Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
02-12-2024 01:43
Behavioral task
behavioral1
Sample
87d9fcaa7eb40de49984736df0cf4f9be6fa6adf1ab5b591ccf5f841610e83a4N.exe
Resource
win7-20240729-en
windows7-x64
13 signatures
120 seconds
Behavioral task
behavioral2
Sample
87d9fcaa7eb40de49984736df0cf4f9be6fa6adf1ab5b591ccf5f841610e83a4N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
13 signatures
120 seconds
General
-
Target
87d9fcaa7eb40de49984736df0cf4f9be6fa6adf1ab5b591ccf5f841610e83a4N.exe
-
Size
163KB
-
MD5
e1d2e397cce23871d6800f0131836900
-
SHA1
ad38e84a0906be2ab26336c3fcdfa906c339263e
-
SHA256
87d9fcaa7eb40de49984736df0cf4f9be6fa6adf1ab5b591ccf5f841610e83a4
-
SHA512
c042027335b5d368765be502162774461d951a200916ceb13e742623d507e3f83f077356fe44a4369997146639c54f54017edda20e993fcdc978b7d8f5a20a20
-
SSDEEP
1536:PzFUEg/T48+taofUtZkJlProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:Bk/c8+4yUt2JltOrWKDBr+yJb
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Extracted
Family
gozi
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Fqikob32.exeBpedeiff.exeGggfme32.exeDmdonkgc.exeGiinpa32.exeBahdob32.exeFkjmlaac.exeAbcppq32.exeHjoeoo32.exeOcihgnam.exeDllffa32.exeJcbdgb32.exeJjpode32.exeQpeahb32.exeOjnfihmo.exeAadghn32.exeNhpbfpka.exeKmaopfjm.exeKgipcogp.exeDbocfo32.exePohnnqgo.exeMhdckaeo.exeOimkbaed.exeBgbpaipl.exeNchhfild.exeLpjjmg32.exeBfpkbfdi.exeOoejohhq.exeDikpbl32.exeAbmjqe32.exeFcddkggf.exeIenlbf32.exeNgifef32.exeCnnllhpa.exeKhfkfedn.exeGklnjj32.exeMnphmkji.exeCdolgfbp.exeCmklglpn.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fqikob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpedeiff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gggfme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmdonkgc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Giinpa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bahdob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkjmlaac.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abcppq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjoeoo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocihgnam.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dllffa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcbdgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjpode32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpeahb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojnfihmo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aadghn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhpbfpka.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmaopfjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgipcogp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbocfo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pohnnqgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhdckaeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oimkbaed.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgbpaipl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nchhfild.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpjjmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfpkbfdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ooejohhq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dikpbl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abmjqe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcddkggf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ienlbf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngifef32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnnllhpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khfkfedn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gklnjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnphmkji.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdolgfbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmklglpn.exe -
Berbew family
-
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
-
Bruteratel family
-
Detect BruteRatel badger 1 IoCs
Processes:
