648 wrote to memory of 2224 2648 Klfndn32.exe 35 PID 2648 wrote to memory of 2224 2648 Klfndn32.exe 35 PID 2648 wrote to memory of 2224 2648 Klfndn32.exe 35 PID 2224 wrote to memory of 1708 2224 Kkljfj32.exe 36 PID 2224 wrote to memory of 1708 2224 Kkljfj32.exe 36 PID 2224 wrote to memory of 1708 2224 Kkljfj32.exe 36 PID 2224 wrote to memory of 1708 2224 Kkljfj32.exe 36 PID 1708 wrote to memory of 1608 1708 Lbfcbdce.exe 37 PID 1708 wrote to memory of 1608 1708 Lbfcbdce.exe 37 PID 1708 wrote to memory of 1608 1708 Lbfcbdce.exe 37 PID 1708 wrote to memory of 1608 1708 Lbfcbdce.exe 37 PID 1608 wrote to memory of 1044 1608 Lkngkj32.exe 38 PID 1608 wrote to memory of 1044 1608 Lkngkj32.exe 38 PID 1608 wrote to memory of 1044 1608 Lkngkj32.exe 38 PID 1608 wrote to memory of 1044 1608 Lkngkj32.exe 38 PID 1044 wrote to memory of 2920 1044 Lnopmegg.exe 39 PID 1044 wrote to memory of 2920 1044 Lnopmegg.exe 39 PID 1044 wrote to memory of 2920 1044 Lnopmegg.exe 39 PID 1044 wrote to memory of 2920 1044 Lnopmegg.exe 39 PID 2920 wrote to memory of 1516 2920 Lnambeed.exe 40 PID 2920 wrote to memory of 1516 2920 Lnambeed.exe 40 PID 2920 wrote to memory of 1516 2920 Lnambeed.exe 40 PID 2920 wrote to memory of 1516 2920 Lnambeed.exe 40 PID 1516 wrote to memory of 340 1516 Lkemli32.exe 41 PID 1516 wrote to memory of 340 1516 Lkemli32.exe 41 PID 1516 wrote to memory of 340 1516 Lkemli32.exe 41 PID 1516 wrote to memory of 340 1516 Lkemli32.exe 41 PID 340 wrote to memory of 2040 340 Lncjhd32.exe 42 PID 340 wrote to memory of 2040 340 Lncjhd32.exe 42 PID 340 wrote to memory of 2040 340 Lncjhd32.exe 42 PID 340 wrote to memory of 2040 340 Lncjhd32.exe 42 PID 2040 wrote to memory of 2436 2040 Ljjjmeie.exe 43 PID 2040 wrote to memory of 2436 2040 Ljjjmeie.exe 43 PID 2040 wrote to memory of 2436 2040 Ljjjmeie.exe 43 PID 2040 wrote to memory of 2436 2040 Ljjjmeie.exe 43 PID 2436 wrote to memory of 1584 2436 Mcbofk32.exe 44 PID 2436 wrote to memory of 1584 2436 Mcbofk32.exe 44 PID 2436 wrote to memory of 1584 2436 Mcbofk32.exe 44 PID 2436 wrote to memory of 1584 2436 Mcbofk32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\d6280f788a171c9cedb966bd013bf9fbb4c7fb788ea427297e50b8a28bf9f79cN.exe"C:\Users\Admin\AppData\Local\Temp\d6280f788a171c9cedb966bd013bf9fbb4c7fb788ea427297e50b8a28bf9f79cN.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\SysWOW64\Jddbpmpm.exeC:\Windows\system32\Jddbpmpm.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1832 -
C:\Windows\SysWOW64\Kjakhcne.exeC:\Windows\system32\Kjakhcne.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\Kahciaog.exeC:\Windows\system32\Kahciaog.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Kfjibdbf.exeC:\Windows\system32\Kfjibdbf.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Kfmehdpc.exeC:\Windows\system32\Kfmehdpc.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Klfndn32.exeC:\Windows\system32\Klfndn32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Kkljfj32.exeC:\Windows\system32\Kkljfj32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Windows\SysWOW64\Lbfcbdce.exeC:\Windows\system32\Lbfcbdce.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Windows\SysWOW64\Lkngkj32.exeC:\Windows\system32\Lkngkj32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1608 -
C:\Windows\SysWOW64\Lnopmegg.exeC:\Windows\system32\Lnopmegg.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1044 -
C:\Windows\SysWOW64\Lnambeed.exeC:\Windows\system32\Lnambeed.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Lkemli32.exeC:\Windows\system32\Lkemli32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1516 -
C:\Windows\SysWOW64\Lncjhd32.exeC:\Windows\system32\Lncjhd32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:340 -
