Analysis
-
max time kernel
45s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
17-01-2025 15:40
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8f3b84757350d524d22dcb8dc66f256f4f3a4aafd73bef1970969f977a4c3795N.exe
Resource
win7-20241010-en
windows7-x64
13 signatures
120 seconds
Behavioral task
behavioral2
Sample
8f3b84757350d524d22dcb8dc66f256f4f3a4aafd73bef1970969f977a4c3795N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
12 signatures
120 seconds
General
-
Target
8f3b84757350d524d22dcb8dc66f256f4f3a4aafd73bef1970969f977a4c3795N.exe
-
Size
96KB
-
MD5
cccc9d6347c5dd6b29e815fdab7bd7f0
-
SHA1
b29cbcccc4f3b043454b5348a6de665608d1d7d8
-
SHA256
8f3b84757350d524d22dcb8dc66f256f4f3a4aafd73bef1970969f977a4c3795
-
SHA512
642ef17d512700234928f1bdf1c057d3946254816e0a042b4e5132e1a7f9a776f8e010e3d01ca232b32c85ae896919643ccb7af172e72904cf2776a32676b357
-
SSDEEP
1536:TaLl4AW4i49zAAbCwElHM13dV+/f2LF7RZObZUUWaegPYAW:ul64jl1NxFClUUWaeF
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpbokj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpkckneh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjacai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncnoaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckeekp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckdnpicb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnjpdphd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fajpdmgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fajpdmgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibehna32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncnoaj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlleni32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egmhjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmhmdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocmdeg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oemfahcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iglngj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddgcdjip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Campbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hikpnkme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aieihpgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dggcbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcaehhnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajmihn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkmegaaf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dllnphkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgablmfa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmhibenb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnqdpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnbcij32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iegaha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dihojnqo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elleai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnaihhgf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kiafff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imkbeqem.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mefiog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knmjmodm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfmhla32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofkoijhc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojjqbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eklgjbca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Neihmpon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kceijg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Baakem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hekhid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igjabj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhbhecjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oilgje32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ognakk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghlgdecf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oodejhfg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdpikmci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chiedc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpbokj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpgmak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcccglnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgibeklf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Liibigjq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdnffpif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqibjq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkggel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecdhonoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eeameodq.exe -
