Analysis
-
max time kernel
39s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
22-12-2024 16:42
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
bf4ce6823a137af0e0b288c685867ef166758f5b9089da99efeedc7f9a5a29d1.exe
Resource
win7-20241010-en
windows7-x64
13 signatures
120 seconds
Behavioral task
behavioral2
Sample
bf4ce6823a137af0e0b288c685867ef166758f5b9089da99efeedc7f9a5a29d1.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
bf4ce6823a137af0e0b288c685867ef166758f5b9089da99efeedc7f9a5a29d1.exe
-
Size
96KB
-
MD5
c0c9ce979d47a0ea84d8cf10a377e35b
-
SHA1
5a54dfaed4d7714ee27e18b279576ae4f7d6b701
-
SHA256
bf4ce6823a137af0e0b288c685867ef166758f5b9089da99efeedc7f9a5a29d1
-
SHA512
0e5dba42788c41b4a9e8f896091239dabf6ebd9d15b782597727b16cae92fcc2222c76b71e51581d286cd6732898f61afdaeff99b2b46d8f37e00cf65498e719
-
SSDEEP
1536:lU60S224YjZKj5kCL2LH7RZObZUUWaegPYAW:/224eDHClUUWael
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llomhllh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjcekj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjkcedgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efifjg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmgenh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbnqln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnljkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ieohfemq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kononm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fooghg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjcekj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkmcni32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khfcgbge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lobehpok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qolmip32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbokoa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llainlje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kphbmp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlmiojla.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajghgd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ceanmc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kekkkm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcahjqfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oikeal32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlnjjc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmafmo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njgeel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oafjfokk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnbgdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcahjqfa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkhhie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Feeilbhg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkkaik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmfhqmge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nloedjin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dihmae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bqciha32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcojbm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbegonmd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkbdbbop.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpbgghhl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elnagijk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecjkkp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imqdcjkd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oikeal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Peooek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oiniaboi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iabcbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcmeogam.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icmlnmgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pihnqj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccgahe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfhjjp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dflpdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flphccbp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gklkdn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjomoo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehgoaiml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikbndqnc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkmcni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdbkaoce.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnbbjf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eabgjeef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikbndqnc.exe -
