Analysis
-
max time kernel
93s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
11-11-2024 15:49
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8d0fe03509d4104b0bf8590ba2e0e35f6e2ab46d450db22a1490963425341573N.exe
Resource
win7-20241023-en
windows7-x64
10 signatures
120 seconds
General
-
Target
8d0fe03509d4104b0bf8590ba2e0e35f6e2ab46d450db22a1490963425341573N.exe
-
Size
163KB
-
MD5
74e970f83e973d51f0a9f36014aaae84
-
SHA1
a356bf45a522758f63fb0ca2484294fec6690d2d
-
SHA256
575db22d0765649c8d21ab6bef489a0d46d39c53979d85e4f0c0a863bf0b4268
-
SHA512
7a6edda3a6788a7e8994e0236db74c7e44299beb37d4dc3e41d855ecb8c38c8fa80695d33a4971d628789f2e8b290da943df2b36c86b4048c58422788c51ce4d
-
SSDEEP
1536:Par7wIa9kSyoWLWaCuaZZfbtJDlyplProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVUk:k7nKcoZazUVypltOrWKDBr+yJbk
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Extracted
Family
gozi
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onmfimga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpnjah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epokedmj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Milidebi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnmoijje.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfhndpol.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfbped32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmblagmf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkhngl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddadpdmn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkbjjbda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bahdob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qcnjijoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpiljh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehpadhll.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jddnfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojgjndno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nqmfdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibobdqid.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kiggbhda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmdjapgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enhpao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjaleemj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbqklb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjopcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdfpkm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmaopfjm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgeenfog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lepleocn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cancekeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgeaifia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdbhkk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kilpmh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlolpq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppikbm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qapnmopa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgkkkcbc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncabfkqo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glipgf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnjdpaki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dggbcf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhfpbpdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Indmnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kefdbo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmeede32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhckcgpj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocnabm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pleaoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iqmidndd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qachgk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjffpe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joiccj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpekef32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ophjiaql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nqpcjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkmjaa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpkchqdj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnpabe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plmmif32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjlgdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qhhpop32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qaqegecm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaoaic32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohnebd32.exe -