Berbew family
-
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
-
Bruteratel family
-
Detect BruteRatel badger 1 IoCs
resource yara_rule behavioral1/files/0x0005000000020107-3807.dat family_bruteratel -
Executes dropped EXE 64 IoCs
pid Process 1508 Jehklc32.exe 2904 Jjdcdjcm.exe 2880 Jfkdik32.exe 3060 Jmelfeqn.exe 2712 Jbdadl32.exe 2036 Kiafff32.exe 1708 Klapha32.exe 2244 Kmeiei32.exe 2248 Lpfagd32.exe 2996 Lmjbphod.exe 936 Ldfgbb32.exe 2368 Llalgdbj.exe 1836 Lpodmb32.exe 2112 Lelmei32.exe 2184 Meojkide.exe 2412 Meafpibb.exe 2164 Mahgejhf.exe 2528 Mkplnp32.exe 1752 Mgglcqdk.exe 328 Mnqdpj32.exe 1724 Nlfaag32.exe 960 Nfnfjmgp.exe 2004 Nfqbol32.exe 2280 Ncdciq32.exe 996 Nkphmc32.exe 868 Nkbdbbop.exe 2148 Oemfahcn.exe 2228 Onejjm32.exe 1720 Ocbbbd32.exe 2820 Picdejbg.exe 3048 Ppnmbd32.exe 2660 Pejejkhl.exe 2492 Pbqbioeb.exe 2944 Phmkaf32.exe 2448 Pbcooo32.exe 1356 Pnjpdphd.exe 2724 Qdfhlggl.exe 2964 Qpmiahlp.exe 1076 Akejdp32.exe 976 Aflkiapg.exe 1988 Bkbjmd32.exe 2152 Bgijbede.exe 2200 Bpbokj32.exe 1952 Baakem32.exe 820 Bpfhfjgq.exe 1492 Bgqqcd32.exe 1688 Blmikkle.exe 1728 Ccgahe32.exe 2516 Clpeajjb.exe 1816 Ccinnd32.exe 1592 Copobe32.exe 3036 Cdmgkl32.exe 2120 Ckgogfmg.exe 2868 Ckilmfke.exe 2672 Dklibf32.exe 2800 Dddmkkpb.exe 580 Djaedbnj.exe 2452 Ddfjak32.exe 2652 Djcbib32.exe 1216 Dggcbf32.exe 2472 Dihojnqo.exe 1372 Dbadcdgp.exe 2400 Dmfhqmge.exe 2364 Eeameodq.exe -
Loads dropped DLL 64 IoCs
pid Process 796 8f3b84757350d524d22dcb8dc66f256f4f3a4aafd73bef1970969f977a4c3795N.exe 796 8f3b84757350d524d22dcb8dc66f256f4f3a4aafd73bef1970969f977a4c3795N.exe 1508 Jehklc32.exe 1508 Jehklc32.exe 2904 Jjdcdjcm.exe 2904 Jjdcdjcm.exe 2880 Jfkdik32.exe 2880 Jfkdik32.exe 3060 Jmelfeqn.exe 3060 Jmelfeqn.exe 2712 Jbdadl32.exe 2712 Jbdadl32.exe 2036 Kiafff32.exe 2036 Kiafff32.exe 1708 Klapha32.exe 1708 Klapha32.exe 2244 Kmeiei32.exe 2244 Kmeiei32.exe 2248 Lpfagd32.exe 2248 Lpfagd32.exe 2996 Lmjbphod.exe 2996 Lmjbphod.exe 936 Ldfgbb32.exe 936 Ldfgbb32.exe 2368 Llalgdbj.exe 2368 Llalgdbj.exe 1836 Lpodmb32.exe 1836 Lpodmb32.exe 2112 Lelmei32.exe 2112 Lelmei32.exe 2184 Meojkide.exe 2184 Meojkide.exe 2412 Meafpibb.exe 2412 Meafpibb.exe 2164 Mahgejhf.exe 2164 Mahgejhf.exe 2528 Mkplnp32.exe 2528 Mkplnp32.exe 1752 Mgglcqdk.exe 1752 Mgglcqdk.exe 328 Mnqdpj32.exe 328 Mnqdpj32.exe 1724 Nlfaag32.exe 1724 Nlfaag32.exe 960 Nfnfjmgp.exe 960 Nfnfjmgp.exe 2004 Nfqbol32.exe 2004 Nfqbol32.exe 2280 Ncdciq32.exe 2280 Ncdciq32.exe 996 Nkphmc32.exe 996 Nkphmc32.exe 868 Nkbdbbop.exe 868 Nkbdbbop.exe 2148 Oemfahcn.exe 2148 Oemfahcn.exe 2228 Onejjm32.exe 2228 Onejjm32.exe 1720 Ocbbbd32.exe 1720 Ocbbbd32.exe 2820 Picdejbg.exe 2820 Picdejbg.exe 3048 Ppnmbd32.exe 3048 Ppnmbd32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Dfbfcn32.exe Cdejpg32.exe File opened for modification C:\Windows\SysWOW64\Gboolneo.exe Gigjch32.exe File opened for modification C:\Windows\SysWOW64\Fflgahfm.exe Eopbooqb.exe File created C:\Windows\SysWOW64\Oahfnj32.dll Ppnmbd32.exe File opened for modification C:\Windows\SysWOW64\Dbadcdgp.exe Dihojnqo.exe File opened for modification C:\Windows\SysWOW64\Fjlaod32.exe Fpgmak32.exe File created C:\Windows\SysWOW64\Nbabfmjp.dll Edafjiqe.exe File created C:\Windows\SysWOW64\Chdlidjm.exe Colgpo32.exe File created C:\Windows\SysWOW64\Efoobkej.exe Dfmbmkgm.exe File created C:\Windows\SysWOW64\Npqbka32.dll Jjdcdjcm.exe File created C:\Windows\SysWOW64\Ebjdjpda.dll Cdmgkl32.exe File created C:\Windows\SysWOW64\Liibigjq.exe Lanmde32.exe File created C:\Windows\SysWOW64\Ajmihn32.exe Afoqbpid.exe File created C:\Windows\SysWOW64\Fgaopcqk.dll Ncbilimn.exe File created C:\Windows\SysWOW64\Mnokki32.dll Hdjnje32.exe File created C:\Windows\SysWOW64\Hhbelo32.dll Dejnme32.exe File created C:\Windows\SysWOW64\Lkahbkgk.exe Ldgpea32.exe File created C:\Windows\SysWOW64\Poabochn.dll Geqnho32.exe File created C:\Windows\SysWOW64\Jkpilg32.exe Jknlfg32.exe File created C:\Windows\SysWOW64\Peoanckj.exe Pgkqeo32.exe File opened for modification C:\Windows\SysWOW64\Efoobkej.exe Dfmbmkgm.exe File opened for modification C:\Windows\SysWOW64\Bfkbfg32.exe Blfnin32.exe File created C:\Windows\SysWOW64\Elkdakmp.dll Fooghg32.exe File created C:\Windows\SysWOW64\Giakoc32.exe Ghpngkhm.exe File created C:\Windows\SysWOW64\Jadnoc32.exe Jnaihhgf.exe File created C:\Windows\SysWOW64\Pildih32.exe