C:\Windows\SysWOW64\Ljjjmeie.exeC:\Windows\system32\Ljjjmeie.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Windows\SysWOW64\Mcbofk32.exeC:\Windows\system32\Mcbofk32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Windows\SysWOW64\Mkpppmko.exeC:\Windows\system32\Mkpppmko.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1584 -
C:\Windows\SysWOW64\Mnaiah32.exeC:\Windows\system32\Mnaiah32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1496 -
C:\Windows\SysWOW64\Mlejkl32.exeC:\Windows\system32\Mlejkl32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:472 -
C:\Windows\SysWOW64\Mncfgh32.exeC:\Windows\system32\Mncfgh32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1860 -
C:\Windows\SysWOW64\Nhljpmlm.exeC:\Windows\system32\Nhljpmlm.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1004 -
C:\Windows\SysWOW64\Nadoiccn.exeC:\Windows\system32\Nadoiccn.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1540 -
C:\Windows\SysWOW64\Nmkpnd32.exeC:\Windows\system32\Nmkpnd32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3052 -
C:\Windows\SysWOW64\Naihdb32.exeC:\Windows\system32\Naihdb32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:396 -
C:\Windows\SysWOW64\Ndgdpn32.exeC:\Windows\system32\Ndgdpn32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2468 -
C:\Windows\SysWOW64\Nidmhd32.exeC:\Windows\system32\Nidmhd32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2796 -
C:\Windows\SysWOW64\Njcibgcf.exeC:\Windows\system32\Njcibgcf.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2580 -
C:\Windows\SysWOW64\Odlnkmjg.exeC:\Windows\system32\Odlnkmjg.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2828 -
C:\Windows\SysWOW64\Olgboogb.exeC:\Windows\system32\Olgboogb.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2948 -
C:\Windows\SysWOW64\Obakli32.exeC:\Windows\system32\Obakli32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2836 -
C:\Windows\SysWOW64\Oohlaj32.exeC:\Windows\system32\Oohlaj32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2784 -
C:\Windows\SysWOW64\Oojhfj32.exeC:\Windows\system32\Oojhfj32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1640 -
C:\Windows\SysWOW64\Oedqcdim.exeC:\Windows\system32\Oedqcdim.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2212 -
C:\Windows\SysWOW64\Olnipn32.exeC:\Windows\system32\Olnipn32.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2372 -
C:\Windows\SysWOW64\Oefmid32.exeC:\Windows\system32\Oefmid32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2520 -
C:\Windows\SysWOW64\Pghjqlmi.exeC:\Windows\system32\Pghjqlmi.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:1504 -
C:\Windows\SysWOW64\Pmabmf32.exeC:\Windows\system32\Pmabmf32.exe37⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Pdljjplb.exeC:\Windows\system32\Pdljjplb.exe38⤵
- Executes dropped EXE
PID:2388 -
C:\Windows\SysWOW64\Pihbbgjj.exeC:\Windows\system32\Pihbbgjj.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Pdngpp32.exeC:\Windows\system32\Pdngpp32.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2968 -
C:\Windows\SysWOW64\Ppegdapd.exeC:\Windows\system32\Ppegdapd.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:544 -
C:\Windows\SysWOW64\Peapmhnk.exeC:\Windows\system32\Peapmhnk.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:272 -
C:\Windows\SysWOW64\Pceqfl32.exeC:\Windows\system32\Pceqfl32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:780 -
C:\Windows\SysWOW64\Phbinc32.exeC:\Windows\system32\Phbinc32.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2276 -
C:\Windows\SysWOW64\Qhdfdb32.exeC:\Windows\system32\Qhdfdb32.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:2940 -
C:\Windows\SysWOW64\Qkcbpn32.exeC:\Windows\system32\Qkcbpn32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:2084 -
