Analysis
-
max time kernel
114s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
22/10/2024, 04:34
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
62cb795f2a66de29395a7e6b2d00a1c820c9dad589c4b78140ed5dbcb7ec3aa7N.exe
Resource
win7-20241010-en
windows7-x64
11 signatures
120 seconds
Behavioral task
behavioral2
Sample
62cb795f2a66de29395a7e6b2d00a1c820c9dad589c4b78140ed5dbcb7ec3aa7N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
62cb795f2a66de29395a7e6b2d00a1c820c9dad589c4b78140ed5dbcb7ec3aa7N.exe
-
Size
96KB
-
MD5
992a1b49c065f3c50db98c2225b72d90
-
SHA1
45c6434e4e0a39aef2fbd54bfb7be308ed0948e3
-
SHA256
62cb795f2a66de29395a7e6b2d00a1c820c9dad589c4b78140ed5dbcb7ec3aa7
-
SHA512
a3941a69d13da535245a9de237c8e3a523f734ee31326898a2833cd87d5423c4f9afeaff885eede09583ea82d61093f4e9d9d673acff0069a1fc53c65466f661
-
SSDEEP
1536:Xc9TFbvGFjhVnl/zoLEC2Lmy7RZObZUUWaegPYA:MXOjbVClUUWae
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpcpjbah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnmhogjo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmaoem32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehilgikj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aeajcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfbnfcli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okciddnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbkmki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obijpgcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mqgahh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gegbpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apbeeppo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckgkfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccbojk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecfednma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hiccbfoa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmgblphf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkdjol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkebgj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhjdjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adfbbabc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkiiom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhdpjaga.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmhhcaik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlifie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlcmhann.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpbilmop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jidppaio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khjkiikl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acfonhgd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnphlc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlifie32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifmbilhq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idabbpgj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Naqkki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ephhmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqcffi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flcjjdpe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkjadh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imokbhjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odlnkmjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcekbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmpckbci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hngngo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njjieace.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbqpgf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Angafl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efakhk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdpcgl32.exe -
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
-
Detect BruteRatel badger 1 IoCs
resource yara_rule behavioral1/files/0x0004000000020561-4681.dat family_bruteratel -
Executes dropped EXE 64 IoCs