Berbew family
-
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
-
Bruteratel family
-
Detect BruteRatel badger 1 IoCs
resource yara_rule behavioral1/files/0x000400000001dcd0-2626.dat family_bruteratel -
Executes dropped EXE 64 IoCs
pid Process 2236 Bineidcj.exe 2096 Bklaepbn.exe 2136 Cakfcfoc.exe 2756 Cancif32.exe 2732 Cjhdgk32.exe 2768 Cbcikn32.exe 1576 Dlnjjc32.exe 752 Doocln32.exe 2308 Dbmlal32.exe 2916 Dkhpfo32.exe 2944 Dgoakpjn.exe 1824 Eganqo32.exe 468 Ecjkkp32.exe 2160 Eghdanac.exe 2684 Ehlmnfeo.exe 808 Fljfdd32.exe 1148 Fhqfie32.exe 2384 Fdggofgn.exe 1768 Fqnhcgma.exe 796 Fkdlaplh.exe 1832 Fgjmfa32.exe 916 Gmgenh32.exe 2388 Ggmjkapi.exe 2392 Gccjpb32.exe 1716 Gojkecka.exe 2344 Gicpnhbb.exe 2872 Gielchpp.exe 1568 Hbnqln32.exe 2484 Hbpmbndm.exe 2828 Hkhbkc32.exe 2792 Hmlkhk32.exe 2572 Hpmdjf32.exe 568 Hjbhgolp.exe 1740 Imqdcjkd.exe 2816 Ibmmkaik.exe 2920 Indnqb32.exe 1704 Iaegbmlq.exe 1756 Idepdhia.exe 2356 Jhchjgoh.exe 2060 Jgpklb32.exe 900 Keehmobp.exe 2616 Kkaaee32.exe 2512 Kopikdgn.exe 2528 Kneflplf.exe 2016 Kgmkef32.exe 1700 Kjlgaa32.exe 1056 Kcdljghj.exe 1276 Lkkckdhm.exe 264 Ldchdjom.exe 2808 Lgbdpena.exe 2856 Llomhllh.exe 2304 Lomidgkl.exe 2912 Ljbmbpkb.exe 2888 Llainlje.exe 1308 Ljejgp32.exe 2500 Lhhjcmpj.exe 1748 Llfcik32.exe 2960 Lngpac32.exe 2676 Mkkpjg32.exe 632 Mgaqohql.exe 2144 Mqjehngm.exe 2408 Mgdmeh32.exe 1392 Mmafmo32.exe 932 Mdhnnl32.exe -
Loads dropped DLL 64 IoCs
pid Process 2608 bf4ce6823a137af0e0b288c685867ef166758f5b9089da99efeedc7f9a5a29d1.exe 2608 bf4ce6823a137af0e0b288c685867ef166758f5b9089da99efeedc7f9a5a29d1.exe 2236 Bineidcj.exe 2236 Bineidcj.exe 2096 Bklaepbn.exe 2096 Bklaepbn.exe 2136 Cakfcfoc.exe 2136 Cakfcfoc.exe 2756 Cancif32.exe 2756 Cancif32.exe 2732 Cjhdgk32.exe 2732 Cjhdgk32.exe 2768 Cbcikn32.exe 2768 Cbcikn32.exe 1576 Dlnjjc32.exe 1576 Dlnjjc32.exe 752 Doocln32.exe 752 Doocln32.exe 2308 Dbmlal32.exe 2308 Dbmlal32.exe 2916 Dkhpfo32.exe 2916 Dkhpfo32.exe 2944 Dgoakpjn.exe 2944 Dgoakpjn.exe 1824 Eganqo32.exe 1824 Eganqo32.exe 468 Ecjkkp32.exe 468 Ecjkkp32.exe 2160 Eghdanac.exe 2160 Eghdanac.exe 2684 Ehlmnfeo.exe 2684 Ehlmnfeo.exe 808 Fljfdd32.exe 808 Fljfdd32.exe 1148 Fhqfie32.exe 1148 Fhqfie32.exe 2384 Fdggofgn.exe 2384 Fdggofgn.exe 1768 Fqnhcgma.exe 1768 Fqnhcgma.exe 796 Fkdlaplh.exe 796 Fkdlaplh.exe 1832 Fgjmfa32.exe 1832 Fgjmfa32.exe 916 Gmgenh32.exe 916 Gmgenh32.exe 2388 Ggmjkapi.exe 2388 Ggmjkapi.exe 2392 Gccjpb32.exe 2392 Gccjpb32.exe 1716 Gojkecka.exe 1716 Gojkecka.exe 3012 Gnphfppi.exe 3012 Gnphfppi.exe 2872 Gielchpp.exe 2872 Gielchpp.exe 1568 Hbnqln32.exe 1568 Hbnqln32.exe 2484 Hbpmbndm.exe 2484 Hbpmbndm.exe 2828 Hkhbkc32.exe 2828 Hkhbkc32.exe 2792 Hmlkhk32.exe 2792 Hmlkhk32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bkpdpg32.dll Bfqaph32.exe File opened for modification C:\Windows\SysWOW64\Kcahjqfa.exe Kekkkm32.exe File created C:\Windows\SysWOW64\Dcpkli32.dll Ahancp32.exe File opened for modification C:\Windows\SysWOW64\Bdmhcp32.exe Bbolge32.exe File created C:\Windows\SysWOW64\Igoagpja.exe Iodlcnmf.exe File opened for modification C:\Windows\SysWOW64\Aflkiapg.exe Apbblg32.exe File created C:\Windows\SysWOW64\Efkjha32.dll Emfbgg32.exe File opened for modification C:\Windows\SysWOW64\Cfmjoe32.exe Cjfjjd32.exe File created C:\Windows\SysWOW64\Elkbipdi.exe Dbcnpk32.exe File created C:\Windows\SysWOW64\Hjcajn32.exe Hfalaj32.exe File created C:\Windows\SysWOW64\Jlgcncli.exe Jocceo32.exe File created C:\Windows\SysWOW64\Iknkfi32.dll Nbaafocg.exe File created C:\Windows\SysWOW64\Bnafjo32.exe Aajedn32.exe File created C:\Windows\SysWOW64\Logkbl32.dll Gohjnf32.exe File opened for modification C:\Windows\SysWOW64\Jhchjgoh.exe Idepdhia.exe File opened for modification C:\Windows\SysWOW64\Dbcnpk32.exe Dmffhd32.exe File created C:\Windows\SysWOW64\Dfpcdh32.exe Denglpkc.exe File created C:\Windows\SysWOW64\Giemhaee.dll Ollncgjq.exe File created C:\Windows\SysWOW64\Pahemgbf.dll Pjchjcmf.exe File opened for modification C:\Windows\SysWOW64\Lgbfin32.exe Linfpi32.exe File created C:\Windows\SysWOW64\Eimien32.exe Dmfhqmge.exe File opened for modification C:\Windows\SysWOW64\Kobhillo.exe Kejdqffo.exe File created C:\Windows\SysWOW64\Nkgkop32.dll Bpbokj32.exe File opened for modification C:\Windows\SysWOW64\Fcgdjmlo.exe Fmjkbfnh.exe File created C:\Windows\SysWOW64\Chidkl32.dll Bcmeogam.exe File created C:\Windows\SysWOW64\Acblea32.dll Iaheqe32.exe File opened