C:\Windows\SysWOW64\Qamjmh32.exeC:\Windows\system32\Qamjmh32.exe47⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Qhgbibgg.exeC:\Windows\system32\Qhgbibgg.exe48⤵
- Executes dropped EXE
PID:1800 -
C:\Windows\SysWOW64\Ahioobed.exeC:\Windows\system32\Ahioobed.exe49⤵
- Executes dropped EXE
PID:1256 -
C:\Windows\SysWOW64\Anfggicl.exeC:\Windows\system32\Anfggicl.exe50⤵
- Executes dropped EXE
PID:2116 -
C:\Windows\SysWOW64\Anhdmh32.exeC:\Windows\system32\Anhdmh32.exe51⤵
- Executes dropped EXE
PID:1488 -
C:\Windows\SysWOW64\Acemeo32.exeC:\Windows\system32\Acemeo32.exe52⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Aklefm32.exeC:\Windows\system32\Aklefm32.exe53⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Amnanefa.exeC:\Windows\system32\Amnanefa.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2632 -
C:\Windows\SysWOW64\Adeiobgc.exeC:\Windows\system32\Adeiobgc.exe55⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Afffgjma.exeC:\Windows\system32\Afffgjma.exe56⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Ampncd32.exeC:\Windows\system32\Ampncd32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1444 -
C:\Windows\SysWOW64\Acjfpokk.exeC:\Windows\system32\Acjfpokk.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2584 -
C:\Windows\SysWOW64\Bigohejb.exeC:\Windows\system32\Bigohejb.exe59⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Bqngjcje.exeC:\Windows\system32\Bqngjcje.exe60⤵
- Executes dropped EXE
PID:1108 -
C:\Windows\SysWOW64\Bfkobj32.exeC:\Windows\system32\Bfkobj32.exe61⤵
- Executes dropped EXE
PID:580 -
C:\Windows\SysWOW64\Biikne32.exeC:\Windows\system32\Biikne32.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1696 -
C:\Windows\SysWOW64\Bcopkn32.exeC:\Windows\system32\Bcopkn32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:2152 -
C:\Windows\SysWOW64\Bfmlgi32.exeC:\Windows\system32\Bfmlgi32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2080 -
C:\Windows\SysWOW64\Bkjdpp32.exeC:\Windows\system32\Bkjdpp32.exe65⤵
- Executes dropped EXE
PID:1532 -
C:\Windows\SysWOW64\Bnhqll32.exeC:\Windows\system32\Bnhqll32.exe66⤵PID:1512
-
C:\Windows\SysWOW64\Bfphmi32.exeC:\Windows\system32\Bfphmi32.exe67⤵PID:796
-
C:\Windows\SysWOW64\Bineidcj.exeC:\Windows\system32\Bineidcj.exe68⤵PID:2328
-
C:\Windows\SysWOW64\Bphmfo32.exeC:\Windows\system32\Bphmfo32.exe69⤵
- Drops file in System32 directory
- Modifies registry class
PID:1996 -
C:\Windows\SysWOW64\Bbfibj32.exeC:\Windows\system32\Bbfibj32.exe70⤵
- Drops file in System32 directory
PID:1600 -
C:\Windows\SysWOW64\Bipaodah.exeC:\Windows\system32\Bipaodah.exe71⤵PID:2200
-
C:\Windows\SysWOW64\Bkonkpqk.exeC:\Windows\system32\Bkonkpqk.exe72⤵PID:2800
-
C:\Windows\SysWOW64\Bbhfgj32.exeC:\Windows\system32\Bbhfgj32.exe73⤵
- Modifies registry class
PID:2804 -
C:\Windows\SysWOW64\Cegbce32.exeC:\Windows\system32\Cegbce32.exe74⤵
- System Location Discovery: System Language Discovery
PID:2088 -
C:\Windows\SysWOW64\Ckajqo32.exeC:\Windows\system32\Ckajqo32.exe75⤵PID:3044
-
C:\Windows\SysWOW64\Cnogmk32.exeC:\Windows\system32\Cnogmk32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1692 -
C:\Windows\SysWOW64\Ceioieei.exeC:\Windows\system32\Ceioieei.exe77⤵PID:2044
-
C:\Windows\SysWOW64\Cghkepdm.exeC:\Windows\system32\Cghkepdm.exe78⤵
- System Location Discovery: System Language Discovery
PID:2028 -
C:\Windows\SysWOW64\Cappnf32.exeC:\Windows\system32\Cappnf32.exe79⤵PID:956
-
C:\Windows\SysWOW64\Ccolja32.exeC:\Windows\system32\Ccolja32.exe80⤵PID:344
-
C:\Windows\SysWOW64\Cjhdgk32.exeC:\Windows\system32\Cjhdgk32.exe81⤵PID:2380
-
C:\Windows\SysWOW64\Cabldeik.exeC:\Windows\system32\Cabldeik.exe82⤵
- Drops file in System32 directory
PID:1508 -
C:\Windows\SysWOW64\Cbcikn32.exeC:\Windows\system32\Cbcikn32.exe83⤵PID:1344