pid Process 2584 Mekanbol.exe 2904 Mncfgh32.exe 3012 Ncbkenba.exe 2616 Nplhooec.exe 2796 Nidmhd32.exe 868 Odlnkmjg.exe 2024 Okolfkjg.exe 2092 Oolelj32.exe 2340 Oheieo32.exe 2848 Pkebgj32.exe 2528 Pcagkmaj.exe 1976 Pjpicfdb.exe 2460 Qjbehfbo.exe 2284 Qdkfic32.exe 908 Adncoc32.exe 320 Abachg32.exe 1668 Aqgqid32.exe 236 Ankabh32.exe 1680 Aqljdclg.exe 676 Bmbkid32.exe 1464 Bjfkbhae.exe 932 Bcopkn32.exe 2164 Bineidcj.exe 1740 Bklaepbn.exe 1716 Bkonkpqk.exe 2472 Cmbghgdg.exe 2900 Cghkepdm.exe 2976 Cpcpjbah.exe 3008 Cfmhfm32.exe 3068 Cjkamk32.exe 2764 Degobhjg.exe 2608 Danohi32.exe 1672 Dkfcqo32.exe 1140 Dhjdjc32.exe 316 Eplood32.exe 2368 Epqhjdhc.exe 1968 Elgioe32.exe 2696 Fepnhjdh.exe 1956 Fljfdd32.exe 1588 Fdekigip.exe 2280 Fplknh32.exe 2288 Fkdlaplh.exe 1020 Fcoaebjc.exe 704 Gmgenh32.exe 2056 Ggmjkapi.exe 2100 Gmjbchnq.exe 1132 Gjnbmlmj.exe 1456 Gojkecka.exe 1636 Gomhkb32.exe 752 Gbkdgn32.exe 2832 Gielchpp.exe 2840 Hqpahkmj.exe 2956 Hkfeec32.exe 2996 Hqbnnj32.exe 2776 Hngngo32.exe 2620 Hccfoehi.exe 2020 Hmlkhk32.exe 432 Hgaoec32.exe 3044 Hpmdjf32.exe 1972 Icjmpd32.exe 2152 Indnqb32.exe 1548 Iijbnkne.exe 2272 Ibbffq32.exe 560 Iniglajj.exe -
Loads dropped DLL 64 IoCs
pid Process 2936 62cb795f2a66de29395a7e6b2d00a1c820c9dad589c4b78140ed5dbcb7ec3aa7N.exe 2936 62cb795f2a66de29395a7e6b2d00a1c820c9dad589c4b78140ed5dbcb7ec3aa7N.exe 2584 Mekanbol.exe 2584 Mekanbol.exe 2904 Mncfgh32.exe 2904 Mncfgh32.exe 3012 Ncbkenba.exe 3012 Ncbkenba.exe 2616 Nplhooec.exe 2616 Nplhooec.exe 2796 Nidmhd32.exe 2796 Nidmhd32.exe 868 Odlnkmjg.exe 868 Odlnkmjg.exe 2024 Okolfkjg.exe 2024 Okolfkjg.exe 2092 Oolelj32.exe 2092 Oolelj32.exe 2340 Oheieo32.exe 2340 Oheieo32.exe 2848 Pkebgj32.exe 2848 Pkebgj32.exe 2528 Pcagkmaj.exe 2528 Pcagkmaj.exe 1976 Pjpicfdb.exe 1976 Pjpicfdb.exe 2460 Qjbehfbo.exe 2460 Qjbehfbo.exe 2284 Qdkfic32.exe 2284 Qdkfic32.exe 908 Adncoc32.exe 908 Adncoc32.exe 320 Abachg32.exe 320 Abachg32.exe 1668 Aqgqid32.exe 1668 Aqgqid32.exe 236 Ankabh32.exe 236 Ankabh32.exe 1680 Aqljdclg.exe 1680 Aqljdclg.exe 676 Bmbkid32.exe 676 Bmbkid32.exe 1464 Bjfkbhae.exe 1464 Bjfkbhae.exe 932 Bcopkn32.exe 932 Bcopkn32.exe 2164 Bineidcj.exe 2164 Bineidcj.exe 1740 Bklaepbn.exe 1740 Bklaepbn.exe 1716 Bkonkpqk.exe 1716 Bkonkpqk.exe 2472 Cmbghgdg.exe 2472 Cmbghgdg.exe 2900 Cghkepdm.exe 2900 Cghkepdm.exe 2976 Cpcpjbah.exe 2976 Cpcpjbah.exe 3008 Cfmhfm32.exe 3008 Cfmhfm32.exe 3068 Cjkamk32.exe 3068 Cjkamk32.exe 2764 Degobhjg.exe 2764 Degobhjg.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Niohnd32.dll Process not Found File created C:\Windows\SysWOW64\Lfamkl32.dll Fmnakege.exe File created C:\Windows\SysWOW64\Ioplglop.dll Njfbno32.exe File created C:\Windows\SysWOW64\Fadmenpg.exe Fjjeid32.exe File opened for modification C:\Windows\SysWOW64\Colgpo32.exe Cmkkhfmn.exe File created C:\Windows\SysWOW64\Dfjegl32.exe Dfhial32.exe File opened for modification C:\Windows\SysWOW64\Iehcajjc.exe Hddjcbfh.exe File created C:\Windows\SysWOW64\Dmpckbci.exe Dgfkoh32.exe File opened for modification C:\Windows\SysWOW64\Hnfigmhk.exe Process not Found File created C:\Windows\SysWOW64\Mbehgabe.exe Mgodjico.exe File created C:\Windows\SysWOW64\Kqpaln32.dll Licpki32.exe File opened for modification C:\Windows\SysWOW64\Hpbilmop.exe Hgjdcghp.exe File opened for modification C:\Windows\SysWOW64\Kmedck32.exe Kfklgape.exe File opened for modification C:\Windows\SysWOW64\Fgaibb32.exe Process not Found File created C:\Windows\SysWOW64\Anhomg32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Pejcab32.exe Popkeh32.exe File opened for modification C:\Windows\SysWOW64\Mqgahh32.exe Mgomoboc.exe File opened for modification C:\Windows\SysWOW64\Feeldk32.exe Fjpggb32.exe File created C:\Windows\SysWOW64\Ifmgljnf.dll Process not Found File created C:\Windows\SysWOW64\Jakhckdb.exe Process not Found File created C:\Windows\SysWOW64\Hgaoec32.exe Hmlkhk32.exe File created C:\Windows\SysWOW64\Aceapdem.dll Kleeqp32.exe File created C:\Windows\SysWOW64\Hllpfdfe.dll Kjpdoj32.exe File created C:\Windows\SysWOW64\Kahedf32.exe Process not Found File created C:\Windows\SysWOW64\Gmhibenb.exe Gfnpek32.exe File opened for modification C:\Windows\SysWOW64\Mboekp32.exe Lmbmbi32.exe File created C:\Windows\SysWOW64\Ebkibk32.exe Egedebgc.exe File