for modification C:\Windows\SysWOW64\Lhhmle32.exe Lmolkg32.exe File created C:\Windows\SysWOW64\Dnonjqdq.exe Dcijmhdj.exe File created C:\Windows\SysWOW64\Ledcahkp.dll Ldchdjom.exe File opened for modification C:\Windows\SysWOW64\Iodlcnmf.exe Ieohfemq.exe File created C:\Windows\SysWOW64\Mjofanld.exe Kcahjqfa.exe File created C:\Windows\SysWOW64\Ngafdepl.exe Nkjeod32.exe File created C:\Windows\SysWOW64\Cccgni32.exe Cjkcedgp.exe File opened for modification C:\Windows\SysWOW64\Nhffikob.exe Nloedjin.exe File opened for modification C:\Windows\SysWOW64\Gdbchd32.exe Gacgli32.exe File opened for modification C:\Windows\SysWOW64\Kejdqffo.exe Khfcgbge.exe File opened for modification C:\Windows\SysWOW64\Pbppqf32.exe Plfhdlfb.exe File created C:\Windows\SysWOW64\Cjkcedgp.exe Ccakij32.exe File opened for modification C:\Windows\SysWOW64\Macnjk32.exe Mlfebcnd.exe File opened for modification C:\Windows\SysWOW64\Dfpcdh32.exe Denglpkc.exe File opened for modification C:\Windows\SysWOW64\Mlfebcnd.exe Lobehpok.exe File created C:\Windows\SysWOW64\Bpbokj32.exe Bdknfiea.exe File opened for modification C:\Windows\SysWOW64\Dpbgghhl.exe Djfooa32.exe File opened for modification C:\Windows\SysWOW64\Hmlkhk32.exe Hkhbkc32.exe File opened for modification C:\Windows\SysWOW64\Omjgkjof.exe Ocbbbd32.exe File opened for modification C:\Windows\SysWOW64\Bdknfiea.exe Bnafjo32.exe File created C:\Windows\SysWOW64\Nokabf32.dll Eamgeo32.exe File opened for modification C:\Windows\SysWOW64\Dahobdpe.exe Cnjbfhqa.exe File created C:\Windows\SysWOW64\Apeblc32.dll Nkjeod32.exe File opened for modification C:\Windows\SysWOW64\Eamgeo32.exe Eibbqmhd.exe File opened for modification C:\Windows\SysWOW64\Keehmobp.exe Jgpklb32.exe File created C:\Windows\SysWOW64\Edocjp32.dll Lomidgkl.exe File created C:\Windows\SysWOW64\Glanhbmn.dll Pdnihiad.exe File created C:\Windows\SysWOW64\Qpjchicb.exe Pbfcoedi.exe File created C:\Windows\SysWOW64\Qdapln32.dll Igoagpja.exe File opened for modification C:\Windows\SysWOW64\Oikeal32.exe Onfadc32.exe File opened for modification C:\Windows\SysWOW64\Aniffaim.exe Akjjifji.exe File opened for modification C:\Windows\SysWOW64\Mgdmeh32.exe Mqjehngm.exe File created C:\Windows\SysWOW64\Fcgdjmlo.exe Fmjkbfnh.exe File opened for modification C:\Windows\SysWOW64\Linfpi32.exe Lgpjcnhh.exe File created C:\Windows\SysWOW64\Kgmkef32.exe Kneflplf.exe File created C:\Windows\SysWOW64\Mkkpjg32.exe Lngpac32.exe File created C:\Windows\SysWOW64\Qpaknfnf.dll Goemhfco.exe File created C:\Windows\SysWOW64\Llomhllh.exe Lgbdpena.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5108 5048 WerFault.exe 408 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Moahdd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkjeod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obopobhe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hchbcmlh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkaaee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oiniaboi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ceanmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkiknb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obniel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogkbmcba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baakem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehilgikj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmgnan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qbkljd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgbfin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgaqohql.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpphipbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpnbcfkc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mffgfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqidme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfmjoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dklibf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eimien32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqjehngm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajghgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebekej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fondonbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbcikn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocglmcdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgjmfa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldchdjom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acplpjpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaamobdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdgane32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkhhie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbfcoedi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmafmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppogok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bblpae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boifinfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iapfmg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpdibapb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fljfdd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgnfpm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gklkdn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfalaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gacgli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kphbmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlfebcnd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dflpdb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgpklb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njipabhe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qckcdj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgpjin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngafdepl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cancif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjbhgolp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdknfiea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghnaaljp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djibogkn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gebiefle.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apbblg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alicahno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhqfie32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iglkoaad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifikehii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nbegonmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biehcmhh.dll" Conbmfif.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bklaepbn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjhdgk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhqfie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhocnhce.dll" Pfgcff32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dahobdpe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfmjoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jffakm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlfebcnd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apbblg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkkpjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oiniaboi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdgane32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dpmeij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akcaajnk.dll" Njjbjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fkdlaplh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oelcho32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ccakij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cccgni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iofpmj32.dll" Moahdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obfoioei.dll" Hhjhgpcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opcqhn32.dll" Fljfdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ggmjkapi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oacdmpan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbekbnge.dll" Bdbkaoce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acfdnmfb.dll" Gnphfppi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lckfbdjp.dll" Jffakm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apeblc32.dll" Nkjeod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjgbck32.dll" Cccgni32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kobhillo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Peakkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeqfhb32.dll" Eghdanac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbnqln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajghgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjfjjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgnoehoj.dll" Akpmhdqd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gaamobdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghpdqdc.dll" Njipabhe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebghkjjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Akjjifji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjgefg32.dll" Fpijgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdneoh32.dll" Dfpcdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfibnjf.dll" Pjqdjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooneiddj.dll" Jplinckj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jafkmh32.dll" Obniel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbmlal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljbmbpkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbppqf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfqaph32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qpjchicb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qjcmoqlf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpmdjf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fondonbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlmoai32.dll" Ngafdepl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdjabn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eelfedpa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckebbgoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qpocno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfebofm.dll" Onmgeb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iodlcnmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pihnqj32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2608 wrote to memory of 2236 2608 bf4ce6823a137af0e0b288c685867ef166758f5b9089da99efeedc7f9a5a29d1.exe 29 PID 2608 wrote to memory of 2236 2608 bf4ce6823a137af0e0b288c685867ef166758f5b9089da99efeedc7f9a5a29d1.exe 29 PID 2608 wrote to memory of 2236 2608 bf4ce6823a137af0e0b288c685867ef166758f5b9089da99efeedc7f9a5a29d1.exe 29 PID 2608 wrote to memory of 2236 2608 bf4ce6823a137af0e0b288c685867ef166758f5b9089da99efeedc7f9a5a29d1.exe 29 PID 2236 wrote to memory of 2096 2236 Bineidcj.exe 30 PID 2236 wrote to memory of 2096 2236 Bineidcj.exe 30 PID 2236 wrote to memory of 2096 2236 Bineidcj.exe 30 PID 2236 wrote to memory of 2096 2236 Bineidcj.exe 30 PID 2096 wrote to memory of 2136 2096 Bklaepbn.exe 31 PID 2096 wrote to memory of 2136 2096 Bklaepbn.exe 31 PID 2096 wrote to memory of 2136 2096 Bklaepbn.exe 31 PID 2096 wrote to memory of 2136 2096 Bklaepbn.exe 31 PID 2136 wrote to memory of 2756 2136 Cakfcfoc.exe 32 PID 2136 wrote to memory of 2756 2136 Cakfcfoc.exe 32 PID 2136 wrote to memory of 2756 2136 Cakfcfoc.exe 32 PID 2136 wrote to memory of 2756 2136 Cakfcfoc.exe 32 PID 2756 wrote to memory of 2732 2756 Cancif32.exe 33 PID 2756 wrote to memory of 2732 2756 Cancif32.exe 33 PID 2756 wrote to memory of 2732 2756 Cancif32.exe 33 PID 2756 wrote to memory of 2732 2756 Cancif32.exe 33 PID 2732 wrote to memory of 2768 2732 Cjhdgk32.exe 34 PID 2732 wrote to memory of 2768 2732 Cjhdgk32.exe 34 PID 2732 wrote to memory of 2768 2732 Cjhdgk32.exe 34 PID 2732 wrote to memory of 2768 2732 Cjhdgk32.exe 34 PID 2768 wrote to memory of 1576 2768 Cbcikn32.exe 35 PID 2768 wrote to memory of 1576 2768 Cbcikn32.exe 35 PID 2768 wrote to memory of 1576 2768 Cbcikn32.exe 35 PID 2768 wrote to memory of 1576 2768 Cbcikn32.exe 35 PID 1576 wrote to memory of 752 1576 Dlnjjc32.exe 36 PID 1576 wrote to memory of 752 1576 Dlnjjc32.exe 36 PID 1576 wrote to memory of 752 1576 Dlnjjc32.exe 36 PID 1576 wrote to memory of 752 1576 Dlnjjc32.exe 36 PID 752 wrote to memory of 2308 752 Doocln32.exe 37 PID 752 wrote to memory of 2308 752 Doocln32.exe 37 PID 752 wrote to memory of 2308 752 Doocln32.exe 37 PID 752 wrote to memory of 2308 752 Doocln32.exe 37 PID 2308 wrote to memory of 2916 2308 Dbmlal32.exe 38 PID 2308 wrote to memory of 2916 2308 Dbmlal32.exe 38 PID 2308 wrote to memory of 2916 2308 Dbmlal32.exe 38 PID 2308 wrote to memory of 2916 2308 Dbmlal32.exe 38 PID 2916 wrote to memory of 2944 2916 Dkhpfo32.exe 39 PID 2916 wrote to memory of 2944 2916 Dkhpfo32.exe 39 PID 2916 wrote to memory of 2944 2916 Dkhpfo32.exe 39 PID 2916 wrote to memory of 2944 2916 Dkhpfo32.exe 39 PID 2944 wrote to memory of 1824 2944 Dgoakpjn.exe 40 PID 2944 wrote to memory of 1824 2944 Dgoakpjn.exe 40 PID 2944 wrote to memory of 1824 2944 Dgoakpjn.exe 40 PID 2944 wrote to memory of 1824 2944 Dgoakpjn.exe 40 PID 1824 wrote to memory of 468 1824 Eganqo32.exe 41 PID 1824 wrote to memory of 468 1824 Eganqo32.exe 41 PID 1824 wrote to memory of 468 1824 Eganqo32.exe 41 PID 1824 wrote to memory of 468 1824 Eganqo32.exe 41 PID 468 wrote to memory of 2160 468 Ecjkkp32.exe 42 PID 468 wrote to memory of 2160 468 Ecjkkp32.exe 42 PID 468 wrote to memory of 2160 468 Ecjkkp32.exe 42 PID 468 wrote to memory of 2160 468 Ecjkkp32.exe 42 PID 2160 wrote to memory of 2684 2160 Eghdanac.exe 43 PID 2160 wrote to memory of 2684 2160 Eghdanac.exe 43 PID 2160 wrote to memory of 2684 2160 Eghdanac.exe 43 PID 2160 wrote to memory of 2684 2160 Eghdanac.exe 43 PID 2684 wrote to memory of 808 2684 Ehlmnfeo.exe 44 PID 2684 wrote to memory of 808 2684 Ehlmnfeo.exe 44 PID 2684 wrote to memory of 808 2684 Ehlmnfeo.exe 44 PID 2684 wrote to memory of 808 2684 Ehlmnfeo.