resource yara_rule behavioral2/files/0x0007000000024349-6691.dat family_bruteratel -
Gozi family
-
Executes dropped EXE 64 IoCs
Processes:
Pfnegggi.exePqcjepfo.exeQcbfakec.exeQjlnnemp.exeQhonib32.exeAokcklid.exeAhchda32.exeAcilajpk.exeAjcdnd32.exeAjeadd32.exeAqoiqn32.exeAflaie32.exeAglnbhal.exeBcbohigp.exeBqfoamfj.exeBfchidda.exeBcghch32.exeBqkill32.exeBfhadc32.exeBppfmigl.exeBclang32.exeBihjfnmm.exeCqpbglno.exeCpbbch32.exeCcnncgmc.exeCflkpblf.exeCjhfpa32.exeCmfclm32.exeCabomkll.exeCpeohh32.exeCcqkigkp.exeCfogeb32.exeCjjcfabm.exeCimcan32.exeCadlbk32.exeCpglnhad.exeCcchof32.exeCgndoeag.exeCippgm32.exeCmklglpn.exeCpihcgoa.exeCceddf32.exeCfcqpa32.exeCjomap32.exeCmniml32.exeCaienjfd.exeCcgajfeh.exeCgcmjd32.exeCjaifp32.exeCidjbmcp.exeDakacjdb.exeDpnbog32.exeDgejpd32.exeDfhjkabi.exeDiffglam.exeDannij32.exeDpqodfij.exeDhhfedil.exeDfjgaq32.exeDiicml32.exeDmdonkgc.exeDpckjfgg.exeDhjckcgi.exeDfmcfp32.exepid Process 4408 Pfnegggi.exe 2056 Pqcjepfo.exe 2632 Qcbfakec.exe 2856 Qjlnnemp.exe 1716 Qhonib32.exe 184 Aokcklid.exe 3740 Ahchda32.exe 2232 Acilajpk.exe 4632 Ajcdnd32.exe 208 Ajeadd32.exe 2104 Aqoiqn32.exe 2744 Aflaie32.exe 3964 Aglnbhal.exe 3164 Bcbohigp.exe 2800 Bqfoamfj.exe 4084 Bfchidda.exe 3872 Bcghch32.exe 2900 Bqkill32.exe 4780 Bfhadc32.exe 1136 Bppfmigl.exe 4932 Bclang32.exe 4344 Bihjfnmm.exe 2260 Cqpbglno.exe 5100 Cpbbch32.exe 1972 Ccnncgmc.exe 2676 Cflkpblf.exe 4144 Cjhfpa32.exe 436 Cmfclm32.exe 4216 Cabomkll.exe 1092 Cpeohh32.exe 2688 Ccqkigkp.exe 2348 Cfogeb32.exe 4300 Cjjcfabm.exe 1484 Cimcan32.exe 1664 Cadlbk32.exe 5112 Cpglnhad.exe 3256 Ccchof32.exe 1556 Cgndoeag.exe 4596 Cippgm32.exe 2080 Cmklglpn.exe 2796 Cpihcgoa.exe 1712 Cceddf32.exe 3336 Cfcqpa32.exe 1344 Cjomap32.exe 5004 Cmniml32.exe 3732 Caienjfd.exe 1832 Ccgajfeh.exe 2288 Cgcmjd32.exe 224 Cjaifp32.exe 1624 Cidjbmcp.exe 3104 Dakacjdb.exe 1456 Dpnbog32.exe 3676 Dgejpd32.exe 2664 Dfhjkabi.exe 4908 Diffglam.exe 3592 Dannij32.exe 3696 Dpqodfij.exe 3604 Dhhfedil.exe 4744 Dfjgaq32.exe 1760 Diicml32.exe 2528 Dmdonkgc.exe 2804 Dpckjfgg.exe 1224 Dhjckcgi.exe 2096 Dfmcfp32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Ccqkigkp.exeEigonjcj.exeLokldg32.exeOadfkdgd.exeJihbip32.exeNjjmni32.exeIecmhlhb.exeHclccd32.exeMjkblhfo.exeGgkqgaol.exeLljdai32.exeAijlgkjq.exeDfjgaq32.exeFpmggb32.exeBdcmkgmm.exeNcaklhdi.exeOkolfj32.exeFpodlbng.exeLnbklm32.exeKhlklj32.exeBigbmpco.exePndhhnda.exePdfehh32.exeDooaoj32.exeDjmibn32.exeEmnbdioi.exePpahmb32.exeBljlfh32.exeEidlnd32.exeCpbbch32.exeDhclmp32.exeInfhebbh.exeQkchna32.exeNojjcj32.exedescription ioc Process File created C:\Windows\SysWOW64\Kcllei32.dll Ccqkigkp.exe File created C:\Windows\SysWOW64\Nocckb32.dll Eigonjcj.exe File created C:\Windows\SysWOW64\Ldhdlnli.exe Lokldg32.exe File opened for modification C:\Windows\SysWOW64\Aified32.exe File created C:\Windows\SysWOW64\Bpkajf32.dll Oadfkdgd.exe File opened for modification C:\Windows\SysWOW64\Jlgoek32.exe Jihbip32.exe File created C:\Windows\SysWOW64\Fmndkd32.exe File created C:\Windows\SysWOW64\Bkcghbbk.dll File opened for modification C:\Windows\SysWOW64\Nacboi32.exe File created C:\Windows\SysWOW64\Nqcejcha.exe Njjmni32.exe File created C:\Windows\SysWOW64\Kknikplo.dll Iecmhlhb.exe File opened for modification C:\Windows\SysWOW64\Inagpm32.exe Hclccd32.exe File created C:\Windows\SysWOW64\Cnjkgf32.exe File created C:\Windows\SysWOW64\Befmpdmq.exe File created C:\Windows\SysWOW64\Mnpice32.exe File created C:\Windows\SysWOW64\Ggiabl32.dll Mjkblhfo.exe File created C:\Windows\SysWOW64\Geoapenf.exe Ggkqgaol.exe File opened for modification C:\Windows\SysWOW64\Lafmjp32.exe Lljdai32.exe File created C:\Windows\SysWOW64\Abcppq32.exe Aijlgkjq.exe File created C:\Windows\SysWOW64\Dheiop32.dll File opened for modification C:\Windows\SysWOW64\Bqdlmo32.exe File opened for modification C:\Windows\SysWOW64\Ipqnknld.exe File opened for modification C:\Windows\SysWOW64\Diicml32.exe Dfjgaq32.exe File opened for modification C:\Windows\SysWOW64\Fhdohp32.exe Fpmggb32.exe File created C:\Windows\SysWOW64\Pjcfndog.dll Bdcmkgmm.exe File created