Ppcoqbao.exe File created C:\Windows\SysWOW64\Ikfffh32.exe Iejnna32.exe File opened for modification C:\Windows\SysWOW64\Hmpemkkf.exe Gfcqkafl.exe File created C:\Windows\SysWOW64\Jmelfeqn.exe Jfkdik32.exe File created C:\Windows\SysWOW64\Mgglcqdk.exe Mkplnp32.exe File created C:\Windows\SysWOW64\Dbgqnm32.dll Ehilgikj.exe File created C:\Windows\SysWOW64\Kicednho.exe Kbgqbdbd.exe File created C:\Windows\SysWOW64\Bmggemgf.dll Kicednho.exe File created C:\Windows\SysWOW64\Jlmkdf32.dll Kgibeklf.exe File opened for modification C:\Windows\SysWOW64\Hlijan32.exe Hcaehhnd.exe File opened for modification C:\Windows\SysWOW64\Mgmbbkij.exe Mdnffpif.exe File opened for modification C:\Windows\SysWOW64\Bkmegaaf.exe Bkkiab32.exe File opened for modification C:\Windows\SysWOW64\Oodejhfg.exe Oigmbagp.exe File created C:\Windows\SysWOW64\Cbdpag32.exe Bbbckh32.exe File created C:\Windows\SysWOW64\Lmhnknmi.dll Qjofljho.exe File created C:\Windows\SysWOW64\Ddclhk32.dll Dhnoocab.exe File created C:\Windows\SysWOW64\Fggkpgmn.dll Jehklc32.exe File created C:\Windows\SysWOW64\Nkgkop32.dll Bpbokj32.exe File created C:\Windows\SysWOW64\Edimlq32.dll Enokidgl.exe File created C:\Windows\SysWOW64\Ffcbce32.exe Fpijgk32.exe File created C:\Windows\SysWOW64\Iegaha32.exe Ilolol32.exe File created C:\Windows\SysWOW64\Jofhqiec.exe Jjjohbgl.exe File created C:\Windows\SysWOW64\Pqekin32.exe Pjlbld32.exe File created C:\Windows\SysWOW64\Qmffaheh.dll Copobe32.exe File opened for modification C:\Windows\SysWOW64\Bamdcf32.exe Bhdpjaga.exe File opened for modification C:\Windows\SysWOW64\Colgpo32.exe Bgablmfa.exe File created C:\Windows\SysWOW64\Jbcibnmm.dll Hpqoofhg.exe File opened for modification C:\Windows\SysWOW64\Kpndlobg.exe Kgcpgl32.exe File created C:\Windows\SysWOW64\Pmnede32.dll Looahi32.exe File created C:\Windows\SysWOW64\Ohcnekjc.dll Ooccap32.exe File opened for modification C:\Windows\SysWOW64\Gpaikiig.exe Fhfdffll.exe File created C:\Windows\SysWOW64\Jlqniihl.exe Jchjqc32.exe File created C:\Windows\SysWOW64\Ndaaclac.exe Nlfmoidh.exe File opened for modification C:\Windows\SysWOW64\Iaknmm32.exe Ihcidgpj.exe File created C:\Windows\SysWOW64\Igomfb32.exe Infhmmhi.exe File created C:\Windows\SysWOW64\Nfnfjmgp.exe Nlfaag32.exe File created C:\Windows\SysWOW64\Bpbokj32.exe Bgijbede.exe File opened for modification C:\Windows\SysWOW64\Inopce32.exe Igeggkoq.exe File created C:\Windows\SysWOW64\Mhbdligd.dll Npecjdaf.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4468 2420 WerFault.exe 472 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njmhcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfpkbbmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkqnghfk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdjnje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkolmk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhqmogam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnkjfcik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogfdpfjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfkbfg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eopbooqb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cadfbi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmndbb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckdnpicb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hemeod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofkoijhc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnbcij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhhmki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aimfcedl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iaknmm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acafnm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kqijck32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olclimif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnjpdphd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mheekb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilolol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilaieljl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbcjfn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfmbmkgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egmhjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbfdnijp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckeekp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjpehn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qbidffao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmhibenb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjdcdjcm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baakem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkjahg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efdohq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inbobn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oodejhfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pejnpe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onejjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Maplcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmpdoffo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nocgbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geehcoaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iegaha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dclikp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppnmbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkmegaaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcehpbdm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckgogfmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oofpgolq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edghighp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qpmiahlp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgcpgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjjohbgl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmifla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Picdejbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pejejkhl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anpekggc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfqmkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jadnoc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgkqeo32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djcbib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfgfbj32.dll" Glbcpokl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ikkoagjo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lanpmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Albhablg.dll" Cbdpag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdqfaiab.dll" Bkbjmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgbmpqjn.dll" Ajmihn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckhcon32.dll" Mojmbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aakepd32.dll" Cgkoejig.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Egmhjm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjdcdjcm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phmkaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpfhfjgq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dolcmd32.dll" Njmhcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Flmglfhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibehna32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljjkgfig.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} 8f3b84757350d524d22dcb8dc66f256f4f3a4aafd73bef1970969f977a4c3795N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Copobe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdakej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dnbfkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldfgbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgqqcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdmgkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dklibf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nkfnln32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iegaha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npoomg32.dll" Ndaaclac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhkpjknd.dll" Ocbbbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kagkebpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daedpf32.dll" Pnhegi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpncbjqj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lohkhjcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Colgpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmpemkkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Neihmpon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghdjffln.dll" Ckgogfmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelbl32.dll" Jcekbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hehgbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Edieng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkdakmp.dll" Fooghg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nocgbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efihcpqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ioocfn32.dll" Geehcoaf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oqaliabh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmbpda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhnoocab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Agkfil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfkdik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abmkhmfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkafoflh.dll" Ghlgdecf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nndhfngb.dll" Hiichkog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Akejdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjikefbe.dll" Ebhjdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmnpkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhjdoo32.dll" Kfmfchfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiacmfbb.dll" Ppcoqbao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgablmfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dclikp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lnhmqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfjmco32.dll" Picdejbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Picdejbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmmjpoci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mbfbfe32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 796 wrote to memory of 1508 796 8f3b84757350d524d22dcb8dc66f256f4f3a4aafd73bef1970969f977a4c3795N.exe 29 PID 796 wrote to memory of 1508 796 8f3b84757350d524d22dcb8dc66f256f4f3a4aafd73bef1970969f977a4c3795N.exe 29 PID 796 wrote to memory of 1508 796 8f3b84757350d524d22dcb8dc66f256f4f3a4aafd73bef1970969f977a4c3795N.exe 29 PID 796 wrote to memory of 1508 796 8f3b84757350d524d22dcb8dc66f256f4f3a4aafd73bef1970969f977a4c3795N.exe 29 PID 1508 wrote to memory of 2904 1508 Jehklc32.exe 30 PID 1508 wrote to memory of 2904 1508 Jehklc32.exe 30 PID 1508 wrote to memory of 2904 1508 Jehklc32.exe 30 PID 1508 wrote to memory of 2904 1508 Jehklc32.exe 30 PID 2904 wrote to memory of 2880 2904 Jjdcdjcm.exe 31 PID 2904 wrote to memory of 2880 2904 Jjdcdjcm.exe 31 PID 2904 wrote to memory of 2880 2904 Jjdcdjcm.exe 31 PID 2904 wrote to memory of 2880 2904 Jjdcdjcm.exe 31 PID 2880 wrote to memory of 3060 2880 Jfkdik32.exe 32 PID 2880 wrote to memory of 3060 2880 Jfkdik32.exe 32 PID 2880 wrote to memory of 3060 2880 Jfkdik32.exe 32 PID 2880 wrote to memory of 3060 2880 Jfkdik32.exe 32 PID 3060 wrote to memory of 2712 3060 Jmelfeqn.exe 33 PID 3060 wrote to memory of 2712 3060 Jmelfeqn.exe 33 PID 3060 wrote to memory of 2712 3060 Jmelfeqn.exe 33 PID 3060 wrote to memory of 2712 3060 Jmelfeqn.exe 33 PID 2712 wrote to memory of 2036 2712 Jbdadl32.exe 34 PID 2712 wrote to memory of 2036 2712 Jbdadl32.exe 34 PID 2712 wrote to memory of 2036 2712 Jbdadl32.exe 34 PID 2712 wrote to memory of 2036 2712 Jbdadl32.exe 34 PID 2036 wrote to memory of 1708 2036 Kiafff32.exe 35 PID 2036 wrote to memory of 1708 2036 Kiafff32.exe 35 PID 2036 wrote to memory of 1708 2036 Kiafff32.exe 35 PID 2036 wrote to memory of 1708 2036 Kiafff32.exe 35 PID 1708 wrote to memory of 2244 1708 Klapha32.exe 36 PID 1708 wrote to memory of 2244 1708 Klapha32.exe 36 PID 1708 wrote to memory of 2244 1708 Klapha32.exe 36 PID 1708 wrote to memory of 2244 1708 Klapha32.exe 36 PID 2244 wrote to memory of 2248 2244 Kmeiei32.exe 37 PID 2244 wrote to memory of 2248 2244 Kmeiei32.exe 37 PID 2244 wrote to memory of 2248 2244 Kmeiei32.exe 37 PID 2244 wrote to memory of 2248 2244 Kmeiei32.exe 37 PID 2248 wrote to memory of 2996 2248 Lpfagd32.exe 38 PID 2248 wrote to memory of 2996 2248 Lpfagd32.exe 38 PID 2248 wrote to memory of 2996 2248 Lpfagd32.exe 38 PID 2248 wrote to memory of 2996 2248 Lpfagd32.exe 38 PID 2996 wrote to memory of 936 2996 Lmjbphod.exe 39 PID 2996 wrote to memory of 936 2996 Lmjbphod.exe 39 PID 2996 wrote to memory of 936 2996 Lmjbphod.exe 39 PID 2996 wrote to memory of 936 2996 Lmjbphod.exe 39 PID 936 wrote to memory of 2368 936 Ldfgbb32.exe 40 PID 936 wrote to memory of 2368 936 Ldfgbb32.exe 40 PID 936 wrote to memory of 2368 936 Ldfgbb32.exe 40 PID 936 wrote to memory of 2368 936 Ldfgbb32.exe 40 PID 2368 wrote to memory of 1836 2368 Llalgdbj.exe 41 PID 2368 wrote to memory of 1836 2368 Llalgdbj.exe 41 PID 2368 wrote to memory of 1836 2368 Llalgdbj.exe 41 PID 2368 wrote to memory of 1836 2368 Llalgdbj.exe 41 PID 1836 wrote to memory of 2112 1836 Lpodmb32.exe 42 PID 1836 wrote to memory of 2112 1836 Lpodmb32.exe 42 PID 1836 wrote to memory of 2112 1836 Lpodmb32.exe 42 PID 1836 wrote to memory of 2112 1836 Lpodmb32.exe 42 PID 2112 wrote to memory of 2184 2112 Lelmei32.exe 43 PID 2112 wrote to memory of 2184 2112 Lelmei32.exe 43 PID 2112 wrote to memory of 2184 2112 Lelmei32.exe 43 PID 2112 wrote to memory of 2184 2112 Lelmei32.exe 43 PID 2184 wrote to memory of 2412 2184 Meojkide.exe 44 PID 2184 wrote to memory of 2412 2184 Meojkide.exe 44 PID 2184 wrote to memory of 2412 2184 Meojkide.exe 44 PID 2184 wrote to memory of 2412 2184 Meojkide.