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\bf4ce6823a137af0e0b288c685867ef166758f5b9089da99efeedc7f9a5a29d1.exe"C:\Users\Admin\AppData\Local\Temp\bf4ce6823a137af0e0b288c685867ef166758f5b9089da99efeedc7f9a5a29d1.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Bineidcj.exeC:\Windows\system32\Bineidcj.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\Bklaepbn.exeC:\Windows\system32\Bklaepbn.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Windows\SysWOW64\Cakfcfoc.exeC:\Windows\system32\Cakfcfoc.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\SysWOW64\Cancif32.exeC:\Windows\system32\Cancif32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Cjhdgk32.exeC:\Windows\system32\Cjhdgk32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Cbcikn32.exeC:\Windows\system32\Cbcikn32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\Dlnjjc32.exeC:\Windows\system32\Dlnjjc32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1576 -
C:\Windows\SysWOW64\Doocln32.exeC:\Windows\system32\Doocln32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:752 -
C:\Windows\SysWOW64\Dbmlal32.exeC:\Windows\system32\Dbmlal32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Windows\SysWOW64\Dkhpfo32.exeC:\Windows\system32\Dkhpfo32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\SysWOW64\Dgoakpjn.exeC:\Windows\system32\Dgoakpjn.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\Eganqo32.exeC:\Windows\system32\Eganqo32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1824 -
C:\Windows\SysWOW64\Ecjkkp32.exeC:\Windows\system32\Ecjkkp32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:468 -
C:\Windows\SysWOW64\Eghdanac.exeC:\Windows\system32\Eghdanac.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Windows\SysWOW64\Ehlmnfeo.exeC:\Windows\system32\Ehlmnfeo.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Fljfdd32.exeC:\Windows\system32\Fljfdd32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:808 -
C:\Windows\SysWOW64\Fhqfie32.exeC:\Windows\system32\Fhqfie32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1148 -
C:\Windows\SysWOW64\Fdggofgn.exeC:\Windows\system32\Fdggofgn.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2384 -
C:\Windows\SysWOW64\Fqnhcgma.exeC:\Windows\system32\Fqnhcgma.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1768 -
C:\Windows\SysWOW64\Fkdlaplh.exeC:\Windows\system32\Fkdlaplh.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:796 -
C:\Windows\SysWOW64\Fgjmfa32.exeC:\Windows\system32\Fgjmfa32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1832 -
C:\Windows\SysWOW64\Gmgenh32.exeC:\Windows\system32\Gmgenh32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:916 -
C:\Windows\SysWOW64\Ggmjkapi.exeC:\Windows\system32\Ggmjkapi.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2388 -
C:\Windows\SysWOW64\Gccjpb32.exeC:\Windows\system32\Gccjpb32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2392 -
C:\Windows\SysWOW64\Gojkecka.exeC:\Windows\system32\Gojkecka.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1716 -
C:\Windows\SysWOW64\Gicpnhbb.exeC:\Windows\system32\Gicpnhbb.exe27⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Gnphfppi.exeC:\Windows\system32\Gnphfppi.exe28⤵
- Loads dropped DLL
- Modifies registry class
PID:3012 -
C:\Windows\SysWOW64\Gielchpp.exeC:\Windows\system32\Gielchpp.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2872 -
C:\Windows\SysWOW64\Hbnqln32.exeC:\Windows\system32\Hbnqln32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1568 -
C:\Windows\SysWOW64\Hbpmbndm.exeC:\Windows\system32\Hbpmbndm.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2484 -
C:\Windows\SysWOW64\Hkhbkc32.exeC:\Windows\system32\Hkhbkc32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2828 -
C:\Windows\SysWOW64\Hmlkhk32.exeC:\Windows\system32\Hmlkhk32.exe33⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2792 -
C:\Windows\SysWOW64\Hpmdjf32.exeC:\Windows\system32\Hpmdjf32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:2572 -