C:\Windows\SysWOW64\Gipjam32.dll Ncaklhdi.exe File created C:\Windows\SysWOW64\Kmqbkkce.dll Okolfj32.exe File created C:\Windows\SysWOW64\Joaojf32.exe File created C:\Windows\SysWOW64\Fghoohma.dll File created C:\Windows\SysWOW64\Fjjcdn32.dll Fpodlbng.exe File opened for modification C:\Windows\SysWOW64\Laqhhi32.exe Lnbklm32.exe File opened for modification C:\Windows\SysWOW64\Kadpdp32.exe Khlklj32.exe File created C:\Windows\SysWOW64\Bboffejp.exe Bigbmpco.exe File created C:\Windows\SysWOW64\Philfgdh.exe Pndhhnda.exe File created C:\Windows\SysWOW64\Plmmif32.exe Pdfehh32.exe File created C:\Windows\SysWOW64\Dmcain32.exe Dooaoj32.exe File created C:\Windows\SysWOW64\Clhbhc32.exe File created C:\Windows\SysWOW64\Cllbll32.dll File created C:\Windows\SysWOW64\Emlenj32.exe Djmibn32.exe File created C:\Windows\SysWOW64\Icgdelol.dll File opened for modification C:\Windows\SysWOW64\Cpbgnlfo.exe File created C:\Windows\SysWOW64\Knghil32.dll Emnbdioi.exe File created C:\Windows\SysWOW64\Qjfmkk32.exe Ppahmb32.exe File created C:\Windows\SysWOW64\Ecoiapdj.exe File opened for modification C:\Windows\SysWOW64\Cohkinob.exe File created C:\Windows\SysWOW64\Mqpfofao.dll File created C:\Windows\SysWOW64\Jkglkc32.dll File opened for modification C:\Windows\SysWOW64\Hflclcle.exe File opened for modification C:\Windows\SysWOW64\Bjnmpl32.exe Bljlfh32.exe File opened for modification C:\Windows\SysWOW64\Eblpgjha.exe Eidlnd32.exe File opened for modification C:\Windows\SysWOW64\Fhfenmbe.exe File created C:\Windows\SysWOW64\Ifjoma32.exe File created C:\Windows\SysWOW64\Leffdi32.dll File created C:\Windows\SysWOW64\Egneae32.dll Cpbbch32.exe File created C:\Windows\SysWOW64\Jeciaina.dll Dhclmp32.exe File created C:\Windows\SysWOW64\Iccpniqp.exe Infhebbh.exe File created C:\Windows\SysWOW64\Qbmpjkqk.exe Qkchna32.exe File created C:\Windows\SysWOW64\Kblfejda.dll File created C:\Windows\SysWOW64\Onbiicqa.dll File opened for modification C:\Windows\SysWOW64\Pgkegn32.exe File opened for modification C:\Windows\SysWOW64\Dkjbgooi.exe File opened for modification C:\Windows\SysWOW64\Iaahjmkn.exe File created C:\Windows\SysWOW64\Cikkga32.exe File created C:\Windows\SysWOW64\Neccpd32.exe Nojjcj32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Gigaka32.exePkegpb32.exeCnfaohbj.exeBfchidda.exeAoabad32.exeAeffgkkp.exePcpnhl32.exeCidjbmcp.exeChfegk32.exeJaemilci.exeFaenpf32.exeQffoejkg.exeMjmoag32.exeNcaklhdi.exeQmanljfo.exeFjgfgbek.exeKkeldnpi.exeCkeimm32.exeHalhfe32.exeCicqja32.exeLqbncb32.exeBhmbqm32.exeHfaajnfb.exeOikjkc32.exeDpmcmf32.exeJkhgmf32.exeBgbpaipl.exeOadfkdgd.exeKflide32.exeBdeiqgkj.exeIggaah32.exeDaeifj32.exeGdknpp32.exeCmfclm32.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gigaka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkegpb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnfaohbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfchidda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoabad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeffgkkp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcpnhl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cidjbmcp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chfegk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jaemilci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Faenpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qffoejkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjmoag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncaklhdi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmanljfo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjgfgbek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkeldnpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckeimm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Halhfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cicqja32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqbncb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhmbqm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfaajnfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oikjkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpmcmf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkhgmf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgbpaipl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oadfkdgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kflide32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdeiqgkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iggaah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Daeifj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdknpp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmfclm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language -
Modifies registry class 64 IoCs
Processes:
Kgninn32.exeDnonkq32.exeCbhbbn32.exeIgqkqiai.exeNghekkmn.exeFpkibf32.exeEqiibjlj.exePjlcjf32.exePbjddh32.exeNdpjnq32.exeOkneldkf.exeAkogio32.exeEoconenj.exeMkhapk32.exeHcedmkmp.exeDpglmjoj.exeDidjqoae.exePkholi32.exeAijlgkjq.exeCcchof32.exeDakacjdb.exeGpaqbbld.exeAfbgkl32.exeOophlo32.exeGjaphgpl.exeJhpqaiji.exeEiobceef.exeLjhnlb32.exeHlppno32.exeDfmcfp32.exeOkchnk32.exeIhceigec.exeKhfdlnab.exeMopeofjl.exeCfmahknh.exeGqmnpk32.exeBgkaip32.exeIefphb32.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgninn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dnonkq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbhbbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igqkqiai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nghekkmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocoaob32.dll" Fpkibf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehblpall.dll" Eqiibjlj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjlcjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkqpeh32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbhibfek.dll" Pbjddh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndpjnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbfjfc32.dll" Okneldkf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akogio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eoconenj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpfbco32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdkohe32.dll" Mkhapk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hcedmkmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpglmjoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Didjqoae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkholi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebcgjl32.dll" Aijlgkjq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ccchof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dakacjdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcnggo32.dll" Gpaqbbld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afbgkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klhhpb32.dll" Oophlo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbjlpn32.dll" Gjaphgpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkpgkc32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghfpll32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mafnie32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjdecfcc.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pimbcc32.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jhpqaiji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eiobceef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljhnlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hlppno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfmcfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okchnk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcafemmh.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caikpked.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inkojihg.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ihceigec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Khfdlnab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mopeofjl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfmahknh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjmieq32.dll" Gqmnpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgkaip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iefphb32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