opened for modification C:\Windows\SysWOW64\Lflklaoc.exe Llcfck32.exe File created C:\Windows\SysWOW64\Apgnpo32.exe Aeajcf32.exe File created C:\Windows\SysWOW64\Alombeqd.dll Eepakc32.exe File opened for modification C:\Windows\SysWOW64\Dkelhemb.exe Process not Found File created C:\Windows\SysWOW64\Mhnfqhnk.dll Ekblplgo.exe File created C:\Windows\SysWOW64\Napibq32.exe Nkfpefme.exe File opened for modification C:\Windows\SysWOW64\Bdbfpafn.exe Bkjbgk32.exe File opened for modification C:\Windows\SysWOW64\Nibcgb32.exe Nagobp32.exe File created C:\Windows\SysWOW64\Nofbnd32.dll Lmmcgilj.exe File created C:\Windows\SysWOW64\Nakcfhia.dll Cceenilo.exe File created C:\Windows\SysWOW64\Oemmad32.dll Oahpahel.exe File created C:\Windows\SysWOW64\Opoocb32.exe Ooncljom.exe File opened for modification C:\Windows\SysWOW64\Nknmplji.exe Ncplfj32.exe File created C:\Windows\SysWOW64\Ggldlpoc.exe Process not Found File created C:\Windows\SysWOW64\Hmjoiblj.dll Oaolne32.exe File created C:\Windows\SysWOW64\Lkjadh32.exe Lilehl32.exe File opened for modification C:\Windows\SysWOW64\Anpekggc.exe Qfdpgd32.exe File created C:\Windows\SysWOW64\Ikfhqc32.dll Anepooja.exe File created C:\Windows\SysWOW64\Kneacffj.dll Indnqb32.exe File created C:\Windows\SysWOW64\Ibplji32.exe Hnimeg32.exe File opened for modification C:\Windows\SysWOW64\Eloimcca.exe Ecfednma.exe File opened for modification C:\Windows\SysWOW64\Pinqoh32.exe Pbdhbnnp.exe File created C:\Windows\SysWOW64\Eoajcohc.dll Kbdmboqk.exe File created C:\Windows\SysWOW64\Dhgehheg.dll Goadik32.exe File created C:\Windows\SysWOW64\Ehlidiph.dll Jgbkdkdk.exe File created C:\Windows\SysWOW64\Okolfkjg.exe Odlnkmjg.exe File opened for modification C:\Windows\SysWOW64\Ikembicd.exe Hhbgkn32.exe File opened for modification C:\Windows\SysWOW64\Angklf32.exe Aacjba32.exe File opened for modification C:\Windows\SysWOW64\Lfckko32.exe Lmkgajnm.exe File opened for modification C:\Windows\SysWOW64\Jkjfpe32.exe Process not Found File created C:\Windows\SysWOW64\Indnqb32.exe Icjmpd32.exe File opened for modification C:\Windows\SysWOW64\Dgkike32.exe Dnbdbomn.exe File created C:\Windows\SysWOW64\Heclbhec.dll Hjdhpg32.exe File opened for modification C:\Windows\SysWOW64\Ljdjildq.exe Lqleqg32.exe File created C:\Windows\SysWOW64\Lpmnln32.dll Process not Found File created C:\Windows\SysWOW64\Jajbfeop.exe Iionacad.exe File opened for modification C:\Windows\SysWOW64\Jciaki32.exe Jnlhbb32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4636 4856 Process not Found 1390 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbdoec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flcjjdpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnnoempk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbiadm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgfjld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgagnjbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfeljlqh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmhhcaik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkebgj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aknnil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdmbiojc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqmbca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnkhfnea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pihlhagn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blfnin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ambnlmja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcmhmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnjpdphd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndfbia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bijobb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aomghchl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjjdjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgbcha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlacdj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdobjgqg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqbdllld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfcoel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdpkdf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfklgape.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cibnfpjg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmcfeh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nidmhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfmhfm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdapggln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjcljlea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnqdpj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdnffpif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jphcgq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iijbnkne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iodlcnmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncnmhajo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpegka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbpegdik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cceenilo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Filnjk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaqnmbdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjpdoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppcplg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnlolhoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcignoki.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okmpmg32.dll" Pmjohoej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qcdinbdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Annhoa32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhbgkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qqnjgmfe.dll" Kknkncbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmkgajnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkepcb32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggknde32.dll" Aqljdclg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dkfcqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phckglbq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aennhcpi.dll" Ejfnfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aajedn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghcmedmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aippolfc.dll" Ppcplg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcffeo32.dll" Dknehe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgienc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knjclp32.dll" Okhboc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmnpc32.dll" Emnelbdi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pifakj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhcdfiom.dll" Ifajif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iobdopna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lenapcbd.dll" Nbddfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edqbhk32.dll" Geckno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hjdhpg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahbcda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajghgd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hobcok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cedhac32.dll" Cjdmee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khlbdkhd.dll" Kbljmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmnjfc32.dll" Lmkgajnm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdkfco32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfjaej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lefhfe32.dll" Mmaghc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nibcgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmlokdgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkahbkgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfjdmggb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ongicemc.dll" Ipmgncii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpoinb32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dglcoefp.