Berbew family
-
Gozi family
-
Executes dropped EXE 64 IoCs
pid Process 3604 Feapkk32.exe 3836 Fknicb32.exe 4808 Fdfmlhna.exe 4576 Fkqeib32.exe 1192 Fggfnc32.exe 3748 Fehfljca.exe 2940 Fkeodaai.exe 1444 Ghipne32.exe 440 Gaadfkgc.exe 3664 Gkjhoq32.exe 3644 Gdbmhf32.exe 208 Gafmaj32.exe 1728 Gojnko32.exe 3684 Gfdfgiid.exe 4624 Goljqnpd.exe 2200 Hdicienl.exe 592 Hfipbh32.exe 4256 Hhgloc32.exe 3420 Hoadkn32.exe 4160 Hbpphi32.exe 3656 Hfningai.exe 3652 Hfpecg32.exe 932 Iohjlmeg.exe 2924 Ihqoeb32.exe 892 Ibicnh32.exe 1600 Iomcgl32.exe 2936 Ifgldfio.exe 1496 Ioopml32.exe 1436 Ieliebnf.exe 3580 Indmnh32.exe 4360 Igmagnkg.exe 5024 Jkhngl32.exe 2668 Jbbfdfkn.exe 32 Jkkjmlan.exe 700 Jbdbjf32.exe 2912 Jecofa32.exe 1924 Joiccj32.exe 4036 Jfbkpd32.exe 4084 Jgdhgmep.exe 1852 Jpkphjeb.exe 2024 Jkaqnk32.exe 464 Jghabl32.exe 3904 Kldmckic.exe 5080 Kelalp32.exe 2000 Klfjijgq.exe 5052 Knefeffd.exe 4904 Kflnfcgg.exe 2256 Khmknk32.exe 1640 Kimghn32.exe 552 Kpgodhkd.exe 3876 Kechmoil.exe 2528 Kpiljh32.exe 4568 Kefdbo32.exe 4392 Lhdqnj32.exe 4420 Lnnikdnj.exe 2964 Lidmhmnp.exe 4384 Lfhnaa32.exe 2140 Lifjnm32.exe 2496 Lppbkgcj.exe 1340 Lfjjga32.exe 5068 Lhkgoiqe.exe 4116 Lbqklb32.exe 2992 Leoghn32.exe 1472 Lhncdi32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Jcdjbk32.exe Jpenfp32.exe File created C:\Windows\SysWOW64\Cmedjl32.exe Cgklmacf.exe File created C:\Windows\SysWOW64\Oqkclhkh.dll Gdbmhf32.exe File opened for modification C:\Windows\SysWOW64\Bcelmhen.exe Bqfoamfj.exe File created C:\Windows\SysWOW64\Fgeaiknl.dll Kncaec32.exe File opened for modification C:\Windows\SysWOW64\Cibain32.exe Bagmdllg.exe File opened for modification C:\Windows\SysWOW64\Cqpbglno.exe Cmdfgm32.exe File created C:\Windows\SysWOW64\Aiffheej.dll Bhpfqcln.exe File created C:\Windows\SysWOW64\Ifaciolc.dll Enigke32.exe File created C:\Windows\SysWOW64\Kmfpdfnd.dll Fqbliicp.exe File created C:\Windows\SysWOW64\Hejeak32.dll Pmkofa32.exe File created C:\Windows\SysWOW64\Afcmfe32.exe Apjdikqd.exe File created C:\Windows\SysWOW64\Bpcgpihi.exe Bmdkcnie.exe File created C:\Windows\SysWOW64\Gpihol32.dll Fipbdikp.exe File opened for modification C:\Windows\SysWOW64\Qepkbpak.exe Qlggjk32.exe File created C:\Windows\SysWOW64\Pfkbfh32.dll Aefjii32.exe File opened for modification C:\Windows\SysWOW64\Fmmmfj32.exe Fefedmil.exe File created C:\Windows\SysWOW64\Mfnoqc32.exe Mqafhl32.exe File created C:\Windows\SysWOW64\Gbhhlfgd.dll Bahdob32.exe File created C:\Windows\SysWOW64\Qgiiak32.dll Iiopca32.exe File opened for modification C:\Windows\SysWOW64\Pmkofa32.exe Pjlcjf32.exe File opened for modification C:\Windows\SysWOW64\Ajjokd32.exe Aabkbono.exe File created C:\Windows\SysWOW64\Aflaie32.exe Acnemi32.exe File created C:\Windows\SysWOW64\Hfegkoem.dll Qhonib32.exe File created C:\Windows\SysWOW64\Dbilgi32.dll Gmcdffmq.exe File created C:\Windows\SysWOW64\Cpchnbbb.dll Llhikacp.exe File created C:\Windows\SysWOW64\Poajkgnc.exe Plbmokop.exe File opened for modification C:\Windows\SysWOW64\Johggfha.exe Jeocna32.exe File created C:\Windows\SysWOW64\Ghipne32.exe Fkeodaai.exe File created C:\Windows\SysWOW64\Bchace32.dll Lkabjbih.exe File opened for modification C:\Windows\SysWOW64\Gldglf32.exe Gfhndpol.exe File created C:\Windows\SysWOW64\Pdbeojmh.dll Mcelpggq.exe File created C:\Windows\SysWOW64\Dojqjdbl.exe Dhphmj32.exe File created C:\Windows\SysWOW64\Ncbafoge.exe Nmhijd32.exe File opened for modification C:\Windows\SysWOW64\Ioopml32.exe Ifgldfio.exe File created C:\Windows\SysWOW64\Lbqklb32.exe Lhkgoiqe.exe File created C:\Windows\SysWOW64\Niipjj32.exe Mfjcnold.exe File opened for modification C:\Windows\SysWOW64\Ncabfkqo.exe Nmgjia32.exe File created C:\Windows\SysWOW64\Mnhdgpii.exe Mcbpjg32.exe File created C:\Windows\SysWOW64\Dgpeha32.exe Cpfmlghd.exe File created C:\Windows\SysWOW64\Heolpdjf.dll Ibmeoq32.exe