87d9fcaa7eb40de49984736df0cf4f9be6fa6adf1ab5b591ccf5f841610e83a4N.exePfnegggi.exePqcjepfo.exeQcbfakec.exeQjlnnemp.exeQhonib32.exeAokcklid.exeAhchda32.exeAcilajpk.exeAjcdnd32.exeAjeadd32.exeAqoiqn32.exeAflaie32.exeAglnbhal.exeBcbohigp.exeBqfoamfj.exeBfchidda.exeBcghch32.exeBqkill32.exeBfhadc32.exeBppfmigl.exeBclang32.exedescription pid Process procid_target PID 3720 wrote to memory of 4408 3720 87d9fcaa7eb40de49984736df0cf4f9be6fa6adf1ab5b591ccf5f841610e83a4N.exe 82 PID 3720 wrote to memory of 4408 3720 87d9fcaa7eb40de49984736df0cf4f9be6fa6adf1ab5b591ccf5f841610e83a4N.exe 82 PID 3720 wrote to memory of 4408 3720 87d9fcaa7eb40de49984736df0cf4f9be6fa6adf1ab5b591ccf5f841610e83a4N.exe 82 PID 4408 wrote to memory of 2056 4408 Pfnegggi.exe 83 PID 4408 wrote to memory of 2056 4408 Pfnegggi.exe 83 PID 4408 wrote to memory of 2056 4408 Pfnegggi.exe 83 PID 2056 wrote to memory of 2632 2056 Pqcjepfo.exe 84 PID 2056 wrote to memory of 2632 2056 Pqcjepfo.exe 84 PID 2056 wrote to memory of 2632 2056 Pqcjepfo.exe 84 PID 2632 wrote to memory of 2856 2632 Qcbfakec.exe 85 PID 2632 wrote to memory of 2856 2632 Qcbfakec.exe 85 PID 2632 wrote to memory of 2856 2632 Qcbfakec.exe 85 PID 2856 wrote to memory of 1716 2856 Qjlnnemp.exe 86 PID 2856 wrote to memory of 1716 2856 Qjlnnemp.exe 86 PID 2856 wrote to memory of 1716 2856 Qjlnnemp.exe 86 PID 1716 wrote to memory of 184 1716 Qhonib32.exe 87 PID 1716 wrote to memory of 184 1716 Qhonib32.exe 87 PID 1716 wrote to memory of 184 1716 Qhonib32.exe 87 PID 184 wrote to memory of 3740 184 Aokcklid.exe 88 PID 184 wrote to memory of 3740 184 Aokcklid.exe 88 PID 184 wrote to memory of 3740 184 Aokcklid.exe 88 PID 3740 wrote to memory of 2232 3740 Ahchda32.exe 89 PID 3740 wrote to memory of 2232 3740 Ahchda32.exe 89 PID 3740 wrote to memory of 2232 3740 Ahchda32.exe 89 PID 2232 wrote to memory of 4632 2232 Acilajpk.exe 90 PID 2232 wrote to memory of 4632 2232 Acilajpk.exe 90 PID 2232 wrote to memory of 4632 2232 Acilajpk.exe 90 PID 4632 wrote to memory of 208 4632 Ajcdnd32.exe 91 PID 4632 wrote to memory of 208 4632 Ajcdnd32.exe 91 PID 4632 wrote to memory of 208 4632 Ajcdnd32.exe 91 PID 208 wrote to memory of 2104 208 Ajeadd32.exe 92 PID 208 wrote to memory of 2104 208 Ajeadd32.exe 92 PID 208 wrote to memory of 2104 208 Ajeadd32.exe 92 PID 2104 wrote to memory of 2744 2104 Aqoiqn32.exe 93 PID 2104 wrote to memory of 2744 2104 Aqoiqn32.exe 93 PID 2104 wrote to memory of 2744 2104 Aqoiqn32.exe 93 PID 2744 wrote to memory of 3964 2744 Aflaie32.exe 94 PID 2744 wrote to memory of 3964 2744 Aflaie32.exe 94 PID 2744 wrote to memory of 3964 2744 Aflaie32.exe 94 PID 3964 wrote to memory of 3164 3964 Aglnbhal.exe 95 PID 3964 wrote to memory of 3164 3964 Aglnbhal.exe 95 PID 3964 wrote to memory of 3164 3964 Aglnbhal.exe 95 PID 3164 wrote to memory of 2800 3164 Bcbohigp.exe 96 PID 3164 wrote to memory of 2800 3164 Bcbohigp.exe 96 PID 3164 wrote to memory of 2800 3164 Bcbohigp.exe 96 PID 2800 wrote to memory of 4084 2800 Bqfoamfj.exe 97 PID 2800 wrote to memory of 4084 2800 Bqfoamfj.exe 97 PID 2800 wrote to memory of 4084 2800 Bqfoamfj.exe 97 PID 4084 wrote to memory of 3872 4084 Bfchidda.exe 98 PID 4084 wrote to memory of 3872 4084 Bfchidda.exe 98 PID 4084 wrote to memory of 3872 4084 Bfchidda.exe 98 PID 3872 wrote to memory of 2900 3872 Bcghch32.exe 99 PID 3872 wrote to memory of 2900 3872 Bcghch32.exe 99 PID 3872 wrote to memory of 2900 3872 Bcghch32.exe 99 PID 2900 wrote to memory of 4780 2900 Bqkill32.exe 100 PID 2900 wrote to memory of 4780 2900 Bqkill32.exe 100 PID 2900 wrote to memory of 4780 2900 Bqkill32.exe 100 PID 4780 wrote to memory of 1136 4780 Bfhadc32.exe 101 PID 4780 wrote to memory of 1136 4780 Bfhadc32.exe 101 PID 4780 wrote to memory of 1136 4780 Bfhadc32.exe 101 PID 1136 wrote to memory of 4932 1136 Bppfmigl.exe 102 PID 1136 wrote to memory of 4932 1136 Bppfmigl.exe 102 PID 1136 wrote to memory of 4932 1136 Bppfmigl.exe 102 PID 4932 wrote to memory of 4344 4932 Bclang32.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\87d9fcaa7eb40de49984736df0cf4f9be6fa6adf1ab5b591ccf5f841610e83a4N.exe"C:\Users\Admin\AppData\Local\Temp\87d9fcaa7eb40de49984736df0cf4f9be6fa6adf1ab5b591ccf5f841610e83a4N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3720 -