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\8f3b84757350d524d22dcb8dc66f256f4f3a4aafd73bef1970969f977a4c3795N.exe"C:\Users\Admin\AppData\Local\Temp\8f3b84757350d524d22dcb8dc66f256f4f3a4aafd73bef1970969f977a4c3795N.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:796 -
C:\Windows\SysWOW64\Jehklc32.exeC:\Windows\system32\Jehklc32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1508 -
C:\Windows\SysWOW64\Jjdcdjcm.exeC:\Windows\system32\Jjdcdjcm.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\Jfkdik32.exeC:\Windows\system32\Jfkdik32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\Jmelfeqn.exeC:\Windows\system32\Jmelfeqn.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Windows\SysWOW64\Jbdadl32.exeC:\Windows\system32\Jbdadl32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Kiafff32.exeC:\Windows\system32\Kiafff32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2036 -
C:\Windows\SysWOW64\Klapha32.exeC:\Windows\system32\Klapha32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Windows\SysWOW64\Kmeiei32.exeC:\Windows\system32\Kmeiei32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\SysWOW64\Lpfagd32.exeC:\Windows\system32\Lpfagd32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\SysWOW64\Lmjbphod.exeC:\Windows\system32\Lmjbphod.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\SysWOW64\Ldfgbb32.exeC:\Windows\system32\Ldfgbb32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:936 -
C:\Windows\SysWOW64\Llalgdbj.exeC:\Windows\system32\Llalgdbj.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\SysWOW64\Lpodmb32.exeC:\Windows\system32\Lpodmb32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1836 -
C:\Windows\SysWOW64\Lelmei32.exeC:\Windows\system32\Lelmei32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Windows\SysWOW64\Meojkide.exeC:\Windows\system32\Meojkide.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\Meafpibb.exeC:\Windows\system32\Meafpibb.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2412 -
C:\Windows\SysWOW64\Mahgejhf.exeC:\Windows\system32\Mahgejhf.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2164 -
C:\Windows\SysWOW64\Mkplnp32.exeC:\Windows\system32\Mkplnp32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2528 -
C:\Windows\SysWOW64\Mgglcqdk.exeC:\Windows\system32\Mgglcqdk.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1752 -
C:\Windows\SysWOW64\Mnqdpj32.exeC:\Windows\system32\Mnqdpj32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:328 -
C:\Windows\SysWOW64\Nlfaag32.exeC:\Windows\system32\Nlfaag32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1724 -
C:\Windows\SysWOW64\Nfnfjmgp.exeC:\Windows\system32\Nfnfjmgp.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:960 -
C:\Windows\SysWOW64\Nfqbol32.exeC:\Windows\system32\Nfqbol32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2004 -
C:\Windows\SysWOW64\Ncdciq32.exeC:\Windows\system32\Ncdciq32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2280 -
C:\Windows\SysWOW64\Nkphmc32.exeC:\Windows\system32\Nkphmc32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:996 -
C:\Windows\SysWOW64\Nkbdbbop.exeC:\Windows\system32\Nkbdbbop.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:868 -
C:\Windows\SysWOW64\Oemfahcn.exeC:\Windows\system32\Oemfahcn.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2148 -
C:\Windows\SysWOW64\Onejjm32.exeC:\Windows\system32\Onejjm32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2228 -
C:\Windows\SysWOW64\Ocbbbd32.exeC:\Windows\system32\Ocbbbd32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1720 -
C:\Windows\SysWOW64\Picdejbg.exeC:\Windows\system32\Picdejbg.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2820 -
C:\Windows\SysWOW64\Ppnmbd32.exeC:\Windows\system32\Ppnmbd32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3048 -
C:\Windows\SysWOW64\Pejejkhl.exeC:\Windows\system32\Pejejkhl.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2660 -
C:\Windows\SysWOW64\Pbqbioeb.exeC:\Windows\system32\Pbqbioeb.exe34⤵