File created C:\Windows\SysWOW64\Pmdpecjm.dll Iknmla32.exe File created C:\Windows\SysWOW64\Hojpmg32.dll Paelfmaf.exe File created C:\Windows\SysWOW64\Gqhejb32.dll Gbalopbn.exe File created C:\Windows\SysWOW64\Benibond.dll Jafdcbge.exe File created C:\Windows\SysWOW64\Lehagi32.dll Fgdbnmji.exe File opened for modification C:\Windows\SysWOW64\Gafmaj32.exe Gdbmhf32.exe File created C:\Windows\SysWOW64\Nkpcjeml.dll Dannij32.exe File created C:\Windows\SysWOW64\Epaobqhf.dll Ghkeio32.exe File opened for modification C:\Windows\SysWOW64\Mgclpkac.exe Maiccajf.exe File opened for modification C:\Windows\SysWOW64\Phigif32.exe Palbgl32.exe File created C:\Windows\SysWOW64\Cndeii32.exe Clchbqoo.exe File opened for modification C:\Windows\SysWOW64\Enigke32.exe Eofgpikj.exe File created C:\Windows\SysWOW64\Pjmdlh32.dll Hpiecd32.exe File opened for modification C:\Windows\SysWOW64\Jinboekc.exe Jcdjbk32.exe File created C:\Windows\SysWOW64\Lncmdghm.dll Cgmhcaac.exe File created C:\Windows\SysWOW64\Mpeaedjn.dll Hpbiip32.exe File created C:\Windows\SysWOW64\Lfinqm32.dll Akoqpg32.exe File created C:\Windows\SysWOW64\Ibclmgdb.dll Cfldelik.exe File created C:\Windows\SysWOW64\Mcqjon32.exe Lmgabcge.exe File created C:\Windows\SysWOW64\Lpefcn32.dll Jghpbk32.exe File opened for modification C:\Windows\SysWOW64\Lojmcdgl.exe Lebijnak.exe File created C:\Windows\SysWOW64\Ngaionfl.exe Niniei32.exe File created C:\Windows\SysWOW64\Oohnonij.exe Ohnebd32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7904 3964 WerFault.exe 1004 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbmoen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Maodigil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoalgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eejeiocj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieojgc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pleaoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlkbjqgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knqepc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkhngl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbdbjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmaopfjm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojnblg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqfoamfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjhcjq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fibhpbea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgdhgmep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kechmoil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qlggjk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjmoag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmenca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkaobnio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqbliicp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pblajhje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abfdpfaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kflide32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njhgbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdjblf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbbpmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qepkbpak.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amodep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kilpmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amlogfel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlhkgi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjeiodek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kelalp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbldphde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omopjcjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jppnpjel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqafhl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcbpjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieliebnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plcdiabk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikejgf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbcncibp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngaionfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfmcfp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kclgmq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjahlgpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfhndpol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmgejhgn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igqkqiai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajndioga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlobkg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqhfoebo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goljqnpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iomcgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbgcih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkekjdck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqgedh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbpedjnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnibokbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpclce32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmkofa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpiljh32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llgdkbfj.dll" Noblkqca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqgimkfi.dll" Fineoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hleoiomo.dll" Kclgmq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjepjkhf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kcndbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpefcn32.dll" Jghpbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gfokoelp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onnmdcjm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnjdpaki.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmkigh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpfgmnfp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljeafb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mekgdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdilnojp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ikdcmpnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbiffko.dll" Kcndbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmddqemj.dll" Olfghg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlllhigk.dll" Lcnfohmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fegbnohh.dll" Ljdkll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bphqji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omdieb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kodoah32.dll" Nlhkgi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbbpmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njhgbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmnbfhal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhldbh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aihaoqlp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mqafhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfmlqhcc.dll" Kheekkjl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lebijnak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Defbaa32.dll" Lchfib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfegnkqm.dll" Dokgdkeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckbcpc32.dll" Panhbfep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnjkcfod.dll" Fooclapd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkpcjeml.dll" Dannij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Filiii32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlhkgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkjefc32.dll" Amjillkj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahgcjddh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckkpjkai.dll" Nadleilm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpkknmgd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amlogfel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coffgmig.dll" Glfmgp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjlcjf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knkekn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efepbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbnffffp.dll" Oaqbkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omdppiif.