C:\Windows\SysWOW64\Pfnegggi.exeC:\Windows\system32\Pfnegggi.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4408 -
C:\Windows\SysWOW64\Pqcjepfo.exeC:\Windows\system32\Pqcjepfo.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Windows\SysWOW64\Qcbfakec.exeC:\Windows\system32\Qcbfakec.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Qjlnnemp.exeC:\Windows\system32\Qjlnnemp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Qhonib32.exeC:\Windows\system32\Qhonib32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1716 -
C:\Windows\SysWOW64\Aokcklid.exeC:\Windows\system32\Aokcklid.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:184 -
C:\Windows\SysWOW64\Ahchda32.exeC:\Windows\system32\Ahchda32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3740 -
C:\Windows\SysWOW64\Acilajpk.exeC:\Windows\system32\Acilajpk.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2232 -
C:\Windows\SysWOW64\Ajcdnd32.exeC:\Windows\system32\Ajcdnd32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4632 -
C:\Windows\SysWOW64\Ajeadd32.exeC:\Windows\system32\Ajeadd32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:208 -
C:\Windows\SysWOW64\Aqoiqn32.exeC:\Windows\system32\Aqoiqn32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Windows\SysWOW64\Aflaie32.exeC:\Windows\system32\Aflaie32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\Aglnbhal.exeC:\Windows\system32\Aglnbhal.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3964 -
C:\Windows\SysWOW64\Bcbohigp.exeC:\Windows\system32\Bcbohigp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3164 -
C:\Windows\SysWOW64\Bqfoamfj.exeC:\Windows\system32\Bqfoamfj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\SysWOW64\Bfchidda.exeC:\Windows\system32\Bfchidda.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4084 -
C:\Windows\SysWOW64\Bcghch32.exeC:\Windows\system32\Bcghch32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3872 -
C:\Windows\SysWOW64\Bqkill32.exeC:\Windows\system32\Bqkill32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Bfhadc32.exeC:\Windows\system32\Bfhadc32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4780 -
C:\Windows\SysWOW64\Bppfmigl.exeC:\Windows\system32\Bppfmigl.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1136 -
C:\Windows\SysWOW64\Bclang32.exeC:\Windows\system32\Bclang32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4932 -
C:\Windows\SysWOW64\Bihjfnmm.exeC:\Windows\system32\Bihjfnmm.exe23⤵
- Executes dropped EXE
PID:4344 -
C:\Windows\SysWOW64\Cqpbglno.exeC:\Windows\system32\Cqpbglno.exe24⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Cpbbch32.exeC:\Windows\system32\Cpbbch32.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5100 -
C:\Windows\SysWOW64\Ccnncgmc.exeC:\Windows\system32\Ccnncgmc.exe26⤵
- Executes dropped EXE
PID:1972 -
C:\Windows\SysWOW64\Cflkpblf.exeC:\Windows\system32\Cflkpblf.exe27⤵
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Cjhfpa32.exeC:\Windows\system32\Cjhfpa32.exe28⤵
- Executes dropped EXE
PID:4144 -
C:\Windows\SysWOW64\Cmfclm32.exeC:\Windows\system32\Cmfclm32.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:436 -
C:\Windows\SysWOW64\Cabomkll.exeC:\Windows\system32\Cabomkll.exe30⤵
- Executes dropped EXE
PID:4216 -
C:\Windows\SysWOW64\Cpeohh32.exeC:\Windows\system32\Cpeohh32.exe31⤵
- Executes dropped EXE
PID:1092 -
C:\Windows\SysWOW64\Ccqkigkp.exeC:\Windows\system32\Ccqkigkp.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2688 -
C:\Windows\SysWOW64\Cfogeb32.exeC:\Windows\system32\Cfogeb32.exe33⤵
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Cjjcfabm.exeC:\Windows\system32\Cjjcfabm.exe34⤵