C:\Windows\SysWOW64\Hjbhgolp.exeC:\Windows\system32\Hjbhgolp.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:568 -
C:\Windows\SysWOW64\Imqdcjkd.exeC:\Windows\system32\Imqdcjkd.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Ibmmkaik.exeC:\Windows\system32\Ibmmkaik.exe37⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Indnqb32.exeC:\Windows\system32\Indnqb32.exe38⤵
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Iaegbmlq.exeC:\Windows\system32\Iaegbmlq.exe39⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Idepdhia.exeC:\Windows\system32\Idepdhia.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1756 -
C:\Windows\SysWOW64\Jhchjgoh.exeC:\Windows\system32\Jhchjgoh.exe41⤵
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Jgpklb32.exeC:\Windows\system32\Jgpklb32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2060 -
C:\Windows\SysWOW64\Keehmobp.exeC:\Windows\system32\Keehmobp.exe43⤵
- Executes dropped EXE
PID:900 -
C:\Windows\SysWOW64\Kkaaee32.exeC:\Windows\system32\Kkaaee32.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2616 -
C:\Windows\SysWOW64\Kopikdgn.exeC:\Windows\system32\Kopikdgn.exe45⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Kneflplf.exeC:\Windows\system32\Kneflplf.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2528 -
C:\Windows\SysWOW64\Kgmkef32.exeC:\Windows\system32\Kgmkef32.exe47⤵
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\Kjlgaa32.exeC:\Windows\system32\Kjlgaa32.exe48⤵
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\Kcdljghj.exeC:\Windows\system32\Kcdljghj.exe49⤵
- Executes dropped EXE
PID:1056 -
C:\Windows\SysWOW64\Lkkckdhm.exeC:\Windows\system32\Lkkckdhm.exe50⤵
- Executes dropped EXE
PID:1276 -
C:\Windows\SysWOW64\Ldchdjom.exeC:\Windows\system32\Ldchdjom.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:264 -
C:\Windows\SysWOW64\Lgbdpena.exeC:\Windows\system32\Lgbdpena.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2808 -
C:\Windows\SysWOW64\Llomhllh.exeC:\Windows\system32\Llomhllh.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Lomidgkl.exeC:\Windows\system32\Lomidgkl.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2304 -
C:\Windows\SysWOW64\Ljbmbpkb.exeC:\Windows\system32\Ljbmbpkb.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2912 -
C:\Windows\SysWOW64\Llainlje.exeC:\Windows\system32\Llainlje.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Ljejgp32.exeC:\Windows\system32\Ljejgp32.exe57⤵
- Executes dropped EXE
PID:1308 -
C:\Windows\SysWOW64\Lhhjcmpj.exeC:\Windows\system32\Lhhjcmpj.exe58⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Llfcik32.exeC:\Windows\system32\Llfcik32.exe59⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Lngpac32.exeC:\Windows\system32\Lngpac32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2960 -
C:\Windows\SysWOW64\Mkkpjg32.exeC:\Windows\system32\Mkkpjg32.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:2676 -
C:\Windows\SysWOW64\Mgaqohql.exeC:\Windows\system32\Mgaqohql.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:632 -
C:\Windows\SysWOW64\Mqjehngm.exeC:\Windows\system32\Mqjehngm.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2144 -
C:\Windows\SysWOW64\Mgdmeh32.exeC:\Windows\system32\Mgdmeh32.exe64⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Mmafmo32.exeC:\Windows\system32\Mmafmo32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1392 -
C:\Windows\SysWOW64\Mdhnnl32.exeC:\Windows\system32\Mdhnnl32.exe66⤵
- Executes dropped EXE
PID:932 -
C:\Windows\SysWOW64\Mqoocmcg.exeC:\Windows\system32\Mqoocmcg.exe67⤵PID:1336
-
C:\Windows\SysWOW64\Njipabhe.exeC:\Windows\system32\Njipabhe.exe68⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1652 -
C:\Windows\SysWOW64\Ncbdjhnf.exeC:\Windows\system32\Ncbdjhnf.exe69⤵PID:2444
-
C:\Windows\SysWOW64\Nlmiojla.exeC:\Windows\system32\Nlmiojla.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2400 -
C:\Windows\SysWOW64\Nfbmlckg.exeC:\Windows\system32\Nfbmlckg.exe71⤵PID:1724
-
C:\Windows\SysWOW64\Nloedjin.exeC:\Windows\system32\Nloedjin.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2996 -
C:\Windows\SysWOW64\Nhffikob.exeC:\Windows\system32\Nhffikob.exe73⤵PID:2976
-
C:\Windows\SysWOW64\Nbljfdoh.exeC:\Windows\system32\Nbljfdoh.exe74⤵PID:1668
-
C:\Windows\SysWOW64\Onbkle32.exeC:\Windows\system32\Onbkle32.exe75⤵PID:2760
-
C:\Windows\SysWOW64\Oelcho32.exeC:\Windows\system32\Oelcho32.exe76⤵
- Modifies registry class
PID:1128 -
C:\Windows\SysWOW64\Ojilqf32.exeC:\Windows\system32\Ojilqf32.exe77⤵PID:2080
-