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjkmomfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmhijd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfgcakon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooaafghm.dll" Hlhccj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnelok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mnmmboed.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lchfib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmonnmjm.dll" 8d0fe03509d4104b0bf8590ba2e0e35f6e2ab46d450db22a1490963425341573N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngjkfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nadleilm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcfbkpab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hfipbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fineoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahbohd32.dll" Gehbjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lojmcdgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afghneoo.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4296 wrote to memory of 3604 4296 8d0fe03509d4104b0bf8590ba2e0e35f6e2ab46d450db22a1490963425341573N.exe 83 PID 4296 wrote to memory of 3604 4296 8d0fe03509d4104b0bf8590ba2e0e35f6e2ab46d450db22a1490963425341573N.exe 83 PID 4296 wrote to memory of 3604 4296 8d0fe03509d4104b0bf8590ba2e0e35f6e2ab46d450db22a1490963425341573N.exe 83 PID 3604 wrote to memory of 3836 3604 Feapkk32.exe 84 PID 3604 wrote to memory of 3836 3604 Feapkk32.exe 84 PID 3604 wrote to memory of 3836 3604 Feapkk32.exe 84 PID 3836 wrote to memory of 4808 3836 Fknicb32.exe 85 PID 3836 wrote to memory of 4808 3836 Fknicb32.exe 85 PID 3836 wrote to memory of 4808 3836 Fknicb32.exe 85 PID 4808 wrote to memory of 4576 4808 Fdfmlhna.exe 86 PID 4808 wrote to memory of 4576 4808 Fdfmlhna.exe 86 PID 4808 wrote to memory of 4576 4808 Fdfmlhna.exe 86 PID 4576 wrote to memory of 1192 4576 Fkqeib32.exe 87 PID 4576 wrote to memory of 1192 4576 Fkqeib32.exe 87 PID 4576 wrote to memory of 1192 4576 Fkqeib32.exe 87 PID 1192 wrote to memory of 3748 1192 Fggfnc32.exe 89 PID 1192 wrote to memory of 3748 1192 Fggfnc32.exe 89 PID 1192 wrote to memory of 3748 1192 Fggfnc32.exe 89 PID 3748 wrote to memory of 2940 3748 Fehfljca.exe 90 PID 3748 wrote to memory of 2940 3748 Fehfljca.exe 90 PID 3748 wrote to memory of 2940 3748 Fehfljca.exe 90 PID 2940 wrote to memory of 1444 2940 Fkeodaai.exe 91 PID 2940 wrote to memory of 1444 2940 Fkeodaai.exe 91 PID 2940 wrote to memory of 1444 2940 Fkeodaai.exe 91 PID 1444 wrote to memory of 440 1444 Ghipne32.exe 92 PID 1444 wrote to memory of 440 1444 Ghipne32.exe 92 PID 1444 wrote to memory of 440 1444 Ghipne32.exe 92 PID 440 wrote to memory of 3664 440 Gaadfkgc.exe 94 PID 440 wrote to memory of 3664 440 Gaadfkgc.exe 94 PID 440 wrote to memory of 3664 440 Gaadfkgc.exe 94 PID 3664 wrote to memory of 3644 3664 Gkjhoq32.exe 95 PID 3664 wrote to memory of 3644 3664 Gkjhoq32.exe 95 PID 3664 wrote to memory of 3644 3664 Gkjhoq32.exe 95 PID 3644 wrote to memory of 208 3644 Gdbmhf32.exe 96 PID 3644 wrote to memory of 208 3644 Gdbmhf32.exe 96 PID 3644 wrote to memory of 208 3644 Gdbmhf32.exe 96 PID 208 wrote to memory of 1728 208 Gafmaj32.exe 97 PID 208 wrote to memory of 1728 208 Gafmaj32.exe 97 PID 208 wrote to memory of 1728 208 Gafmaj32.exe 97 PID 1728 wrote to memory of 3684 1728 Gojnko32.exe 98 PID 1728 wrote to memory of 3684 1728 Gojnko32.exe 98 PID 1728 wrote to memory of 3684 1728 Gojnko32.exe 98 PID 3684 wrote to memory of 4624 3684 Gfdfgiid.exe 99 PID 3684 wrote to memory of 4624 3684 Gfdfgiid.exe 99 PID 3684 wrote to memory of 4624 3684 Gfdfgiid.exe 99 PID 4624 wrote to memory of 2200 4624 Goljqnpd.exe 100 PID 4624 wrote to memory of 2200 4624 Goljqnpd.exe 100 PID 4624 wrote to memory of 2200 4624 Goljqnpd.exe 100 PID 2200 wrote to memory of 592 2200 Hdicienl.exe 102 PID 2200 wrote to memory of 592 2200 Hdicienl.exe 102 PID 2200 wrote to memory of 592 2200 Hdicienl.exe 102 PID 592 wrote to memory of 4256 592 Hfipbh32.exe 103 PID 592 wrote to memory of 4256 592 Hfipbh32.exe 103 PID 592 wrote to memory of 4256 592 Hfipbh32.exe 103 PID 4256 wrote to memory of 3420 4256 Hhgloc32.exe 104 PID 4256 wrote to memory of 3420 4256 Hhgloc32.exe 104 PID 4256 wrote to memory of 3420 4256 Hhgloc32.exe 104 PID 3420 wrote to memory of 4160 3420 Hoadkn32.exe 105 PID 3420 wrote to memory of 4160 3420 Hoadkn32.exe 105 PID 3420 wrote to memory of 4160 3420 Hoadkn32.exe 105 PID 4160 wrote to memory of 3656 4160 Hbpphi32.exe 106 PID 4160 wrote to memory of 3656 4160 Hbpphi32.exe 106 PID 4160 wrote to memory of 3656 4160 Hbpphi32.exe 106 PID 3656 wrote to memory of 3652 3656 Hfningai.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\8d0fe03509d4104b0bf8590ba2e0e35f6e2ab46d450db22a1490963425341573N.exe"C:\Users\Admin\AppData\Local\Temp\8d0fe03509d4104b0bf8590ba2e0e35f6e2ab46d450db22a1490963425341573N.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4296 -