- Executes dropped EXE
PID:4300 -
C:\Windows\SysWOW64\Cimcan32.exeC:\Windows\system32\Cimcan32.exe35⤵
- Executes dropped EXE
PID:1484 -
C:\Windows\SysWOW64\Cadlbk32.exeC:\Windows\system32\Cadlbk32.exe36⤵
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Cpglnhad.exeC:\Windows\system32\Cpglnhad.exe37⤵
- Executes dropped EXE
PID:5112 -
C:\Windows\SysWOW64\Ccchof32.exeC:\Windows\system32\Ccchof32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:3256 -
C:\Windows\SysWOW64\Cgndoeag.exeC:\Windows\system32\Cgndoeag.exe39⤵
- Executes dropped EXE
PID:1556 -
C:\Windows\SysWOW64\Cjmpkqqj.exeC:\Windows\system32\Cjmpkqqj.exe40⤵PID:4484
-
C:\Windows\SysWOW64\Cippgm32.exeC:\Windows\system32\Cippgm32.exe41⤵
- Executes dropped EXE
PID:4596 -
C:\Windows\SysWOW64\Cmklglpn.exeC:\Windows\system32\Cmklglpn.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Cpihcgoa.exeC:\Windows\system32\Cpihcgoa.exe43⤵
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Cceddf32.exeC:\Windows\system32\Cceddf32.exe44⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Cfcqpa32.exeC:\Windows\system32\Cfcqpa32.exe45⤵
- Executes dropped EXE
PID:3336 -
C:\Windows\SysWOW64\Cjomap32.exeC:\Windows\system32\Cjomap32.exe46⤵
- Executes dropped EXE
PID:1344 -
C:\Windows\SysWOW64\Cmniml32.exeC:\Windows\system32\Cmniml32.exe47⤵
- Executes dropped EXE
PID:5004 -
C:\Windows\SysWOW64\Caienjfd.exeC:\Windows\system32\Caienjfd.exe48⤵
- Executes dropped EXE
PID:3732 -
C:\Windows\SysWOW64\Ccgajfeh.exeC:\Windows\system32\Ccgajfeh.exe49⤵
- Executes dropped EXE
PID:1832 -
C:\Windows\SysWOW64\Cgcmjd32.exeC:\Windows\system32\Cgcmjd32.exe50⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Cjaifp32.exeC:\Windows\system32\Cjaifp32.exe51⤵
- Executes dropped EXE
PID:224 -
C:\Windows\SysWOW64\Cidjbmcp.exeC:\Windows\system32\Cidjbmcp.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1624 -
C:\Windows\SysWOW64\Dakacjdb.exeC:\Windows\system32\Dakacjdb.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:3104 -
C:\Windows\SysWOW64\Dpnbog32.exeC:\Windows\system32\Dpnbog32.exe54⤵
- Executes dropped EXE
PID:1456 -
C:\Windows\SysWOW64\Dgejpd32.exeC:\Windows\system32\Dgejpd32.exe55⤵
- Executes dropped EXE
PID:3676 -
C:\Windows\SysWOW64\Dfhjkabi.exeC:\Windows\system32\Dfhjkabi.exe56⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Diffglam.exeC:\Windows\system32\Diffglam.exe57⤵
- Executes dropped EXE
PID:4908 -
C:\Windows\SysWOW64\Dannij32.exeC:\Windows\system32\Dannij32.exe58⤵
- Executes dropped EXE
PID:3592 -
C:\Windows\SysWOW64\Dpqodfij.exeC:\Windows\system32\Dpqodfij.exe59⤵
- Executes dropped EXE
PID:3696 -
C:\Windows\SysWOW64\Dhhfedil.exeC:\Windows\system32\Dhhfedil.exe60⤵
- Executes dropped EXE
PID:3604 -
C:\Windows\SysWOW64\Dfjgaq32.exeC:\Windows\system32\Dfjgaq32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4744 -
C:\Windows\SysWOW64\Diicml32.exeC:\Windows\system32\Diicml32.exe62⤵
- Executes dropped EXE
PID:1760 -
C:\Windows\SysWOW64\Dmdonkgc.exeC:\Windows\system32\Dmdonkgc.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Dpckjfgg.exeC:\Windows\system32\Dpckjfgg.exe64⤵
- Executes dropped EXE
PID:2804 -
C:\Windows\SysWOW64\Dhjckcgi.exeC:\Windows\system32\Dhjckcgi.exe65⤵
- Executes dropped EXE
PID:1224 -
C:\Windows\SysWOW64\Dfmcfp32.exeC:\Windows\system32\Dfmcfp32.exe66⤵
- Executes dropped EXE
- Modifies registry class
PID:2096 -
C:\Windows\SysWOW64\Dikpbl32.exeC:\Windows\system32\Dikpbl32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2216 -
C:\Windows\SysWOW64\Dabhdinj.exeC:\Windows\system32\Dabhdinj.exe68⤵PID:3432
-
C:\Windows\SysWOW64\Dpehof32.exeC:\Windows\system32\Dpehof32.exe69⤵PID:2916
-
C:\Windows\SysWOW64\Dhlpqc32.exeC:\Windows\system32\Dhlpqc32.exe70⤵PID:2540
-
C:\Windows\SysWOW64\Djklmo32.exeC:\Windows\system32\Djklmo32.exe71⤵PID:3600
-
C:\Windows\SysWOW64\Dinmhkke.exeC:\Windows\system32\Dinmhkke.exe72⤵PID:1840
-
C:\Windows\SysWOW64\Daediilg.exeC:\Windows\system32\Daediilg.exe73⤵PID:3320
-
C:\Windows\SysWOW64\Ddcqedkk.exeC:\Windows\system32\Ddcqedkk.exe74⤵PID:4868