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\Phmkaf32.exeC:\Windows\system32\Phmkaf32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:2944 -
C:\Windows\SysWOW64\Pbcooo32.exeC:\Windows\system32\Pbcooo32.exe36⤵
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\Pnjpdphd.exeC:\Windows\system32\Pnjpdphd.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1356 -
C:\Windows\SysWOW64\Qdfhlggl.exeC:\Windows\system32\Qdfhlggl.exe38⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Qpmiahlp.exeC:\Windows\system32\Qpmiahlp.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2964 -
C:\Windows\SysWOW64\Akejdp32.exeC:\Windows\system32\Akejdp32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:1076 -
C:\Windows\SysWOW64\Aflkiapg.exeC:\Windows\system32\Aflkiapg.exe41⤵
- Executes dropped EXE
PID:976 -
C:\Windows\SysWOW64\Bkbjmd32.exeC:\Windows\system32\Bkbjmd32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:1988 -
C:\Windows\SysWOW64\Bgijbede.exeC:\Windows\system32\Bgijbede.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2152 -
C:\Windows\SysWOW64\Bpbokj32.exeC:\Windows\system32\Bpbokj32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2200 -
C:\Windows\SysWOW64\Baakem32.exeC:\Windows\system32\Baakem32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1952 -
C:\Windows\SysWOW64\Bpfhfjgq.exeC:\Windows\system32\Bpfhfjgq.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:820 -
C:\Windows\SysWOW64\Bgqqcd32.exeC:\Windows\system32\Bgqqcd32.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:1492 -
C:\Windows\SysWOW64\Blmikkle.exeC:\Windows\system32\Blmikkle.exe48⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Ccgahe32.exeC:\Windows\system32\Ccgahe32.exe49⤵
- Executes dropped EXE
PID:1728 -
C:\Windows\SysWOW64\Clpeajjb.exeC:\Windows\system32\Clpeajjb.exe50⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Ccinnd32.exeC:\Windows\system32\Ccinnd32.exe51⤵
- Executes dropped EXE
PID:1816 -
C:\Windows\SysWOW64\Copobe32.exeC:\Windows\system32\Copobe32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1592 -
C:\Windows\SysWOW64\Cdmgkl32.exeC:\Windows\system32\Cdmgkl32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3036 -
C:\Windows\SysWOW64\Ckgogfmg.exeC:\Windows\system32\Ckgogfmg.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2120 -
C:\Windows\SysWOW64\Ckilmfke.exeC:\Windows\system32\Ckilmfke.exe55⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Dklibf32.exeC:\Windows\system32\Dklibf32.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:2672 -
C:\Windows\SysWOW64\Dddmkkpb.exeC:\Windows\system32\Dddmkkpb.exe57⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Djaedbnj.exeC:\Windows\system32\Djaedbnj.exe58⤵
- Executes dropped EXE
PID:580 -
C:\Windows\SysWOW64\Ddfjak32.exeC:\Windows\system32\Ddfjak32.exe59⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Djcbib32.exeC:\Windows\system32\Djcbib32.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:2652 -
C:\Windows\SysWOW64\Dggcbf32.exeC:\Windows\system32\Dggcbf32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1216 -
C:\Windows\SysWOW64\Dihojnqo.exeC:\Windows\system32\Dihojnqo.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2472 -
C:\Windows\SysWOW64\Dbadcdgp.exeC:\Windows\system32\Dbadcdgp.exe63⤵
- Executes dropped EXE
PID:1372 -
C:\Windows\SysWOW64\Dmfhqmge.exeC:\Windows\system32\Dmfhqmge.exe64⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Eeameodq.exeC:\Windows\system32\Eeameodq.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Elleai32.exeC:\Windows\system32\Elleai32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1804 -
C:\Windows\SysWOW64\Enjand32.exeC:\Windows\system32\Enjand32.exe67⤵PID:948
-
C:\Windows\SysWOW64\Ebhjdc32.exeC:\Windows\system32\Ebhjdc32.exe68⤵
- Modifies registry class
PID:968 -
C:\Windows\SysWOW64\Eheblj32.exeC:\Windows\system32\Eheblj32.exe69⤵PID:1712
-
C:\Windows\SysWOW64\Enokidgl.exeC:\Windows\system32\Enokidgl.exe70⤵
- Drops file in System32 directory
PID:860 -
C:\Windows\SysWOW64\Eckcak32.exeC:\Windows\system32\Eckcak32.exe71⤵PID:2436
-
C:\Windows\SysWOW64\Enagnc32.exeC:\Windows\system32\Enagnc32.exe72⤵PID:1108
-
C:\Windows\SysWOW64\Ehilgikj.exeC:\Windows\system32\Ehilgikj.exe73⤵
- Drops file in System32 directory
PID:2896 -
C:\Windows\SysWOW64\Fmfdppia.exeC:\Windows\system32\Fmfdppia.exe74⤵PID:1584
-
C:\Windows\SysWOW64\Fjjeid32.exeC:\Windows\system32\Fjjeid32.exe75⤵PID:2936
-
C:\Windows\SysWOW64\Fpgmak32.exeC:\Windows\system32\Fpgmak32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1144 -