C:\Windows\SysWOW64\Oacdmpan.exeC:\Windows\system32\Oacdmpan.exe78⤵
- Modifies registry class
PID:828 -
C:\Windows\SysWOW64\Oiniaboi.exeC:\Windows\system32\Oiniaboi.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2964 -
C:\Windows\SysWOW64\Pfgcff32.exeC:\Windows\system32\Pfgcff32.exe80⤵
- Modifies registry class
PID:1132 -
C:\Windows\SysWOW64\Ppogok32.exeC:\Windows\system32\Ppogok32.exe81⤵
- System Location Discovery: System Language Discovery
PID:1028 -
C:\Windows\SysWOW64\Plfhdlfb.exeC:\Windows\system32\Plfhdlfb.exe82⤵
- Drops file in System32 directory
PID:2108 -
C:\Windows\SysWOW64\Pbppqf32.exeC:\Windows\system32\Pbppqf32.exe83⤵
- Modifies registry class
PID:1584 -
C:\Windows\SysWOW64\Pdamhocm.exeC:\Windows\system32\Pdamhocm.exe84⤵PID:976
-
C:\Windows\SysWOW64\Pgbejj32.exeC:\Windows\system32\Pgbejj32.exe85⤵PID:1548
-
C:\Windows\SysWOW64\Poinkg32.exeC:\Windows\system32\Poinkg32.exe86⤵PID:748
-
C:\Windows\SysWOW64\Phabdmgq.exeC:\Windows\system32\Phabdmgq.exe87⤵PID:2012
-
C:\Windows\SysWOW64\Qicoleno.exeC:\Windows\system32\Qicoleno.exe88⤵PID:2592
-
C:\Windows\SysWOW64\Qckcdj32.exeC:\Windows\system32\Qckcdj32.exe89⤵
- System Location Discovery: System Language Discovery
PID:2680 -
C:\Windows\SysWOW64\Qkbkfh32.exeC:\Windows\system32\Qkbkfh32.exe90⤵PID:2072
-
C:\Windows\SysWOW64\Qpocno32.exeC:\Windows\system32\Qpocno32.exe91⤵
- Modifies registry class
PID:2748 -
C:\Windows\SysWOW64\Ajghgd32.exeC:\Windows\system32\Ajghgd32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2632 -
C:\Windows\SysWOW64\Acplpjpj.exeC:\Windows\system32\Acplpjpj.exe93⤵
- System Location Discovery: System Language Discovery
PID:2352 -
C:\Windows\SysWOW64\Ajjeld32.exeC:\Windows\system32\Ajjeld32.exe94⤵PID:2688
-
C:\Windows\SysWOW64\Acbieing.exeC:\Windows\system32\Acbieing.exe95⤵PID:892
-
C:\Windows\SysWOW64\Afqeaemk.exeC:\Windows\system32\Afqeaemk.exe96⤵PID:2464
-
C:\Windows\SysWOW64\Acdfki32.exeC:\Windows\system32\Acdfki32.exe97⤵PID:2124
-
C:\Windows\SysWOW64\Ahancp32.exeC:\Windows\system32\Ahancp32.exe98⤵
- Drops file in System32 directory
PID:560 -
C:\Windows\SysWOW64\Afeold32.exeC:\Windows\system32\Afeold32.exe99⤵PID:2204
-
C:\Windows\SysWOW64\Bblpae32.exeC:\Windows\system32\Bblpae32.exe100⤵
- System Location Discovery: System Language Discovery
PID:1556 -
C:\Windows\SysWOW64\Bbolge32.exeC:\Windows\system32\Bbolge32.exe101⤵
- Drops file in System32 directory
PID:2164 -
C:\Windows\SysWOW64\Bdmhcp32.exeC:\Windows\system32\Bdmhcp32.exe102⤵PID:2652
-
C:\Windows\SysWOW64\Bqciha32.exeC:\Windows\system32\Bqciha32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2460 -
C:\Windows\SysWOW64\Bfqaph32.exeC:\Windows\system32\Bfqaph32.exe104⤵
- Drops file in System32 directory
- Modifies registry class
PID:2436 -
C:\Windows\SysWOW64\Boifinfg.exeC:\Windows\system32\Boifinfg.exe105⤵
- System Location Discovery: System Language Discovery
PID:2772 -
C:\Windows\SysWOW64\Cbnhfhoc.exeC:\Windows\system32\Cbnhfhoc.exe106⤵PID:328
-
C:\Windows\SysWOW64\Ceanmc32.exeC:\Windows\system32\Ceanmc32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2948 -
C:\Windows\SysWOW64\Cgpjin32.exeC:\Windows\system32\Cgpjin32.exe108⤵
- System Location Discovery: System Language Discovery
PID:872 -
C:\Windows\SysWOW64\Cnjbfhqa.exeC:\Windows\system32\Cnjbfhqa.exe109⤵
- Drops file in System32 directory
PID:1920 -
C:\Windows\SysWOW64\Dahobdpe.exeC:\Windows\system32\Dahobdpe.exe110⤵
- Modifies registry class
PID:2412 -
C:\Windows\SysWOW64\Dcfknooi.exeC:\Windows\system32\Dcfknooi.exe111⤵PID:1944
-
C:\Windows\SysWOW64\Djqcki32.exeC:\Windows\system32\Djqcki32.exe112⤵PID:1272
-
C:\Windows\SysWOW64\Difplf32.exeC:\Windows\system32\Difplf32.exe113⤵PID:1516
-
C:\Windows\SysWOW64\Dpphipbk.exeC:\Windows\system32\Dpphipbk.exe114⤵
- System Location Discovery: System Language Discovery
PID:1676 -
C:\Windows\SysWOW64\Dihmae32.exeC:\Windows\system32\Dihmae32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2348 -
C:\Windows\SysWOW64\Ddnaonia.exeC:\Windows\system32\Ddnaonia.exe116⤵PID:2832
-
C:\Windows\SysWOW64\Dmffhd32.exeC:\Windows\system32\Dmffhd32.exe117⤵
- Drops file in System32 directory
PID:3016 -
C:\Windows\SysWOW64\Dbcnpk32.exeC:\Windows\system32\Dbcnpk32.exe118⤵
- Drops file in System32 directory
PID:2700 -
C:\Windows\SysWOW64\Elkbipdi.exeC:\Windows\system32\Elkbipdi.exe119⤵PID:2704
-
C:\Windows\SysWOW64\Ebekej32.exeC:\Windows\system32\Ebekej32.exe120⤵
- System Location Discovery: System Language Discovery
PID:2140 -
C:\Windows\SysWOW64\Ekppjmia.exeC:\Windows\system32\Ekppjmia.exe121⤵PID:2692
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-