-
C:\Windows\SysWOW64\Cinahhff.exeC:\Windows\system32\Cinahhff.exe84⤵PID:1744
-
C:\Windows\SysWOW64\Cpgieb32.exeC:\Windows\system32\Cpgieb32.exe85⤵
- System Location Discovery: System Language Discovery
PID:2148 -
C:\Windows\SysWOW64\Cbfeam32.exeC:\Windows\system32\Cbfeam32.exe86⤵
- Modifies registry class
PID:1756 -
C:\Windows\SysWOW64\Dmljnfll.exeC:\Windows\system32\Dmljnfll.exe87⤵PID:2756
-
C:\Windows\SysWOW64\Dpjfjalp.exeC:\Windows\system32\Dpjfjalp.exe88⤵PID:2844
-
C:\Windows\SysWOW64\Degobhjg.exeC:\Windows\system32\Degobhjg.exe89⤵PID:1680
-
C:\Windows\SysWOW64\Dhekodik.exeC:\Windows\system32\Dhekodik.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2576 -
C:\Windows\SysWOW64\Dbkolmia.exeC:\Windows\system32\Dbkolmia.exe91⤵PID:2588
-
C:\Windows\SysWOW64\Didgig32.exeC:\Windows\system32\Didgig32.exe92⤵
- Modifies registry class
PID:2928 -
C:\Windows\SysWOW64\Doapanne.exeC:\Windows\system32\Doapanne.exe93⤵PID:500
-
C:\Windows\SysWOW64\Daplmimi.exeC:\Windows\system32\Daplmimi.exe94⤵PID:1764
-
C:\Windows\SysWOW64\Dlepjbmo.exeC:\Windows\system32\Dlepjbmo.exe95⤵PID:936
-
C:\Windows\SysWOW64\Dodlfmlb.exeC:\Windows\system32\Dodlfmlb.exe96⤵
- Drops file in System32 directory
- Modifies registry class
PID:1748 -
C:\Windows\SysWOW64\Dendcg32.exeC:\Windows\system32\Dendcg32.exe97⤵PID:3060
-
C:\Windows\SysWOW64\Dgoakpjn.exeC:\Windows\system32\Dgoakpjn.exe98⤵PID:984
-
C:\Windows\SysWOW64\Dmiihjak.exeC:\Windows\system32\Dmiihjak.exe99⤵
- Drops file in System32 directory
- Modifies registry class
PID:2852 -
C:\Windows\SysWOW64\Ddcadd32.exeC:\Windows\system32\Ddcadd32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2748 -
C:\Windows\SysWOW64\Ekmjanpd.exeC:\Windows\system32\Ekmjanpd.exe101⤵PID:1092
-
C:\Windows\SysWOW64\Eagbnh32.exeC:\Windows\system32\Eagbnh32.exe102⤵PID:1984
-
C:\Windows\SysWOW64\Echoepmo.exeC:\Windows\system32\Echoepmo.exe103⤵
- System Location Discovery: System Language Discovery
PID:3040 -
C:\Windows\SysWOW64\Eibgbj32.exeC:\Windows\system32\Eibgbj32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:988 -
C:\Windows\SysWOW64\Edhkpcdb.exeC:\Windows\system32\Edhkpcdb.exe105⤵PID:2204
-
C:\Windows\SysWOW64\Elcpdeam.exeC:\Windows\system32\Elcpdeam.exe106⤵PID:1648
-
C:\Windows\SysWOW64\Eigpmjqg.exeC:\Windows\system32\Eigpmjqg.exe107⤵PID:684
-
C:\Windows\SysWOW64\Ecodfogg.exeC:\Windows\system32\Ecodfogg.exe108⤵PID:1808
-
C:\Windows\SysWOW64\Ekjikadb.exeC:\Windows\system32\Ekjikadb.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1740 -
C:\Windows\SysWOW64\Fadagl32.exeC:\Windows\system32\Fadagl32.exe110⤵PID:2472
-
C:\Windows\SysWOW64\Fkmfpabp.exeC:\Windows\system32\Fkmfpabp.exe111⤵PID:2320
-
C:\Windows\SysWOW64\Fdekigip.exeC:\Windows\system32\Fdekigip.exe112⤵
- Modifies registry class
PID:2336 -
C:\Windows\SysWOW64\Fkocfa32.exeC:\Windows\system32\Fkocfa32.exe113⤵PID:2352
-
C:\Windows\SysWOW64\Fdggofgn.exeC:\Windows\system32\Fdggofgn.exe114⤵
- Drops file in System32 directory
PID:1816 -
C:\Windows\SysWOW64\Fkapkq32.exeC:\Windows\system32\Fkapkq32.exe115⤵PID:3020
-
C:\Windows\SysWOW64\Fqnhcgma.exeC:\Windows\system32\Fqnhcgma.exe116⤵PID:2720
-
C:\Windows\SysWOW64\Fcmdpcle.exeC:\Windows\system32\Fcmdpcle.exe117⤵
- System Location Discovery: System Language Discovery
PID:2292 -
C:\Windows\SysWOW64\Fdlqjf32.exeC:\Windows\system32\Fdlqjf32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2840 -
C:\Windows\SysWOW64\Gfmmanif.exeC:\Windows\system32\Gfmmanif.exe119⤵PID:1624
-
C:\Windows\SysWOW64\Gmgenh32.exeC:\Windows\system32\Gmgenh32.exe120⤵PID:2416
-
C:\Windows\SysWOW64\Gcankb32.exeC:\Windows\system32\Gcankb32.exe121⤵
- System Location Discovery: System Language Discovery
PID:2488
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-