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ggmjkapi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ephhmn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjdiigbm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qfdpgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhggndkp.dll" Eqmbca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Klqmaebl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncnbqeoe.dll" Kngcbpjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phclhp32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdpgpi32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmdigp32.dll" Degobhjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgdlld32.dll" Cbihpbpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbajcaio.dll" Hobcok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jabmdd32.dll" Kkiiom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aepipcbp.dll" Lmbadfdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkgeaneg.dll" Nlcnaaog.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2936 wrote to memory of 2584 2936 62cb795f2a66de29395a7e6b2d00a1c820c9dad589c4b78140ed5dbcb7ec3aa7N.exe 29 PID 2936 wrote to memory of 2584 2936 62cb795f2a66de29395a7e6b2d00a1c820c9dad589c4b78140ed5dbcb7ec3aa7N.exe 29 PID 2936 wrote to memory of 2584 2936 62cb795f2a66de29395a7e6b2d00a1c820c9dad589c4b78140ed5dbcb7ec3aa7N.exe 29 PID 2936 wrote to memory of 2584 2936 62cb795f2a66de29395a7e6b2d00a1c820c9dad589c4b78140ed5dbcb7ec3aa7N.exe 29 PID 2584 wrote to memory of 2904 2584 Mekanbol.exe 30 PID 2584 wrote to memory of 2904 2584 Mekanbol.exe 30 PID 2584 wrote to memory of 2904 2584 Mekanbol.exe 30 PID 2584 wrote to memory of 2904 2584 Mekanbol.exe 30 PID 2904 wrote to memory of 3012 2904 Mncfgh32.exe 31 PID 2904 wrote to memory of 3012 2904 Mncfgh32.exe 31 PID 2904 wrote to memory of 3012 2904 Mncfgh32.exe 31 PID 2904 wrote to memory of 3012 2904 Mncfgh32.exe 31 PID 3012 wrote to memory of 2616 3012 Ncbkenba.exe 32 PID 3012 wrote to memory of 2616 3012 Ncbkenba.exe 32 PID 3012 wrote to memory of 2616 3012 Ncbkenba.exe 32 PID 3012 wrote to memory of 2616 3012 Ncbkenba.exe 32 PID 2616 wrote to memory of 2796 2616 Nplhooec.exe 33 PID 2616 wrote to memory of 2796 2616 Nplhooec.exe 33 PID 2616 wrote to memory of 2796 2616 Nplhooec.exe 33 PID 2616 wrote to memory of 2796 2616 Nplhooec.exe 33 PID 2796 wrote to memory of 868 2796 Nidmhd32.exe 34 PID 2796 wrote to memory of 868 2796 Nidmhd32.exe 34 PID 2796 wrote to memory of 868 2796 Nidmhd32.exe 34 PID 2796 wrote to memory of 868 2796 Nidmhd32.exe 34 PID 868 wrote to memory of 2024 868 Odlnkmjg.exe 35 PID 868 wrote to memory of 2024 868 Odlnkmjg.exe 35 PID 868 wrote to memory of 2024 868 Odlnkmjg.exe 35 PID 868 wrote to memory of 2024 868 Odlnkmjg.exe 35 PID 2024 wrote to memory of 2092 2024 Okolfkjg.exe 36 PID 2024 wrote to memory of 2092 2024 Okolfkjg.exe 36 PID 2024 wrote to memory of 2092 2024 Okolfkjg.exe 36 PID 2024 wrote to memory of 2092 2024 Okolfkjg.exe 36 PID 2092 wrote to memory of 2340 2092 Oolelj32.exe 37 PID 2092 wrote to memory of 2340 2092 Oolelj32.exe 37 PID 2092 wrote to memory of 2340 2092 Oolelj32.exe 37 PID 2092 wrote to memory of 2340 2092 Oolelj32.exe 37 PID 2340 wrote to memory of 2848 2340 Oheieo32.exe 38 PID 2340 wrote to memory of 2848 2340 Oheieo32.exe 38 PID 2340 wrote to memory of 2848 2340 Oheieo32.exe 38 PID 2340 wrote to memory of 2848 2340 Oheieo32.exe 38 PID 2848 wrote to memory of 2528 2848 Pkebgj32.exe 39 PID 2848 wrote to memory of 2528 2848 Pkebgj32.exe 39 PID 2848 wrote to memory of 2528 2848 Pkebgj32.exe 39 PID 2848 wrote to memory of 2528 2848 Pkebgj32.exe 39 PID 2528 wrote to memory of 1976 2528 Pcagkmaj.exe 40 PID 2528 wrote to memory of 1976 2528 Pcagkmaj.exe 40 PID 2528 wrote to memory of 1976 2528 Pcagkmaj.exe 40 PID 2528 wrote to memory of 1976 2528 Pcagkmaj.exe 40 PID 1976 wrote to memory of 2460 1976 Pjpicfdb.exe 41 PID 1976 wrote to memory of 2460 1976 Pjpicfdb.exe 41 PID 1976 wrote to memory of 2460 1976 Pjpicfdb.exe 41 PID 1976 wrote to memory of 2460 1976 Pjpicfdb.exe 41 PID 2460 wrote to memory of 2284 2460 Qjbehfbo.exe 42 PID 2460 wrote to memory of 2284 2460 Qjbehfbo.exe 42 PID 2460 wrote to memory of 2284 2460 Qjbehfbo.exe 42 PID 2460 wrote to memory of 2284 2460 Qjbehfbo.exe 42 PID 2284 wrote to memory of 908 2284 Qdkfic32.exe 43 PID 2284 wrote to memory of 908 2284 Qdkfic32.exe 43 PID 2284 wrote to memory of 908 2284 Qdkfic32.exe 43 PID 2284 wrote to memory of 908 2284 Qdkfic32.exe 43 PID 908 wrote to memory of 320 908 Adncoc32.exe 44 PID 908 wrote to memory of 320 908 Adncoc32.exe 44 PID 908 wrote to memory of 320 908 Adncoc32.exe 44 PID 908 wrote to memory of 320 908 Adncoc32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\62cb795f2a66de29395a7e6b2d00a1c820c9dad589c4b78140ed5dbcb7ec3aa7N.exe"C:\Users\Admin\AppData\Local\Temp\62cb795f2a66de29395a7e6b2d00a1c820c9dad589c4b78140ed5dbcb7ec3aa7N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\Mekanbol.exeC:\Windows\system32\Mekanbol.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Mncfgh32.exeC:\Windows\system32\Mncfgh32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\Ncbkenba.exeC:\Windows\system32\Ncbkenba.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Windows\SysWOW64\Nplhooec.exeC:\Windows\system32\Nplhooec.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Nidmhd32.exeC:\Windows\system32\Nidmhd32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\Odlnkmjg.exeC:\Windows\system32\Odlnkmjg.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:868 -
C:\Windows\SysWOW64\Okolfkjg.exeC:\Windows\system32\Okolfkjg.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\Oolelj32.exeC:\Windows\system32\Oolelj32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Windows\SysWOW64\Oheieo32.exeC:\Windows\system32\Oheieo32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\SysWOW64\Pkebgj32.exeC:\Windows\system32\Pkebgj32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\Pcagkmaj.exeC:\Windows\system32\Pcagkmaj.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Windows\SysWOW64\Pjpicfdb.exeC:\Windows\system32\Pjpicfdb.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\SysWOW64\Qjbehfbo.exeC:\Windows\system32\Qjbehfbo.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Windows\SysWOW64\Qdkfic32.exeC:\Windows\system32\Qdkfic32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Windows\SysWOW64\Adncoc32.exeC:\Windows\system32\Adncoc32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:908 -
C:\Windows\SysWOW64\Abachg32.exeC:\Windows\system32\Abachg32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:320 -
C:\Windows\SysWOW64\Aqgqid32.exeC:\Windows\system32\Aqgqid32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1668 -
C:\Windows\SysWOW64\Ankabh32.exeC:\Windows\system32\Ankabh32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:236 -
C:\Windows\SysWOW64\Aqljdclg.exeC:\Windows\system32\Aqljdclg.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1680 -
C:\Windows\SysWOW64\Bmbkid32.exeC:\Windows\system32\Bmbkid32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:676 -
C:\Windows\SysWOW64\Bjfkbhae.exeC:\Windows\system32\Bjfkbhae.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1464 -
C:\Windows\SysWOW64\Bcopkn32.exeC:\Windows\system32\Bcopkn32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:932 -
C:\Windows\SysWOW64\Bineidcj.exeC:\Windows\system32\Bineidcj.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2164 -
C:\Windows\SysWOW64\Bklaepbn.exeC:\Windows\system32\Bklaepbn.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1740 -
C:\Windows\SysWOW64\Bkonkpqk.exeC:\Windows\system32\Bkonkpqk.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1716 -
C:\Windows\SysWOW64\Cmbghgdg.exeC:\Windows\system32\Cmbghgdg.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2472 -
C:\Windows\SysWOW64\Cghkepdm.exeC:\Windows\system32\Cghkepdm.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2900 -
C:\Windows\SysWOW64\Cpcpjbah.exeC:\Windows\system32\Cpcpjbah.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2976 -
C:\Windows\SysWOW64\Cfmhfm32.exeC:\Windows\system32\Cfmhfm32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3008 -
C:\Windows\SysWOW64\Cjkamk32.exeC:\Windows\system32\Cjkamk32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3068 -
C:\Windows\SysWOW64\Degobhjg.exeC:\Windows\system32\Degobhjg.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2764 -