C:\Windows\SysWOW64\Fjlaod32.exeC:\Windows\system32\Fjlaod32.exe77⤵PID:1640
-
C:\Windows\SysWOW64\Fpijgk32.exeC:\Windows\system32\Fpijgk32.exe78⤵
- Drops file in System32 directory
PID:1236 -
C:\Windows\SysWOW64\Ffcbce32.exeC:\Windows\system32\Ffcbce32.exe79⤵PID:1744
-
C:\Windows\SysWOW64\Fmmjpoci.exeC:\Windows\system32\Fmmjpoci.exe80⤵
- Modifies registry class
PID:2948 -
C:\Windows\SysWOW64\Fooghg32.exeC:\Windows\system32\Fooghg32.exe81⤵
- Drops file in System32 directory
- Modifies registry class
PID:2980 -
C:\Windows\SysWOW64\Fehodaqd.exeC:\Windows\system32\Fehodaqd.exe82⤵PID:2276
-
C:\Windows\SysWOW64\Fpncbjqj.exeC:\Windows\system32\Fpncbjqj.exe83⤵
- Modifies registry class
PID:1528 -
C:\Windows\SysWOW64\Gledgkfn.exeC:\Windows\system32\Gledgkfn.exe84⤵PID:1872
-
C:\Windows\SysWOW64\Gdpikmci.exeC:\Windows\system32\Gdpikmci.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2044 -
C:\Windows\SysWOW64\Gkjahg32.exeC:\Windows\system32\Gkjahg32.exe86⤵
- System Location Discovery: System Language Discovery
PID:1864 -
C:\Windows\SysWOW64\Gmhmdc32.exeC:\Windows\system32\Gmhmdc32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:920 -
C:\Windows\SysWOW64\Ggqamh32.exeC:\Windows\system32\Ggqamh32.exe88⤵PID:1564
-
C:\Windows\SysWOW64\Ghpngkhm.exeC:\Windows\system32\Ghpngkhm.exe89⤵
- Drops file in System32 directory
PID:2408 -
C:\Windows\SysWOW64\Giakoc32.exeC:\Windows\system32\Giakoc32.exe90⤵PID:2476
-
C:\Windows\SysWOW64\Gpkckneh.exeC:\Windows\system32\Gpkckneh.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2688 -
C:\Windows\SysWOW64\Gcjogidl.exeC:\Windows\system32\Gcjogidl.exe92⤵PID:1504
-
C:\Windows\SysWOW64\Glbcpokl.exeC:\Windows\system32\Glbcpokl.exe93⤵
- Modifies registry class
PID:2292 -
C:\Windows\SysWOW64\Hekhid32.exeC:\Windows\system32\Hekhid32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3016 -
C:\Windows\SysWOW64\Hocmbjhn.exeC:\Windows\system32\Hocmbjhn.exe95⤵PID:2952
-
C:\Windows\SysWOW64\Hemeod32.exeC:\Windows\system32\Hemeod32.exe96⤵
- System Location Discovery: System Language Discovery
PID:3012 -
C:\Windows\SysWOW64\Hcaehhnd.exeC:\Windows\system32\Hcaehhnd.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2424 -
C:\Windows\SysWOW64\Hlijan32.exeC:\Windows\system32\Hlijan32.exe98⤵PID:2840
-
C:\Windows\SysWOW64\Hfanjcke.exeC:\Windows\system32\Hfanjcke.exe99⤵PID:1756
-
C:\Windows\SysWOW64\Hkngbj32.exeC:\Windows\system32\Hkngbj32.exe100⤵PID:1520
-
C:\Windows\SysWOW64\Igeggkoq.exeC:\Windows\system32\Igeggkoq.exe101⤵
- Drops file in System32 directory
PID:1780 -
C:\Windows\SysWOW64\Inopce32.exeC:\Windows\system32\Inopce32.exe102⤵PID:1736
-
C:\Windows\SysWOW64\Ijfpif32.exeC:\Windows\system32\Ijfpif32.exe103⤵PID:2260
-
C:\Windows\SysWOW64\Ibmhjc32.exeC:\Windows\system32\Ibmhjc32.exe104⤵PID:2808
-
C:\Windows\SysWOW64\Igjabj32.exeC:\Windows\system32\Igjabj32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2464 -
C:\Windows\SysWOW64\Iglngj32.exeC:\Windows\system32\Iglngj32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2540 -
C:\Windows\SysWOW64\Iogbllfc.exeC:\Windows\system32\Iogbllfc.exe107⤵PID:1580
-
C:\Windows\SysWOW64\Igojmjgf.exeC:\Windows\system32\Igojmjgf.exe108⤵PID:2956
-
C:\Windows\SysWOW64\Imkbeqem.exeC:\Windows\system32\Imkbeqem.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1380 -
C:\Windows\SysWOW64\Jcekbk32.exeC:\Windows\system32\Jcekbk32.exe110⤵
- Modifies registry class
PID:1312 -
C:\Windows\SysWOW64\Jmnpkp32.exeC:\Windows\system32\Jmnpkp32.exe111⤵
- Modifies registry class
PID:2168 -
C:\Windows\SysWOW64\Jnaihhgf.exeC:\Windows\system32\Jnaihhgf.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2388 -
C:\Windows\SysWOW64\Jadnoc32.exeC:\Windows\system32\Jadnoc32.exe113⤵
- System Location Discovery: System Language Discovery
PID:560 -
C:\Windows\SysWOW64\Kagkebpb.exeC:\Windows\system32\Kagkebpb.exe114⤵
- Modifies registry class
PID:2012 -
C:\Windows\SysWOW64\Kgcpgl32.exeC:\Windows\system32\Kgcpgl32.exe115⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2404 -
C:\Windows\SysWOW64\Kpndlobg.exeC:\Windows\system32\Kpndlobg.exe116⤵PID:1604
-
C:\Windows\SysWOW64\Kjdiigbm.exeC:\Windows\system32\Kjdiigbm.exe117⤵PID:2848
-
C:\Windows\SysWOW64\Kpqaanqd.exeC:\Windows\system32\Kpqaanqd.exe118⤵PID:2116
-
C:\Windows\SysWOW64\Kfkjnh32.exeC:\Windows\system32\Kfkjnh32.exe119⤵PID:584
-
C:\Windows\SysWOW64\Kiifjd32.exeC:\Windows\system32\Kiifjd32.exe120⤵PID:2572
-
C:\Windows\SysWOW64\Kfmfchfo.exeC:\Windows\system32\Kfmfchfo.exe121⤵
- Modifies registry class
PID:2056
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-