C:\Windows\SysWOW64\Feapkk32.exeC:\Windows\system32\Feapkk32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3604 -
C:\Windows\SysWOW64\Fknicb32.exeC:\Windows\system32\Fknicb32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3836 -
C:\Windows\SysWOW64\Fdfmlhna.exeC:\Windows\system32\Fdfmlhna.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4808 -
C:\Windows\SysWOW64\Fkqeib32.exeC:\Windows\system32\Fkqeib32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4576 -
C:\Windows\SysWOW64\Fggfnc32.exeC:\Windows\system32\Fggfnc32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1192 -
C:\Windows\SysWOW64\Fehfljca.exeC:\Windows\system32\Fehfljca.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3748 -
C:\Windows\SysWOW64\Fkeodaai.exeC:\Windows\system32\Fkeodaai.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\Ghipne32.exeC:\Windows\system32\Ghipne32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1444 -
C:\Windows\SysWOW64\Gaadfkgc.exeC:\Windows\system32\Gaadfkgc.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:440 -
C:\Windows\SysWOW64\Gkjhoq32.exeC:\Windows\system32\Gkjhoq32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3664 -
C:\Windows\SysWOW64\Gdbmhf32.exeC:\Windows\system32\Gdbmhf32.exe12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3644 -
C:\Windows\SysWOW64\Gafmaj32.exeC:\Windows\system32\Gafmaj32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:208 -
C:\Windows\SysWOW64\Gojnko32.exeC:\Windows\system32\Gojnko32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Windows\SysWOW64\Gfdfgiid.exeC:\Windows\system32\Gfdfgiid.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3684 -
C:\Windows\SysWOW64\Goljqnpd.exeC:\Windows\system32\Goljqnpd.exe16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4624 -
C:\Windows\SysWOW64\Hdicienl.exeC:\Windows\system32\Hdicienl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Windows\SysWOW64\Hfipbh32.exeC:\Windows\system32\Hfipbh32.exe18⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:592 -
C:\Windows\SysWOW64\Hhgloc32.exeC:\Windows\system32\Hhgloc32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4256 -
C:\Windows\SysWOW64\Hoadkn32.exeC:\Windows\system32\Hoadkn32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3420 -
C:\Windows\SysWOW64\Hbpphi32.exeC:\Windows\system32\Hbpphi32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4160 -
C:\Windows\SysWOW64\Hfningai.exeC:\Windows\system32\Hfningai.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3656 -
C:\Windows\SysWOW64\Hfpecg32.exeC:\Windows\system32\Hfpecg32.exe23⤵
- Executes dropped EXE
PID:3652 -
C:\Windows\SysWOW64\Iohjlmeg.exeC:\Windows\system32\Iohjlmeg.exe24⤵
- Executes dropped EXE
PID:932 -
C:\Windows\SysWOW64\Ihqoeb32.exeC:\Windows\system32\Ihqoeb32.exe25⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Ibicnh32.exeC:\Windows\system32\Ibicnh32.exe26⤵
- Executes dropped EXE
PID:892 -
C:\Windows\SysWOW64\Iomcgl32.exeC:\Windows\system32\Iomcgl32.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1600 -
C:\Windows\SysWOW64\Ifgldfio.exeC:\Windows\system32\Ifgldfio.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2936 -
C:\Windows\SysWOW64\Ioopml32.exeC:\Windows\system32\Ioopml32.exe29⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Ieliebnf.exeC:\Windows\system32\Ieliebnf.exe30⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1436 -
C:\Windows\SysWOW64\Indmnh32.exeC:\Windows\system32\Indmnh32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3580 -
C:\Windows\SysWOW64\Igmagnkg.exeC:\Windows\system32\Igmagnkg.exe32⤵
- Executes dropped EXE
PID:4360 -