C:\Windows\SysWOW64\Danohi32.exeC:\Windows\system32\Danohi32.exe33⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Dkfcqo32.exeC:\Windows\system32\Dkfcqo32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:1672 -
C:\Windows\SysWOW64\Dhjdjc32.exeC:\Windows\system32\Dhjdjc32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1140 -
C:\Windows\SysWOW64\Eplood32.exeC:\Windows\system32\Eplood32.exe36⤵
- Executes dropped EXE
PID:316 -
C:\Windows\SysWOW64\Epqhjdhc.exeC:\Windows\system32\Epqhjdhc.exe37⤵
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Elgioe32.exeC:\Windows\system32\Elgioe32.exe38⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Fepnhjdh.exeC:\Windows\system32\Fepnhjdh.exe39⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Fljfdd32.exeC:\Windows\system32\Fljfdd32.exe40⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Fdekigip.exeC:\Windows\system32\Fdekigip.exe41⤵
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\Fplknh32.exeC:\Windows\system32\Fplknh32.exe42⤵
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Fkdlaplh.exeC:\Windows\system32\Fkdlaplh.exe43⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Fcoaebjc.exeC:\Windows\system32\Fcoaebjc.exe44⤵
- Executes dropped EXE
PID:1020 -
C:\Windows\SysWOW64\Gmgenh32.exeC:\Windows\system32\Gmgenh32.exe45⤵
- Executes dropped EXE
PID:704 -
C:\Windows\SysWOW64\Ggmjkapi.exeC:\Windows\system32\Ggmjkapi.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:2056 -
C:\Windows\SysWOW64\Gmjbchnq.exeC:\Windows\system32\Gmjbchnq.exe47⤵
- Executes dropped EXE
PID:2100 -
C:\Windows\SysWOW64\Gjnbmlmj.exeC:\Windows\system32\Gjnbmlmj.exe48⤵
- Executes dropped EXE
PID:1132 -
C:\Windows\SysWOW64\Gojkecka.exeC:\Windows\system32\Gojkecka.exe49⤵
- Executes dropped EXE
PID:1456 -
C:\Windows\SysWOW64\Gomhkb32.exeC:\Windows\system32\Gomhkb32.exe50⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Gbkdgn32.exeC:\Windows\system32\Gbkdgn32.exe51⤵
- Executes dropped EXE
PID:752 -
C:\Windows\SysWOW64\Gielchpp.exeC:\Windows\system32\Gielchpp.exe52⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Hqpahkmj.exeC:\Windows\system32\Hqpahkmj.exe53⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Hkfeec32.exeC:\Windows\system32\Hkfeec32.exe54⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Hqbnnj32.exeC:\Windows\system32\Hqbnnj32.exe55⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Hngngo32.exeC:\Windows\system32\Hngngo32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Hccfoehi.exeC:\Windows\system32\Hccfoehi.exe57⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Hmlkhk32.exeC:\Windows\system32\Hmlkhk32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2020 -
C:\Windows\SysWOW64\Hgaoec32.exeC:\Windows\system32\Hgaoec32.exe59⤵
- Executes dropped EXE
PID:432 -
C:\Windows\SysWOW64\Hpmdjf32.exeC:\Windows\system32\Hpmdjf32.exe60⤵
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Icjmpd32.exeC:\Windows\system32\Icjmpd32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1972 -
C:\Windows\SysWOW64\Indnqb32.exeC:\Windows\system32\Indnqb32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2152 -
C:\Windows\SysWOW64\Iijbnkne.exeC:\Windows\system32\Iijbnkne.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1548 -
C:\Windows\SysWOW64\Ibbffq32.exeC:\Windows\system32\Ibbffq32.exe64⤵
- Executes dropped EXE
PID:2272 -
C:\Windows\SysWOW64\Iniglajj.exeC:\Windows\system32\Iniglajj.exe65⤵
- Executes dropped EXE
PID:560 -
C:\Windows\SysWOW64\Ilmgef32.exeC:\Windows\system32\Ilmgef32.exe66⤵PID:780
-
C:\Windows\SysWOW64\Imndmnob.exeC:\Windows\system32\Imndmnob.exe67⤵PID:900
-
C:\Windows\SysWOW64\Jffhec32.exeC:\Windows\system32\Jffhec32.exe68⤵PID:112
-
C:\Windows\SysWOW64\Jmpqbnmp.exeC:\Windows\system32\Jmpqbnmp.exe69⤵PID:2268
-
C:\Windows\SysWOW64\Jkdalb32.exeC:\Windows\system32\Jkdalb32.exe70⤵PID:1188
-
C:\Windows\SysWOW64\Jdmfdgbj.exeC:\Windows\system32\Jdmfdgbj.exe71⤵PID:2356
-
C:\Windows\SysWOW64\Jiinmnaa.exeC:\Windows\system32\Jiinmnaa.exe72⤵PID:2892
-
C:\Windows\SysWOW64\Jdobjgqg.exeC:\Windows\system32\Jdobjgqg.exe73⤵
- System Location Discovery: System Language Discovery