-
C:\Windows\SysWOW64\Dhomfc32.exeC:\Windows\system32\Dhomfc32.exe75⤵PID:920
-
C:\Windows\SysWOW64\Djmibn32.exeC:\Windows\system32\Djmibn32.exe76⤵
- Drops file in System32 directory
PID:4856 -
C:\Windows\SysWOW64\Emlenj32.exeC:\Windows\system32\Emlenj32.exe77⤵PID:3780
-
C:\Windows\SysWOW64\Eagaoh32.exeC:\Windows\system32\Eagaoh32.exe78⤵PID:3836
-
C:\Windows\SysWOW64\Edemkd32.exeC:\Windows\system32\Edemkd32.exe79⤵PID:3444
-
C:\Windows\SysWOW64\Efdjgo32.exeC:\Windows\system32\Efdjgo32.exe80⤵PID:3704
-
C:\Windows\SysWOW64\Emnbdioi.exeC:\Windows\system32\Emnbdioi.exe81⤵
- Drops file in System32 directory
PID:1580 -
C:\Windows\SysWOW64\Eplnpeol.exeC:\Windows\system32\Eplnpeol.exe82⤵PID:1652
-
C:\Windows\SysWOW64\Ehcfaboo.exeC:\Windows\system32\Ehcfaboo.exe83⤵PID:2944
-
C:\Windows\SysWOW64\Efffmo32.exeC:\Windows\system32\Efffmo32.exe84⤵PID:4224
-
C:\Windows\SysWOW64\Eidbij32.exeC:\Windows\system32\Eidbij32.exe85⤵PID:4280
-
C:\Windows\SysWOW64\Ealkjh32.exeC:\Windows\system32\Ealkjh32.exe86⤵PID:2224
-
C:\Windows\SysWOW64\Edjgfcec.exeC:\Windows\system32\Edjgfcec.exe87⤵PID:4032
-
C:\Windows\SysWOW64\Efhcbodf.exeC:\Windows\system32\Efhcbodf.exe88⤵PID:2848
-
C:\Windows\SysWOW64\Eigonjcj.exeC:\Windows\system32\Eigonjcj.exe89⤵
- Drops file in System32 directory
PID:3976 -
C:\Windows\SysWOW64\Eangpgcl.exeC:\Windows\system32\Eangpgcl.exe90⤵PID:2012
-
C:\Windows\SysWOW64\Edmclccp.exeC:\Windows\system32\Edmclccp.exe91⤵PID:3756
-
C:\Windows\SysWOW64\Ejflhm32.exeC:\Windows\system32\Ejflhm32.exe92⤵PID:4572
-
C:\Windows\SysWOW64\Emehdh32.exeC:\Windows\system32\Emehdh32.exe93⤵PID:4612
-
C:\Windows\SysWOW64\Edopabqn.exeC:\Windows\system32\Edopabqn.exe94⤵PID:3304
-
C:\Windows\SysWOW64\Efmmmn32.exeC:\Windows\system32\Efmmmn32.exe95⤵PID:2168
-
C:\Windows\SysWOW64\Fkihnmhj.exeC:\Windows\system32\Fkihnmhj.exe96⤵PID:2364
-
C:\Windows\SysWOW64\Fmgejhgn.exeC:\Windows\system32\Fmgejhgn.exe97⤵PID:1036
-
C:\Windows\SysWOW64\Fpeafcfa.exeC:\Windows\system32\Fpeafcfa.exe98⤵PID:2476
-
C:\Windows\SysWOW64\Fhmigagd.exeC:\Windows\system32\Fhmigagd.exe99⤵PID:1796
-
C:\Windows\SysWOW64\Fkkeclfh.exeC:\Windows\system32\Fkkeclfh.exe100⤵PID:2620
-
C:\Windows\SysWOW64\Fmjaphek.exeC:\Windows\system32\Fmjaphek.exe101⤵PID:1844
-
C:\Windows\SysWOW64\Faenpf32.exeC:\Windows\system32\Faenpf32.exe102⤵
- System Location Discovery: System Language Discovery
PID:1880 -
C:\Windows\SysWOW64\Fdcjlb32.exeC:\Windows\system32\Fdcjlb32.exe103⤵PID:2268
-
C:\Windows\SysWOW64\Fgbfhmll.exeC:\Windows\system32\Fgbfhmll.exe104⤵PID:2320
-
C:\Windows\SysWOW64\Fipbdikp.exeC:\Windows\system32\Fipbdikp.exe105⤵PID:2700
-
C:\Windows\SysWOW64\Fagjfflb.exeC:\Windows\system32\Fagjfflb.exe106⤵PID:2956
-
C:\Windows\SysWOW64\Fdffbake.exeC:\Windows\system32\Fdffbake.exe107⤵PID:3952
-
C:\Windows\SysWOW64\Fgdbnmji.exeC:\Windows\system32\Fgdbnmji.exe108⤵PID:1672
-
C:\Windows\SysWOW64\Fibojhim.exeC:\Windows\system32\Fibojhim.exe109⤵PID:5152
-
C:\Windows\SysWOW64\Fajgkfio.exeC:\Windows\system32\Fajgkfio.exe110⤵PID:5192
-
C:\Windows\SysWOW64\Fpmggb32.exeC:\Windows\system32\Fpmggb32.exe111⤵
- Drops file in System32 directory
PID:5236 -
C:\Windows\SysWOW64\Fhdohp32.exeC:\Windows\system32\Fhdohp32.exe112⤵PID:5276
-
C:\Windows\SysWOW64\Fkbkdkpp.exeC:\Windows\system32\Fkbkdkpp.exe113⤵PID:5316
-
C:\Windows\SysWOW64\Fmqgpgoc.exeC:\Windows\system32\Fmqgpgoc.exe114⤵PID:5356
-
C:\Windows\SysWOW64\Fpodlbng.exeC:\Windows\system32\Fpodlbng.exe115⤵
- Drops file in System32 directory
PID:5396 -
C:\Windows\SysWOW64\Fhflnpoi.exeC:\Windows\system32\Fhflnpoi.exe116⤵PID:5436
-
C:\Windows\SysWOW64\Gkdhjknm.exeC:\Windows\system32\Gkdhjknm.exe117⤵PID:5476
-
C:\Windows\SysWOW64\Gmcdffmq.exeC:\Windows\system32\Gmcdffmq.exe118⤵PID:5516
-
C:\Windows\SysWOW64\Gpaqbbld.exeC:\Windows\system32\Gpaqbbld.exe119⤵
- Modifies registry class
PID:5552 -
C:\Windows\SysWOW64\Ghhhcomg.exeC:\Windows\system32\Ghhhcomg.exe120⤵PID:5592
-
C:\Windows\SysWOW64\Gkgeoklj.exeC:\Windows\system32\Gkgeoklj.exe121⤵PID:5632
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-