C:\Windows\SysWOW64\Jkhngl32.exeC:\Windows\system32\Jkhngl32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5024 -
C:\Windows\SysWOW64\Jbbfdfkn.exeC:\Windows\system32\Jbbfdfkn.exe34⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Jkkjmlan.exeC:\Windows\system32\Jkkjmlan.exe35⤵
- Executes dropped EXE
PID:32 -
C:\Windows\SysWOW64\Jbdbjf32.exeC:\Windows\system32\Jbdbjf32.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:700 -
C:\Windows\SysWOW64\Jecofa32.exeC:\Windows\system32\Jecofa32.exe37⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Joiccj32.exeC:\Windows\system32\Joiccj32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1924 -
C:\Windows\SysWOW64\Jfbkpd32.exeC:\Windows\system32\Jfbkpd32.exe39⤵
- Executes dropped EXE
PID:4036 -
C:\Windows\SysWOW64\Jgdhgmep.exeC:\Windows\system32\Jgdhgmep.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4084 -
C:\Windows\SysWOW64\Jpkphjeb.exeC:\Windows\system32\Jpkphjeb.exe41⤵
- Executes dropped EXE
PID:1852 -
C:\Windows\SysWOW64\Jkaqnk32.exeC:\Windows\system32\Jkaqnk32.exe42⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Jghabl32.exeC:\Windows\system32\Jghabl32.exe43⤵
- Executes dropped EXE
PID:464 -
C:\Windows\SysWOW64\Kldmckic.exeC:\Windows\system32\Kldmckic.exe44⤵
- Executes dropped EXE
PID:3904 -
C:\Windows\SysWOW64\Kelalp32.exeC:\Windows\system32\Kelalp32.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5080 -
C:\Windows\SysWOW64\Klfjijgq.exeC:\Windows\system32\Klfjijgq.exe46⤵
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Knefeffd.exeC:\Windows\system32\Knefeffd.exe47⤵
- Executes dropped EXE
PID:5052 -
C:\Windows\SysWOW64\Kflnfcgg.exeC:\Windows\system32\Kflnfcgg.exe48⤵
- Executes dropped EXE
PID:4904 -
C:\Windows\SysWOW64\Khmknk32.exeC:\Windows\system32\Khmknk32.exe49⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Kimghn32.exeC:\Windows\system32\Kimghn32.exe50⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Kpgodhkd.exeC:\Windows\system32\Kpgodhkd.exe51⤵
- Executes dropped EXE
PID:552 -
C:\Windows\SysWOW64\Kechmoil.exeC:\Windows\system32\Kechmoil.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3876 -
C:\Windows\SysWOW64\Kpiljh32.exeC:\Windows\system32\Kpiljh32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2528 -
C:\Windows\SysWOW64\Kefdbo32.exeC:\Windows\system32\Kefdbo32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4568 -
C:\Windows\SysWOW64\Lhdqnj32.exeC:\Windows\system32\Lhdqnj32.exe55⤵
- Executes dropped EXE
PID:4392 -
C:\Windows\SysWOW64\Lnnikdnj.exeC:\Windows\system32\Lnnikdnj.exe56⤵
- Executes dropped EXE
PID:4420 -
C:\Windows\SysWOW64\Lidmhmnp.exeC:\Windows\system32\Lidmhmnp.exe57⤵
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\Lfhnaa32.exeC:\Windows\system32\Lfhnaa32.exe58⤵
- Executes dropped EXE
PID:4384 -
C:\Windows\SysWOW64\Lifjnm32.exeC:\Windows\system32\Lifjnm32.exe59⤵
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\Lppbkgcj.exeC:\Windows\system32\Lppbkgcj.exe60⤵
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Lfjjga32.exeC:\Windows\system32\Lfjjga32.exe61⤵
- Executes dropped EXE
PID:1340 -
C:\Windows\SysWOW64\Lhkgoiqe.exeC:\Windows\system32\Lhkgoiqe.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5068 -
C:\Windows\SysWOW64\Lbqklb32.exeC:\Windows\system32\Lbqklb32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4116 -
C:\Windows\SysWOW64\Leoghn32.exeC:\Windows\system32\Leoghn32.exe64⤵
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Lhncdi32.exeC:\Windows\system32\Lhncdi32.exe65⤵
- Executes dropped EXE
PID:1472 -
C:\Windows\SysWOW64\Lpekef32.exeC:\Windows\system32\Lpekef32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4916 -
C:\Windows\SysWOW64\Lfodbqfa.exeC:\Windows\system32\Lfodbqfa.exe67⤵PID:4508
-
C:\Windows\SysWOW64\Mhppji32.exeC:\Windows\system32\Mhppji32.exe68⤵PID:2608
-
C:\Windows\SysWOW64\Mbedga32.exeC:\Windows\system32\Mbedga32.exe69⤵PID:2196
-
C:\Windows\SysWOW64\Miomdk32.exeC:\Windows\system32\Miomdk32.exe70⤵PID:3440
-
C:\Windows\SysWOW64\Mpieqeko.exeC:\Windows\system32\Mpieqeko.exe71⤵PID:4316
-
C:\Windows\SysWOW64\Mbhamajc.exeC:\Windows\system32\Mbhamajc.exe72⤵PID:112
-
C:\Windows\SysWOW64\Mefmimif.exeC:\Windows\system32\Mefmimif.exe73⤵PID:3000
-
C:\Windows\SysWOW64\Mlpeff32.exeC:\Windows\system32\Mlpeff32.exe74⤵PID:5072
-
C:\Windows\SysWOW64\Moobbb32.exeC:\Windows\system32\Moobbb32.exe75⤵PID:1740