PID:1704 -
C:\Windows\SysWOW64\Jmggcmgg.exeC:\Windows\system32\Jmggcmgg.exe74⤵PID:2756
-
C:\Windows\SysWOW64\Joicje32.exeC:\Windows\system32\Joicje32.exe75⤵PID:1376
-
C:\Windows\SysWOW64\Jhahcjcf.exeC:\Windows\system32\Jhahcjcf.exe76⤵PID:2728
-
C:\Windows\SysWOW64\Kokppd32.exeC:\Windows\system32\Kokppd32.exe77⤵PID:1172
-
C:\Windows\SysWOW64\Kloqiijm.exeC:\Windows\system32\Kloqiijm.exe78⤵PID:3064
-
C:\Windows\SysWOW64\Kaliaphd.exeC:\Windows\system32\Kaliaphd.exe79⤵PID:1980
-
C:\Windows\SysWOW64\Klamohhj.exeC:\Windows\system32\Klamohhj.exe80⤵PID:2704
-
C:\Windows\SysWOW64\Kejahn32.exeC:\Windows\system32\Kejahn32.exe81⤵PID:2464
-
C:\Windows\SysWOW64\Kgknpfdi.exeC:\Windows\system32\Kgknpfdi.exe82⤵PID:2544
-
C:\Windows\SysWOW64\Kapbmo32.exeC:\Windows\system32\Kapbmo32.exe83⤵PID:1072
-
C:\Windows\SysWOW64\Khjkiikl.exeC:\Windows\system32\Khjkiikl.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:760 -
C:\Windows\SysWOW64\Kngcbpjc.exeC:\Windows\system32\Kngcbpjc.exe85⤵
- Modifies registry class
PID:1552 -
C:\Windows\SysWOW64\Lkkckdhm.exeC:\Windows\system32\Lkkckdhm.exe86⤵PID:524
-
C:\Windows\SysWOW64\Lllpclnk.exeC:\Windows\system32\Lllpclnk.exe87⤵PID:2132
-
C:\Windows\SysWOW64\Lnlmmo32.exeC:\Windows\system32\Lnlmmo32.exe88⤵PID:1104
-
C:\Windows\SysWOW64\Lcieef32.exeC:\Windows\system32\Lcieef32.exe89⤵PID:1780
-
C:\Windows\SysWOW64\Llainlje.exeC:\Windows\system32\Llainlje.exe90⤵PID:2960
-
C:\Windows\SysWOW64\Lbnbfb32.exeC:\Windows\system32\Lbnbfb32.exe91⤵PID:2852
-
C:\Windows\SysWOW64\Llcfck32.exeC:\Windows\system32\Llcfck32.exe92⤵
- Drops file in System32 directory
PID:2908 -
C:\Windows\SysWOW64\Lflklaoc.exeC:\Windows\system32\Lflklaoc.exe93⤵PID:1744
-
C:\Windows\SysWOW64\Mbbkabdh.exeC:\Windows\system32\Mbbkabdh.exe94⤵PID:2320
-
C:\Windows\SysWOW64\Mgodjico.exeC:\Windows\system32\Mgodjico.exe95⤵
- Drops file in System32 directory
PID:1692 -
C:\Windows\SysWOW64\Mbehgabe.exeC:\Windows\system32\Mbehgabe.exe96⤵PID:2496
-
C:\Windows\SysWOW64\Mbgela32.exeC:\Windows\system32\Mbgela32.exe97⤵PID:612
-
C:\Windows\SysWOW64\Mgdmeh32.exeC:\Windows\system32\Mgdmeh32.exe98⤵PID:2200
-
C:\Windows\SysWOW64\Mmafmo32.exeC:\Windows\system32\Mmafmo32.exe99⤵PID:1076
-
C:\Windows\SysWOW64\Mfijfdca.exeC:\Windows\system32\Mfijfdca.exe100⤵PID:1840
-
C:\Windows\SysWOW64\Nbddfe32.exeC:\Windows\system32\Nbddfe32.exe101⤵
- Modifies registry class
PID:1128 -
C:\Windows\SysWOW64\Nhdjdk32.exeC:\Windows\system32\Nhdjdk32.exe102⤵PID:1544
-
C:\Windows\SysWOW64\Ohmljj32.exeC:\Windows\system32\Ohmljj32.exe103⤵PID:664
-
C:\Windows\SysWOW64\Ojlife32.exeC:\Windows\system32\Ojlife32.exe104⤵PID:3040
-
C:\Windows\SysWOW64\Oiqegb32.exeC:\Windows\system32\Oiqegb32.exe105⤵PID:2760
-
C:\Windows\SysWOW64\Obijpgcf.exeC:\Windows\system32\Obijpgcf.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2064 -
C:\Windows\SysWOW64\Oicbma32.exeC:\Windows\system32\Oicbma32.exe107⤵PID:1624
-
C:\Windows\SysWOW64\Popkeh32.exeC:\Windows\system32\Popkeh32.exe108⤵
- Drops file in System32 directory
PID:2296 -
C:\Windows\SysWOW64\Pejcab32.exeC:\Windows\system32\Pejcab32.exe109⤵PID:2260
-
C:\Windows\SysWOW64\Pldknmhd.exeC:\Windows\system32\Pldknmhd.exe110⤵PID:2500
-
C:\Windows\SysWOW64\Pobgjhgh.exeC:\Windows\system32\Pobgjhgh.exe111⤵PID:2084
-
C:\Windows\SysWOW64\Pihlhagn.exeC:\Windows\system32\Pihlhagn.exe112⤵
- System Location Discovery: System Language Discovery
PID:792 -
C:\Windows\SysWOW64\Pdamhocm.exeC:\Windows\system32\Pdamhocm.exe113⤵PID:964
-
C:\Windows\SysWOW64\Pmjaadjm.exeC:\Windows\system32\Pmjaadjm.exe114⤵PID:2224
-
C:\Windows\SysWOW64\Phoeomjc.exeC:\Windows\system32\Phoeomjc.exe115⤵PID:1644
-
C:\Windows\SysWOW64\Poinkg32.exeC:\Windows\system32\Poinkg32.exe116⤵PID:2096
-
C:\Windows\SysWOW64\Ppjjcogn.exeC:\Windows\system32\Ppjjcogn.exe117⤵PID:2176
-
C:\Windows\SysWOW64\Phabdmgq.exeC:\Windows\system32\Phabdmgq.exe118⤵PID:1144
-
C:\Windows\SysWOW64\Qnoklc32.exeC:\Windows\system32\Qnoklc32.exe119⤵PID:1736
-
C:\Windows\SysWOW64\Qpmgho32.exeC:\Windows\system32\Qpmgho32.exe120⤵PID:2188
-
C:\Windows\SysWOW64\Qggoeilh.exeC:\Windows\system32\Qggoeilh.exe121⤵PID:2424
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-