-
C:\Windows\SysWOW64\Midfokpm.exeC:\Windows\system32\Midfokpm.exe76⤵PID:3448
-
C:\Windows\SysWOW64\Mpnnle32.exeC:\Windows\system32\Mpnnle32.exe77⤵PID:4700
-
C:\Windows\SysWOW64\Mekgdl32.exeC:\Windows\system32\Mekgdl32.exe78⤵
- Modifies registry class
PID:884 -
C:\Windows\SysWOW64\Mpqkad32.exeC:\Windows\system32\Mpqkad32.exe79⤵PID:4540
-
C:\Windows\SysWOW64\Mfjcnold.exeC:\Windows\system32\Mfjcnold.exe80⤵
- Drops file in System32 directory
PID:4684 -
C:\Windows\SysWOW64\Niipjj32.exeC:\Windows\system32\Niipjj32.exe81⤵PID:4708
-
C:\Windows\SysWOW64\Neppokal.exeC:\Windows\system32\Neppokal.exe82⤵PID:4584
-
C:\Windows\SysWOW64\Nhnlkfpp.exeC:\Windows\system32\Nhnlkfpp.exe83⤵PID:4408
-
C:\Windows\SysWOW64\Niniei32.exeC:\Windows\system32\Niniei32.exe84⤵
- Drops file in System32 directory
PID:3632 -
C:\Windows\SysWOW64\Ngaionfl.exeC:\Windows\system32\Ngaionfl.exe85⤵
- System Location Discovery: System Language Discovery
PID:3092 -
C:\Windows\SysWOW64\Ocmconhk.exeC:\Windows\system32\Ocmconhk.exe86⤵PID:1492
-
C:\Windows\SysWOW64\Ohjlgefb.exeC:\Windows\system32\Ohjlgefb.exe87⤵PID:2700
-
C:\Windows\SysWOW64\Ogklelna.exeC:\Windows\system32\Ogklelna.exe88⤵PID:724
-
C:\Windows\SysWOW64\Oofaiokl.exeC:\Windows\system32\Oofaiokl.exe89⤵PID:5128
-
C:\Windows\SysWOW64\Ocamjm32.exeC:\Windows\system32\Ocamjm32.exe90⤵PID:5164
-
C:\Windows\SysWOW64\Oepifi32.exeC:\Windows\system32\Oepifi32.exe91⤵PID:5212
-
C:\Windows\SysWOW64\Ohnebd32.exeC:\Windows\system32\Ohnebd32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5252 -
C:\Windows\SysWOW64\Oohnonij.exeC:\Windows\system32\Oohnonij.exe93⤵PID:5296
-
C:\Windows\SysWOW64\Ogpepl32.exeC:\Windows\system32\Ogpepl32.exe94⤵PID:5340
-
C:\Windows\SysWOW64\Ojnblg32.exeC:\Windows\system32\Ojnblg32.exe95⤵
- System Location Discovery: System Language Discovery
PID:5384 -
C:\Windows\SysWOW64\Ophjiaql.exeC:\Windows\system32\Ophjiaql.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5428 -
C:\Windows\SysWOW64\Ookjdn32.exeC:\Windows\system32\Ookjdn32.exe97⤵PID:5472
-
C:\Windows\SysWOW64\Phcomcng.exeC:\Windows\system32\Phcomcng.exe98⤵PID:5516
-
C:\Windows\SysWOW64\Pfgogh32.exeC:\Windows\system32\Pfgogh32.exe99⤵PID:5560
-
C:\Windows\SysWOW64\Plagcbdn.exeC:\Windows\system32\Plagcbdn.exe100⤵PID:5604
-
C:\Windows\SysWOW64\Pfillg32.exeC:\Windows\system32\Pfillg32.exe101⤵PID:5648
-
C:\Windows\SysWOW64\Plcdiabk.exeC:\Windows\system32\Plcdiabk.exe102⤵
- System Location Discovery: System Language Discovery
PID:5692 -
C:\Windows\SysWOW64\Pleaoa32.exeC:\Windows\system32\Pleaoa32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5736 -
C:\Windows\SysWOW64\Pgkelj32.exeC:\Windows\system32\Pgkelj32.exe104⤵PID:5776
-
C:\Windows\SysWOW64\Plhnda32.exeC:\Windows\system32\Plhnda32.exe105⤵PID:5820
-
C:\Windows\SysWOW64\Pofjpl32.exeC:\Windows\system32\Pofjpl32.exe106⤵PID:5864
-
C:\Windows\SysWOW64\Qcbfakec.exeC:\Windows\system32\Qcbfakec.exe107⤵PID:5908
-
C:\Windows\SysWOW64\Qhonib32.exeC:\Windows\system32\Qhonib32.exe108⤵
- Drops file in System32 directory
PID:5952 -
C:\Windows\SysWOW64\Qoifflkg.exeC:\Windows\system32\Qoifflkg.exe109⤵PID:5996
-
C:\Windows\SysWOW64\Qhakoa32.exeC:\Windows\system32\Qhakoa32.exe110⤵PID:6040
-
C:\Windows\SysWOW64\Agbkmijg.exeC:\Windows\system32\Agbkmijg.exe111⤵PID:6088
-
C:\Windows\SysWOW64\Amodep32.exeC:\Windows\system32\Amodep32.exe112⤵
- System Location Discovery: System Language Discovery
PID:6132 -
C:\Windows\SysWOW64\Acilajpk.exeC:\Windows\system32\Acilajpk.exe113⤵PID:5152
-
C:\Windows\SysWOW64\Afghneoo.exeC:\Windows\system32\Afghneoo.exe114⤵
- Modifies registry class
PID:5260 -
C:\Windows\SysWOW64\Ajcdnd32.exeC:\Windows\system32\Ajcdnd32.exe115⤵PID:5292
-
C:\Windows\SysWOW64\Aopmfk32.exeC:\Windows\system32\Aopmfk32.exe116⤵PID:5380
-
C:\Windows\SysWOW64\Afjeceml.exeC:\Windows\system32\Afjeceml.exe117⤵PID:5440
-
C:\Windows\SysWOW64\Aihaoqlp.exeC:\Windows\system32\Aihaoqlp.exe118⤵
- Modifies registry class
PID:5528 -
C:\Windows\SysWOW64\Amcmpodi.exeC:\Windows\system32\Amcmpodi.exe119⤵PID:5592
-
C:\Windows\SysWOW64\Acnemi32.exeC:\Windows\system32\Acnemi32.exe120⤵
- Drops file in System32 directory
PID:5684 -
C:\Windows\SysWOW64\Aflaie32.exeC:\Windows\system32\Aflaie32.exe121⤵PID:5760
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-